From cf59d7372ed89563c9452f0796c3499aec53413d Mon Sep 17 00:00:00 2001
From: Teddy Reed
Date: Mon, 25 Mar 2024 12:45:03 -0400
Subject: [PATCH] docs: Simplify existing VPC networking example (#137)

---
 .../README.md | 71 ++++---------------
 .../main.tf | 13 +++-
 .../single-account-existing-vpc/README.md | 42 -----------
 examples/single-account-existing-vpc/main.tf | 31 --------
 .../single-account-existing-vpc/versions.tf | 10 ---
 scripts/ci_tests.sh | 1 -
 6 files changed, 24 insertions(+), 144 deletions(-)
 delete mode 100644 examples/single-account-existing-vpc/README.md
 delete mode 100644 examples/single-account-existing-vpc/main.tf
 delete mode 100644 examples/single-account-existing-vpc/versions.tf

diff --git a/examples/single-account-existing-vpc-networking/README.md b/examples/single-account-existing-vpc-networking/README.md
index 5e0156e..008e694 100644
--- a/examples/single-account-existing-vpc-networking/README.md
+++ b/examples/single-account-existing-vpc-networking/README.md
@@ -1,78 +1,33 @@ # Single Account with Existing VPC & Networking Example ```hcl - provider "lacework" {} provider "aws" { region = "us-west-1" } -resource "aws_vpc" "existing" { - cidr_block = "10.0.0.0/16" - enable_dns_support = true - enable_dns_hostnames = true - instance_tenancy = "default" -} - -resource "aws_internet_gateway" "existing" { - vpc_id = aws_vpc.existing.id -} - -resource "aws_route_table" "existing" { - vpc_id = aws_vpc.existing.id -} - -resource "aws_route" "existing" { - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.existing.id - route_table_id = aws_route_table.existing.id -} - -resource "aws_route_table_association" "agentless_scan_route_table_association" { - subnet_id = aws_subnet.existing.id - route_table_id = aws_route_table.existing.id -} - -resource "aws_subnet" "existing" { - vpc_id = aws_vpc.existing.id - cidr_block = "10.0.0.0/24" - map_public_ip_on_launch = false -} - -resource "aws_security_group" "existing" { - name = "existing-security-group" - vpc_id = aws_vpc.existing.id - - ingress { - protocol = -1 - self = true - from_port = 0 - to_port = 0 - } - - egress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } -} - +// Create global resources, includes lacework cloud integration. +// This will also create regional resources too. +// If scanning should occur on multiple regions then refer to the 'default' example. module "lacework_aws_agentless_scanning_singleregion" { - source = "lacework/agentless-scanning/aws" - version = "~> 0.8" + source = "../.." global = true regional = true lacework_integration_name = "agentless_from_terraform" + // This expects the VPC to have a route to the internet. + // There are options in the terraform here to create an IGW if needed. 
use_existing_vpc = true - vpc_id = aws_vpc.existing.id + use_internet_gateway = false + vpc_id = "vpc-123456" use_existing_security_group = true - security_group_id = aws_security_group.existing.id - use_existing_subnet = true - subnet_id = aws_subnet.existing.id + security_group_id = "sg-123456" + + // Only a single subnet is needed. + use_existing_subnet = true + subnet_id = "subnet-123456" } ``` diff --git a/examples/single-account-existing-vpc-networking/main.tf b/examples/single-account-existing-vpc-networking/main.tf index 78dc1e4..608fb2a 100644 --- a/examples/single-account-existing-vpc-networking/main.tf +++ b/examples/single-account-existing-vpc-networking/main.tf @@ -4,6 +4,8 @@ provider "aws" { region = "us-west-1" } +// START: The following resources are provided for the integration tests only. +// These are not needed for actual usages, see the README.md. resource "aws_vpc" "existing" { cidr_block = "10.0.0.0/16" enable_dns_support = true @@ -54,6 +56,8 @@ resource "aws_security_group" "existing" { cidr_blocks = ["0.0.0.0/0"] } } +// END: This is the end of resource created needed for integration testing. +// The above resources are created for testing purposes only. // Create global resources, includes lacework cloud integration. // This will also create regional resources too. @@ -65,10 +69,15 @@ module "lacework_aws_agentless_scanning_singleregion" { regional = true lacework_integration_name = "agentless_from_terraform" + // This expects the VPC to have a route to the internet. + // There are options in the terraform here to create an IGW if needed. use_existing_vpc = true + use_internet_gateway = false vpc_id = aws_vpc.existing.id use_existing_security_group = true security_group_id = aws_security_group.existing.id - use_existing_subnet = true - subnet_id = aws_subnet.existing.id + + // Only a single subnet is needed. + use_existing_subnet = true + subnet_id = aws_subnet.existing.id } 
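Review bot: The END marker added in the second main.tf hunk, `// END: This is the end of resource created needed for integration testing.`, is ungrammatical and the line after it restates the same thing. A single line such as `// END: the resources above exist for the integration tests only; see the README.md for real usage.` carries the same information and mirrors the START marker added in the first hunk. The `aws_security_group.existing` block whose closing lines open this hunk starts outside it.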
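Review bot: In the third main.tf hunk the comment above `use_existing_vpc` says the VPC must have a route to the internet but does not connect that requirement to the new `use_internet_gateway = false` line, so a reader copying this block cannot tell which setting carries the requirement or what satisfies it here. In this example it is satisfied by the test-only fixture bracketed by the START/END comments (the `aws_internet_gateway`, the `aws_route` to `0.0.0.0/0` and the route table association that the old README listed), all outside this hunk. Suggest replacing the two comment lines with `// use_internet_gateway = false: the module creates no IGW, so the VPC in vpc_id must already have an egress path (here aws_internet_gateway.existing and its 0.0.0.0/0 route from the test fixture).` The `security_group_id` line should likewise state the minimum the supplied group must allow; the fixture group's egress is 443/tcp to 0.0.0.0/0, which is presumably the intended least-privilege shape — confirm against the module's requirements. The module block's header is outside the hunk.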
diff --git a/examples/single-account-existing-vpc/README.md b/examples/single-account-existing-vpc/README.md
deleted file mode 100644
index aa9a7db..0000000
--- a/examples/single-account-existing-vpc/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Single Account with Existing VPC Example
-
-```hcl
-
-provider "lacework" {}
-
-provider "aws" {
- region = "us-west-1"
-}
-
-resource "aws_vpc" "existing" {
- cidr_block = "10.0.0.0/16"
- enable_dns_support = true
- enable_dns_hostnames = true
- instance_tenancy = "default"
-}
-
-resource "aws_internet_gateway" "existing" {
- vpc_id = aws_vpc.existing.id
-}
-
-module "lacework_aws_agentless_scanning_singleregion" {
- source = "lacework/agentless-scanning/aws"
- version = "~> 0.5"
-
- global = true
- regional = true
- lacework_integration_name = "agentless_from_terraform"
-
- use_existing_vpc = true
- vpc_id = aws_vpc.existing.id
- vpc_cidr_block = "10.0.0.0/24" # This should be an unused subnet within the VPC's CIDR Block
-}
-```
-
-In this example the **global** resources and **regional** resources are added.
-Global resources include the single per-account resources like IAM roles,
-policies, and S3 bucket. Regional resources include and ECS cluster.
-This example uses a single module to add both types of resources.
-This is the simplest usage but only supports a single account and single region.
-
-Refer to the _default_ example for adding scanning to multiple regions.
diff --git a/examples/single-account-existing-vpc/main.tf b/examples/single-account-existing-vpc/main.tf
deleted file mode 100644
index a717183..0000000
--- a/examples/single-account-existing-vpc/main.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-provider "lacework" {}
-
-provider "aws" {
- region = "us-west-1"
-}
-
-resource "aws_vpc" "existing" {
- cidr_block = "10.0.0.0/16"
- enable_dns_support = true
- enable_dns_hostnames = true
- instance_tenancy = "default"
-}
-
-resource "aws_internet_gateway" "existing" {
- vpc_id = aws_vpc.existing.id
-}
-
-// Create global resources, includes lacework cloud integration.
-// This will also create regional resources too.
-// If scanning should occur on multiple regions then refer to the 'default' example.
-module "lacework_aws_agentless_scanning_singleregion" {
- source = "../.."
-
- global = true
- regional = true
- lacework_integration_name = "agentless_from_terraform"
-
- use_existing_vpc = true
- vpc_id = aws_vpc.existing.id
- vpc_cidr_block = "10.0.0.0/24" # This should be an unused subnet within the VPC's CIDR Block
-}
diff --git a/examples/single-account-existing-vpc/versions.tf b/examples/single-account-existing-vpc/versions.tf
deleted file mode 100644
index 8be3575..0000000
--- a/examples/single-account-existing-vpc/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 0.15.0"
-
- required_providers {
- lacework = {
- source = "lacework/lacework"
- version = "~> 1.0"
- }
- }
-}
diff --git a/scripts/ci_tests.sh b/scripts/ci_tests.sh
index 54106da..f42102c 100755
--- a/scripts/ci_tests.sh
+++ b/scripts/ci_tests.sh
@@ -11,7 +11,6 @@ readonly project_name=terraform-aws-agentless-scanning
 TEST_CASES=(
 examples/multi-account-multi-region-auto-snapshot
 examples/multi-account-multi-region
- examples/single-account-existing-vpc
 examples/single-account-existing-vpc-networking
 examples/single-account-multi-region
 examples/single-account-single-region