Create different templates for CSPM and CNVM #1125
Conversation
|
This pull request does not have a backport label. Could you fix it @jeniawhite? 🙏
|
📊 Allure Report - 💚 No failures were reported.
|
| FILENAME="cloudformation-$VERSION-$DATE.yml" | ||
| echo "Uploading $FILENAME to S3" | ||
| aws s3 cp deploy/cloudformation/elastic-agent-ec2.yml s3://elastic-cspm-cft/$FILENAME | ||
| CNVMFILENAME="cloudformation-cnvm-$VERSION-$DATE.yml" |
There was a problem hiding this comment.
nit:
| CNVMFILENAME="cloudformation-cnvm-$VERSION-$DATE.yml" | |
| CNVM_FILENAME="cloudformation-cnvm-$VERSION-$DATE.yml" |
| echo "Uploading $CNVMFILENAME to S3" | ||
| aws s3 cp deploy/cloudformation/elastic-agent-ec2-cnvm.yml s3://elastic-cnvm-cft/$CNVMFILENAME | ||
|
|
||
| CSPMFILENAME="cloudformation-cspm-$VERSION-$DATE.yml" |
There was a problem hiding this comment.
nit:
| CSPMFILENAME="cloudformation-cspm-$VERSION-$DATE.yml" | |
| CSPM_FILENAME="cloudformation-cspm-$VERSION-$DATE.yml" |
.pre-commit-config.yaml
Outdated
| @@ -7,7 +7,7 @@ repos: | |||
| - id: check-added-large-files | |||
| - id: check-yaml | |||
| args: [--allow-multiple-documents, --unsafe] | |||
| exclude: (^tests/deploy/k8s-cloudbeat-tests/templates/.*)$|(^deploy/cloudformation/elastic-agent-ec2.yml)$ | |||
| exclude: (^tests/deploy/k8s-cloudbeat-tests/templates/.*)$|(^deploy/cloudformation/elastic-agent-ec2-*.yml)$ | |||
There was a problem hiding this comment.
do we still want to ignore them now that we won't use templating?
| "-rn", # Only display messages | ||
| "--rcfile=tests/pylintrc", # Link to your config file | ||
| ] |
There was a problem hiding this comment.
please revert the auto IDE formatting changes (unless you think they are needed)
| --check, | ||
| --diff, | ||
| ] | ||
| args: [--line-length=120, --check, --diff] |
There was a problem hiding this comment.
please revert the auto IDE formatting changes (unless you think they are needed)
|
|
||
| - repo: local | ||
| hooks: | ||
| - id: yq | ||
| name: format with yq | ||
| entry: sh -c 'for file in "$@"; do yq -i "$file"; done' | ||
| language: system | ||
| args: [ -i ] | ||
| args: [-i] |
There was a problem hiding this comment.
please revert the auto IDE formatting changes (unless you think they are needed)
| files: deploy/cloudformation/.*yml | ||
|
|
||
| - repo: https://github.com/awslabs/cfn-python-lint | ||
| rev: v0.77.5 | ||
| hooks: | ||
| - id: cfn-python-lint | ||
| - id: cfn-python-lint |
There was a problem hiding this comment.
please revert the auto IDE formatting changes (unless you think they are needed)
deploy/cloudformation/.gitignore
Outdated
| elastic-agent-ec2-dev-cspm.yml | ||
| elastic-agent-ec2-dev-cnvm.yml |
There was a problem hiding this comment.
I think you can use dev-* here instead, but don't you think it would be useful to commit these files and share them?
There was a problem hiding this comment.
I've kept the pre-existing logic of ignoring the dev generated yml.
I'm not against pushing the dev templates, but they are auto-generated anyways.
| @@ -3,8 +3,8 @@ AWSTemplateFormatVersion: "2010-09-09" | |||
| Description: Creates an EC2 instance with permissions to run elastic-agent | |||
| Parameters: | |||
| LatestAmiId: | |||
| Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' | |||
| Default: '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-arm64' | |||
| Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>" | |||
There was a problem hiding this comment.
I feel like there's an IDE formatting war between some of the CF devs (see here for example lol) Please let's solve this instead of committing multiple "->' lines
There was a problem hiding this comment.
Syncing with @amirbenun it looks like he manually edited the "->' changes (it looks like that he doesn't use any formatter for yml files).
I'm using the default configurations of VSCode.
If you think that I should change the default formatting, please provide me the configuration that you'd like me to use.
There was a problem hiding this comment.
rain fmt seems to be the AWS recommendation.
deploy/cloudformation/README.md
Outdated
| @@ -10,7 +10,7 @@ The EC2 instance has elastic-agent preinstalled in it using the fleet URL and en | |||
| 2. You have AWS CLI installed on your laptop and configured to work with our dev account `elastic-security-cloud-security-dev` (in particular, `~/.aws/config` and `~/.aws/credentials` should be set, check https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html for more information) | |||
|
|
|||
| *Steps:* | |||
| 1. Install the Vulnerability Management integration on a new agent policy, you might have to check the "Display beta integrations" checkbox. | |||
| 1. Install Vulnerability Management integration on a new agent policy, you might have to check the "Display beta integrations" checkbox. | |||
There was a problem hiding this comment.
"the" is grammatically correct there :)
| Dev *devConfig `mapstructure:"DEV"` | ||
| DeploymentType string `mapstructure:"DEPLOYMENT_TYPE"` |
There was a problem hiding this comment.
I think it should be inside the devConfig because all the "regular" parameters being sent as CloudFormation parameters which will cause an unknown parameter.
Another option is to wrap the CloudFormation parameters under some new object.
There was a problem hiding this comment.
Dev is also not a part of the template and yet it exists in the same scope.
I do think that the DeploymentType should be in the root because it is not part of the Dev subsection.
It actually decides what template we will apply eventually.
This is only relevant for use-case when we are running via the gomain.go.
| @@ -19,7 +19,6 @@ FLEET_URL="<Elastic Agent Fleet URL>" | |||
| ENROLLMENT_TOKEN="<Elastic Agent Enrollment Token>" | |||
| ELASTIC_ARTIFACT_SERVER="https://artifacts.elastic.co/downloads/beats/elastic-agent" # Replace artifact URL with a pre-release version (BC or snapshot) | |||
| ELASTIC_AGENT_VERSION="<Elastic Agent Version>" # e.g: 8.8.0 | 8.8.0-SNAPSHOT | |||
| # INTEGRATION=CloudSecurityPostureManagement # Defaults to VulnerabilityManagement if not specified | |||
There was a problem hiding this comment.
Document the new parameter instead
There was a problem hiding this comment.
The DeploymentType is not a template parameter and is only being used by the config.go.
| DEV: "elastic-agent-ec2-dev-cnvm.yml", | ||
| PROD: "elastic-agent-ec2-cnvm.yml", | ||
| }, | ||
| } |
There was a problem hiding this comment.
nit: Create a struct
type flavor struct {
Name string
DevTemplate string
ProdTemplate string
}
There was a problem hiding this comment.
Discussed together and came to conclusion that we would like to keep the map access dynamic for now.
We can re-evaluate in future if needed.
| @@ -171,3 +188,13 @@ func createStack(stackName string, templatePath string, params map[string]string | |||
| log.Printf("Created stack %s", *stackOutput.StackId) | |||
| return nil | |||
| } | |||
|
|
|||
| func getTemplatePath(deploymentType string, env string) (string, error) { | |||
| if deploymentType == "" { | |||
There was a problem hiding this comment.
where possible, validations should be in config.go under the validation function.
| Dev *devConfig `mapstructure:"DEV"` | ||
| DeploymentType string `mapstructure:"DEPLOYMENT_TYPE"` |
There was a problem hiding this comment.
The sanity flow needs to create a CNVM stack, you can add an env var here:
There was a problem hiding this comment.
It will do it by default.
func getTemplatePath(deploymentType string, env string) string {
if deploymentType == "" {
// Default is CNVM
deploymentType = DeploymentTypeCNVM
Summary of your changes
In order to have different permissions and policies, we've resorted to creating different templates.
Related Issues
Checklist