diff --git a/modules/services/agentless-scanning/README.md b/modules/services/agentless-scanning/README.md index 7e8dcf6..d863bb4 100644 --- a/modules/services/agentless-scanning/README.md +++ b/modules/services/agentless-scanning/README.md @@ -11,14 +11,14 @@ The following resources will be created in each instrumented account: | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.39.0 | +| [terraform](#requirement\_terraform) | >= 1.2.0 | +| [aws](#requirement\_aws) | >= 5.60.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.39.0 | +| [aws](#provider\_aws) | >= 5.60.0 | ## Modules 
@@ -40,37 +40,39 @@ No modules. | [aws_kms_alias.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | n/a | yes | -| [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no | | [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | -| [regions](#input\_regions) 
| (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no | -| [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false | `string` | `""` | no | +| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | +| [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no | +| [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | | [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Deletion window for shared KMS key | `number` | `7` | no | +| [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-secure-scanning"` | no | | [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Scanning. By default, Agentless Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | +| [regions](#input\_regions) | (Optional) List of regions in which to install Agentless Scanning | `set(string)` | `[]` | no | +| [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. 
Must be set if deploy\_global\_resources is false | `string` | `""` | no | +| [scanning\_account\_id](#input\_scanning\_account\_id) | The identifier of the account that will receive volume snapshots | `string` | `"878070807337"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{| no | -| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | -| [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no | -| [mgt_stackset](#mgt\_stackset) | Whether to create the resources on the management account using a stackset | `bool` | `true` | no | +| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | ## Outputs | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Scanning | | [kms\_key](#output\_kms\_key) | KMS key ID and ARN | | [kms\_key\_alias](#output\_kms\_key\_alias) | KMS key alias | +| [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Scanning | ## Authors
diff --git a/modules/services/agentless-scanning/organizational.tf b/modules/services/agentless-scanning/organizational.tf
index ec22009..08a3b45 100644
--- a/modules/services/agentless-scanning/organizational.tf
+++ b/modules/services/agentless-scanning/organizational.tf
@@ -138,7 +138,10 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
 organizational_unit_ids = local.organizational_unit_ids
 }
 operation_preferences {
- max_concurrent_count = 10
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ # Roles are not regional and hence do not need regional parallelism
 }
 timeouts {
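Review bot: The new `concurrency_mode = "SOFT_FAILURE_TOLERANCE"` in `scanning_role_stackset_instance` lets the StackSet operation, and therefore `terraform apply`, finish successfully while up to `failure_tolerance_percentage` of the targeted accounts never receive the scanning role, and nothing in this resource surfaces which accounts were skipped, so a green apply no longer means the organization is covered. Replacing `max_concurrent_count = 10` (which, with CloudFormation's default of zero tolerated failures, stopped a broken rollout after the first batch, if I recall the default correctly) with 100 % concurrency also removes that natural canary: a bad template update now reaches every account at once. Both consequences deserve a comment where the tolerance is set, e.g. `# SOFT mode: the apply succeeds even if up to failure_tolerance_percentage of accounts fail; check the StackSet operation results in CloudFormation for accounts left without the scanning role`. The resource block starts before this hunk and its `timeouts` block continues after it.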
@@ -219,8 +222,10 @@ resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
 stack_set_name = aws_cloudformation_stack_set.mgmt_acc_resources_stackset[0].name
 operation_preferences {
- max_concurrent_count = 10
- region_concurrency_type = "PARALLEL"
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ region_concurrency_type = "PARALLEL"
 }
 timeouts {
@@ -309,8 +314,10 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
 organizational_unit_ids = local.organizational_unit_ids
 }
 operation_preferences {
- max_concurrent_count = 10
- region_concurrency_type = "PARALLEL"
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ region_concurrency_type = "PARALLEL"
 }
 timeouts {
diff --git a/modules/services/agentless-scanning/variables.tf b/modules/services/agentless-scanning/variables.tf
index d8fa86c..49c854f 100644
--- a/modules/services/agentless-scanning/variables.tf
+++ b/modules/services/agentless-scanning/variables.tf
@@ -79,4 +79,10 @@ variable "mgt_stackset" {
 description = "(Optional) Indicates if the management stackset should be deployed"
 type = bool
 default = true
-}
\ No newline at end of file
+}
+
+variable "failure_tolerance_percentage" {
+ type = number
+ description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+ default = 90
+}
diff --git a/modules/services/agentless-scanning/versions.tf b/modules/services/agentless-scanning/versions.tf
index 00773b6..1a96589 100644
--- a/modules/services/agentless-scanning/versions.tf
+++ b/modules/services/agentless-scanning/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.39.0"
+ version = ">= 5.60.0"
 }
 }
 }
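Review bot: `failure_tolerance_percentage` is a per-Region percentage of accounts, and `mgmt_acc_stackset_instance` appears, from its name and the absence of a `deployment_targets` block in the shown context, to target a single account; if that is right, CloudFormation rounds the percentage down to whole accounts as far as I recall, so 90 % of one account tolerates zero failures and this instance is effectively strict while the OU-targeted instances using the same variable are not. That asymmetry is acceptable, but it is easy to "fix" wrongly later, so a short comment next to the setting would help, e.g. `# single-account target: any failure aborts the operation regardless of var.failure_tolerance_percentage`. The resource block begins before the hunk and its `timeouts` block continues after it.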
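Review bot: `failure_tolerance_percentage` is declared as an unconstrained `number` with a default of 90, which means an organizational apply is reported successful when nine out of ten member accounts per Region fail to get the scanning role and KMS key, while a fractional or out-of-range value is only rejected by the CloudFormation API at apply time rather than at plan. A `validation` block fails fast, and the description should spell out the coverage consequence of the default so operators do not read a successful apply as full instrumentation; whether a security control should default to tolerating 90 % failure at all, instead of a low value that makes partial rollout loud, is worth a deliberate decision. Suggested declaration below.
```hcl
variable "failure_tolerance_percentage" {
  type        = number
  description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region. With the default of 90 a successful apply does NOT mean every account was instrumented; check the StackSet operation results."
  default     = 90

  validation {
    condition     = var.failure_tolerance_percentage >= 0 && var.failure_tolerance_percentage <= 100 && floor(var.failure_tolerance_percentage) == var.failure_tolerance_percentage
    error_message = "failure_tolerance_percentage must be a whole number between 0 and 100."
  }
}
```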
diff --git a/modules/services/event-bridge/README.md b/modules/services/event-bridge/README.md index 2aabd4e..933ae86 100644 --- a/modules/services/event-bridge/README.md +++ b/modules/services/event-bridge/README.md @@ -16,13 +16,13 @@ When run in Organizational mode, this module will be deployed as a CloudFormatio | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.39.0 | +| [aws](#requirement\_aws) | >= 5.60.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.39.0 | +| [aws](#provider\_aws) | >= 5.60.0 | ## Modules @@ -41,6 +41,7 @@ No modules. | [aws_cloudwatch_event_rule.sysdig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_target.sysdig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_iam_role.event_bus_invoke_remote_event_bus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_policy_document.cloud_trail_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | ## Inputs 
@@ -51,15 +52,18 @@ No modules. | [target\_event\_bus\_arn](#input\_target\_event\_bus\_arn) | (Required) The ARN of Sysdig's event bus that will receive events from your account | `string` | n/a | yes | | [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | | [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) | `bool` | `false` | no | +| [event\_pattern](#input\_event\_pattern) | Event pattern for CloudWatch Event Rule | `string` | `"{\n \"detail-type\": [\n \"AWS API Call via CloudTrail\",\n \"AWS Console Sign In via CloudTrail\",\n \"AWS Service Event via CloudTrail\",\n \"Object Access Tier Changed\",\n \"Object ACL Updated\",\n \"Object Created\",\n \"Object Deleted\",\n \"Object Restore Completed\",\n \"Object Restore Expired\",\n \"Object Restore Initiated\",\n \"Object Storage Class Changed\",\n \"Object Tags Added\",\n \"Object Tags Deleted\",\n \"GuardDuty Finding\"\n ]\n}\n"` | no | +| [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy EventBridge to an AWS Organization (Or specific OUs) | `bool` | `false` | no | +| [mgt\_stackset](#input\_mgt\_stackset) | (Optional) Indicates if the management stackset should be deployed | `bool` | `true` | no | | [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sysdig"` | no | | [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup EventBridge. 
By default, EventBridge will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | | [regions](#input\_regions) | (Optional) List of regions in which to setup EventBridge. By default, current region is selected | `set(string)` | `[]` | no | | [role\_arn](#input\_role\_arn) | (Optional) IAM role created for event-bridge. If already created value is needed to be passed | `string` | `""` | no | +| [rule\_state](#input\_rule\_state) | State of the rule. When state is ENABLED, the rule is enabled for all events except those delivered by CloudTrail. To also enable the rule for events delivered by CloudTrail, set state to ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"` | no | | [stackset\_admin\_role\_arn](#input\_stackset\_admin\_role\_arn) | (Optional) stackset admin role to run SELF\_MANAGED stackset | `string` | `""` | no | | [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` |
"product": "sysdig-secure-for-cloud"
}
{| no | -| [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no | -| [mgt_stackset](#mgt\_stackset) | Whether to create the resources on the management account using a stackset | `bool` | `true` | no | +| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | ## Outputs
diff --git a/modules/services/event-bridge/organizational.tf b/modules/services/event-bridge/organizational.tf
index a5766fc..13e59f8 100644
--- a/modules/services/event-bridge/organizational.tf
+++ b/modules/services/event-bridge/organizational.tf
@@ -133,8 +133,10 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
 organizational_unit_ids = local.organizational_unit_ids
 }
 operation_preferences {
- max_concurrent_count = 10
- region_concurrency_type = "PARALLEL"
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ region_concurrency_type = "PARALLEL"
 }
 timeouts {
@@ -151,8 +153,10 @@ resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
 stack_set_name = aws_cloudformation_stack_set.mgmt-stackset[0].name
 operation_preferences {
- max_concurrent_count = 10
- region_concurrency_type = "PARALLEL"
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ region_concurrency_type = "PARALLEL"
 }
 timeouts {
@@ -171,8 +175,10 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
 organizational_unit_ids = local.organizational_unit_ids
 }
 operation_preferences {
- max_concurrent_count = 10
- region_concurrency_type = "PARALLEL"
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ # Roles are not regional and hence do not need regional parallelism
 }
 timeouts {
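Review bot: In `stackset_instance`, `SOFT_FAILURE_TOLERANCE` combined with `var.failure_tolerance_percentage` means the per-region EventBridge rule and target can fail to deploy in a large share of member accounts while the StackSet operation, and therefore `terraform apply`, still succeeds; an account or region without the rule simply stops forwarding its CloudTrail and GuardDuty events to Sysdig, which is a silent detection gap rather than a visible deployment error. Please document that at the setting, e.g. `# SOFT mode: accounts/regions that fail here silently stop forwarding events; review the StackSet operation results after apply`, and consider whether a tolerance this permissive is appropriate for an event-forwarding control. The resource block begins before the hunk and its `timeouts` block continues after it.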
diff --git a/modules/services/event-bridge/variables.tf b/modules/services/event-bridge/variables.tf
index c8e84e9..ffa6272 100644
--- a/modules/services/event-bridge/variables.tf
+++ b/modules/services/event-bridge/variables.tf
@@ -104,4 +104,10 @@ variable "mgt_stackset" {
 description = "(Optional) Indicates if the management stackset should be deployed"
 type = bool
 default = true
-}
\ No newline at end of file
+}
+
+variable "failure_tolerance_percentage" {
+ type = number
+ description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+ default = 90
+}
diff --git a/modules/services/event-bridge/versions.tf b/modules/services/event-bridge/versions.tf
index 35fda82..8892dbe 100644
--- a/modules/services/event-bridge/versions.tf
+++ b/modules/services/event-bridge/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.27.0"
+ version = ">= 5.60.0"
 }
 }
 }
diff --git a/modules/services/trust-relationship/README.md b/modules/services/trust-relationship/README.md
index 090cdac..d399ea2 100644
--- a/modules/services/trust-relationship/README.md
+++ b/modules/services/trust-relationship/README.md
@@ -6,9 +6,9 @@ The following resources will be created in each instrumented account: - An IAM Role and associated IAM Policies mentioned below to grant Sysdig read only permissions to secure you AWS Account: - `arn:aws:iam::aws:policy/SecurityAudit` - a custom policy (`custom_resources_policy`) - - An Access Policy attached to this role using a Sysdig provided `ExternalId`. + - An Access Policy attached to this role using a Sysdig provided `ExternalId`. -If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. +If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. ## Requirements
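Review bot: `failure_tolerance_percentage` in the event-bridge module is typed as a bare `number` with default 90 and no `validation`, so a fractional or out-of-range value is only caught by the CloudFormation API at apply time, and the description does not tell the operator that with the default up to 90 % of accounts per Region may be left without the EventBridge rule while the apply still succeeds. Add a validation with `condition = var.failure_tolerance_percentage >= 0 && var.failure_tolerance_percentage <= 100 && floor(var.failure_tolerance_percentage) == var.failure_tolerance_percentage` and a matching `error_message`, and extend the description with one sentence on the coverage consequence of the default so that a successful apply is not mistaken for complete event forwarding.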
@@ -16,13 +16,13 @@ If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.62.0 | +| [aws](#requirement\_aws) | >= 5.60.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.62.0 | +| [aws](#provider\_aws) | >= 5.60.0 | ## Modules @@ -35,8 +35,8 @@ No modules. | [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | | [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | | [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | ## Inputs 
@@ -44,12 +44,13 @@ No modules. |------|-------------|------|---------|:--------:| | [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | | [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | +| [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | | [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no | -| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no | +| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
"product": "sysdig"
}
{| no | -| [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no | +| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | ## Outputs
diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf
index d644035..ae765a3 100644
--- a/modules/services/trust-relationship/main.tf
+++ b/modules/services/trust-relationship/main.tf
@@ -206,7 +206,10 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
 organizational_unit_ids = local.org_units_to_deploy
 }
 operation_preferences {
- max_concurrent_count = 10
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ # Roles are not regional and hence do not need regional parallelism
 }
 timeouts {
diff --git a/modules/services/trust-relationship/variables.tf b/modules/services/trust-relationship/variables.tf
index 72eeace..15ea238 100644
--- a/modules/services/trust-relationship/variables.tf
+++ b/modules/services/trust-relationship/variables.tf
@@ -49,4 +49,10 @@ variable "timeout" {
 type = string
 description = "Default timeout values for create, update, and delete operations"
 default = "30m"
-}
\ No newline at end of file
+}
+
+variable "failure_tolerance_percentage" {
+ type = number
+ description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+ default = 90
+}
diff --git a/modules/services/trust-relationship/versions.tf b/modules/services/trust-relationship/versions.tf
index 987ef51..8892dbe 100644
--- a/modules/services/trust-relationship/versions.tf
+++ b/modules/services/trust-relationship/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.62.0"
+ version = ">= 5.60.0"
 }
 }
 }
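Review bot: The trust-relationship module's new `failure_tolerance_percentage` variable has no `validation` and defaults to 90, so the organizational StackSet that creates the Sysdig read-only role can leave up to 90 % of member accounts per Region without the role and still report success, and a value outside 0–100 or a non-integer is only rejected by CloudFormation at apply time. Since this role is what gives the platform visibility into each account, missing accounts are a blind spot, not a cosmetic failure; add `condition = var.failure_tolerance_percentage >= 0 && var.failure_tolerance_percentage <= 100 && floor(var.failure_tolerance_percentage) == var.failure_tolerance_percentage` with an `error_message`, and say in the description that a successful apply with the default does not imply every account was instrumented.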
diff --git a/modules/services/workload-scanning/README.md b/modules/services/workload-scanning/README.md index d537a8a..6f67d7b 100644 --- a/modules/services/workload-scanning/README.md +++ b/modules/services/workload-scanning/README.md @@ -9,16 +9,16 @@ pull images from ECR. ## Requirements -| Name | Version | -|------|-----------| -| [terraform](#requirement\_terraform) | >= 1.2.0 | -| [aws](#requirement\_aws) | >= 4.39.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.7 | +| [aws](#requirement\_aws) | >= 5.60.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.39.0 | +| [aws](#provider\_aws) | >= 5.60.0 | ## Modules 
@@ -26,36 +26,38 @@ No modules. ## Resources -| Name | Type | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------| -| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | -| [aws_cloudformation_stack_set_registry.scanning_role_stackset_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | -| [aws_iam_policy.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| Name | Type | +|------|------| +| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | +| [aws_cloudformation_stack_set_instance.scanning_role_stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | +| 
[aws_iam_policy.ecr_scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:| -| [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no | -| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | -| [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. 
Must be set if deploy_global_resources is false | `string` | `""` | no | -| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | -| [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-workload-scanning"` | no | -| [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | -| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
"product": "sysdig-secure-for-cloud"
}
{| no | -| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | -| [timeout](#input\_timeout) | Stackset instance timeout | `string` | `"30m"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [trusted\_identity](#input\_trusted\_identity) | This value should be provided by Sysdig. The field refers to Sysdig's IAM role that will be authorized to pull ECR images | `string` | n/a | yes | +| [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no | +| [ecr\_role\_name](#input\_ecr\_role\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-workload-scanning"` | no | +| [external\_id](#input\_external\_id) | (Optional) This value should be provided by Sysdig. External ID is optional information that you can use in an IAM role trust policy to designate who in Sysdig can assume the role. | `string` | `null` | no | +| [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | +| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no | +| [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. 
This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no | +| [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy\_global\_resources is false | `string` | `""` | no | +| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
"product": "sysdig-secure-for-cloud"
}
{| no | +| [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | ## Outputs -| Name | Description | -|------|---------------------------------------------------------------------| -| [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Workload Scanning | +| Name | Description | +|------|-------------| +| [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Agentless Workload Scanning | +| [validate\_deploy\_global\_resources](#output\_validate\_deploy\_global\_resources) | n/a | ## Authors
diff --git a/modules/services/workload-scanning/organizational.tf b/modules/services/workload-scanning/organizational.tf
index 1080580..cb8097c 100644
--- a/modules/services/workload-scanning/organizational.tf
+++ b/modules/services/workload-scanning/organizational.tf
@@ -87,7 +87,10 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
 organizational_unit_ids = local.organizational_unit_ids
 }
 operation_preferences {
- max_concurrent_count = 10
+ max_concurrent_percentage = 100
+ failure_tolerance_percentage = var.failure_tolerance_percentage
+ concurrency_mode = "SOFT_FAILURE_TOLERANCE"
+ # Roles are not regional and hence do not need regional parallelism
 }
 timeouts {
diff --git a/modules/services/workload-scanning/variables.tf b/modules/services/workload-scanning/variables.tf
index c3fde8b..4483a0b 100644
--- a/modules/services/workload-scanning/variables.tf
+++ b/modules/services/workload-scanning/variables.tf
@@ -51,4 +51,10 @@ variable "timeout" {
 type = string
 description = "Default timeout values for create, update, and delete operations"
 default = "30m"
-}
\ No newline at end of file
+}
+
+variable "failure_tolerance_percentage" {
+ type = number
+ description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+ default = 90
+}
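Review bot: The workload-scanning `failure_tolerance_percentage` variable is an unconstrained `number` defaulting to 90, so the OU-wide StackSet that creates the ECR scanning role may skip up to 90 % of accounts per Region and the apply still succeeds, and an invalid value (fraction, negative, above 100) surfaces only as a CloudFormation API error at apply. Add a `validation` block with `condition = var.failure_tolerance_percentage >= 0 && var.failure_tolerance_percentage <= 100 && floor(var.failure_tolerance_percentage) == var.failure_tolerance_percentage` and an `error_message`, and note in the description that with the default a successful apply does not mean every account's images will be scanned; images in skipped accounts are simply never pulled.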
diff --git a/modules/services/workload-scanning/versions.tf b/modules/services/workload-scanning/versions.tf
index bd4ef84..c402eab 100644
--- a/modules/services/workload-scanning/versions.tf
+++ b/modules/services/workload-scanning/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 5.0"
+ version = ">= 5.60.0"
 }
 }
 }
"product": "sysdig-secure-for-cloud"
}