
How do I deploy the Steampipe Runner into an existing Gruntwork Reference Architecture?

Answer

Hi, I am using the Gruntwork Reference Architecture with CIS, and I would like to use the Steampipe Runner. What is the best way to get this accomplished?

Tracked in [ticket #109060](https://support.gruntwork.io/hc/requests/109060) (2022-07-26).

You can migrate the existing `ecs-deploy-runner` from the Service Catalog to the `ecs-deploy-runner-with-steampipe-runner` module from the [terraform-aws-ci-steampipe](https://github.com/gruntwork-io/terraform-aws-ci-steampipe/) repo using the following steps:

1. Make sure you have updated the `ecs-deploy-runner` module to version `v0.92.0` of the Service Catalog.
2. Add a new ECR repo in the shared account to hold the steampipe runner docker image.
   1. Create a new build script for building [the steampipe-runner docker image](https://github.com/gruntwork-io/terraform-aws-ci-steampipe/tree/main/modules/steampipe-runner).
      - Use the [build_deploy_runner_image.sh](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/examples/for-production/infrastructure-live/shared/us-west-2/_regional/container_images/build_deploy_runner_image.sh) script as a starting point.
   2. Build the steampipe runner docker image by invoking the build script.
   3. Replace the module source to point to the `ecs-deploy-runner-with-steampipe-runner` module. We recommend doing this in the `_envcommon/mgmt/ecs-deploy-runner.hcl` file.
   4. Add [the configuration inputs for the steampipe runner](https://github.com/gruntwork-io/terraform-aws-ci-steampipe/blob/main/modules/ecs-deploy-runner-with-steampipe-runner/variables.tf#L16-L96) in the envcommon file.
3. Add an invoke schedule for periodically invoking the steampipe runner to run the checks. You can use the following as a starting point:

   ```
   invoke_schedule = {
     run_cis_checks = {
       container_name      = "steampipe-runner"
       script              = "run-steampipe-mod-check"
       args                = "--repo https://github.com/turbot/steampipe-mod-aws-compliance.git --ref v0.42 --check-selector benchmark.cis_v140 --output none --publish-to-securityhub"
       schedule_expression = "cron(0 0,6,12,18 * * ? *)"
     }
   }
   ```

4. In each ECS Deploy Runner deployment:
   - Migrate the state of the standard ECS Deploy Runner to fit the steampipe runner state:

     ```
     terragrunt state mv module.ecs_deploy_runner module.tmp
     terragrunt state mv module.tmp module.standard_ecs_deploy_runner.module.ecs_deploy_runner
     terragrunt state mv module.shared_secrets_kms_grants module.standard_ecs_deploy_runner.module.shared_secrets_kms_grants
     ```

   - Run `terragrunt plan` and make sure there are no destroy actions.
   - Run `terragrunt apply`.
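The "no destroy actions" check in step 4 is easy to miss by eye on a long plan. The script below is an added example (not Gruntwork's code) that reads the JSON form of the plan (`terragrunt plan -out=plan.tfplan && terragrunt show -json plan.tfplan > plan.json`) and fails if any resource would be deleted or replaced; the embedded sample plan is constructed and shows what a forgotten `state mv` of `module.shared_secrets_kms_grants` looks like.

```python
import json
import sys

# Constructed sample of `terragrunt show -json plan.tfplan` output (not real
# output from the deploy runner): one resource already at its post-migration
# address, plus the delete/create pair you get when the third `state mv`
# (module.shared_secrets_kms_grants) was skipped.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "module.standard_ecs_deploy_runner.module.ecs_deploy_runner.aws_ecs_cluster.example",
         "change": {"actions": ["no-op"]}},
        {"address": "module.shared_secrets_kms_grants.aws_kms_grant.example",
         "change": {"actions": ["delete"]}},
        {"address": "module.standard_ecs_deploy_runner.module.shared_secrets_kms_grants.aws_kms_grant.example",
         "change": {"actions": ["create"]}},
    ],
}


def destructive_changes(plan):
    """Return [(address, actions)] for each resource the plan would delete or
    replace. A replacement appears as ["delete", "create"] or
    ["create", "delete"], so any "delete" entry counts as destructive."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            found.append((rc["address"], actions))
    return found


def main(argv):
    path = argv[1] if len(argv) > 1 else "plan.json"
    with open(path, encoding="utf-8") as fh:
        plan = json.load(fh)
    bad = destructive_changes(plan)
    for address, actions in bad:
        print(f"DESTRUCTIVE {actions}: {address}")
    if bad:
        print("Plan contains destroy actions; fix the state moves before applying.")
        return 1
    print("No destroy actions in plan.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit makes the check usable as a gate in the pipeline that runs `terragrunt apply`.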