Improve sidecar support for vuln processing

infrastructure/dogfood/terraform/aws-tf-module/main.tf

@@ -521,14 +521,16 @@ module "geolite2" {
 }
 
 module "vuln-processing" {
-  source                              = "github.com/fleetdm/fleet//terraform/addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.1.0"
+  source                              = "github.com/fleetdm/fleet//terraform/addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.2.0"
   ecs_cluster                         = module.main.byo-vpc.byo-db.byo-ecs.service.cluster
   execution_iam_role_arn              = module.main.byo-vpc.byo-db.byo-ecs.execution_iam_role_arn
   subnets                             = module.main.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].subnets
   security_groups                     = module.main.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].security_groups
   fleet_config                        = module.main.byo-vpc.byo-db.byo-ecs.fleet_config
   task_role_arn                       = module.main.byo-vpc.byo-db.byo-ecs.iam_role_arn
   fleet_server_private_key_secret_arn = module.main.byo-vpc.byo-db.byo-ecs.fleet_server_private_key_secret_arn
+  vuln_processing_task_memory         = 5120
+  vuln_processing_task_cpu            = 2048
   awslogs_config = {
     group  = module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.name
     region = module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.region

terraform/addons/external-vuln-scans/README.md

@@ -39,14 +39,18 @@ No modules.
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | The ecs cluster module that is created by the byo-db module | `any` | n/a | yes |
 | <a name="input_execution_iam_role_arn"></a> [execution\_iam\_role\_arn](#input\_execution\_iam\_role\_arn) | The ARN of the fleet execution role, this is necessary to pass role from ecs events | `any` | n/a | yes |
 | <a name="input_fleet_config"></a> [fleet\_config](#input\_fleet\_config) | The root Fleet config object | `any` | n/a | yes |
+| <a name="input_fleet_server_private_key_secret_arn"></a> [fleet\_server\_private\_key\_secret\_arn](#input\_fleet\_server\_private\_key\_secret\_arn) | The ARN of the secret that stores the Fleet private key | `string` | n/a | yes |
 | <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | n/a | `list(string)` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | n/a | `list(string)` | n/a | yes |
 | <a name="input_task_role_arn"></a> [task\_role\_arn](#input\_task\_role\_arn) | The ARN of the fleet task role, this is necessary to pass role from ecs events | `any` | n/a | yes |
 | <a name="input_vuln_processing_cpu"></a> [vuln\_processing\_cpu](#input\_vuln\_processing\_cpu) | The amount of CPU to dedicate to the vuln processing command | `number` | `1024` | no |
 | <a name="input_vuln_processing_memory"></a> [vuln\_processing\_memory](#input\_vuln\_processing\_memory) | The amount of memory to dedicate to the vuln processing command | `number` | `4096` | no |
+| <a name="input_vuln_processing_task_cpu"></a> [vuln\_processing\_task\_cpu](#input\_vuln\_processing\_task\_cpu) | The amount of CPU to dedicate to the vuln processing task including sidecars | `number` | `1024` | no |
+| <a name="input_vuln_processing_task_memory"></a> [vuln\_processing\_task\_memory](#input\_vuln\_processing\_task\_memory) | The amount of memory to dedicate to the vuln processing task including sidecars | `number` | `4096` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_extra_environment_variables"></a> [extra\_environment\_variables](#output\_extra\_environment\_variables) | n/a |
+| <a name="output_vuln_service_arn"></a> [vuln\_service\_arn](#output\_vuln\_service\_arn) | n/a |

terraform/addons/external-vuln-scans/main.tf

@@ -50,17 +50,20 @@ resource "aws_ecs_service" "fleet" {
 
 resource "aws_ecs_task_definition" "vuln-processing" {
   family                   = "${var.fleet_config.family}-vuln-processing"
-  cpu                      = var.vuln_processing_cpu
-  memory                   = var.vuln_processing_memory
+  cpu                      = var.vuln_processing_task_cpu
+  memory                   = var.vuln_processing_task_memory
   execution_role_arn       = var.execution_iam_role_arn
   task_role_arn            = var.task_role_arn
   network_mode             = "awsvpc"
+  pid_mode                 = var.fleet_config.pid_mode
   requires_compatibilities = ["FARGATE"]
 
   container_definitions = jsonencode(concat([
     {
       name                  = "fleet-vuln-processing"
       image                 = var.fleet_config.image
+      cpu                   = var.vuln_processing_cpu
+      memory                = var.vuln_processing_memory
       essential             = true
       networkMode           = "awsvpc"
       secrets               = local.secrets

terraform/addons/external-vuln-scans/outputs.tf

@@ -1,6 +1,6 @@
 output "extra_environment_variables" {
   value = {
-    FLEET_VULNERABILITIES_DISABLE_SCHEDULE  = "true"
+    FLEET_VULNERABILITIES_DISABLE_SCHEDULE = "true"
   }
 }
 

terraform/addons/external-vuln-scans/variables.tf

@@ -45,6 +45,19 @@ variable "task_role_arn" {
   description = "The ARN of the fleet task role, this is necessary to pass role from ecs events"
 }
 
+variable "vuln_processing_task_memory" {
+  // note must conform to FARGATE breakpoints https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-defs.html
+  default     = 4096
+  description = "The amount of memory to dedicate to the vuln processing task including sidecars"
+}
+
+variable "vuln_processing_task_cpu" {
+  // note must conform to FARGETE breakpoints https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-defs.html
+  default     = 1024
+  description = "The amount of CPU to dedicate to the vuln processing task including sidecars"
+}
+
+
 variable "vuln_processing_memory" {
   // note must conform to FARGATE breakpoints https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-defs.html
   default     = 4096