diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
index ca1f6d4be9..393102abd0 100644
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@@ -30,6 +30,7 @@ env:
TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
+ TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}
permissions:
id-token: write
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/free.tf b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
index 12a9ecd6a8..ba6d77514c 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/free.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
@@ -53,7 +53,7 @@ module "free" {
cluster_name = local.customer_free
}
fleet_config = {
- image = local.fleet_image
+ image = local.geolite2_image
family = local.customer_free
security_group_name = local.customer_free
autoscaling = {
@@ -75,7 +75,7 @@ module "free" {
}
}
extra_iam_policies = module.ses-free.fleet_extra_iam_policies
- extra_environment_variables = merge(module.ses-free.fleet_extra_environment_variables, local.extra_environment_variables_free)
+ extra_environment_variables = merge(module.ses-free.fleet_extra_environment_variables, local.extra_environment_variables_free, module.geolite2.extra_environment_variables)
}
alb_config = {
name = local.customer_free
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 353cff63e0..2443ac833f 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -32,6 +32,7 @@ variable "fleet_license" {}
variable "fleet_image" {
default = "160035666661.dkr.ecr.us-east-2.amazonaws.com/fleet:1f68e7a5e39339d763da26a0c8ae3e459b2e1f016538d7962312310493381f7c"
}
+variable "geolite2_license" {}
variable "fleet_sentry_dsn" {}
variable "elastic_url" {}
variable "elastic_token" {}
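Review bot: The added `variable "geolite2_license" {}` declares a credential with no type and without `sensitive = true`, so the MaxMind key can be printed in clear in `terraform plan`/`apply` output and therefore in the CI log; the same applies to `license_key` in terraform/addons/geolite2/variables.tf, which is the variable this value is passed into. Suggest declaring it as `variable "geolite2_license" {` / `type = string` / `sensitive = true` / `}` in both places (`sensitive` is available since Terraform 0.14; the version pinned for this root module is not visible in the diff). The neighbouring variables keep the bare `{}` style, so this is a deliberate departure only for the one value that is a secret.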
@@ -41,6 +42,7 @@ data "aws_caller_identity" "current" {}
locals {
customer = "fleet-dogfood"
fleet_image = var.fleet_image # Set this to the version of fleet to be deployed
+ geolite2_image = "${aws_ecr_repository.fleet.repository_url}:${split(":", var.fleet_image)[1]}-geolite2"
extra_environment_variables = {
FLEET_LICENSE_KEY = var.fleet_license
FLEET_LOGGING_DEBUG = "true"
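Review bot: `split(":", var.fleet_image)[1]` on the added `geolite2_image` line assumes the image reference contains exactly one colon with the tag after it. That holds for the default shown in the previous hunk (`…amazonaws.com/fleet:<tag>`), but a reference with a registry port (`host:5000/fleet:tag`) would silently produce `5000/fleet` as the tag part, and an untagged reference fails with an index error at plan time. Taking the last colon-delimited segment removes the first problem, e.g. `geolite2_image = "${aws_ecr_repository.fleet.repository_url}:${regex(":([^:/]+)$", var.fleet_image)[0]}-geolite2"`, and a `validation` block on `fleet_image` would make the "must carry a tag" requirement explicit. `aws_ecr_repository.fleet` is defined outside this hunk, so I have not checked that it is the repository the workflow is authorised to push to.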
@@ -89,7 +91,7 @@ module "main" {
cluster_name = local.customer
}
fleet_config = {
- image = local.fleet_image
+ image = local.geolite2_image
family = local.customer
autoscaling = {
min_capacity = 2
@@ -111,7 +113,7 @@ module "main" {
}
extra_iam_policies = concat(module.firehose-logging.fleet_extra_iam_policies, module.osquery-carve.fleet_extra_iam_policies, module.ses.fleet_extra_iam_policies)
extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies, [aws_iam_policy.sentry.arn]) #, module.saml_auth_proxy.fleet_extra_execution_policies)
- extra_environment_variables = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, module.ses.fleet_extra_environment_variables, local.extra_environment_variables)
+ extra_environment_variables = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, module.ses.fleet_extra_environment_variables, local.extra_environment_variables, module.geolite2.extra_environment_variables)
extra_secrets = merge(module.mdm.extra_secrets, local.sentry_secrets)
# extra_load_balancers = [{
# target_group_arn = module.saml_auth_proxy.lb_target_group_arn
@@ -425,4 +427,9 @@ resource "aws_s3_object" "idp_metadata" {
acl = "public-read"
}
-
+module "geolite2" {
+ source = "github.com/fleetdm/fleet//terraform/addons/geolite2?ref=tf-mod-addon-geolite2-v1.0.0"
+ fleet_image = var.fleet_image
+ destination_image = local.geolite2_image
+ license_key = var.geolite2_license
+}
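Review bot: The `source` of the new `module "geolite2"` block pins `?ref=tf-mod-addon-geolite2-v1.0.0`, a git tag rather than a commit, so the module contents can change without any diff in this file if the tag is moved; because the ref points at the same repository the risk is low, but pinning `?ref=<commit sha>` (placeholder) would make the dogfood deploy reproducible. It is also worth a comment above the block noting that this module runs a Docker build on the machine executing terraform and pushes to the ECR repository, so it needs a reachable Docker daemon and registry credentials — neither is configured in this diff, presumably they come from the workflow or provider configuration outside the hunk.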
diff --git a/terraform/addons/geolite2/.header.md b/terraform/addons/geolite2/.header.md
new file mode 100644
index 0000000000..89585fd96b
--- /dev/null
+++ b/terraform/addons/geolite2/.header.md
@@ -0,0 +1,9 @@
+# Geoip Terraform module for Fleet
+
+This module adds Geoip data to the Fleet docker image for use with the Fleet Terraform module.
+
+See the [documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration#geoip) for some basic information about what happens under the hood.
+
+You will need to supply a Maxmind license key and a destination docker registry (such as ECR) to hold the new image.
+
+Outputs will be added to the environment variables in Fleet via the `extra_environment_variables` list.
diff --git a/terraform/addons/geolite2/.terraform-docs.yml b/terraform/addons/geolite2/.terraform-docs.yml
new file mode 100644
index 0000000000..1d139ddb40
--- /dev/null
+++ b/terraform/addons/geolite2/.terraform-docs.yml
@@ -0,0 +1 @@
+header-from: .header.md
diff --git a/terraform/addons/geolite2/Dockerfile b/terraform/addons/geolite2/Dockerfile
new file mode 100644
index 0000000000..aa746d4964
--- /dev/null
+++ b/terraform/addons/geolite2/Dockerfile
@@ -0,0 +1,17 @@
+ARG FLEET_IMAGE
+
+FROM ${FLEET_IMAGE}
+
+ARG LICENSE_KEY
+USER root
+
+RUN mkdir -p /opt/GeoLite2 && cd /opt/GeoLite2 &&\
+ wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${LICENSE_KEY}&suffix=tar.gz" -O GeoLite2-City.tar.gz &&\
+ wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${LICENSE_KEY}&suffix=tar.gz.sha256" -O GeoLite2-City.tar.gz.sha256 &&\
+ [ "$(awk '{ print $1 }' GeoLite2-City.tar.gz.sha256)" == "$(sha256sum GeoLite2-City.tar.gz | awk '{ print $1 }')" ] &&\
+ (tar -xzvf GeoLite2-City.tar.gz "*/GeoLite2-City.mmdb" --strip-components 1 2>/dev/null || true) &&\
+ rm -f GeoLite2-City.tar.gz*
+
+USER fleet
+# Might not be needed again, but keep it just in case
+CMD ["fleet", "serve"]
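Review bot: `ARG LICENSE_KEY` is consumed inside a `RUN` instruction, so Docker records its value in the image's layer history (it is visible with `docker history`), and that image is pushed to ECR and deployed; the same value is supplied through `build_args` in terraform/addons/geolite2/main.tf. Prefer a BuildKit secret mount (`RUN --mount=type=secret,id=license_key …` reading the key from `/run/secrets/license_key`) so the key never lands in a layer — that depends on the pinned docker provider 3.0.2 supporting build secrets, which I have not confirmed. Separately, `(tar … || true)` on the extraction line swallows a failed or empty extraction, so the build can succeed without `GeoLite2-City.mmdb` while outputs.tf still points Fleet at that path; add `test -f /opt/GeoLite2/GeoLite2-City.mmdb` after the extraction so the build fails instead. The `==` in `[ … == … ]` is not POSIX and errors out under a dash-based `/bin/sh` (the base image's shell is not visible here); `=` behaves the same on every shell.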
diff --git a/terraform/addons/geolite2/README.md b/terraform/addons/geolite2/README.md
new file mode 100644
index 0000000000..47c93f1da2
--- /dev/null
+++ b/terraform/addons/geolite2/README.md
@@ -0,0 +1,48 @@
+# Geoip Terraform module for Fleet
+
+This module adds Geoip data to the Fleet docker image for use with the Fleet Terraform module.
+
+See the [documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration#geoip) for some basic information about what happens under the hood.
+
+You will need to supply a Maxmind license key and a destination docker registry (such as ECR) to hold the new image.
+
+Outputs will be added to the environment variables in Fleet via the `extra_environment_variables` list.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [docker](#requirement\_docker) | 3.0.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [docker](#provider\_docker) | 3.0.2 |
+| [local](#provider\_local) | 2.4.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [docker_image.maxmind_fleet](https://registry.terraform.io/providers/kreuzwerker/docker/3.0.2/docs/resources/image) | resource |
+| [docker_registry_image.maxmind_fleet](https://registry.terraform.io/providers/kreuzwerker/docker/3.0.2/docs/resources/registry_image) | resource |
+| [local_file.dockerfile](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [destination\_image](#input\_destination\_image) | n/a | `string` | n/a | yes |
+| [fleet\_image](#input\_fleet\_image) | n/a | `string` | n/a | yes |
+| [license\_key](#input\_license\_key) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [extra\_environment\_variables](#output\_extra\_environment\_variables) | n/a |
diff --git a/terraform/addons/geolite2/main.tf b/terraform/addons/geolite2/main.tf
new file mode 100644
index 0000000000..aef0baebed
--- /dev/null
+++ b/terraform/addons/geolite2/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_providers {
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "3.0.2"
+ }
+ }
+}
+
+# Build the new image
+resource "docker_image" "maxmind_fleet" {
+ name = var.destination_image
+
+ build {
+ context = path.module
+ platform = "linux/amd64"
+ build_args = {
+ FLEET_IMAGE = var.fleet_image
+ LICENSE_KEY = var.license_key
+ }
+ pull_parent = true
+ }
+}
+
+# push it to the specified repo
+resource "docker_registry_image" "maxmind_fleet" {
+ triggers = {
+ fleet_digest = docker_image.maxmind_fleet.repo_digest
+ }
+ name = docker_image.maxmind_fleet.name
+ keep_remotely = true
+}
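Review bot: `docker_image.maxmind_fleet` has no `triggers`, so it is rebuilt only when its `name`, context or `build_args` change, while the Dockerfile fetches whatever GeoLite2-City edition MaxMind serves at build time; as far as I can tell the GeoIP snapshot is therefore frozen until `fleet_image` changes, even though MaxMind refreshes the data regularly. Either document that above the resource, e.g. `# Rebuilt only when the Fleet image changes; the GeoLite2 snapshot is as old as the last build`, or add a `triggers` map (like the one on `docker_registry_image` below, keyed on a date string supplied by the caller) if a periodic refresh is wanted.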
diff --git a/terraform/addons/geolite2/outputs.tf b/terraform/addons/geolite2/outputs.tf
new file mode 100644
index 0000000000..7c4e5d7ddb
--- /dev/null
+++ b/terraform/addons/geolite2/outputs.tf
@@ -0,0 +1,5 @@
+output "extra_environment_variables" {
+ value = {
+ FLEET_GEOIP_DATABASE_PATH = "/opt/GeoLite2/GeoLite2-City.mmdb"
+ }
+}
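Review bot: The `FLEET_GEOIP_DATABASE_PATH` value duplicates the path produced by the Dockerfile's `RUN` step (`/opt/GeoLite2` plus the extracted `GeoLite2-City.mmdb`) with nothing tying the two files together, so a change in either would make Fleet start with a path that does not exist. Add a comment above `value` such as `# Must match the directory and file name produced by the RUN step in Dockerfile`, and a `description` on the output so terraform-docs stops rendering `n/a` for it in the README.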
diff --git a/terraform/addons/geolite2/variables.tf b/terraform/addons/geolite2/variables.tf
new file mode 100644
index 0000000000..cae84fcbda
--- /dev/null
+++ b/terraform/addons/geolite2/variables.tf
@@ -0,0 +1,11 @@
+variable "fleet_image" {
+ type = string
+}
+
+variable "destination_image" {
+ type = string
+}
+
+variable "license_key" {
+ type = string
+}
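Review bot: None of the three variables carries a `description`, which is why the generated README Inputs table shows `n/a` for every input. One line each is enough, e.g. `description = "Fleet image to use as the build base"` on `fleet_image`, `description = "Full image reference (repository:tag) the GeoLite2-enabled image is pushed to"` on `destination_image`, and `description = "MaxMind license key used to download GeoLite2-City"` on `license_key`.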