Demo packaging (#7020)

* checkin for testing

* Initial work on packaging, still need to configure fleet to use it

* Add the terraform stuff for installers

* Add iam permissions for packaging

* Add environment variables for installers to fleet

* Implement review fixes

* Add an extra state for provisioned, but not ready for customers

* Add secretsmanager stuff for apple

* fixup

* fixup

* Bugfixes

* fixup

* fixup and added some stuff to the readdme

* Add link to openapi.json in readme

infrastructure/sandbox/.terraform.lock.hcl

@@ -0,0 +1,318 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "3.18.0"
+  constraints = "3.18.0, ~> 3.18.0"
+  hashes = [
+    "h1:hsmaGs6+0AMWlEuAVjBdO8rv77K3psZQRQ2L5tRXTqI=",
+    "zh:0de7001183fa716a5eb69d17a873d6fa3d36c62f122fe5f36f011e94286f58b3",
+    "zh:0e75940486ffd8234030801da20c3b46242a2cbda455e6d3913d009638b8bdd5",
+    "zh:0ff02d93ee1222eacba113647e4a817e2a41c3a1add97a292f826d80da568b72",
+    "zh:1125b90ed5499874ff0ca399a7716c94affa5dbfe0098afee14647f2ba6bada0",
+    "zh:64bb8e62cdb9635c76a0cf2d2e0c3b00b28bac7a19eba8ade460c4b12c0a8a13",
+    "zh:6705b9fc0e08d1da96b756729ba3aaa2724d16153b261f6d4ebbb9cb300c49cb",
+    "zh:6a7877593e103e4d178c056d43f5659aaf5778a37d58f3a5223e447bbff05e24",
+    "zh:708439ccc8b7bb64695ed631b37b4543c7429d765bc6d5131fcfd1378baf2039",
+    "zh:7b17bda86b18dee0fd38bf30d95cd78321f5717e5ea6833cfa67be1d899620a2",
+    "zh:880951986c10afcd1f6154de905b1994a22a43afb7188362ab6c5de573ef4149",
+    "zh:912b18dd6902a2880e9c787749985e5844aad6986f05293931501467a32b3209",
+    "zh:9f3feac3d9e529fa92d9dc9b0cdc4dd5581a8a2ef0925b15ac899b0021646b0c",
+    "zh:c8ba5584e2c596352a0f3de223026d26bcd72e607c418c4eadbdf94cbd5b4d22",
+    "zh:d13ebc676b9964e69b3ea421dbb03bf30c957d78e35f0839e50f27ac5c4316ed",
+  ]
+}
+
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.14.0"
+  constraints = ">= 1.7.0, >= 1.13.1"
+  hashes = [
+    "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=",
+    "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858",
+    "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030",
+    "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5",
+    "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4",
+    "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5",
+    "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5",
+    "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf",
+    "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93",
+    "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/archive" {
+  version = "2.2.0"
+  hashes = [
+    "h1:CIWi5G6ob7p2wWoThRQbOB8AbmFlCzp7Ka81hR3cVp0=",
+    "zh:06bd875932288f235c16e2237142b493c2c2b6aba0e82e8c85068332a8d2a29e",
+    "zh:0c681b481372afcaefddacc7ccdf1d3bb3a0c0d4678a526bc8b02d0c331479bc",
+    "zh:100fc5b3fc01ea463533d7bbfb01cb7113947a969a4ec12e27f5b2be49884d6c",
+    "zh:55c0d7ddddbd0a46d57c51fcfa9b91f14eed081a45101dbfc7fd9d2278aa1403",
+    "zh:73a5dd68379119167934c48afa1101b09abad2deb436cd5c446733e705869d6b",
+    "zh:841fc4ac6dc3479981330974d44ad2341deada8a5ff9e3b1b4510702dfbdbed9",
+    "zh:91be62c9b41edb137f7f835491183628d484e9d6efa82fcb75cfa538c92791c5",
+    "zh:acd5f442bd88d67eb948b18dc2ed421c6c3faee62d3a12200e442bfff0aa7d8b",
+    "zh:ad5720da5524641ad718a565694821be5f61f68f1c3c5d2cfa24426b8e774bef",
+    "zh:e63f12ea938520b3f83634fc29da28d92eed5cfbc5cc8ca08281a6a9c36cca65",
+    "zh:f6542918faa115df46474a36aabb4c3899650bea036b5f8a5e296be6f8f25767",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.10.0"
+  constraints = ">= 3.63.0, >= 3.66.0, >= 3.72.0, >= 4.3.0, ~> 4.10.0"
+  hashes = [
+    "h1:S6xGPRL08YEuBdemiYZyIBf/YwM4OCvzVuaiuU6kLjc=",
+    "zh:0a2a7eabfeb7dbb17b7f82aff3fa2ba51e836c15e5be4f5468ea44bd1299b48d",
+    "zh:23409c7205d13d2d68b5528e1c49e0a0455d99bbfec61eb0201142beffaa81f7",
+    "zh:3adad2245d97816f3919778b52c58fb2de130938a3e9081358bfbb72ec478d9a",
+    "zh:5bf100aba6332f24b1ffeae7536d5d489bb907bf774a06b95f2183089eaf1a1a",
+    "zh:63c3a24c0c229a1d3390e6ea2454ba4d8ace9b94e086bee1dbdcf665ae969e15",
+    "zh:6b76f5ffd920f0a750da3a4ff1d00eab18d9cd3731b009aae3df4135613bad4d",
+    "zh:8cd6b1e6b51e8e9bbe2944bb169f113d20d1d72d07ccd1b7b83f40b3c958233e",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:c5c31f58fb5bd6aebc6c662a4693640ec763cb3399cce0b592101cf24ece1625",
+    "zh:cc485410be43d6ad95d81b9e54cc4d2117aadf9bf5941165a9df26565d9cce42",
+    "zh:cebb89c74b6a3dc6780824b1d1e2a8d16a51e75679e14ad0b830d9f7da1a3a67",
+    "zh:e7dc427189cb491e1f96e295101964415cbf8630395ee51e396d2a811f365237",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/cloudinit" {
+  version     = "2.2.0"
+  constraints = ">= 2.0.0"
+  hashes = [
+    "h1:tQLNREqesrdCQ/bIJnl0+yUK+XfdWzAG0wo4lp10LvM=",
+    "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96",
+    "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d",
+    "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9",
+    "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472",
+    "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f",
+    "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb",
+    "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a",
+    "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c",
+    "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c",
+    "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517",
+    "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/external" {
+  version     = "2.2.2"
+  constraints = ">= 1.0.0"
+  hashes = [
+    "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=",
+    "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca",
+    "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28",
+    "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b",
+    "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327",
+    "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955",
+    "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb",
+    "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0",
+    "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a",
+    "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372",
+    "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.6.0"
+  constraints = ">= 2.4.1"
+  hashes = [
+    "h1:rGVucCeYAqklKupwoLVG5VPQTIkUhO7WGcw3WuHYrm8=",
+    "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8",
+    "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5",
+    "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b",
+    "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381",
+    "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c",
+    "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814",
+    "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456",
+    "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5",
+    "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44",
+    "zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c",
+    "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "2.12.1"
+  constraints = ">= 2.10.0"
+  hashes = [
+    "h1:6ZgqegUao9WcfVzYg7taxCQOQldTmMVw0HqjG5S46OY=",
+    "zh:1ecb2adff52754fb4680c7cfe6143d1d8c264b00bb0c44f07f5583b1c7f978b8",
+    "zh:1fbd155088cd5818ad5874e4d59ccf1801e4e1961ac0711442b963315f1967ab",
+    "zh:29e927c7c8f112ee0e8ab70e71b498f2f2ae6f47df1a14e6fd0fdb6f14b57c00",
+    "zh:42c2f421da6b5b7c997e42aa04ca1457fceb13dd66099a057057a0812b680836",
+    "zh:522a7bccd5cd7acbb4ec3ef077d47f4888df7e59ff9f3d598b717ad3ee4fe9c9",
+    "zh:b45d8dc5dcbc5e30ae570d0c2e198505f47d09098dfd5f004871be8262e6ec1e",
+    "zh:c3ea0943f2050001c7d6a7115b9b990f148b082ebfc4ff3c2ff3463a8affcc4a",
+    "zh:f111833a64e06659d2e21864de39b7b7dec462615294d02f04c777956742a930",
+    "zh:f182dba5707b90b0952d5984c23f7a2da3baa62b4d71e78df7759f16cc88d957",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f76655a68680887daceabd947b2f68e2103f5bbec49a2bc29530f82ab8e3bca3",
+    "zh:fadb77352caa570bd3259dfb59c31db614d55bc96df0ff15a3c0cd2e685678b9",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version     = "2.2.3"
+  constraints = ">= 2.1.0"
+  hashes = [
+    "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=",
+    "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0",
+    "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa",
+    "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797",
+    "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb",
+    "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3",
+    "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c",
+    "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8",
+    "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e",
+    "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9",
+    "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version     = "3.1.1"
+  constraints = ">= 3.1.0"
+  hashes = [
+    "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=",
+    "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597",
+    "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf",
+    "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e",
+    "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa",
+    "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5",
+    "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4",
+    "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46",
+    "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924",
+    "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b",
+    "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.1.3"
+  constraints = ">= 2.2.0, ~> 3.1.2"
+  hashes = [
+    "h1:nLWniS8xhb32qRQy+n4bDPjQ7YWZPVMR3v1vSrx7QyY=",
+    "zh:26e07aa32e403303fc212a4367b4d67188ac965c37a9812e07acee1470687a73",
+    "zh:27386f48e9c9d849fbb5a8828d461fde35e71f6b6c9fc235bc4ae8403eb9c92d",
+    "zh:5f4edda4c94240297bbd9b83618fd362348cadf6bf24ea65ea0e1844d7ccedc0",
+    "zh:646313a907126cd5e69f6a9fafe816e9154fccdc04541e06fed02bb3a8fa2d2e",
+    "zh:7349692932a5d462f8dee1500ab60401594dddb94e9aa6bf6c4c0bd53e91bbb8",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9034daba8d9b32b35930d168f363af04cecb153d5849a7e4a5966c97c5dc956e",
+    "zh:bb81dfca59ef5f949ef39f19ea4f4de25479907abc28cdaa36d12ecd7c0a9699",
+    "zh:bcf7806b99b4c248439ae02c8e21f77aff9fadbc019ce619b929eef09d1221bb",
+    "zh:d708e14d169e61f326535dd08eecd3811cd4942555a6f8efabc37dbff9c6fc61",
+    "zh:dc294e19a46e1cefb9e557a7b789c8dd8f319beca99b8c265181bc633dc434cc",
+    "zh:f9d758ee53c55dc016dd736427b6b0c3c8eb4d0dbbc785b6a3579b0ffedd9e42",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version = "0.7.2"
+  hashes = [
+    "h1:YYLAfhMFP5nhV2iZPslqsLkZN+6sZo7gMJW7pLcLfM8=",
+    "zh:0bbe0158c2a9e3f5be911b7e94477586110c51746bb13d102054f22754565bda",
+    "zh:3250af7fd49b8aaf2ccc895588af05197d886e38b727e3ba33bcbb8cc96ad34d",
+    "zh:35e4de0437f4fa9c1ad69aaf8136413be2369ea607d78e04bb68dc66a6a520b8",
+    "zh:369756417a6272e79cad31eb2c82c202f6a4b6e4204a893f656644ba9e149fa2",
+    "zh:390370f1179d89b33c3a0731691e772d5450a7d59fc66671ec625e201db74aa2",
+    "zh:3d12ac905259d225c685bc42e5507ed0fbdaa5a09c30dce7c1932d908df857f7",
+    "zh:75f63e5e1c68e6c5bccba4568c3564e2774eb3a7a19189eb8e2b6e0d58c8f8cc",
+    "zh:7c22a2078a608e3e0278c4cbc9c483909062ebd1843bddaf8f176346c6d378b1",
+    "zh:7cfb3c02f78f0060d59c757c4726ab45a962ce4a9cf4833beca704a1020785bd",
+    "zh:a0325917f47c28a2ed088dedcea0d9520d91b264e63cc667fe4336ac993c0c11",
+    "zh:c181551d4c0a40b52e236f1755cc340aeca0fb5dcfd08b3b1c393a7667d2f327",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version     = "3.4.0"
+  constraints = ">= 3.0.0"
+  hashes = [
+    "h1:oyllIA9rNGCFtClSyBitUIzCXdnKtspVepdsvpLlfys=",
+    "zh:2442a0df0cfb550b8eba9b2af39ac06f54b62447eb369ecc6b1c29f739b33bbb",
+    "zh:3ebb82cacb677a099de55f844f0d02886bc804b1a2b94441bc40fabcb64d2a38",
+    "zh:436125c2a7e66bc62a4a7c68bdca694f071d7aa894e8637dc83f4a68fe322546",
+    "zh:5f03db9f1d77e8274ff4750ae32d5c16c42b862b06bcb0683e4d733c8db922e4",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:8190142ae8a539ab34193b7e75da0fa04035d1dcd8af8be94df1eafeeffb44b6",
+    "zh:8cdc7cd9221e27c189e5beaf78462fce4c2edb081f415a1eafc6da2949de31e2",
+    "zh:a5de0f7f5d63c59ebf61d3c1d94040f410665ff0aa04f66674efe24b39a11f94",
+    "zh:a9fce48db3c140cc3e06f8a3c7ef4d36735e457e7660442d6d5dcd2b0781adc3",
+    "zh:beb92de584c790c7c7f047e45ccd22b6ee3263c7b5a91ae4d6882ae6e7700570",
+    "zh:f373f8cc52846fb513f44f468d885f722ca4dc22af9ff1942368cafd16b796b3",
+    "zh:f69627fd6e5a920b17ff423cdbad2715078ca6d13146dc67668795582ab43748",
+  ]
+}
+
+provider "registry.terraform.io/kreuzwerker/docker" {
+  version     = "2.16.0"
+  constraints = "~> 2.16.0"
+  hashes = [
+    "h1:OcTn2QyCQNjDiJYy1vqQFmz2dxJdOF/2/HBXBvGxU2E=",
+    "zh:0ff8aa7884c6dae90e6f245bb9d37898735f89e095ba53413f2f364db4d11a77",
+    "zh:4101f4c909477f3a8225829b7063e5c5a2e2986a6163e0f113af040b5feab61f",
+    "zh:59db110d2b6c620cc12a1741d81ed8d1dd7fb0540024428fefbb57e8bebe5b60",
+    "zh:6e134983f195ea0273ac042f0a2df14158d676a24e8dd140ca0357f3efc3fd61",
+    "zh:7de1de3cc1eacb2ef2693207f5c5f54fa4814ae8c024b8b3c2a0923c82fd6f14",
+    "zh:a6659fbc7c45fbb60c7c9bf06724eb6084711f1b79c720ef8512a4367e63cbe5",
+    "zh:ae97c721431517d8c71f8cede91d734d2f2372a1bfef0c3bba43b54c0f8b1cee",
+    "zh:b3cbd47d5f0cb522b6dd3561ccd2f491fb6afb577372718e0663d12cfeef30e9",
+    "zh:b64af7c6ad8870c11677874f6cd13322aa03d2190391a120be17304ca324ea1c",
+    "zh:c363747bae968af997eaf22193168451523e92b59aee8aee135d3b27db132366",
+    "zh:c40721250642157b2a72d8db44fa09de0f7635ba4b0e2ebf5527570f3988e62f",
+    "zh:e97707609e346bf463d539099faa8790f2f453cfbd0b880327b6eae16ca4f213",
+    "zh:f4a23ce27cb430f91895466b3e2d132c534fa2b58808f6771235d76e696f4972",
+    "zh:fd634e973eb2b6483a1ce9251801a393d04cb496f8e83ffcf3f0c4cad8c18f4c",
+  ]
+}
+
+provider "registry.terraform.io/paultyng/git" {
+  version     = "0.1.0"
+  constraints = "~> 0.1.0"
+  hashes = [
+    "h1:nz3VfU3LHDUQFdILoXq8O0FWbQZfCmXhpQOTKRRzEaY=",
+    "zh:0d593ac990f711171875ba5fc838f0087df84ddb1c69154ee630def5984931ea",
+    "zh:3895c2719f42e93fc993474859b34de87d90e2c47dfb757d435b9b57945195e4",
+    "zh:3a90ce559a3589628a2d6820a9d76a354763c268b0c173982ff773e022032856",
+    "zh:42339a6084095e37d0c843907dcabe66989949ea3f0025f6f1f9d8583d7da779",
+    "zh:435522beccaedf89bc39eed495393194b43156d1730ef45c29faa584552dc355",
+    "zh:87b4ee4f521283daaa0d63dd7949dc59f700b92e246e4aeb06510c01842a3c8b",
+    "zh:997aca77ddc1411dd601ea1fa2e455be9531c3e3c0f0917e8f2423ffd4ffb9ba",
+    "zh:a70e98ce6ef7a8256286ab791bc231777b76c8f038da4b9eccf399d2b22051fb",
+    "zh:af9301520e8befe3ec6d1125e10cc0724b318590f5680f12032c8bdc3b0c827d",
+    "zh:d995a3b8eaa5ac61744d49127fbf68b4c32e16d3c67d570edda2af26113b92a5",
+    "zh:e8b5c7354a02c54efc026d8289ce9d3784f58abd673a78e80bd4fb073dd75101",
+  ]
+}
+
+provider "registry.terraform.io/terraform-aws-modules/http" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:ZnkXcawrIr611RvZpoDzbtPU7SVFyHym+7p1t+PQh20=",
+    "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697",
+    "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204",
+    "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d",
+    "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb",
+    "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05",
+    "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304",
+    "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b",
+    "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a",
+    "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0",
+    "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f",
+    "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d",
+    "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568",
+    "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a",
+  ]
+}

infrastructure/sandbox/PreProvisioner/lambda/Dockerfile

@@ -1,5 +1,31 @@
-FROM golang:1.18-alpine AS builder
-RUN apk update && apk add --no-cache git curl openssl unzip
+FROM rust:latest AS builder
+
+ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
+
+RUN cargo install apple-codesign \
+  && curl -sSf $transporter_url -o transporter_install.sh \
+  && sh transporter_install.sh --target transporter --accept --noexec
+
+FROM golang:1.18.4-bullseye
+
+RUN apt-get update \
+  && dpkg --add-architecture i386 \
+  && apt update \
+  && apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \
+  && rm -rf /var/lib/apt/lists/* 
+
+# copy macOS dependencies
+COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/
+COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/
+COPY --from=builder /transporter/itms /usr/local/
+COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin
+
+# copy Windows dependencies
+COPY --from=fleetdm/wix:latest /home/wine /home/wine
+
+ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all
+
+RUN apt update; apt install -y curl openssl unzip
 WORKDIR /build
 COPY . .
 RUN go get -d -v

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/.terraform.lock.hcl

@@ -0,0 +1,84 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.10.0"
+  constraints = "~> 4.10.0"
+  hashes = [
+    "h1:S6xGPRL08YEuBdemiYZyIBf/YwM4OCvzVuaiuU6kLjc=",
+    "zh:0a2a7eabfeb7dbb17b7f82aff3fa2ba51e836c15e5be4f5468ea44bd1299b48d",
+    "zh:23409c7205d13d2d68b5528e1c49e0a0455d99bbfec61eb0201142beffaa81f7",
+    "zh:3adad2245d97816f3919778b52c58fb2de130938a3e9081358bfbb72ec478d9a",
+    "zh:5bf100aba6332f24b1ffeae7536d5d489bb907bf774a06b95f2183089eaf1a1a",
+    "zh:63c3a24c0c229a1d3390e6ea2454ba4d8ace9b94e086bee1dbdcf665ae969e15",
+    "zh:6b76f5ffd920f0a750da3a4ff1d00eab18d9cd3731b009aae3df4135613bad4d",
+    "zh:8cd6b1e6b51e8e9bbe2944bb169f113d20d1d72d07ccd1b7b83f40b3c958233e",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:c5c31f58fb5bd6aebc6c662a4693640ec763cb3399cce0b592101cf24ece1625",
+    "zh:cc485410be43d6ad95d81b9e54cc4d2117aadf9bf5941165a9df26565d9cce42",
+    "zh:cebb89c74b6a3dc6780824b1d1e2a8d16a51e75679e14ad0b830d9f7da1a3a67",
+    "zh:e7dc427189cb491e1f96e295101964415cbf8630395ee51e396d2a811f365237",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.5.1"
+  constraints = "2.5.1"
+  hashes = [
+    "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=",
+    "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9",
+    "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669",
+    "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c",
+    "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933",
+    "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c",
+    "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2",
+    "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f",
+    "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436",
+    "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a",
+    "zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936",
+    "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.1.3"
+  constraints = "~> 3.1.2"
+  hashes = [
+    "h1:nLWniS8xhb32qRQy+n4bDPjQ7YWZPVMR3v1vSrx7QyY=",
+    "zh:26e07aa32e403303fc212a4367b4d67188ac965c37a9812e07acee1470687a73",
+    "zh:27386f48e9c9d849fbb5a8828d461fde35e71f6b6c9fc235bc4ae8403eb9c92d",
+    "zh:5f4edda4c94240297bbd9b83618fd362348cadf6bf24ea65ea0e1844d7ccedc0",
+    "zh:646313a907126cd5e69f6a9fafe816e9154fccdc04541e06fed02bb3a8fa2d2e",
+    "zh:7349692932a5d462f8dee1500ab60401594dddb94e9aa6bf6c4c0bd53e91bbb8",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9034daba8d9b32b35930d168f363af04cecb153d5849a7e4a5966c97c5dc956e",
+    "zh:bb81dfca59ef5f949ef39f19ea4f4de25479907abc28cdaa36d12ecd7c0a9699",
+    "zh:bcf7806b99b4c248439ae02c8e21f77aff9fadbc019ce619b929eef09d1221bb",
+    "zh:d708e14d169e61f326535dd08eecd3811cd4942555a6f8efabc37dbff9c6fc61",
+    "zh:dc294e19a46e1cefb9e557a7b789c8dd8f319beca99b8c265181bc633dc434cc",
+    "zh:f9d758ee53c55dc016dd736427b6b0c3c8eb4d0dbbc785b6a3579b0ffedd9e42",
+  ]
+}
+
+provider "registry.terraform.io/petoju/mysql" {
+  version     = "3.0.12"
+  constraints = "3.0.12"
+  hashes = [
+    "h1:HjwoRcnjjg9ZDC/EVzBPbe76s1Ut7VmDA3QwkVCaC5A=",
+    "zh:03e43a5254c6bd1bade161c24b11f019f296efe395710445617ef28d7a75bf73",
+    "zh:05e8949f079246c17fdd1e2dbae8e313551906a13cc4488f3e35548502d477ee",
+    "zh:080e95478021b353c00ab7a7718801815ae49435ce4833520a391dcbd3de1137",
+    "zh:4497661a09ebbde569cec8d86db848ef159c7bbc5fcf21c2602d18e471604f7d",
+    "zh:5b03de967142d8a84710fd75d926f6293ec917685de66457c704cfc64b6bef26",
+    "zh:6a33f8aecd02689d89963554470a9ae704a7ae481ebabc3d7571d589b4febc37",
+    "zh:6e1d3e0acf2e006578ace24a38ba93b98469e0c280fb97acae40b2d2a4ec81cb",
+    "zh:86174e6940a4a66ad26cb88f38f68a17b8d56bf0139bc156d50e2e064a5614ef",
+    "zh:929370d7710e1669b0a3d386f5722280b0ff720185c6f0822432ab4cb1098cce",
+    "zh:9e1c0ed9530ae75c555b0f84cb0430ee03fbceb9f0726bcecc1ae1276d871be7",
+    "zh:bf39753d4e518857a0e149f9a5d9c034a42247114ac10582ccc24713c7b73836",
+    "zh:d3f6240beab52ada658314626cae16089b5a46a91a0573a2e10332bbc8873078",
+    "zh:e66dead39a840833386aebf2131db40b52b5d134792a0a7ec23ef69e2ef4833e",
+    "zh:ea22ce26f6bd4f3a8eba56a9af5ee166343a88e2769571174098f659e0ac64af",
+  ]
+}

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml

@@ -52,6 +52,16 @@ spec:
           ## BEGIN FLEET SECTION
           - name: FLEET_SERVER_SANDBOX_ENABLED
             value: "1"
+          - name: FLEET_LICENSE_ENFORCE_HOST_LIMIT
+            value: "true"
+          {{- if ne .Values.packaging.enrollSecret "" }}
+          - name: FLEET_PACKAGING_GLOBAL_ENROLL_SECRET
+            value: "{{ .Values.packaging.enrollSecret }}"
+          - name: FLEET_PACKAGING_S3_BUCKET
+            value: "{{ .Values.packaging.s3.bucket }}"
+          - name: FLEET_PACKAGING_S3_PREFIX
+            value: "{{ .Values.packaging.s3.prefix }}"
+          {{- end }}
           - name: FLEET_SERVER_ADDRESS
             value: "0.0.0.0:{{ .Values.fleet.listenPort }}"
           - name: FLEET_AUTH_BCRYPT_COST

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml

@@ -9,6 +9,11 @@ imageTag: v4.12.0 # Version of Fleet to deploy
 createNamespace: false # Whether or not to automatically create the Namespace
 createIngress: true # Whether or not to automatically create an Ingress
 ingressAnnotations: {} # Additional annotation to add to the Ingress
+packaging:
+  enrollSecret: ""
+  s3:
+    bucket: ""
+    prefix: ""
 podLabels: {} # Additional labels to add to the Fleet pod
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf

@@ -48,6 +48,12 @@ variable "redis_address" {}
 variable "redis_database" {}
 variable "lifecycle_table" {}
 variable "base_domain" {}
+variable "enroll_secret" {}
+variable "installer_bucket" {}
+variable "installer_bucket_arn" {}
+variable "oidc_provider_arn" {}
+variable "oidc_provider" {}
+variable "kms_key_arn" {}
 
 resource "mysql_user" "main" {
   user               = terraform.workspace
@@ -152,6 +158,83 @@ resource "helm_release" "main" {
     name  = "imageTag"
     value = "main"
   }
+
+  set {
+    name  = "packaging.enrollSecret"
+    value = var.enroll_secret
+  }
+
+  set {
+    name  = "packaging.s3.bucket"
+    value = var.installer_bucket
+  }
+
+  set {
+    name  = "packaging.s3.prefix"
+    value = terraform.workspace
+  }
+
+  set {
+    name  = "serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.main.arn
+  }
+}
+
+data "aws_iam_policy_document" "main" {
+  statement {
+    actions = [
+      "s3:*Object",
+      "s3:ListBucket",
+    ]
+    resources = [
+      var.installer_bucket_arn,
+      "${var.installer_bucket_arn}/${terraform.workspace}/*"
+    ]
+  }
+  statement {
+    actions = [
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+    resources = [var.kms_key_arn]
+  }
+}
+
+resource "aws_iam_policy" "main" {
+  name   = terraform.workspace
+  policy = data.aws_iam_policy_document.main.json
+}
+
+resource "aws_iam_role_policy_attachment" "main" {
+  role       = aws_iam_role.main.id
+  policy_arn = aws_iam_policy.main.arn
+}
+
+data "aws_iam_policy_document" "main-assume-role" {
+  statement {
+    principals {
+      type        = "Federated"
+      identifiers = [var.oidc_provider_arn]
+    }
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    condition {
+      test     = "StringEquals"
+      variable = "${var.oidc_provider}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${var.oidc_provider}:sub"
+      values   = ["system:serviceaccount:default:${terraform.workspace}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "main" {
+  name_prefix        = terraform.workspace
+  path               = "/sandbox/"
+  assume_role_policy = data.aws_iam_policy_document.main-assume-role.json
 }
 
 resource "aws_dynamodb_table_item" "main" {
@@ -161,7 +244,7 @@ resource "aws_dynamodb_table_item" "main" {
   item = <<ITEM
 {
   "ID": {"S": "${terraform.workspace}"},
-  "State": {"S": "unclaimed"},
+  "State": {"S": "provisioned"},
   "redis_db": {"N": "${var.redis_database}"}
 }
 ITEM

infrastructure/sandbox/PreProvisioner/lambda/go.mod

@@ -5,29 +5,97 @@ go 1.18
 require (
 	github.com/aws/aws-lambda-go v1.29.0
 	github.com/aws/aws-sdk-go v1.43.37
-	github.com/awslabs/aws-lambda-go-api-proxy v0.13.1
-	github.com/gin-gonic/gin v1.7.7
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/fleetdm/fleet/v4 v4.1.1-0.20220801144727-7dd0152819da
 	github.com/google/uuid v1.3.0
 	github.com/jessevdk/go-flags v1.5.0
-	github.com/otiai10/copy v1.7.0
 )
 
 require (
-	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/go-playground/locales v0.13.0 // indirect
-	github.com/go-playground/universal-translator v0.17.0 // indirect
-	github.com/go-playground/validator/v10 v10.4.1 // indirect
-	github.com/golang/protobuf v1.4.2 // indirect
+	github.com/AlekSi/pointer v1.2.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20210512092938-c05353c2d58c // indirect
+	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/andygrunwald/go-jira v1.15.1 // indirect
+	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
+	github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e // indirect
+	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/fatih/color v1.12.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.3.1 // indirect
+	github.com/go-git/go-git/v5 v5.4.2 // indirect
+	github.com/go-kit/kit v0.9.0 // indirect
+	github.com/go-logfmt/logfmt v0.5.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
+	github.com/gomodule/redigo v1.8.5 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea // indirect
+	github.com/goreleaser/chglog v0.1.2 // indirect
+	github.com/goreleaser/fileglob v1.2.0 // indirect
+	github.com/goreleaser/nfpm/v2 v2.10.0 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
+	github.com/hashicorp/go-hclog v0.9.3-0.20191025211905-234833755cb2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/igm/sockjs-go/v3 v3.0.0 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/json-iterator/go v1.1.10 // indirect
-	github.com/leodido/go-urn v1.2.0 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/ugorji/go/codec v1.1.7 // indirect
-	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
-	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
-	google.golang.org/protobuf v1.25.0 // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
+	github.com/kevinburke/ssh_config v1.1.0 // indirect
+	github.com/kolide/kit v0.0.0-20191023141830-6312ecc11c23 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/matryer/is v1.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/gon v0.2.3 // indirect
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/nukosuke/go-zendesk v0.12.0 // indirect
+	github.com/oschwald/geoip2-golang v1.6.1 // indirect
+	github.com/oschwald/maxminddb-golang v1.8.0 // indirect
+	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rs/zerolog v1.20.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.3.1 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cobra v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.8.1 // indirect
+	github.com/stretchr/testify v1.8.0 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/theupdateframework/go-tuf v0.3.0 // indirect
+	github.com/trivago/tgo v1.0.7 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/xanzy/ssh-agent v0.3.1 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/guregu/null.v3 v3.4.0 // indirect
+	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
 )

infrastructure/sandbox/PreProvisioner/lambda/main.go

@@ -8,23 +8,146 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
+	"github.com/fleetdm/fleet/v4/orbit/pkg/packaging"
+	"github.com/fleetdm/fleet/v4/server"
+	"github.com/fleetdm/fleet/v4/server/config"
+	"github.com/fleetdm/fleet/v4/server/datastore/s3"
+	"github.com/fleetdm/fleet/v4/server/fleet"
 	"github.com/google/uuid"
 	flags "github.com/jessevdk/go-flags"
 	"log"
 	"math/rand"
 	"os"
 	"os/exec"
+	"path/filepath"
+	"time"
 )
 
 type OptionsStruct struct {
-	LambdaExecutionEnv string `long:"lambda-execution-environment" env:"AWS_EXECUTION_ENV"`
-	LifecycleTable     string `long:"dynamodb-lifecycle-table" env:"DYNAMODB_LIFECYCLE_TABLE" required:"true"`
-	MaxInstances       int64  `long:"max-instances" env:"MAX_INSTANCES" required:"true"`
-	QueuedInstances    int64  `long:"queued-instances" env:"QUEUED_INSTANCES" required:"true"`
+	LambdaExecutionEnv           string `long:"lambda-execution-environment" env:"AWS_EXECUTION_ENV"`
+	LifecycleTable               string `long:"dynamodb-lifecycle-table" env:"DYNAMODB_LIFECYCLE_TABLE" required:"true"`
+	MaxInstances                 int64  `long:"max-instances" env:"MAX_INSTANCES" required:"true"`
+	QueuedInstances              int64  `long:"queued-instances" env:"QUEUED_INSTANCES" required:"true"`
+	FleetBaseURL                 string `long:"fleet-base-url" env:"FLEET_BASE_URL" required:"true"`
+	InstallerBucket              string `long:"installer-bucket" env:"INSTALLER_BUCKET" required:"true"`
+	MacOSDevIDCertificateContent string `long:"macos-dev-id-certificate-content" env:"MACOS_DEV_ID_CERTIFICATE_CONTENT" required:"true"`
+	AppStoreConnectAPIKeyID      string `long:"app-store-connect-api-key-id" env:"APP_STORE_CONNECT_API_KEY_ID" required:"true"`
+	AppStoreConnectAPIKeyIssuer  string `long:"app-store-connect-api-key-issuer" env:"APP_STORE_CONNECT_API_KEY_ISSUER" required:"true"`
+	AppStoreConnectAPIKeyContent string `long:"app-store-connect-api-key-content" env:"APP_STORE_CONNECT_API_KEY_CONTENT" required:"true"`
 }
 
 var options = OptionsStruct{}
 
+func FinishFleet(instanceID string) (err error) {
+	log.Printf("Finishing instance: %s", instanceID)
+	svc := dynamodb.New(session.New())
+	// Perform a conditional update to claim the item
+	input := &dynamodb.UpdateItemInput{
+		ConditionExpression: aws.String("#fleet_state = :v1"),
+		TableName:           aws.String(options.LifecycleTable),
+		Key: map[string]*dynamodb.AttributeValue{
+			"ID": {
+				S: aws.String(instanceID),
+			},
+		},
+		UpdateExpression:         aws.String("set #fleet_state = :v2"),
+		ExpressionAttributeNames: map[string]*string{"#fleet_state": aws.String("State")},
+		ExpressionAttributeValues: map[string]*dynamodb.AttributeValue{
+			":v1": {
+				S: aws.String("provisioned"),
+			},
+			":v2": {
+				S: aws.String("unclaimed"),
+			},
+		},
+	}
+	if _, err = svc.UpdateItem(input); err != nil {
+		return
+	}
+	return
+}
+
+func buildPackages(instanceID, enrollSecret string) (err error) {
+	funcs := []func(packaging.Options) (string, error){
+		packaging.BuildPkg,
+		packaging.BuildDeb,
+		packaging.BuildRPM,
+		packaging.BuildMSI,
+	}
+	pkgopts := packaging.Options{
+		FleetURL:                     fmt.Sprintf("https://%s.%s", instanceID, options.FleetBaseURL),
+		EnrollSecret:                 enrollSecret,
+		UpdateURL:                    "https://tuf.fleetctl.com",
+		Identifier:                   "com.fleetdm.orbit",
+		StartService:                 true,
+		NativeTooling:                true,
+		OrbitChannel:                 "stable",
+		OsquerydChannel:              "stable",
+		DesktopChannel:               "stable",
+		OrbitUpdateInterval:          15 * time.Minute,
+		MacOSDevIDCertificateContent: options.MacOSDevIDCertificateContent,
+		AppStoreConnectAPIKeyID:      options.AppStoreConnectAPIKeyID,
+		AppStoreConnectAPIKeyIssuer:  options.AppStoreConnectAPIKeyIssuer,
+		AppStoreConnectAPIKeyContent: options.AppStoreConnectAPIKeyContent,
+	}
+	store, err := s3.NewInstallerStore(config.S3Config{
+		Bucket: options.InstallerBucket,
+		Prefix: instanceID,
+	})
+
+	// Build non-desktop
+	for _, buildFunc := range funcs {
+		var filename string
+		filename, err = buildFunc(pkgopts)
+		if err != nil {
+			log.Print(err)
+			return
+		}
+		var r *os.File
+		r, err = os.Open(filename)
+		defer r.Close()
+		if err != nil {
+			return err
+		}
+		_, err = store.Put(context.Background(), fleet.Installer{
+			EnrollSecret: enrollSecret,
+			Kind:         filepath.Ext(filename)[1:],
+			Desktop:      pkgopts.Desktop,
+			Content:      r,
+		})
+		if err != nil {
+			return
+		}
+	}
+
+	// Build desktop
+	pkgopts.Desktop = true
+	for _, buildFunc := range funcs {
+		var filename string
+		filename, err = buildFunc(pkgopts)
+		if err != nil {
+			log.Print(err)
+			return
+		}
+		var r *os.File
+		r, err = os.Open(filename)
+		defer r.Close()
+		if err != nil {
+			return err
+		}
+		_, err = store.Put(context.Background(), fleet.Installer{
+			EnrollSecret: enrollSecret,
+			Kind:         filepath.Ext(filename)[1:],
+			Desktop:      pkgopts.Desktop,
+			Content:      r,
+		})
+		if err != nil {
+			return
+		}
+	}
+	return FinishFleet(instanceID)
+}
+
 type LifecycleRecord struct {
 	ID    string
 	State string
@@ -90,7 +213,7 @@ func initTerraform() error {
 	return err
 }
 
-func runTerraform(workspace string, redis_database int) error {
+func runTerraform(workspace string, redis_database int, enrollSecret string) error {
 	err := runCmd([]string{
 		"workspace",
 		"new",
@@ -105,6 +228,8 @@ func runTerraform(workspace string, redis_database int) error {
 		"-no-color",
 		"-var",
 		fmt.Sprintf("redis_database=%d", redis_database),
+		"-var",
+		fmt.Sprintf("enroll_secret=%s", enrollSecret),
 	})
 	return err
 }
@@ -166,7 +291,15 @@ func handler(ctx context.Context, name NullEvent) error {
 		if err != nil {
 			return err
 		}
-		if err := runTerraform(fmt.Sprintf("t%s", uuid.New().String()[:8]), redisDatabase); err != nil {
+		enrollSecret, err := server.GenerateRandomText(fleet.EnrollSecretDefaultLength)
+		if err != nil {
+			return err
+		}
+		instanceID := fmt.Sprintf("t%s", uuid.New().String()[:8])
+		if err := runTerraform(instanceID, redisDatabase, enrollSecret); err != nil {
+			return err
+		}
+		if err = buildPackages(instanceID, enrollSecret); err != nil {
 			return err
 		}
 	}

infrastructure/sandbox/PreProvisioner/main.tf

@@ -137,6 +137,23 @@ data "aws_iam_policy_document" "lambda" {
     resources = [aws_kms_key.ecr.arn, var.kms_key.arn]
   }
 
+  statement {
+    actions = [
+      "s3:*Object",
+      "s3:ListBucket",
+    ]
+    resources = [
+      var.installer_bucket.arn,
+      "${var.installer_bucket.arn}/*"
+    ]
+  }
+
+  statement {
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [aws_secretsmanager_secret.apple-signing-secrets.arn]
+  }
+
+  # TODO: limit this, this is for terraform
   statement {
     actions   = ["*"]
     resources = ["*"]
@@ -172,6 +189,16 @@ data "aws_eks_cluster" "cluster" {
   name = var.eks_cluster.eks_cluster_id
 }
 
+resource "aws_secretsmanager_secret" "apple-signing-secrets" {
+  name                    = "${local.full_name}-apple-signing-secrets"
+  kms_key_id              = var.kms_key.id
+  recovery_window_in_days = 0
+}
+
+data "aws_secretsmanager_secret_version" "apple-signing-secrets" {
+  secret_id = aws_secretsmanager_secret.apple-signing-secrets.id
+}
+
 resource "aws_ecs_task_definition" "main" {
   family                   = local.full_name
   network_mode             = "awsvpc"
@@ -234,6 +261,52 @@ resource "aws_ecs_task_definition" "main" {
             name  = "TF_VAR_redis_address"
             value = "${var.redis_cluster.primary_endpoint_address}:6379"
           },
+          {
+            name  = "FLEET_BASE_URL"
+            value = var.base_domain
+          },
+          {
+            name  = "INSTALLER_BUCKET"
+            value = var.installer_bucket.id
+          },
+          {
+            name  = "TF_VAR_installer_bucket"
+            value = var.installer_bucket.id
+          },
+          {
+            name  = "TF_VAR_installer_bucket_arn"
+            value = var.installer_bucket.arn
+          },
+          {
+            name  = "TF_VAR_oidc_provider_arn"
+            value = var.oidc_provider_arn
+          },
+          {
+            name  = "TF_VAR_oidc_provider"
+            value = var.oidc_provider
+          },
+          {
+            name  = "TF_VAR_kms_key_arn"
+            value = var.kms_key.arn
+          },
+        ]),
+        secrets = concat([
+          {
+            name      = "MACOS_DEV_ID_CERTIFICATE_CONTENT"
+            valueFrom = "${aws_secretsmanager_secret.apple-signing-secrets.arn}:MACOS_DEV_ID_CERTIFICATE_CONTENT::"
+          },
+          {
+            name      = "APP_STORE_CONNECT_API_KEY_ID"
+            valueFrom = "${aws_secretsmanager_secret.apple-signing-secrets.arn}:APP_STORE_CONNECT_API_KEY_ID::"
+          },
+          {
+            name      = "APP_STORE_CONNECT_API_KEY_ISSUER"
+            valueFrom = "${aws_secretsmanager_secret.apple-signing-secrets.arn}:APP_STORE_CONNECT_API_KEY_ISSUER::"
+          },
+          {
+            name      = "APP_STORE_CONNECT_API_KEY_CONTENT"
+            valueFrom = "${aws_secretsmanager_secret.apple-signing-secrets.arn}:APP_STORE_CONNECT_API_KEY_CONTENT::"
+          }
         ])
       }
   ])

infrastructure/sandbox/PreProvisioner/variables.tf

@@ -8,3 +8,6 @@ variable "redis_cluster" {}
 variable "base_domain" {}
 variable "ecs_cluster" {}
 variable "kms_key" {}
+variable "installer_bucket" {}
+variable "oidc_provider_arn" {}
+variable "oidc_provider" {}

infrastructure/sandbox/SharedInfrastructure/eks.tf

@@ -91,6 +91,14 @@ module "aws-eks-accelerator-for-terraform" {
   }
 }
 
+output "oidc_provider_arn" {
+  value = module.aws-eks-accelerator-for-terraform.eks_oidc_provider_arn
+}
+
+output "oidc_provider" {
+  value = module.aws-eks-accelerator-for-terraform.oidc_provider
+}
+
 data "aws_eks_cluster" "cluster" {
   name = module.aws-eks-accelerator-for-terraform.eks_cluster_id
 }

infrastructure/sandbox/SharedInfrastructure/variables.tf

@@ -12,3 +12,4 @@ variable "eks_allowed_roles" {
 
 variable "vpc" {}
 variable "base_domain" {}
+variable "kms_key" {}

infrastructure/sandbox/main.tf

@@ -138,20 +138,24 @@ module "shared-infrastructure" {
   allowed_security_groups = [module.pre-provisioner.lambda_security_group.id]
   eks_allowed_roles       = [module.pre-provisioner.lambda_role, module.jit-provisioner.deprovisioner_role]
   base_domain             = local.base_domain
+  kms_key                 = aws_kms_key.main
 }
 
 module "pre-provisioner" {
-  source         = "./PreProvisioner"
-  prefix         = local.prefix
-  vpc            = module.vpc
-  kms_key        = aws_kms_key.main
-  dynamodb_table = aws_dynamodb_table.lifecycle-table
-  remote_state   = module.remote_state
-  mysql_secret   = module.shared-infrastructure.mysql_secret
-  eks_cluster    = module.shared-infrastructure.eks_cluster
-  redis_cluster  = module.shared-infrastructure.redis_cluster
-  ecs_cluster    = aws_ecs_cluster.main
-  base_domain    = local.base_domain
+  source            = "./PreProvisioner"
+  prefix            = local.prefix
+  vpc               = module.vpc
+  kms_key           = aws_kms_key.main
+  dynamodb_table    = aws_dynamodb_table.lifecycle-table
+  remote_state      = module.remote_state
+  mysql_secret      = module.shared-infrastructure.mysql_secret
+  eks_cluster       = module.shared-infrastructure.eks_cluster
+  redis_cluster     = module.shared-infrastructure.redis_cluster
+  ecs_cluster       = aws_ecs_cluster.main
+  base_domain       = local.base_domain
+  installer_bucket  = module.shared-infrastructure.installer_bucket
+  oidc_provider_arn = module.shared-infrastructure.oidc_provider_arn
+  oidc_provider     = module.shared-infrastructure.oidc_provider
 }
 
 module "jit-provisioner" {

infrastructure/sandbox/readme.md

@@ -1,18 +1,20 @@
 ## Terraform for the Fleet Demo Environment
-This folder holds the infrastructure code for Fleet's demo environment. See https://github.com/fleetdm/fleet-infra/pull/3 for design documentation.
+This folder holds the infrastructure code for Fleet's demo environment.
 
-The interface into this code is designed to be minimal.
-If you require changes beyond whats described here, contact @zwinnerman-fleetdm.
+This readme itself is intended for infrastructure developers. If you aren't an infrastructure developer, please see https://sandbox.fleetdm.com/openapi.json for documentation.
 
-### Deploying your code to the loadtesting environment
-1. Initialize your terraform environment with `terraform init`
-2. Check out the appropiate workspace for your code, for instance `terraform workspace select production`
-3. Apply terraform with your branch name with `terraform apply -var tag=BRANCH_NAME -var-file production.tfvars`
+### Instance state machine
+```
+provisioned -> unclaimed -> claimed -> [destroyed]
+```
+provisioned means an instance was "terraform apply'ed" but no installers were generated.
+unclaimed means its ready for a customer. claimed means its already in use by a customer. [destroyed] isn't a state you'll see in dynamodb, but it means that everything has been torn down.
 
 ### Bugs
 1. module.shared-infrastructure.kubernetes_manifest.targetgroupbinding is bugged sometimes, if it gives issues just comment it out
 1. on a fresh apply, module.shared-infrastructure.aws_acm_certificate.main will have to be targeted first, then a normal apply can follow
 1. If errors happen, see if applying again will fix it
+1. There is a secret for apple signing whos values are not provided by this code. If you destroy/apply this secret, then it will have to be filled in manually.
 
 ### Maintenance commands
 #### Referesh fleet instances
@@ -29,3 +31,11 @@ for i in $((aws dynamodb scan --table-name sandbox-prod-lifecycle | jq -r '.Item
 ```bash
 for i in $(aws dynamodb scan --table-name sandbox-prod-lifecycle | jq -r '.Items[] | select(.State.S == "provisioned") | .ID.S'); do helm uninstall $i; aws dynamodb delete-item --table-name sandbox-prod-lifecycle --key "{\"ID\": {\"S\": \"${i}\"}}"; done
 ```
+
+### TODOs
+1. JITProvisioner needs to return proper errors
+1. Create and use a different kms key for installers
+1. Sane scale levels for prod
+1. Allow for parallel spinup of sandbox instances (preprovisioner)
+1. https://redis.io/commands/flushdb/ during the teardown process
+1. name state machines something random and track the new name in dynamodb