From 82ba1a00a265b908711ac8ab82c064be6157179d Mon Sep 17 00:00:00 2001 From: Zachary Winnerman <98712682+zwinnerman-fleetdm@users.noreply.github.com> Date: Fri, 5 Aug 2022 11:41:41 -0400 Subject: [PATCH] Demo packaging (#7020) * checkin for testing * Initial work on packaging, still need to configure fleet to use it * Add the terraform stuff for installers * Add iam permissions for packaging * Add environment variables for installers to fleet * Implement review fixes * Add an extra state for provisioned, but not ready for customers * Add secretsmanager stuff for apple * fixup * fixup * Bugfixes * fixup * fixup and added some stuff to the readdme * Add link to openapi.json in readme --- infrastructure/sandbox/.terraform.lock.hcl | 318 ++++++ .../sandbox/PreProvisioner/lambda/Dockerfile | 30 +- .../deploy_terraform/.terraform.lock.hcl | 84 ++ .../fleet/templates/deployment.yaml | 10 + .../lambda/deploy_terraform/fleet/values.yaml | 5 + .../lambda/deploy_terraform/main.tf | 85 +- .../sandbox/PreProvisioner/lambda/go.mod | 106 +- .../sandbox/PreProvisioner/lambda/go.sum | 963 +++++++++++++++--- .../sandbox/PreProvisioner/lambda/main.go | 145 ++- infrastructure/sandbox/PreProvisioner/main.tf | 73 ++ .../sandbox/PreProvisioner/variables.tf | 3 + .../sandbox/SharedInfrastructure/eks.tf | 8 + .../sandbox/SharedInfrastructure/variables.tf | 1 + infrastructure/sandbox/main.tf | 26 +- infrastructure/sandbox/readme.md | 24 +- 15 files changed, 1685 insertions(+), 196 deletions(-) create mode 100644 infrastructure/sandbox/.terraform.lock.hcl create mode 100644 infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/.terraform.lock.hcl diff --git a/infrastructure/sandbox/.terraform.lock.hcl b/infrastructure/sandbox/.terraform.lock.hcl new file mode 100644 index 0000000000..382b41af6c --- /dev/null +++ b/infrastructure/sandbox/.terraform.lock.hcl 
@@ -0,0 +1,318 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "3.18.0" + constraints = "3.18.0, ~> 3.18.0" + hashes = [ + "h1:hsmaGs6+0AMWlEuAVjBdO8rv77K3psZQRQ2L5tRXTqI=", + "zh:0de7001183fa716a5eb69d17a873d6fa3d36c62f122fe5f36f011e94286f58b3", + "zh:0e75940486ffd8234030801da20c3b46242a2cbda455e6d3913d009638b8bdd5", + "zh:0ff02d93ee1222eacba113647e4a817e2a41c3a1add97a292f826d80da568b72", + "zh:1125b90ed5499874ff0ca399a7716c94affa5dbfe0098afee14647f2ba6bada0", + "zh:64bb8e62cdb9635c76a0cf2d2e0c3b00b28bac7a19eba8ade460c4b12c0a8a13", + "zh:6705b9fc0e08d1da96b756729ba3aaa2724d16153b261f6d4ebbb9cb300c49cb", + "zh:6a7877593e103e4d178c056d43f5659aaf5778a37d58f3a5223e447bbff05e24", + "zh:708439ccc8b7bb64695ed631b37b4543c7429d765bc6d5131fcfd1378baf2039", + "zh:7b17bda86b18dee0fd38bf30d95cd78321f5717e5ea6833cfa67be1d899620a2", + "zh:880951986c10afcd1f6154de905b1994a22a43afb7188362ab6c5de573ef4149", + "zh:912b18dd6902a2880e9c787749985e5844aad6986f05293931501467a32b3209", + "zh:9f3feac3d9e529fa92d9dc9b0cdc4dd5581a8a2ef0925b15ac899b0021646b0c", + "zh:c8ba5584e2c596352a0f3de223026d26bcd72e607c418c4eadbdf94cbd5b4d22", + "zh:d13ebc676b9964e69b3ea421dbb03bf30c957d78e35f0839e50f27ac5c4316ed", + ] +} + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.14.0" + constraints = ">= 1.7.0, >= 1.13.1" + hashes = [ + "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", + "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", + "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", + "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", + "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", + "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", + "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", + 
"zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", + "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", + "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", + ] +} + +provider "registry.terraform.io/hashicorp/archive" { + version = "2.2.0" + hashes = [ + "h1:CIWi5G6ob7p2wWoThRQbOB8AbmFlCzp7Ka81hR3cVp0=", + "zh:06bd875932288f235c16e2237142b493c2c2b6aba0e82e8c85068332a8d2a29e", + "zh:0c681b481372afcaefddacc7ccdf1d3bb3a0c0d4678a526bc8b02d0c331479bc", + "zh:100fc5b3fc01ea463533d7bbfb01cb7113947a969a4ec12e27f5b2be49884d6c", + "zh:55c0d7ddddbd0a46d57c51fcfa9b91f14eed081a45101dbfc7fd9d2278aa1403", + "zh:73a5dd68379119167934c48afa1101b09abad2deb436cd5c446733e705869d6b", + "zh:841fc4ac6dc3479981330974d44ad2341deada8a5ff9e3b1b4510702dfbdbed9", + "zh:91be62c9b41edb137f7f835491183628d484e9d6efa82fcb75cfa538c92791c5", + "zh:acd5f442bd88d67eb948b18dc2ed421c6c3faee62d3a12200e442bfff0aa7d8b", + "zh:ad5720da5524641ad718a565694821be5f61f68f1c3c5d2cfa24426b8e774bef", + "zh:e63f12ea938520b3f83634fc29da28d92eed5cfbc5cc8ca08281a6a9c36cca65", + "zh:f6542918faa115df46474a36aabb4c3899650bea036b5f8a5e296be6f8f25767", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.10.0" + constraints = ">= 3.63.0, >= 3.66.0, >= 3.72.0, >= 4.3.0, ~> 4.10.0" + hashes = [ + "h1:S6xGPRL08YEuBdemiYZyIBf/YwM4OCvzVuaiuU6kLjc=", + "zh:0a2a7eabfeb7dbb17b7f82aff3fa2ba51e836c15e5be4f5468ea44bd1299b48d", + "zh:23409c7205d13d2d68b5528e1c49e0a0455d99bbfec61eb0201142beffaa81f7", + "zh:3adad2245d97816f3919778b52c58fb2de130938a3e9081358bfbb72ec478d9a", + "zh:5bf100aba6332f24b1ffeae7536d5d489bb907bf774a06b95f2183089eaf1a1a", + "zh:63c3a24c0c229a1d3390e6ea2454ba4d8ace9b94e086bee1dbdcf665ae969e15", + "zh:6b76f5ffd920f0a750da3a4ff1d00eab18d9cd3731b009aae3df4135613bad4d", + "zh:8cd6b1e6b51e8e9bbe2944bb169f113d20d1d72d07ccd1b7b83f40b3c958233e", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + 
"zh:c5c31f58fb5bd6aebc6c662a4693640ec763cb3399cce0b592101cf24ece1625", + "zh:cc485410be43d6ad95d81b9e54cc4d2117aadf9bf5941165a9df26565d9cce42", + "zh:cebb89c74b6a3dc6780824b1d1e2a8d16a51e75679e14ad0b830d9f7da1a3a67", + "zh:e7dc427189cb491e1f96e295101964415cbf8630395ee51e396d2a811f365237", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.2.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:tQLNREqesrdCQ/bIJnl0+yUK+XfdWzAG0wo4lp10LvM=", + "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", + "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", + "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", + "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", + "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", + "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", + "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", + "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", + "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", + "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", + "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.2.2" + constraints = ">= 1.0.0" + hashes = [ + "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=", + "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca", + "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28", + "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b", + "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327", + "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955", + 
"zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb", + "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0", + "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a", + "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372", + "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.6.0" + constraints = ">= 2.4.1" + hashes = [ + "h1:rGVucCeYAqklKupwoLVG5VPQTIkUhO7WGcw3WuHYrm8=", + "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8", + "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5", + "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b", + "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381", + "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c", + "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814", + "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456", + "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5", + "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44", + "zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c", + "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.12.1" + constraints = ">= 2.10.0" + hashes = [ + "h1:6ZgqegUao9WcfVzYg7taxCQOQldTmMVw0HqjG5S46OY=", + "zh:1ecb2adff52754fb4680c7cfe6143d1d8c264b00bb0c44f07f5583b1c7f978b8", + "zh:1fbd155088cd5818ad5874e4d59ccf1801e4e1961ac0711442b963315f1967ab", + "zh:29e927c7c8f112ee0e8ab70e71b498f2f2ae6f47df1a14e6fd0fdb6f14b57c00", + "zh:42c2f421da6b5b7c997e42aa04ca1457fceb13dd66099a057057a0812b680836", + "zh:522a7bccd5cd7acbb4ec3ef077d47f4888df7e59ff9f3d598b717ad3ee4fe9c9", + 
"zh:b45d8dc5dcbc5e30ae570d0c2e198505f47d09098dfd5f004871be8262e6ec1e", + "zh:c3ea0943f2050001c7d6a7115b9b990f148b082ebfc4ff3c2ff3463a8affcc4a", + "zh:f111833a64e06659d2e21864de39b7b7dec462615294d02f04c777956742a930", + "zh:f182dba5707b90b0952d5984c23f7a2da3baa62b4d71e78df7759f16cc88d957", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f76655a68680887daceabd947b2f68e2103f5bbec49a2bc29530f82ab8e3bca3", + "zh:fadb77352caa570bd3259dfb59c31db614d55bc96df0ff15a3c0cd2e685678b9", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.2.3" + constraints = ">= 2.1.0" + hashes = [ + "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=", + "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", + "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", + "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", + "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", + "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", + "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", + "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", + "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", + "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", + "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.1.1" + constraints = ">= 3.1.0" + hashes = [ + "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=", + "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", + "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", + "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", + "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", + "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", + "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", + "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", + "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", + "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", + "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.3" + constraints = ">= 2.2.0, ~> 3.1.2" + hashes = [ + "h1:nLWniS8xhb32qRQy+n4bDPjQ7YWZPVMR3v1vSrx7QyY=", + "zh:26e07aa32e403303fc212a4367b4d67188ac965c37a9812e07acee1470687a73", + "zh:27386f48e9c9d849fbb5a8828d461fde35e71f6b6c9fc235bc4ae8403eb9c92d", + "zh:5f4edda4c94240297bbd9b83618fd362348cadf6bf24ea65ea0e1844d7ccedc0", + "zh:646313a907126cd5e69f6a9fafe816e9154fccdc04541e06fed02bb3a8fa2d2e", + "zh:7349692932a5d462f8dee1500ab60401594dddb94e9aa6bf6c4c0bd53e91bbb8", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9034daba8d9b32b35930d168f363af04cecb153d5849a7e4a5966c97c5dc956e", + "zh:bb81dfca59ef5f949ef39f19ea4f4de25479907abc28cdaa36d12ecd7c0a9699", + "zh:bcf7806b99b4c248439ae02c8e21f77aff9fadbc019ce619b929eef09d1221bb", + "zh:d708e14d169e61f326535dd08eecd3811cd4942555a6f8efabc37dbff9c6fc61", + "zh:dc294e19a46e1cefb9e557a7b789c8dd8f319beca99b8c265181bc633dc434cc", + "zh:f9d758ee53c55dc016dd736427b6b0c3c8eb4d0dbbc785b6a3579b0ffedd9e42", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.7.2" + hashes = [ + "h1:YYLAfhMFP5nhV2iZPslqsLkZN+6sZo7gMJW7pLcLfM8=", + "zh:0bbe0158c2a9e3f5be911b7e94477586110c51746bb13d102054f22754565bda", + 
"zh:3250af7fd49b8aaf2ccc895588af05197d886e38b727e3ba33bcbb8cc96ad34d", + "zh:35e4de0437f4fa9c1ad69aaf8136413be2369ea607d78e04bb68dc66a6a520b8", + "zh:369756417a6272e79cad31eb2c82c202f6a4b6e4204a893f656644ba9e149fa2", + "zh:390370f1179d89b33c3a0731691e772d5450a7d59fc66671ec625e201db74aa2", + "zh:3d12ac905259d225c685bc42e5507ed0fbdaa5a09c30dce7c1932d908df857f7", + "zh:75f63e5e1c68e6c5bccba4568c3564e2774eb3a7a19189eb8e2b6e0d58c8f8cc", + "zh:7c22a2078a608e3e0278c4cbc9c483909062ebd1843bddaf8f176346c6d378b1", + "zh:7cfb3c02f78f0060d59c757c4726ab45a962ce4a9cf4833beca704a1020785bd", + "zh:a0325917f47c28a2ed088dedcea0d9520d91b264e63cc667fe4336ac993c0c11", + "zh:c181551d4c0a40b52e236f1755cc340aeca0fb5dcfd08b3b1c393a7667d2f327", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "3.4.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:oyllIA9rNGCFtClSyBitUIzCXdnKtspVepdsvpLlfys=", + "zh:2442a0df0cfb550b8eba9b2af39ac06f54b62447eb369ecc6b1c29f739b33bbb", + "zh:3ebb82cacb677a099de55f844f0d02886bc804b1a2b94441bc40fabcb64d2a38", + "zh:436125c2a7e66bc62a4a7c68bdca694f071d7aa894e8637dc83f4a68fe322546", + "zh:5f03db9f1d77e8274ff4750ae32d5c16c42b862b06bcb0683e4d733c8db922e4", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8190142ae8a539ab34193b7e75da0fa04035d1dcd8af8be94df1eafeeffb44b6", + "zh:8cdc7cd9221e27c189e5beaf78462fce4c2edb081f415a1eafc6da2949de31e2", + "zh:a5de0f7f5d63c59ebf61d3c1d94040f410665ff0aa04f66674efe24b39a11f94", + "zh:a9fce48db3c140cc3e06f8a3c7ef4d36735e457e7660442d6d5dcd2b0781adc3", + "zh:beb92de584c790c7c7f047e45ccd22b6ee3263c7b5a91ae4d6882ae6e7700570", + "zh:f373f8cc52846fb513f44f468d885f722ca4dc22af9ff1942368cafd16b796b3", + "zh:f69627fd6e5a920b17ff423cdbad2715078ca6d13146dc67668795582ab43748", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "2.16.0" + constraints = "~> 2.16.0" + hashes = [ + "h1:OcTn2QyCQNjDiJYy1vqQFmz2dxJdOF/2/HBXBvGxU2E=", + 
"zh:0ff8aa7884c6dae90e6f245bb9d37898735f89e095ba53413f2f364db4d11a77", + "zh:4101f4c909477f3a8225829b7063e5c5a2e2986a6163e0f113af040b5feab61f", + "zh:59db110d2b6c620cc12a1741d81ed8d1dd7fb0540024428fefbb57e8bebe5b60", + "zh:6e134983f195ea0273ac042f0a2df14158d676a24e8dd140ca0357f3efc3fd61", + "zh:7de1de3cc1eacb2ef2693207f5c5f54fa4814ae8c024b8b3c2a0923c82fd6f14", + "zh:a6659fbc7c45fbb60c7c9bf06724eb6084711f1b79c720ef8512a4367e63cbe5", + "zh:ae97c721431517d8c71f8cede91d734d2f2372a1bfef0c3bba43b54c0f8b1cee", + "zh:b3cbd47d5f0cb522b6dd3561ccd2f491fb6afb577372718e0663d12cfeef30e9", + "zh:b64af7c6ad8870c11677874f6cd13322aa03d2190391a120be17304ca324ea1c", + "zh:c363747bae968af997eaf22193168451523e92b59aee8aee135d3b27db132366", + "zh:c40721250642157b2a72d8db44fa09de0f7635ba4b0e2ebf5527570f3988e62f", + "zh:e97707609e346bf463d539099faa8790f2f453cfbd0b880327b6eae16ca4f213", + "zh:f4a23ce27cb430f91895466b3e2d132c534fa2b58808f6771235d76e696f4972", + "zh:fd634e973eb2b6483a1ce9251801a393d04cb496f8e83ffcf3f0c4cad8c18f4c", + ] +} + +provider "registry.terraform.io/paultyng/git" { + version = "0.1.0" + constraints = "~> 0.1.0" + hashes = [ + "h1:nz3VfU3LHDUQFdILoXq8O0FWbQZfCmXhpQOTKRRzEaY=", + "zh:0d593ac990f711171875ba5fc838f0087df84ddb1c69154ee630def5984931ea", + "zh:3895c2719f42e93fc993474859b34de87d90e2c47dfb757d435b9b57945195e4", + "zh:3a90ce559a3589628a2d6820a9d76a354763c268b0c173982ff773e022032856", + "zh:42339a6084095e37d0c843907dcabe66989949ea3f0025f6f1f9d8583d7da779", + "zh:435522beccaedf89bc39eed495393194b43156d1730ef45c29faa584552dc355", + "zh:87b4ee4f521283daaa0d63dd7949dc59f700b92e246e4aeb06510c01842a3c8b", + "zh:997aca77ddc1411dd601ea1fa2e455be9531c3e3c0f0917e8f2423ffd4ffb9ba", + "zh:a70e98ce6ef7a8256286ab791bc231777b76c8f038da4b9eccf399d2b22051fb", + "zh:af9301520e8befe3ec6d1125e10cc0724b318590f5680f12032c8bdc3b0c827d", + "zh:d995a3b8eaa5ac61744d49127fbf68b4c32e16d3c67d570edda2af26113b92a5", + "zh:e8b5c7354a02c54efc026d8289ce9d3784f58abd673a78e80bd4fb073dd75101", + ] 
+} + +provider "registry.terraform.io/terraform-aws-modules/http" { + version = "2.4.1" + constraints = "2.4.1" + hashes = [ + "h1:ZnkXcawrIr611RvZpoDzbtPU7SVFyHym+7p1t+PQh20=", + "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", + "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", + "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", + "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", + "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", + "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", + "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", + "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", + "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", + "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", + "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", + "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", + "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", + ] +} diff --git a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile index 3bb6f1ad4e..d9979e5bca 100644 --- a/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile +++ b/infrastructure/sandbox/PreProvisioner/lambda/Dockerfile 
@@ -1,5 +1,31 @@
-FROM golang:1.18-alpine AS builder
-RUN apk update && apk add --no-cache git curl openssl unzip
+FROM rust:latest AS builder
+
+ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
+
+RUN cargo install apple-codesign \
+ && curl -sSf $transporter_url -o transporter_install.sh \
+ && sh transporter_install.sh --target transporter --accept --noexec
+
+FROM golang:1.18.4-bullseye
+
+RUN apt-get update \
+ && dpkg --add-architecture i386 \
+ && apt update \
+ && apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \
+ && rm -rf /var/lib/apt/lists/*
+
+# copy macOS dependencies
+COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/
+COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/
+COPY --from=builder /transporter/itms /usr/local/
+COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin
+
+# copy Windows dependencies
+COPY --from=fleetdm/wix:latest /home/wine /home/wine
+
+ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all
+
+RUN apt update; apt install -y curl openssl unzip
 WORKDIR /build
 COPY . .
 RUN go get -d -v
diff --git a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/.terraform.lock.hcl b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/.terraform.lock.hcl
new file mode 100644
index 0000000000..5626bd0aa3
--- /dev/null
+++ b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/.terraform.lock.hcl
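Review bot: Every external input to this build is unpinned or unverified: the new `FROM rust:latest`, `COPY --from=fleetdm/bomutils:latest` and `COPY --from=fleetdm/wix:latest` stages resolve to whatever those tags point at on build day, and the Transporter installer is fetched with `curl -sSf $transporter_url -o transporter_install.sh` and then executed by `sh transporter_install.sh` with no checksum check, so the code-signing toolchain that ends up in the image cannot be reproduced or audited afterwards. Pin each image to a digest, e.g. `FROM rust:<pinned-version>@sha256:<digest> AS builder` and the same form for the two `--from` images, and verify the download before running it with a line such as `echo "<expected-sha256>  transporter_install.sh" | sha256sum -c -` between the curl and the `sh` step (both placeholders to be filled with the values you build against). The closing `RUN apt update; apt install -y curl openssl unzip` also reintroduces /var/lib/apt/lists into the image right after the earlier layer removed it, and mixes `apt` with `apt-get`; the rest of the Dockerfile after `RUN go get -d -v` lies outside this hunk.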
@@ -0,0 +1,84 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.10.0" + constraints = "~> 4.10.0" + hashes = [ + "h1:S6xGPRL08YEuBdemiYZyIBf/YwM4OCvzVuaiuU6kLjc=", + "zh:0a2a7eabfeb7dbb17b7f82aff3fa2ba51e836c15e5be4f5468ea44bd1299b48d", + "zh:23409c7205d13d2d68b5528e1c49e0a0455d99bbfec61eb0201142beffaa81f7", + "zh:3adad2245d97816f3919778b52c58fb2de130938a3e9081358bfbb72ec478d9a", + "zh:5bf100aba6332f24b1ffeae7536d5d489bb907bf774a06b95f2183089eaf1a1a", + "zh:63c3a24c0c229a1d3390e6ea2454ba4d8ace9b94e086bee1dbdcf665ae969e15", + "zh:6b76f5ffd920f0a750da3a4ff1d00eab18d9cd3731b009aae3df4135613bad4d", + "zh:8cd6b1e6b51e8e9bbe2944bb169f113d20d1d72d07ccd1b7b83f40b3c958233e", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:c5c31f58fb5bd6aebc6c662a4693640ec763cb3399cce0b592101cf24ece1625", + "zh:cc485410be43d6ad95d81b9e54cc4d2117aadf9bf5941165a9df26565d9cce42", + "zh:cebb89c74b6a3dc6780824b1d1e2a8d16a51e75679e14ad0b830d9f7da1a3a67", + "zh:e7dc427189cb491e1f96e295101964415cbf8630395ee51e396d2a811f365237", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + constraints = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.3" + constraints = "~> 3.1.2" + hashes = [ + "h1:nLWniS8xhb32qRQy+n4bDPjQ7YWZPVMR3v1vSrx7QyY=", + "zh:26e07aa32e403303fc212a4367b4d67188ac965c37a9812e07acee1470687a73", + "zh:27386f48e9c9d849fbb5a8828d461fde35e71f6b6c9fc235bc4ae8403eb9c92d", + "zh:5f4edda4c94240297bbd9b83618fd362348cadf6bf24ea65ea0e1844d7ccedc0", + "zh:646313a907126cd5e69f6a9fafe816e9154fccdc04541e06fed02bb3a8fa2d2e", + "zh:7349692932a5d462f8dee1500ab60401594dddb94e9aa6bf6c4c0bd53e91bbb8", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9034daba8d9b32b35930d168f363af04cecb153d5849a7e4a5966c97c5dc956e", + "zh:bb81dfca59ef5f949ef39f19ea4f4de25479907abc28cdaa36d12ecd7c0a9699", + "zh:bcf7806b99b4c248439ae02c8e21f77aff9fadbc019ce619b929eef09d1221bb", + "zh:d708e14d169e61f326535dd08eecd3811cd4942555a6f8efabc37dbff9c6fc61", + "zh:dc294e19a46e1cefb9e557a7b789c8dd8f319beca99b8c265181bc633dc434cc", + "zh:f9d758ee53c55dc016dd736427b6b0c3c8eb4d0dbbc785b6a3579b0ffedd9e42", + ] +} + +provider "registry.terraform.io/petoju/mysql" { + version = "3.0.12" + constraints = "3.0.12" + hashes = [ + "h1:HjwoRcnjjg9ZDC/EVzBPbe76s1Ut7VmDA3QwkVCaC5A=", + "zh:03e43a5254c6bd1bade161c24b11f019f296efe395710445617ef28d7a75bf73", + "zh:05e8949f079246c17fdd1e2dbae8e313551906a13cc4488f3e35548502d477ee", + "zh:080e95478021b353c00ab7a7718801815ae49435ce4833520a391dcbd3de1137", + "zh:4497661a09ebbde569cec8d86db848ef159c7bbc5fcf21c2602d18e471604f7d", + "zh:5b03de967142d8a84710fd75d926f6293ec917685de66457c704cfc64b6bef26", + "zh:6a33f8aecd02689d89963554470a9ae704a7ae481ebabc3d7571d589b4febc37", + "zh:6e1d3e0acf2e006578ace24a38ba93b98469e0c280fb97acae40b2d2a4ec81cb", + 
"zh:86174e6940a4a66ad26cb88f38f68a17b8d56bf0139bc156d50e2e064a5614ef", + "zh:929370d7710e1669b0a3d386f5722280b0ff720185c6f0822432ab4cb1098cce", + "zh:9e1c0ed9530ae75c555b0f84cb0430ee03fbceb9f0726bcecc1ae1276d871be7", + "zh:bf39753d4e518857a0e149f9a5d9c034a42247114ac10582ccc24713c7b73836", + "zh:d3f6240beab52ada658314626cae16089b5a46a91a0573a2e10332bbc8873078", + "zh:e66dead39a840833386aebf2131db40b52b5d134792a0a7ec23ef69e2ef4833e", + "zh:ea22ce26f6bd4f3a8eba56a9af5ee166343a88e2769571174098f659e0ac64af", + ] +} diff --git a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml index abab2f7383..84f145a2e5 100644 --- a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml +++ b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml @@ -52,6 +52,16 @@ spec: ## BEGIN FLEET SECTION - name: FLEET_SERVER_SANDBOX_ENABLED value: "1" + - name: FLEET_LICENSE_ENFORCE_HOST_LIMIT + value: "true" + {{- if ne .Values.packaging.enrollSecret "" }} + - name: FLEET_PACKAGING_GLOBAL_ENROLL_SECRET + value: "{{ .Values.packaging.enrollSecret }}" + - name: FLEET_PACKAGING_S3_BUCKET + value: "{{ .Values.packaging.s3.bucket }}" + - name: FLEET_PACKAGING_S3_PREFIX + value: "{{ .Values.packaging.s3.prefix }}" + {{- end }} - name: FLEET_SERVER_ADDRESS value: "0.0.0.0:{{ .Values.fleet.listenPort }}" - name: FLEET_AUTH_BCRYPT_COST diff --git a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml index 3ede79179b..ecbca5f593 100644 --- a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml +++ b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml 
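Review bot: `FLEET_PACKAGING_GLOBAL_ENROLL_SECRET` is rendered as a literal `value:` in the Deployment spec, so the enroll secret is readable by anyone allowed to get or describe the Deployment or its pods and is kept in every stored revision of the manifest; the bucket and prefix entries next to it are fine as plain values. Source it from a Kubernetes Secret via `valueFrom.secretKeyRef` instead, with a Secret template populated from `.Values.packaging.enrollSecret` (that template would live in another file, outside this hunk), keeping the existing `{{- if ne .Values.packaging.enrollSecret "" }}` guard around the whole group. The enclosing `env:` list continues outside the hunk on both sides.
```yaml
          {{- if ne .Values.packaging.enrollSecret "" }}
          - name: FLEET_PACKAGING_GLOBAL_ENROLL_SECRET
            valueFrom:
              secretKeyRef:
                name: <packaging-secret-name>  # placeholder: Secret created from .Values.packaging.enrollSecret
                key: enrollSecret
          # … unchanged: FLEET_PACKAGING_S3_BUCKET and FLEET_PACKAGING_S3_PREFIX entries …
          {{- end }}
```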
@@ -9,6 +9,11 @@ imageTag: v4.12.0 # Version of Fleet to deploy createNamespace: false # Whether or not to automatically create the Namespace createIngress: true # Whether or not to automatically create an Ingress ingressAnnotations: {} # Additional annotation to add to the Ingress +packaging: + enrollSecret: "" + s3: + bucket: "" + prefix: "" podLabels: {} # Additional labels to add to the Fleet pod podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account diff --git a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf index 76c1a9f85a..03f8a3f0df 100644 --- a/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf +++ b/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf @@ -48,6 +48,12 @@ variable "redis_address" {} variable "redis_database" {} variable "lifecycle_table" {} variable "base_domain" {} +variable "enroll_secret" {} +variable "installer_bucket" {} +variable "installer_bucket_arn" {} +variable "oidc_provider_arn" {} +variable "oidc_provider" {} +variable "kms_key_arn" {} resource "mysql_user" "main" { user = terraform.workspace 
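Review bot: The new `packaging` keys are the only entries in this block without the trailing `# ...` comment every neighbouring key carries, and nothing states what an empty `enrollSecret` means even though the deployment template in this commit omits all three packaging env vars when it is `""`. Suggested: `enrollSecret: "" # Global enroll secret used for installer generation; empty disables the packaging env vars`, `bucket: "" # S3 bucket installers are written to` and `prefix: "" # Key prefix inside that bucket`.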
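Review bot: `variable "enroll_secret" {}` is declared like the other new inputs although it carries a credential, so its value appears in plan and apply output wherever it is referenced; declare it as `variable "enroll_secret" { sensitive = true }` so Terraform redacts it and everything derived from it. The other five additions (`installer_bucket`, `installer_bucket_arn`, `oidc_provider_arn`, `oidc_provider`, `kms_key_arn`) are identifiers rather than secrets and can stay as written. None of the variables in this block has a `description`, which would make that distinction visible to the next reader; the variable list continues outside the hunk.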
@@ -152,6 +158,83 @@ resource "helm_release" "main" {
 name = "imageTag"
 value = "main"
 }
+
+ set {
+ name = "packaging.enrollSecret"
+ value = var.enroll_secret
+ }
+
+ set {
+ name = "packaging.s3.bucket"
+ value = var.installer_bucket
+ }
+
+ set {
+ name = "packaging.s3.prefix"
+ value = terraform.workspace
+ }
+
+ set {
+ name = "serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
+ value = aws_iam_role.main.arn
+ }
+}
+
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "s3:*Object",
+ "s3:ListBucket",
+ ]
+ resources = [
+ var.installer_bucket_arn,
+ "${var.installer_bucket_arn}/${terraform.workspace}/*"
+ ]
+ }
+ statement {
+ actions = [
+ "kms:DescribeKey",
+ "kms:GenerateDataKey",
+ "kms:Decrypt",
+ ]
+ resources = [var.kms_key_arn]
+ }
+}
+
+resource "aws_iam_policy" "main" {
+ name = terraform.workspace
+ policy = data.aws_iam_policy_document.main.json
+}
+
+resource "aws_iam_role_policy_attachment" "main" {
+ role = aws_iam_role.main.id
+ policy_arn = aws_iam_policy.main.arn
+}
+
+data "aws_iam_policy_document" "main-assume-role" {
+ statement {
+ principals {
+ type = "Federated"
+ identifiers = [var.oidc_provider_arn]
+ }
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ condition {
+ test = "StringEquals"
+ variable = "${var.oidc_provider}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "${var.oidc_provider}:sub"
+ values = ["system:serviceaccount:default:${terraform.workspace}"]
+ }
+ }
+}
+
+resource "aws_iam_role" "main" {
+ name_prefix = terraform.workspace
+ path = "/sandbox/"
+ assume_role_policy = data.aws_iam_policy_document.main-assume-role.json
 }
 
 resource "aws_dynamodb_table_item" "main" {
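Review bot: The first `statement` in `data "aws_iam_policy_document" "main"` grants `s3:ListBucket` on the whole `var.installer_bucket_arn` with no `s3:prefix` condition, so one workspace's service account can enumerate every other workspace's installer keys in the shared bucket even though object access is correctly confined to `${terraform.workspace}/*`; `s3:*Object` in the same list also sweeps in `s3:DeleteObject` and any future action matching that wildcard. Split it into a ListBucket statement constrained to the workspace prefix and an object statement on the prefix alone, as below; whether the object actions can be narrowed beyond `s3:*Object` depends on what the Go side of this commit calls, which is not visible in this chunk. Separately, the `set { name = "packaging.enrollSecret" value = var.enroll_secret }` block at the top of the hunk passes the credential through a plain `set`; the helm provider's `set_sensitive` block takes the same `name`/`value` arguments and keeps the value out of plan output. The trust policy's `aud` and `sub` conditions look right for IRSA.
```hcl
data "aws_iam_policy_document" "main" {
  # Listing is scoped to this workspace's prefix so other tenants' installer
  # keys in the shared bucket are not enumerable from this service account.
  statement {
    actions   = ["s3:ListBucket"]
    resources = [var.installer_bucket_arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${terraform.workspace}/*"]
    }
  }
  # Object access stays limited to the workspace prefix, as before.
  statement {
    actions   = ["s3:*Object"]
    resources = ["${var.installer_bucket_arn}/${terraform.workspace}/*"]
  }
  # … unchanged: kms statement …
}
```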
@@ -161,7 +244,7 @@ resource "aws_dynamodb_table_item" "main" { item = < unclaimed -> claimed -> [destroyed] +``` +provisioned means an instance was "terraform apply'ed" but no installers were generated. +unclaimed means its ready for a customer. claimed means its already in use by a customer. [destroyed] isn't a state you'll see in dynamodb, but it means that everything has been torn down. ### Bugs 1. module.shared-infrastructure.kubernetes_manifest.targetgroupbinding is bugged sometimes, if it gives issues just comment it out 1. on a fresh apply, module.shared-infrastructure.aws_acm_certificate.main will have to be targeted first, then a normal apply can follow 1. If errors happen, see if applying again will fix it +1. There is a secret for apple signing whos values are not provided by this code. If you destroy/apply this secret, then it will have to be filled in manually. ### Maintenance commands #### Referesh fleet instances @@ -29,3 +31,11 @@ for i in $((aws dynamodb scan --table-name sandbox-prod-lifecycle | jq -r '.Item ```bash for i in $(aws dynamodb scan --table-name sandbox-prod-lifecycle | jq -r '.Items[] | select(.State.S == "provisioned") | .ID.S'); do helm uninstall $i; aws dynamodb delete-item --table-name sandbox-prod-lifecycle --key "{\"ID\": {\"S\": \"${i}\"}}"; done ``` + +### TODOs +1. JITProvisioner needs to return proper errors +1. Create and use a different kms key for installers +1. Sane scale levels for prod +1. Allow for parallel spinup of sandbox instances (preprovisioner) +1. https://redis.io/commands/flushdb/ during the teardown process +1. name state machines something random and track the new name in dynamodb