Add cloudfront to dogfood (#26962)
This commit is contained in:
parent
e7d6a36c2c
commit
f32f80261a
4 changed files with 60 additions and 34 deletions
2
.github/workflows/dogfood-deploy.yml
vendored
2
.github/workflows/dogfood-deploy.yml
vendored
|
|
@ -34,6 +34,8 @@ env:
|
|||
TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}
|
||||
TF_VAR_dogfood_sidecar_enroll_secret: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
|
||||
TF_VAR_android_service_credentials: ${{ secrets.FLEET_DEV_ANDROID_SERVICE_CREDENTIALS }}
|
||||
TF_VAR_cloudfront_public_key: ${{ secrets.CLOUDFRONT_SIGNING_PUBLIC_KEY }}
|
||||
TF_VAR_cloudfront_private_key: ${{ secrets.CLOUDFRONT_SIGNING_PRIVATE_KEY }}
|
||||
|
||||
permissions:
|
||||
id-token: write
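Review bot: The CloudFront signing private key is exported as `TF_VAR_cloudfront_private_key` in what appears to be the workflow-level `env:` block (hunk header `@ -34,6 +34,8 @@ env:`), so the key material is injected into every job and step of this workflow rather than only the step that runs Terraform. GitHub masks the secret value in logs, but any step that dumps its environment or runs a third-party action still receives the key. Consider moving the two `TF_VAR_cloudfront_*` entries (and ideally the other secret-backed `TF_VAR_*` lines already there) to the `env:` of the Terraform plan/apply step. The enclosing `env:` block starts above this hunk, so the placement is inferred from the header.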
|
||||
|
|
|
|||
|
|
@ -21,25 +21,25 @@ provider "registry.terraform.io/hashicorp/archive" {
|
|||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/aws" {
|
||||
version = "5.82.2"
|
||||
constraints = ">= 2.67.0, >= 3.0.0, >= 4.6.0, >= 4.8.0, >= 4.9.0, >= 4.18.0, >= 4.27.0, >= 4.30.0, >= 4.40.0, >= 5.0.0, ~> 5.0"
|
||||
version = "5.90.0"
|
||||
constraints = ">= 2.67.0, >= 3.0.0, >= 4.6.0, >= 4.8.0, >= 4.9.0, >= 4.18.0, >= 4.27.0, >= 4.30.0, >= 4.40.0, >= 4.52.0, >= 5.0.0, ~> 5.0, >= 5.83.0"
|
||||
hashes = [
|
||||
"h1:ce6Dw2y4PpuqAPtnQ0dO270dRTmwEARqnfffrE1VYJ8=",
|
||||
"zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8",
|
||||
"zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b",
|
||||
"zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3",
|
||||
"zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470",
|
||||
"zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724",
|
||||
"h1:cJ3ab7uBP0NmD+LzxHK63ZG1o9nIppAjt6c0OafGKPw=",
|
||||
"zh:0ed246595c4ffb3ea3649528ff171503db208fb20be5f750b8e359d17ee72b60",
|
||||
"zh:1d5c500913b5df0fbf5e8143354aecc736cc4e66d58d4ab17deb24b721ab743a",
|
||||
"zh:337f3511335e6e32431548913d1973ae077d1a4c2f77677675c92c60cd2f5e0a",
|
||||
"zh:624762ff78819aee434d6c3e6c79eb93c91060be2df4f45f9014272a60b5d608",
|
||||
"zh:7f4ab9bcd667e38b7d7b7aa1068535f01eef3656ecd422acccbe8238d377a15a",
|
||||
"zh:84542ce0403cacee245c1a159169cc0ddb965d7d734216f9eb0bb3ff0a0bae36",
|
||||
"zh:85dd27e39f2c3ab13cb5c02236b810893bd90ec6da33fabaa7ab6d116accfa10",
|
||||
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
|
||||
"zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733",
|
||||
"zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096",
|
||||
"zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7",
|
||||
"zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde",
|
||||
"zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8",
|
||||
"zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a",
|
||||
"zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b",
|
||||
"zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3",
|
||||
"zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069",
|
||||
"zh:a0cf76959ade91958b08d186f5bcdc403395fa635f21912464da40bc7a5db4ff",
|
||||
"zh:a9a48f9f7f4122b6a44b7273b4cc54020887f7346f50286d7da1278cca2ee952",
|
||||
"zh:c119b826e334aac2d03ea561774dad536ccd6449e2a4f42b3af100623ae02679",
|
||||
"zh:d4204ca7f1295732660c70db4ea04c3ae1f7e1ac82c0ec9d0dc549493bc45e7a",
|
||||
"zh:d95f89181d12ebab1b1f964274d29795e1e6e2d112ea97caffd8a7f1326a922d",
|
||||
"zh:e529c7be1037f1a9a733fc0bcbbdcc58fc44f85ed343f891e5c584b2ef56fd5c",
|
||||
"zh:e541c135514a6727f20410a9a52c06cb71b4ddadaf2a41da28d599fb1c442845",
|
||||
]
|
||||
}
|
||||
|
||||
|
|
@ -104,22 +104,22 @@ provider "registry.terraform.io/hashicorp/null" {
|
|||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/random" {
|
||||
version = "3.6.3"
|
||||
version = "3.7.1"
|
||||
constraints = ">= 2.2.0"
|
||||
hashes = [
|
||||
"h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=",
|
||||
"zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451",
|
||||
"zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8",
|
||||
"zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe",
|
||||
"zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1",
|
||||
"zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36",
|
||||
"zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e",
|
||||
"h1:t152MY0tQH4a8fLzTtEWx70ITd3azVOrFDn/pQblbto=",
|
||||
"zh:3193b89b43bf5805493e290374cdda5132578de6535f8009547c8b5d7a351585",
|
||||
"zh:3218320de4be943e5812ed3de995946056db86eb8d03aa3f074e0c7316599bef",
|
||||
"zh:419861805a37fa443e7d63b69fb3279926ccf98a79d256c422d5d82f0f387d1d",
|
||||
"zh:4df9bd9d839b8fc11a3b8098a604b9b46e2235eb65ef15f4432bde0e175f9ca6",
|
||||
"zh:5814be3f9c9cc39d2955d6f083bae793050d75c572e70ca11ccceb5517ced6b1",
|
||||
"zh:63c6548a06de1231c8ee5570e42ca09c4b3db336578ded39b938f2156f06dd2e",
|
||||
"zh:697e434c6bdee0502cc3deb098263b8dcd63948e8a96d61722811628dce2eba1",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30",
|
||||
"zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615",
|
||||
"zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad",
|
||||
"zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556",
|
||||
"zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0",
|
||||
"zh:a0b8e44927e6327852bbfdc9d408d802569367f1e22a95bcdd7181b1c3b07601",
|
||||
"zh:b7d3af018683ef22794eea9c218bc72d7c35a2b3ede9233b69653b3c782ee436",
|
||||
"zh:d63b911d618a6fe446c65bfc21e793a7663e934b2fef833d42d3ccd38dd8d68d",
|
||||
"zh:fa985cd0b11e6d651f47cff3055f0a9fd085ec190b6dbe99bf5448174434cdea",
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -98,6 +98,7 @@ data "aws_iam_policy_document" "gha-permissions" {
|
|||
"ses:*",
|
||||
"wafv2:*",
|
||||
"events:*",
|
||||
"cloudfront:*",
|
||||
]
|
||||
resources = ["*"]
|
||||
}
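Review bot: `"cloudfront:*"` combined with `resources = ["*"]` gives the GitHub Actions deploy role full control of every CloudFront distribution, public key and key group in the account, which is broader than the single signed-URL addon this commit wires up presumably needs. It follows the surrounding wildcard entries (`ses:*`, `wafv2:*`, `events:*`), so this is a pattern issue rather than a regression, but CloudFront is where the signed-URL trust root lives: a compromised deploy token could register its own public key or retarget the distribution. If tightening is out of scope for this change, a comment such as `# TODO(least-privilege): replace with the explicit cloudfront:* actions the cloudfront-software-installers addon needs` next to the entry would at least record the intent. The enclosing `data "aws_iam_policy_document" "gha-permissions"` block starts above and ends below this hunk.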
|
||||
|
|
|
|||
|
|
@ -42,6 +42,8 @@ variable "fleet_calendar_periodicity" {
|
|||
}
|
||||
variable "android_service_credentials" {}
|
||||
variable "dogfood_sidecar_enroll_secret" {}
|
||||
variable "cloudfront_public_key" {}
|
||||
variable "cloudfront_private_key" {}
|
||||
|
||||
data "aws_caller_identity" "current" {}
|
||||
|
||||
|
|
@ -72,7 +74,7 @@ locals {
|
|||
}
|
||||
|
||||
module "main" {
|
||||
source = "github.com/fleetdm/fleet-terraform?ref=tf-mod-root-v1.12.0"
|
||||
source = "github.com/fleetdm/fleet-terraform?ref=tf-mod-root-v1.13.0"
|
||||
certificate_arn = module.acm.acm_certificate_arn
|
||||
vpc = {
|
||||
name = local.customer
|
||||
|
|
@ -128,7 +130,6 @@ module "main" {
|
|||
}
|
||||
}
|
||||
extra_iam_policies = concat(module.firehose-logging.fleet_extra_iam_policies, module.osquery-carve.fleet_extra_iam_policies, module.ses.fleet_extra_iam_policies)
|
||||
extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies, [aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn]) #, module.saml_auth_proxy.fleet_extra_execution_policies)
|
||||
extra_environment_variables = merge(
|
||||
module.firehose-logging.fleet_extra_environment_variables,
|
||||
module.osquery-carve.fleet_extra_environment_variables,
|
||||
|
|
@ -137,7 +138,16 @@ module "main" {
|
|||
module.geolite2.extra_environment_variables,
|
||||
module.vuln-processing.extra_environment_variables
|
||||
)
|
||||
extra_secrets = merge(module.mdm.extra_secrets, local.sentry_secrets)
|
||||
extra_execution_iam_policies = concat(
|
||||
module.mdm.extra_execution_iam_policies,
|
||||
[aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn],
|
||||
module.cloudfront-software-installers.extra_execution_iam_policies,
|
||||
) #, module.saml_auth_proxy.fleet_extra_execution_policies)
|
||||
extra_secrets = merge(
|
||||
module.mdm.extra_secrets,
|
||||
local.sentry_secrets,
|
||||
module.cloudfront-software-installers.extra_secrets
|
||||
)
|
||||
private_key_secret_name = "${local.customer}-fleet-server-private-key"
|
||||
# extra_load_balancers = [{
|
||||
# target_group_arn = module.saml_auth_proxy.lb_target_group_arn
|
||||
|
|
@ -146,6 +156,8 @@ module "main" {
|
|||
# }]
|
||||
software_installers = {
|
||||
bucket_prefix = "${local.customer}-software-installers-"
|
||||
create_kms_key = true
|
||||
kms_alias = "${local.customer}-software-installers"
|
||||
}
|
||||
# sidecars = [
|
||||
# {
|
||||
|
|
@ -419,7 +431,7 @@ module "monitoring" {
|
|||
}
|
||||
|
||||
module "logging_alb" {
|
||||
source = "github.com/fleetdm/fleet-terraform//addons/logging-alb?ref=tf-mod-addon-logging-alb-v1.2.0"
|
||||
source = "github.com/fleetdm/fleet-terraform//addons/logging-alb?ref=tf-mod-addon-logging-alb-v1.3.0"
|
||||
prefix = local.customer
|
||||
enable_athena = true
|
||||
}
|
||||
|
|
@ -616,3 +628,14 @@ resource "aws_iam_policy" "osquery_sidecar" {
|
|||
description = "IAM policy that Osquery sidecar containers use to define access to AWS resources"
|
||||
policy = data.aws_iam_policy_document.osquery_sidecar.json
|
||||
}
|
||||
|
||||
module "cloudfront-software-installers" {
|
||||
source = "github.com/fleetdm/fleet-terraform/addons/cloudfront-software-installers?ref=tf-mod-addon-cloudfront-software-installers-v1.0.0"
|
||||
customer = local.customer
|
||||
s3_bucket = module.main.byo-vpc.byo-db.byo-ecs.fleet_s3_software_installers_config.bucket_name
|
||||
s3_kms_key_id = module.main.byo-vpc.byo-db.byo-ecs.fleet_s3_software_installers_config.kms_key_id
|
||||
public_key = var.cloudfront_public_key
|
||||
private_key = var.cloudfront_private_key
|
||||
enable_logging = true
|
||||
logging_s3_bucket = module.logging_alb.log_s3_bucket_id
|
||||
}
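Review bot: `variable "cloudfront_private_key" {}` in the first hunk is declared without `sensitive = true`, so Terraform will not redact the value if it is ever rendered in plan/apply output or flows into a non-sensitive attribute downstream; `variable "cloudfront_private_key" { sensitive = true }` is the one-line fix (the same applies to `dogfood_sidecar_enroll_secret` and `android_service_credentials`, which predate this commit). Independently of that flag, the key still lands in plaintext in the Terraform state because the module receives it as a plain input (`private_key = var.cloudfront_private_key` in the last hunk), so the state backend's encryption and access policy is what actually protects the signing key — worth stating in a comment next to the variable. Also, `logging_s3_bucket = module.logging_alb.log_s3_bucket_id` reuses the ALB log bucket for CloudFront logs; CloudFront standard logging needs that bucket to accept ACL-based writes, and I cannot tell from here whether the `logging-alb` v1.3.0 bump provides that, so confirm before the first apply.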
|
||||
|
|
|
|||