Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 30
fleet/infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf
Zachary Winnerman 4b6da3dd62
bump version (#10216) 
# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-03-01 13:03:03 -05:00

269 lines
5.5 KiB
HCL
Raw Blame History

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.10.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.1.2"
}
mysql = {
source = "petoju/mysql"
version = "3.0.12"
}
helm = {
source = "hashicorp/helm"
version = "2.5.1"
}
}
backend "s3" {}
}
provider "helm" {
kubernetes {
host = data.aws_eks_cluster.cluster.endpoint
token = data.aws_eks_cluster_auth.cluster.token
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
}
}
data "aws_eks_cluster" "cluster" {
name = var.eks_cluster
}
data "aws_eks_cluster_auth" "cluster" {
name = var.eks_cluster
}
provider "mysql" {
endpoint = jsondecode(data.aws_secretsmanager_secret_version.mysql.secret_string)["endpoint"]
username = jsondecode(data.aws_secretsmanager_secret_version.mysql.secret_string)["username"]
password = jsondecode(data.aws_secretsmanager_secret_version.mysql.secret_string)["password"]
}
variable "mysql_secret" {}
variable "eks_cluster" {}
variable "redis_address" {}
variable "redis_database" {}
variable "lifecycle_table" {}
variable "base_domain" {}
variable "enroll_secret" {}
variable "installer_bucket" {}
variable "installer_bucket_arn" {}
variable "oidc_provider_arn" {}
variable "oidc_provider" {}
variable "kms_key_arn" {}
variable "ecr_url" {}
resource "mysql_user" "main" {
user = terraform.workspace
host = "%"
plaintext_password = random_password.db.result
}
resource "mysql_database" "main" {
name = terraform.workspace
}
resource "mysql_grant" "main" {
user = mysql_user.main.user
database = mysql_database.main.name
host = "%"
privileges = ["ALL"]
}
data "aws_secretsmanager_secret_version" "mysql" {
secret_id = var.mysql_secret
}
resource "random_password" "db" {
length = 8
}
resource "random_integer" "cron_offset" {
min = 0
max = 14
}
resource "helm_release" "main" {
name = terraform.workspace
chart = "${path.module}/fleet"
set {
name = "fleetName"
value = terraform.workspace
}
set {
name = "mysql.password"
value = random_password.db.result
}
set {
name = "mysql.createSecret"
value = true
}
set {
name = "mysql.secretName"
value = terraform.workspace
}
set {
name = "mysql.username"
value = mysql_user.main.user
}
set {
name = "mysql.database"
value = terraform.workspace
}
set {
name = "mysql.address"
value = jsondecode(data.aws_secretsmanager_secret_version.mysql.secret_string)["endpoint"]
}
set {
name = "fleet.tls.enabled"
value = false
}
set {
name = "redis.address"
value = var.redis_address
}
set {
name = "redis.database"
value = var.redis_database
}
set {
name = "kubernetes.io/ingress.class"
value = "nginx"
}
set {
name = "hostName"
value = "${terraform.workspace}.${var.base_domain}"
}
set {
name = "ingressAnnotations.kubernetes\\.io/ingress\\.class"
value = "haproxy"
}
set {
name = "replicas"
value = "1"
}
set {
name = "imageTag"
value = "v4.26.0-3"
}
set {
name = "imageRepo"
value = var.ecr_url
}
set {
name = "packaging.enrollSecret"
value = var.enroll_secret
}
set {
name = "packaging.s3.bucket"
value = var.installer_bucket
}
set {
name = "packaging.s3.prefix"
value = terraform.workspace
}
set {
name = "serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
value = aws_iam_role.main.arn
}
set {
name = "crons.vulnerabilities"
value = "${random_integer.cron_offset.result}\\,${random_integer.cron_offset.result + 15}\\,${random_integer.cron_offset.result + 30}\\,${random_integer.cron_offset.result + 45} * * * *"
}
}
data "aws_iam_policy_document" "main" {
statement {
actions = [
"s3:*Object",
"s3:ListBucket",
]
resources = [
var.installer_bucket_arn,
"${var.installer_bucket_arn}/${terraform.workspace}/*"
]
}
statement {
actions = [
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:Decrypt",
]
resources = [var.kms_key_arn]
}
}
resource "aws_iam_policy" "main" {
name = terraform.workspace
policy = data.aws_iam_policy_document.main.json
}
resource "aws_iam_role_policy_attachment" "main" {
role = aws_iam_role.main.id
policy_arn = aws_iam_policy.main.arn
}
data "aws_iam_policy_document" "main-assume-role" {
statement {
principals {
type = "Federated"
identifiers = [var.oidc_provider_arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${var.oidc_provider}:aud"
values = ["sts.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "${var.oidc_provider}:sub"
values = ["system:serviceaccount:default:${terraform.workspace}"]
}
}
}
resource "aws_iam_role" "main" {
name_prefix = terraform.workspace
path = "/sandbox/"
assume_role_policy = data.aws_iam_policy_document.main-assume-role.json
}
resource "aws_dynamodb_table_item" "main" {
table_name = var.lifecycle_table
hash_key = "ID"
item = <<ITEM
{
"ID": {"S": "${terraform.workspace}"},
"State": {"S": "provisioned"},
"redis_db": {"N": "${var.redis_database}"}
}
ITEM
depends_on = [helm_release.main]
}
Reference in a new issue View git blame Copy permalink