mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
# Fleet Terraform Module Example
This code provides some example usage of the Fleet Terraform module, including how some addons can be used to extend functionality. Prior to applying, edit the locals in main.tf to match the settings you want for your Fleet instance including:
- domain name
- route53 zone name (may match the domain name)
- license key (if premium)
- uncommenting the mdm module if mdm is desired
- any extra settings to be passed to Fleet via ENV var.
Due to Terraform issues, this code requires 3 applies "from scratch":

1. `terraform apply -target module.fleet.module.vpc`
2. `terraform apply -target module.osquery-carve -target module.firehose-logging`
3. If using a new route53 zone:
   - `terraform apply -target aws_route53_zone.main`
   - From the output, obtain the NS records created for the zone and add them to the parent DNS zone
4. If enabling mdm:
   - `terraform apply -target module.mdm`. It will need to be uncommented as well as the KMS section below it.
5. `terraform apply -target module.fleet`
6. `terraform apply`
7. If enabling mdm do the following:
   - Record the KMS key from step 5 output.
   - Use `fleetctl` to obtain all of the mdm certs. Use https://fleetdm.com/docs/using-fleet/mdm-macos-setup#apple-push-notification-service-apns and https://fleetdm.com/docs/using-fleet/mdm-setup#apple-business-manager-abm for reference.
   - Place the certificates in the `resources` folder with the following names based upon their function:
     - `scep.crt`
     - `scep.key`
     - `apns.crt`
     - `apns.key`
     - `abm.crt`
     - `abm.key`
     - `abm_token.p7m`
   - Using the `encrypt.sh` script, KMS encrypt all of these secrets as follows:

     ```sh
     cd resources
     for i in *; do ../scripts/encrypt.sh <kms-key-id-from-terraform-output> $i $i.encrypted; done
     for i in *.encrypted; do rm ${i/.encrypted/}; done
     ```

     This will encrypt all of the mdm secrets and add the `.encrypted` extension to them. It will also remove the non-encrypted version of the secrets so that they are encrypted at rest even locally.
   - Uncomment all of the resources and data sources in `mdm-secrets.tf`.
   - Re-run `terraform apply` to populate the Secrets Manager secrets.
   - Uncomment the sections in the `fleet_config` portion of `main.tf` for mdm and run a final `terraform apply`. Services will restart with mdm enabled.
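The two-line encrypt loop above deletes every plaintext file regardless of whether its encryption succeeded, and re-encrypts `*.encrypted` files if run twice. A more defensive form of that step, added here as an example and not part of the project's scripts: it skips files that already have a ciphertext counterpart, removes a plaintext secret only after its `.encrypted` file exists and is non-empty, and reports anything still left in the clear. It assumes the encryptor is called as `encrypt.sh <kms-key-id> <in> <out>`, exactly as in the loop above; the encryptor path is a parameter so the logic can be exercised with a stand-in.

```shell
#!/usr/bin/env bash
# Added example, not the project's encrypt.sh. Assumes the encryptor is
# invoked as: <encryptor> <kms-key-id> <plaintext-file> <output-file>,
# the same calling convention as ../scripts/encrypt.sh in the steps above.
set -eu

# encrypt_secrets_dir <dir> <kms-key-id> [encryptor]
# Encrypts each regular file in <dir> that is not itself *.encrypted and has
# no non-empty *.encrypted counterpart yet. The plaintext is removed only
# after the ciphertext file exists and is non-empty. Prints the number of
# files encrypted; returns non-zero if any encryption failed.
encrypt_secrets_dir() {
  local dir="$1" key_id="$2" encryptor="${3:-../scripts/encrypt.sh}"
  local f out count=0 failed=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue                  # skip directories and unmatched globs
    case "$f" in *.encrypted) continue ;; esac
    out="$f.encrypted"
    if [ -s "$out" ]; then                   # already encrypted on an earlier run
      continue
    fi
    if "$encryptor" "$key_id" "$f" "$out" && [ -s "$out" ]; then
      rm -f -- "$f"                          # plaintext goes away only after success
      count=$((count + 1))
    else
      rm -f -- "$out"                        # never leave an empty or partial ciphertext
      echo "encrypt failed, plaintext kept: $f" >&2
      failed=1
    fi
  done
  echo "$count"
  return "$failed"
}

# list_plaintext_leftovers <dir>
# Prints the base names of files in <dir> that still lack a non-empty
# *.encrypted counterpart, i.e. secrets that are still stored in the clear.
list_plaintext_leftovers() {
  local f
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.encrypted) continue ;; esac
    [ -s "$f.encrypted" ] || basename "$f"
  done
}
```

Run `list_plaintext_leftovers resources` before committing the directory; empty output means every secret has an encrypted counterpart.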
## Requirements
| Name | Version |
|---|---|
| aws | 5.36.0 |
## Providers
| Name | Version |
|---|---|
| aws | 5.36.0 |
## Modules
| Name | Source | Version |
|---|---|---|
| acm | terraform-aws-modules/acm/aws | 4.3.1 |
| firehose-logging | github.com/fleetdm/fleet//terraform/addons/logging-destination-firehose | tf-mod-addon-logging-destination-firehose-v1.1.0 |
| fleet | github.com/fleetdm/fleet//terraform | tf-mod-root-v1.7.3 |
| migrations | github.com/fleetdm/fleet//terraform/addons/migrations | tf-mod-addon-migrations-v2.0.0 |
| osquery-carve | github.com/fleetdm/fleet//terraform/addons/osquery-carve | tf-mod-addon-osquery-carve-v1.0.1 |
## Resources
| Name | Type |
|---|---|
| aws_route53_record.main | resource |
| aws_route53_zone.main | resource |
## Inputs
No inputs.
## Outputs
| Name | Description |
|---|---|
| route53_name_servers | Ensure that these records are added to the parent DNS zone. Delete this output if you switched the route53 zone above to a data source. |