bfe3b186d3
For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed. |
||
|---|---|---|
| .. | ||
| fleetdm_client | ||
| provider | ||
| tf | ||
| .gitignore | ||
| generator.yaml | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
| Makefile | ||
| openapi.json | ||
| README.md | ||
Terraform Provider for FleetDM Teams
This is a Terraform provider for managing FleetDM teams. When you have 100+ teams in FleetDM, and manually managing them is not feasible. The primary setting of concern is the team's "agent options" which consists of some settings and command line flags. These (potentially dangerously) configure FleetDM all machines.
Usage
All the interesting commands are in the Makefile. If you just want
to use the thing, see make install and make apply.
Note that if you run terraform apply in the tf directory, it won't
work out of the box. That's because you need to set the
TF_CLI_CONFIG_FILE environment variable to point to a file that
enables local development of this provider. The Makefile does this
for you.
Future work: actually publish this provider.
Development
Code Generation
See make gen. It will create team_resource_gen.go, which defines
the types that Terraform knows about. This is automatically run
when you run make install.
Running locally
See make plan and make apply.
Running Tests
You probably guessed this. See make test. Note that these tests
require a FleetDM server to be running. The tests will create teams
and delete them when they're done. The tests also require a valid
FleetDM API token to be in the FLEETDM_APIKEY environment variable.
Debugging locally
The basic idea is that you want to run the provider in a debugger. When terraform normally runs, it will execute the provider a few times in the course of operations. What you want to do instead is to run the provider in debug mode and tell terraform to contact it.
To do this, you need to start the provider with the -debug flag
inside a debugger. You'll also need to give it the FLEETDM_APIKEY
environment variable. The provider will print out a big environment
variable that you can copy and paste to your command line.
When you run terraform apply or the like, you'll invoke it with
that big environment variable. It'll look something like
TF_REATTACH_PROVIDERS='{"fleetdm.com/tf/fleetdm":{"Protocol":"grpc","ProtocolVersion":6,"Pid":33644,"Test":true,"Addr":{"Network":"unix","String":"/var/folders/32/xw2p1jtd4w10hpnsyrb_4nmm0000gq/T/plugin771405263"}}}' terraform apply
With this magic, terraform will look to your provider that's running in a debugger. You get breakpoints and the goodness of a debugger.