diff --git a/README.md b/README.md index a707d9196b7c54105eb69322b618f5057bf57530..11e33fd31aed5b2d2ee08909298dfa1a3c9446cb 100644 --- a/README.md +++ b/README.md 
@@ -29,14 +29,18 @@ Find out more about adaptive applications on [F5's Website](https://www.f5.com/c ## Resource Inventory -| Resource | Description | Used By | -|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------| -| [F5 NGINX Management Suite](resources/f5-nginx-management-suite) | Terraform and Ansible artifacts to deploy F5 NGINX Management Suite to virtual machines | [Deploy API to NGINX Management Suite](solutions/deploy-api-to-f5-nginx-management-suite) | -| [F5 DistributedCloud & AWS EKS](resources/f5xc-vk8s-mk8s-nlb/) | Deployment instructions and artifacts to demonstrate Kubernetes multi-cluster resiliency | [Multi-Cluster Application Resilience](solutions/k8s-mutlicluster-resilency/) | -| [F5 NGINX & AWS EKS](resources/terraform/aws-eks-nginx-kic/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using NGINX & EKS | TBA | -| [F5 BIG-IP CIS & AWS EKS](resources/terraform/aws-eks-cbip-cis/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using F5 BIG-IP CIS & EKS | TBA | -| [F5 IngressLink & AWS EKS](resources/terraform/aws-eks-cbip-ingresslink/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using F5 BIG-IP/NGINX IngressLink & EKS | TBA | -| [F5 DistributedCloud](resources/terraform/f5xc-icap/) | Deployment instructions and artifacts to demonstrate clamAV ICAP vk8s deployment to F5XC | TBA | +| Resource | Description | Used By | +|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------| +| [F5 NGINX Management Suite](resources/f5-nginx-management-suite) | 
Terraform & Ansible artifacts to deploy F5 NGINX Management Suite to virtual machines | [Deploy API to NGINX Management Suite](solutions/deploy-api-to-f5-nginx-management-suite) | +| [F5 DistributedCloud & AWS EKS](resources/f5xc-vk8s-mk8s-nlb/) | Deployment instructions & artifacts to deploy Kubernetes multi-cluster resiliency | [Multi-Cluster Application Resilience](solutions/k8s-mutlicluster-resilency/) | +| [F5 NGINX & AWS EKS](resources/terraform/aws-eks-nginx-kic/) | Deployment instructions & artifacts to deploy OpenTelemetry using NGINX & EKS | TBA | +| [F5 BIG-IP CIS & AWS EKS](resources/terraform/aws-eks-cbip-cis/) | Deployment instructions & artifacts to deploy OpenTelemetry using F5 BIG-IP CIS & EKS | TBA | +| [F5 IngressLink & AWS EKS](resources/terraform/aws-eks-cbip-ingresslink/) | Deployment instructions & artifacts to deploy OpenTelemetry using F5 BIG-IP/NGINX IngressLink & EKS | TBA | +| [F5 DistributedCloud RE's](resources/terraform/f5xc-icap/) | Deployment instructions & artifacts to deploy clamAV ICAP vk8s deployment to F5XC for RE's | TBA | +| [F5 DistributedCloud CE's](resources/terraform/f5xc-aws-icap/) | Deployment instructions & artifacts to deploy clamAV ICAP vk8s deployment to F5XC for CE's | TBA | +| [F5 PolicySupervisor (AWAF)](resources/terraform/polsup-eks-cis/) | Deployment instructions & artifacts to deploy PolicySupervisor with JuiceShop using AWS EKS & BIG-IP AWAF | TBA | +| [F5 PolicySupervisor (NAP)](resources/terraform/polsup-eks-nap/) | Deployment instructions & artifacts to deploy PolicySupervisor with JuiceShop using AWS EKS & NGINX NAP | TBA | + ## Support diff --git a/resources/README.md b/resources/README.md index 8e022aebe5153ef4ae8af10d564d239ac5a8f887..4fc2b114f602d035c0b1830c1acc6f15d8bac3a0 100644 --- a/resources/README.md +++ b/resources/README.md 
@@ -11,6 +11,9 @@ * [`modules`](./terraform/modules/) are a WIP for supporting modules to simplify stacks * [`aws-microservices`](./terraform/aws-microservices/) is a WIP for turnkey ModernApplication (microservices) workloads * [`f5xc-icap`](./terraform/f5xc-icap/) is a vk8s clamAV http/api deployment + * [`f5xc-aws-icap`](./terraform/f5xc-aws-icap/) is a vk8s clamAV http/api deployment for F5XC Customer Edges (CE) in AWS + * [`polsup-eks-cis`](./terraform/polsup-eks-cis/) is a JuiceShop deployment using AWS EKS and BIG-IP AWAF & CIS for PolicySupervisor + * [`polsup-eks-nap`](./terraform/polsup-eks-nap/) is a JuiceShop deployment using AWS EKS and NGINX KIC & NAP for PolicySupervisor [`helm-values`](./helm-values/) is the required helm values for the OTel/NGINX IngressController Astro demostack @@ -23,7 +26,8 @@ * [`cis`](./k8s-manifests/cis/) are the required kubectl manifests files for BIG-IP CIS installation * [`ingresslink`](./k8s-manifests/ingresslink/) are the required kubectl manifest files for CIS/IngressLink installation * [`datadog`](./k8s-manifests/datadog/) are the datadog agent manifest files. -* [`f5xc-icap`](./k8s-manifests/f5xc-icap/) is a F5XC ICAP deployment based upon clamAV from [UKHomeOffice](https://github.com/UKHomeOffice/clamav-http) +* [`f5xc-icap`](./k8s-manifests/f5xc-icap/) is a F5XC ICAP deployment based upon clamAV +* [`juice-shop`](./k8s-manifests/juice-shop) are service and deployment manifests for OWASP JuiceShop [`docker-builds`](./docker) contains the various `dockerbuild` files for demostacks diff --git a/resources/k8s-manifests/cis/as3.yaml b/resources/k8s-manifests/cis/otel/as3.yaml similarity index 100% rename from resources/k8s-manifests/cis/as3.yaml rename to resources/k8s-manifests/cis/otel/as3.yaml 
diff --git a/resources/k8s-manifests/cis/cis-deployment.yaml b/resources/k8s-manifests/cis/otel/cis-deployment.yaml similarity index 100% rename from resources/k8s-manifests/cis/cis-deployment.yaml rename to resources/k8s-manifests/cis/otel/cis-deployment.yaml diff --git a/resources/k8s-manifests/cis/opentelemetry-demo.yaml b/resources/k8s-manifests/cis/otel/opentelemetry-demo.yaml similarity index 100% rename from resources/k8s-manifests/cis/opentelemetry-demo.yaml rename to resources/k8s-manifests/cis/otel/opentelemetry-demo.yaml diff --git a/resources/k8s-manifests/cis/polsup/cis-deployment.yaml b/resources/k8s-manifests/cis/polsup/cis-deployment.yaml new file mode 100644 index 0000000000000000000000000000000000000000..6f3f3ab7d3d6f7a4271cb98f0111fe5213a8da1f --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/cis-deployment.yaml 
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: k8s-bigip-ctlr-deployment
+ namespace: kube-system
+spec:
+# DO NOT INCREASE REPLICA COUNT
+ replicas: 1
+ selector:
+ matchLabels:
+ app: k8s-bigip-ctlr-deployment
+ template:
+ metadata:
+ labels:
+ app: k8s-bigip-ctlr-deployment
+ spec:
+ # Name of the Service Account bound to a Cluster Role with the required
+ # permissions
+ containers:
+ - name: k8s-bigip-ctlr
+ image: "f5networks/k8s-bigip-ctlr:2.7.1"
+ env:
+ - name: BIGIP_USERNAME
+ valueFrom:
+ secretKeyRef:
+ # Replace with the name of the Secret containing your login
+ # credentials
+ name: f5-bigip-ctlr-login
+ key: username
+ - name: BIGIP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ # Replace with the name of the Secret containing your login
+ # credentials
+ name: f5-bigip-ctlr-login
+ key: password
+ command: ["/app/bin/k8s-bigip-ctlr"]
+ args: [
+ # See the k8s-bigip-ctlr documentation for information about
+ # all config options
+ # https://clouddocs.f5.com/containers/latest/
+ "--bigip-username=$(BIGIP_USERNAME)",
+ "--bigip-password=$(BIGIP_PASSWORD)",
+ "--bigip-url=https://{$mgmtPublicIP}:8443", #Fill this with the BIG-IP's self IP address. Use https://IP:8443 for single NIC.
+ "--bigip-partition=cispartition", #Fill this with the name of the "create auth partition " you created previously.
+ "--pool-member-type=cluster", #Fill this with "cluster" if running in ClusterIP mode
+ #"--flannel-name=/Common/k8s-tunnel", #Uncomment this only when using ClusterIP mode. Replace k8s-tunnel with the name you created.
+ #"--custom-resource-mode=true", #Uncomment this only when deploying F5 ingresslink and as3 will not work
+ "--insecure",
+ "--log-as3-response=true",
+ "--log-level=DEBUG",
+ # for secure communication provide the internal ca certificates using config-map with below option and remove insecure parameter
+ #"--trusted-certs-cfgmap=",
+ ]
+ serviceAccount: bigip-ctlr
+ serviceAccountName: bigip-ctlr
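Review bot: `"--insecure"` in the args list disables TLS verification on the BIG-IP management connection that carries `BIGIP_USERNAME`/`BIGIP_PASSWORD`, so any host on the path to `{$mgmtPublicIP}:8443` could stand in for the BIG-IP; the comment two lines below already names the fix, so the manifest should ship with `"--trusted-certs-cfgmap=<CA_CONFIGMAP_NAME>"` filled in and `--insecure` removed, or the README step that replaces `{$mgmtPublicIP}` should state plainly that `--insecure` is demo-only. `"--log-level=DEBUG"` combined with `"--log-as3-response=true"` likely writes full AS3 request/response bodies into the pod log, where anyone with `kubectl logs` on `kube-system` can read them; `INFO` is enough once the flow works. The container also has no `resources` or `securityContext` block, which is acceptable for a demo but deserves a one-line comment saying so.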
diff --git a/resources/k8s-manifests/cis/polsup/juiceshop.yaml b/resources/k8s-manifests/cis/polsup/juiceshop.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..178fec94f9428088d5ba9ef92c396a0a40bf84c4
--- /dev/null
+++ b/resources/k8s-manifests/cis/polsup/juiceshop.yaml
@@ -0,0 +1,35 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: juice-shop
+spec:
+ template:
+ metadata:
+ labels:
+ app: juice-shop
+ spec:
+ containers:
+ - name: juice-shop
+ image: bkimminich/juice-shop
+ selector:
+ matchLabels:
+ app: juice-shop
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: juice-shop
+ labels:
+ cis.f5.com/as3-tenant: polsup-demo #The following 3 labels need to match the AS3 declaration.
+ cis.f5.com/as3-app: juice-shop
+ cis.f5.com/as3-pool: pl-js
+spec:
+ type: NodePort
+ selector:
+ app: juice-shop
+ ports:
+ - name: http
+ port: 3000
+ targetPort: 3000
+---
\ No newline at end of file
diff --git a/resources/k8s-manifests/cis/polsup/polsup-as3.yaml b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7905f9de942a0310f784e2b7ada75e5b6d82981e
--- /dev/null
+++ b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml
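Review bot: `image: bkimminich/juice-shop` in the Deployment carries no tag, so each rollout resolves whatever `latest` is that day and the demo is not reproducible; pin it, e.g. `image: bkimminich/juice-shop:<VERSION>` or an `@sha256:<DIGEST>` reference. The same untagged image appears in `juice-shop-deployment.yaml` under `resources/k8s-manifests/juice-shop/` later in this commit. Juice Shop is an intentionally vulnerable application, and `type: NodePort` publishes it on every worker node's address; since `cis-deployment.yaml` runs CIS with `--pool-member-type=cluster` (pod IPs as pool members), `type: ClusterIP` would appear to leave BIG-IP as the only way in — worth confirming against the CIS docs for this EKS/VPC-CNI setup. A short comment above `type:` recording that decision would help the next reader.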
@@ -0,0 +1,47 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: f5-cis-policysupervisor-demo + labels: + #Note that mypartition-name, myhttp-vs, and web_pool names below must match the label in the k8 service yaml file. + f5type: virtual-server + as3: "true" +data: + template: | + { + "class": "AS3", + "declaration": { + "class": "ADC", + "schemaVersion": "3.20.0", + "label": "http", + "remark": "JuiceShop Microservices", + "polsup-demo": { + "class": "Tenant", + "juice-shop": { + "class": "Application", + "template": "generic", + "vs-js": { + "class": "Service_HTTP", + "remark": "JuiceShop Service", + "virtualPort": 80, + "virtualAddresses": [ + "{$selfIP}" + ], + "pool": "pl-js" + }, + "pl-js": { + "class": "Pool", + "monitors": [ + "http" + ], + "members": [ + { + "servicePort": 3000, + "serverAddresses": [] + } + ] + } + } + } + } + } diff --git a/resources/k8s-manifests/f5xc-icap/notes.md b/resources/k8s-manifests/f5xc-icap/notes.md index 25969db7b92131eb1abbff279fc3ee1b95932323..e00fa82f426e4b627f078b5988460ef01b50f967 100644 --- a/resources/k8s-manifests/f5xc-icap/notes.md +++ b/resources/k8s-manifests/f5xc-icap/notes.md @@ -18,6 +18,15 @@ https://community.f5.com/t5/technical-forum/i-just-want-to-use-the-relative-uri- https://community.f5.com/t5/technical-articles/icap-204-response-frequently-asked-questions/ta-p/290391 https://f5-k8s-ctfd.docs.emea.f5se.com/en/latest/class7/module1/module1.html https://github.com/nergalex/f5-aks-kic-lab-admin/tree/master/playbooks/roles/poc-opswat +https://github.com/nakadaisuke/volterra-tutorial + + +## vmware references + +https://github.com/vmware/govmomi/tree/main +https://cloud-provider-vsphere.sigs.k8s.io/tutorials/deploying_cpi_with_multi_dc_vc_aka_zones.html +https://blah.cloud/kubernetes/creating-an-ubuntu-18-04-lts-cloud-image-for-cloning-on-vmware/ +https://rpi4cluster.com/ ## F5XC CE Deployment notes: 
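Review bot: The comment on the `labels:` block, `#Note that mypartition-name, myhttp-vs, and web_pool names below must match the label in the k8 service yaml file.`, was carried over from an example and names identifiers that do not occur in this declaration; the names that actually have to agree with the `cis.f5.com/as3-*` labels on the `juice-shop` Service are the tenant `polsup-demo`, the application `juice-shop` and the pool `pl-js`. Suggested replacement: `#Note: the tenant (polsup-demo), application (juice-shop) and pool (pl-js) names below must match the cis.f5.com/as3-tenant / as3-app / as3-pool labels on the juice-shop Service.` The `vs-js` virtual is a plain `Service_HTTP` on `virtualPort: 80` with no WAF policy referenced in the declaration; if Policy Supervisor is expected to attach the AWAF policy out-of-band, a `remark` saying so would save the reader a search.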
@@ -51,17 +60,18 @@ docker push :/: - [Cisco-Talos](https://github.com/Cisco-Talos/clamav-docker) - [UKHomeOffice ClamAV (Legacy)](https://github.com/UKHomeOffice/docker-clamav/blob/master/Dockerfile) - [UKHomeOffice ClamAV](https://github.com/UKHomeOffice/clamav-http/blob/master/clamav/Dockerfile) - +- [ClamAV REST API k8s](https://github.com/benzino77/clamav-rest-api/tree/master) # TODO -- [ ] migrate `f5xc-icap` into two modules +- [x] migrate `f5xc-icap` into two modules * vk8s provisionin * clamav deployment -- [ ] declaritaive kubeconfig for k8s manifest +- [x] declaritaive kubeconfig for k8s manifest - [ ] add gitflow steps to readme for * image build/packer/docker * push to ghcr.io or private for edge clamav + # Random Thoughts diff --git a/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml b/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml new file mode 100644 index 0000000000000000000000000000000000000000..992274c564dba89d734fa3513dfaf4425656439b --- /dev/null +++ b/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml @@ -0,0 +1,16 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: juice-shop +spec: + template: + metadata: + labels: + app: juice-shop + spec: + containers: + - name: juice-shop + image: bkimminich/juice-shop + selector: + matchLabels: + app: juice-shop \ No newline at end of file diff --git a/resources/k8s-manifests/juice-shop/juice-shop-service.yaml b/resources/k8s-manifests/juice-shop/juice-shop-service.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f90f702bce763c3dfb74ff5373a01b565a80e9e8 --- /dev/null +++ b/resources/k8s-manifests/juice-shop/juice-shop-service.yaml @@ -0,0 +1,12 @@ +kind: Service +apiVersion: v1 +metadata: + name: juice-shop +spec: + type: NodePort + selector: + app: juice-shop + ports: + - name: http + port: 8000 + targetPort: 3000 \ No newline at end of file 
diff --git a/resources/terraform/README.md b/resources/terraform/README.md index 6b1c028a7ebd0ad28a4179b416d61c762d9b9c7e..fa57a0b9732ffe65b18ecee32b0656a6befdac4a 100644 --- a/resources/terraform/README.md +++ b/resources/terraform/README.md @@ -8,4 +8,7 @@ Located in this path are the terraform modules used for AATT Resources; * [`f5-shop-demo`](./f5xc-shop-demo/) is the Online vK8s shop demo * [`modules`](./modules/) are a WIP for supporting modules to simplify stacks * [`aws-microservices`](./aws-microservices/) is a WIP for turnkey ModernApplication (microservices) workloads - * [`f5xc-icap`](./f5xc-icap/) is a vk8s clamAV http/api deployment \ No newline at end of file + * [`f5xc-icap`](./f5xc-icap/) is a vk8s clamAV http/api deployment for F5XC Regional Edges (RE) + * [`f5xc-aws-icap`](./f5xc-aws-icap/) is a vk8s clamAV http/api deployment for F5XC Customer Edges (CE) in AWS + * [`polsup-eks-cis`](./polsup-eks-cis/) is a JuiceShop deployment using AWS EKS and BIG-IP AWAF & CIS for PolicySupervisor + * [`polsup-eks-nap`](./polsup-eks-nap/) is a JuiceShop deployment using AWS EKS and NGINX KIC & NAP for PolicySupervisor \ No newline at end of file diff --git a/resources/terraform/aws-eks-cbip-cis/README.md b/resources/terraform/aws-eks-cbip-cis/README.md index 426377ace49946d0a77d69bdf6c15fe50bffbf00..af1388a5f6fa4172e8de940df6bbcfa0ee8bb29c 100644 --- a/resources/terraform/aws-eks-cbip-cis/README.md +++ b/resources/terraform/aws-eks-cbip-cis/README.md @@ -69,7 +69,7 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop > **Note**: The policy resource is set as `*` to allow all resources, this is not a recommended practice. -You can find the policy [here](min-iam-policy.json) +You can find the policy [here](../f5xc-aws-polsup/min-iam-policy.json) ### Deployment Steps 
diff --git a/resources/terraform/f5xc-aws-icap/as_built.md b/resources/terraform/f5xc-aws-icap/as_built.md index e7ef805d706241f6df277f2bf4b8bbca44080abe..1868bd3a05d2af97113219959b2c4a4d4fca686a 100644 --- a/resources/terraform/f5xc-aws-icap/as_built.md +++ b/resources/terraform/f5xc-aws-icap/as_built.md @@ -65,4 +65,5 @@ k delete -f ukoffice-clamav.yaml -n aatt-solutions --kubeconfig ~/Downloads/ves_ ## TODO - [ ] deploy https/https application f5xc load balancer/nginx ingress -- [ ] validate auto-connet for appstack \ No newline at end of file +- [ ] validate auto-connet for appstack +- [ ] association with k8s api access for f5xc managed k8s local api access. \ No newline at end of file diff --git a/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars b/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars new file mode 100644 index 0000000000000000000000000000000000000000..1c55247a64bc6deed34d8434f825acf9ec417a9e --- /dev/null +++ b/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars @@ -0,0 +1,3 @@ +aws_access_key = "AKIAUDDKQQFGCT25WQZC" +aws_secret_key = "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" +ssh_public_key = "ssh-rsa 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 m.kennedy@C02G20XKML85" \ No newline at end of file diff --git a/resources/terraform/polsup-eks-cis/README.md b/resources/terraform/polsup-eks-cis/README.md new file mode 100644 index 0000000000000000000000000000000000000000..fcc1f12fa8bf4385f3b302ada2a4cb9e9a0e0d90 --- /dev/null +++ b/resources/terraform/polsup-eks-cis/README.md @@ -0,0 +1,130 @@ +[![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) +[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) + + +# PolicySupervisor with F5 BIG-IP AWAF & AWS EKS + + +___ +## Table of Contents + +
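Review bot: `aws-secrets.tfvars` commits an AWS access key ID and secret access key (plus a personal SSH public key) into the repository; once pushed, that key pair has to be treated as compromised regardless of any later removal — revoke or rotate it in IAM, purge the file from history, and review CloudTrail for activity under it. Keep credentials out of the tree: the as_built steps in this same commit already tell the operator to set `AWS_REGION` and `AWS_TOKEN` in the environment, so the provider needs no tfvars file, and `*.tfvars` (or at least `*secrets*.tfvars`) belongs in `.gitignore` with a committed `aws-secrets.tfvars.example` holding placeholders such as `aws_access_key = "<AWS_ACCESS_KEY_ID>"`. A secret scanner (e.g. gitleaks) as a pre-commit hook or CI check would stop this class of change before merge.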
+Click to expand. + +- [Background](#background) +- [Value](#value) +- [Prerequisites](#prerequisites) +- [Installation](#installation) +- [Configuration](#configuration) +- [Decommission](#decommission) +- [TODO](#todo) +- [Contributing](#contributing) +- [License](#license) +- [Credits](#credits) + +
+ +___ +## Background + + +___ +## Value + + +___ +## Prerequisites + + +___ +## Installation + + +___ +## Configuration + + +The following *Inputs* are `defauls` that may be superseeded when `TFVARS` files are provided; + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [app](#input\_app) | Deployment Application | `string` | `"OWASP JuiceShop"` | no | +| [cluster\_name](#input\_cluster\_name) | Name of cluster - used by Terratest for e2e test automation | `string` | `"polsup-cis"` | no | +| [cluster\_version](#input\_cluster\_version) | The Version of Kubernetes to deploy | `string` | `"1.25"` | no | +| [ec2\_key](#input\_ec2\_key) | EC2 Deployment Keypair | `string` | `"mkennedy@f5"` | no | +| [f5\_password](#input\_f5\_password) | BIG-IP Password or Secret ARN (value should be ARN of secret when aws\_secretmanager\_auth = true, ex. arn:aws:secretsmanager:us-west-2:1234:secret:bigip-secret-abcd) | `string` | `"Default12345!"` | no | +| [f5\_username](#input\_f5\_username) | User name for the BIG-IP (Note: currently not used. 
Defaults to 'admin' based on AMI | `string` | `"admin"` | no | +| [instance](#input\_instance) | Deployment EC2 instance type | `string` | `"t3.xlarge"` | no | +| [name](#input\_name) | Name prefix of deployment | `string` | `"polsup-cis"` | no | +| [owner](#input\_owner) | Deployment owner | `string` | `"f5-aatt"` | no | +| [region](#input\_region) | Name of AWS deployment region | `string` | `"ap-southeast-2"` | no | +| [vpc\_cidr](#input\_vpc\_cidr) | CIDR of deployment VPC | `string` | `"10.0.0.0/16"` | no | + + +## Outputs + +| Name | Description | +|------|-------------| +| [eks\_cluster\_name](#output\_eks\_cluster\_name) | EKS cluster ID | +| [f5vm01\_mgmt\_pip\_url](#output\_f5vm01\_mgmt\_pip\_url) | f5vm01 management public URL | +| [f5vm01\_mgmt\_private\_ip](#output\_f5vm01\_mgmt\_private\_ip) | f5vm01 management private IP address | +| [f5vm01\_mgmt\_public\_ip](#output\_f5vm01\_mgmt\_public\_ip) | f5vm01 management public IP address | +| [jumpbox\_public\_dns](#output\_jumpbox\_public\_dns) | Public DNS address of Jumpbox | +| [region](#output\_region) | AWS region | +| [vpc\_cidr](#output\_vpc\_cidr) | VPC CIDR | +| [vpc\_management\_subnet\_cidr](#output\_vpc\_management\_subnet\_cidr) | VPC Management subnet CIDR | +| [vpc\_private\_subnet\_cidr](#output\_vpc\_private\_subnet\_cidr) | VPC private subnet CIDR | +| [vpc\_public\_subnet\_cidr](#output\_vpc\_public\_subnet\_cidr) | VPC public subnet CIDR | + + +___ +## Decommission + + +___ +## TODO + +- [ ] `README.md` + + +___ +## Support + +The contents of this repository are meant to serve as examples and are not covered by F5 support. +If you come across a bug or other issue when using these recipes, please open a GitHub issue to help our team keep track +of content that needs improvement. +Note, the code in this repository is community supported and is not supported by F5 Inc. For a complete list of +supported projects please reference [SUPPORT.md](../../SUPPORT.md). 
+ + +___ +## Community Code of Conduct + +Please refer to the [F5 DevCentral Community Code of Conduct](../../code_of_conduct.md). + + +___ +## License + +The contents of this repository are made available under two license. +All documentation, specifically any Markdown files, is licensed under +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode). +Everything else is licensed under [Apache 2.0](../../LICENSE). + + +___ +## Copyright + +Copyright 2014-2022 F5 Networks Inc. + + +___ +## Contributing + +See [the contributing file](../../CONTRIBUTING.md)! + + +___ +## Credits \ No newline at end of file diff --git a/resources/terraform/polsup-eks-cis/as_built.md b/resources/terraform/polsup-eks-cis/as_built.md new file mode 100644 index 0000000000000000000000000000000000000000..25e571e4076ff1fa7320de18a820619302ae47f4 --- /dev/null +++ b/resources/terraform/polsup-eks-cis/as_built.md 
@@ -0,0 +1,76 @@ +# AsBuilt Raw PolicySupervisor with cBIP/CIS/EKS + +## WorkFlow + +This is a quick how to for readme; + +### Deploy AWS EKS and BIG-IP EC2 Infrastructure + +1. Set `AWS_REGION` & `AWS_TOKEN` + +2. After GitClone/Get, update `TFVARS`, then +```shell +terraform init --upgrade +``` + +3. Validate; +```shell +terraform validate +``` + +4. Build; +```shell +terraform apply -auto-approve +``` + +5. Update `~/.kube/config`; +```shell +aws eks --region update-kubeconfig --name +``` + +6. Connect/Update BIG-IP admin password; +```shell +ssh -i ~/.ssh/id_rsa admin@ +tmsh modify auth password admin +``` + +7. Connect/Create CIS BIG-IP Partition; +```shell +tmsh create auth partition cispartition +tmsh save sys config +exit +``` + +8. Add CIS/k8s secret creds; +```shell +kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password= +``` + +9. Deploy RBAC for CIS/k8s with ServiceAccount; +```shell +kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/rbac/clusterrole.yaml +``` + + +### `bigip-ctl-cis` Deployment Preparation + +10. Update `src/k8s-manifests/cis/polsup/polsup-as3.yaml` to reflect the *selfIP* of the BIG-IP Virtual Server; + * Replace `"virtualAddresses": ["{$selfIP}"],` with the VS IP. For single NIC, this is the self IP address. + +11. Update `src/k8s-manifests/cis/cis-deployment.yaml` to reflect the Public ManagementIP of the BIG-IP; + * Replace `"--bigip-url=https://{$mgmtPublicIP}:8443"` with the ManagementIP. For single NIC, this is the self IP address. + + +### Deploy JuiceShop & BIG-IP CIS Definitions + +12. Create namespace & deploy Astro OTel microservices; +```shell +kubectl apply -f ../../k8s-manifests/cis/polsup/juiceshop.yaml +``` + +13. 
Create and deploy BIG-IP Container Ingress Service and application pods with `as3` definition; +```shell +kubectl create -f ../../k8s-manifests/cis/polsup/cis-deployment.yaml +sleep 10; +kubectl create -f ../../k8s-manifests/cis/polsup/polsup-as3.yaml +``` \ No newline at end of file diff --git a/resources/terraform/polsup-eks-cis/main.tf b/resources/terraform/polsup-eks-cis/main.tf new file mode 100644 index 0000000000000000000000000000000000000000..a498cc660d9e6af64d8ade1be16aa16a76ca953d --- /dev/null +++ b/resources/terraform/polsup-eks-cis/main.tf 
@@ -0,0 +1,241 @@ +provider "aws" { + region = local.region +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } +} + +data "aws_availability_zones" "available" { + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "random_id" "id" { + byte_length = 2 +} + +locals { + region = var.region + vpc_cidr = var.vpc_cidr + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + build = random_id.id.hex + name = coalesce(var.name, local.build) + # var.cluster_name is for Terratest + cluster_name = coalesce(var.cluster_name, local.name) + + # Mapping + cluster_version = var.cluster_version + metrics_server = true + aws_load_balancer_controller = true + cert_manager = true + cloudwatch_metrics = true + vpa = true + kubecost = true + + tags = { + Owner = var.owner + Application = var.app + } +} + +#--------------------------------------------------------------- +# EKS Blueprints +#--------------------------------------------------------------- + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.13" + + cluster_name = local.cluster_name + cluster_version = local.cluster_version + cluster_endpoint_public_access = true + + vpc_id = module.vpc.vpc_id + subnet_ids = 
module.vpc.private_subnets + + cluster_addons = { + coredns = {} + kube-proxy = {} + vpc-cni = {} + } + + eks_managed_node_groups = { + (local.cluster_name) = { + node_group_name = "managed-ondemand" + instance_types = [var.instance] + min_size = 3 + max_size = 3 + desired_size = 3 + subnet_ids = module.vpc.private_subnets + } + } + + tags = local.tags +} + + +module "eks_blueprints_addons" { + source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" + + eks_cluster_id = module.eks.cluster_name + eks_cluster_endpoint = module.eks.cluster_endpoint + eks_cluster_version = module.eks.cluster_version + eks_oidc_provider = module.eks.oidc_provider + eks_oidc_provider_arn = module.eks.oidc_provider_arn + + # Add-ons + enable_amazon_eks_aws_ebs_csi_driver = true + amazon_eks_aws_ebs_csi_driver_config = { + most_recent = true + kubernetes_version = local.cluster_version + resolve_conflicts = "OVERWRITE" + } + enable_aws_load_balancer_controller = true + aws_load_balancer_controller_helm_config = { + service_account = "aws-lb-sa" + } + enable_cert_manager = true + enable_metrics_server = true + + tags = local.tags +} + +module "ebs_csi_driver_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driver-" + + attach_ebs_csi_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } + + tags = local.tags +} + +module "vpc_cni_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-vpc-cni-" + + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + 
tags = local.tags +} + +#--------------------------------------------------------------- +# Supporting Resources +#--------------------------------------------------------------- + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + # using the database subnet method since it allows a public route + create_database_subnet_group = true + create_database_subnet_route_table = true + create_database_internet_gateway_route = true + + # Manage so we can name + manage_default_network_acl = true + default_network_acl_tags = { Name = "${local.name}-default" } + manage_default_route_table = true + default_route_table_tags = { Name = "${local.name}-default" } + manage_default_security_group = true + default_security_group_tags = { Name = "${local.name}-default" } + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +#--------------------------------------------------------------- +# F5/NGINX Resources +#--------------------------------------------------------------- + +module "jumphost" { + source = "../modules/jumphost" + + prefix = local.name + region = var.region + vpc_id = module.vpc.vpc_id + public_subnets = module.vpc.database_subnets + random = local.build + ec2_key = var.ec2_key +} + +module "big-ip" { + source = "../modules/bigip" + + projectPrefix = local.name + random = local.build + region = var.region + vpcId = 
module.vpc.vpc_id + mgmt_subnet_ids = module.vpc.database_subnets + f5_username = var.f5_username + f5_password = var.f5_password + ec2_key_name = var.ec2_key + eks_cluster_sg = module.eks.cluster_security_group_id + eks_node_sg = module.eks.node_security_group_id +} + diff --git a/resources/terraform/polsup-eks-cis/min-iam-policy.json b/resources/terraform/polsup-eks-cis/min-iam-policy.json new file mode 100644 index 0000000000000000000000000000000000000000..cf716ea167ec7fdde14585ac904d7251f24ec93c --- /dev/null +++ b/resources/terraform/polsup-eks-cis/min-iam-policy.json 
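Review bot: The `vpc_cni_irsa` and `ebs_csi_driver_irsa` modules create IRSA roles that nothing consumes: `cluster_addons` declares `vpc-cni = {}` with no `service_account_role_arn`, and `amazon_eks_aws_ebs_csi_driver_config` never references `module.ebs_csi_driver_irsa`, so both add-ons fall back to the node role instead of the scoped roles. Wire them, e.g. `vpc-cni = { service_account_role_arn = module.vpc_cni_irsa.iam_role_arn }`, or drop the unused modules. `cluster_endpoint_public_access = true` is set without `cluster_endpoint_public_access_cidrs`, so the module default leaves the API server reachable from `0.0.0.0/0` (authenticated, but exposed); restrict it to the operator's range. `f5_password = var.f5_password` is passed straight through, and the README hunk in this commit documents its default as `"Default12345!"`; the variable (declared outside this hunk) should have no default and be marked `sensitive = true`. The `metrics_server`, `aws_load_balancer_controller`, `cert_manager`, `cloudwatch_metrics`, `vpa` and `kubecost` locals are declared but never read — the add-on module uses literal `true` — so they should feed the `enable_*` inputs or be removed.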
@@ -0,0 +1,105 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "eks:CreateAddon",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DeleteAddon",
+ "eks:DeleteCluster",
+ "eks:DeleteNodegroup",
+ "eks:DescribeAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/resources/terraform/polsup-eks-cis/outputs.tf b/resources/terraform/polsup-eks-cis/outputs.tf
new file mode 100644
index 0000000000000000000000000000000000000000..b4156d259fdd9cec43fe4b0947b8d4827668a715
--- /dev/null
+++ b/resources/terraform/polsup-eks-cis/outputs.tf
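Review bot: `"Resource": "*"` on a statement that also grants `iam:CreateRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and `iam:PassRole` lets whoever runs this stack mint an arbitrary administrator role and hand it to EKS or EC2, so the file is not the minimum its name claims. Split the statement: keep `*` for the `ec2:Describe*` / `eks:Describe*` reads, scope the role and policy actions to the names this stack creates (e.g. `"arn:aws:iam::*:role/polsup-cis-*"` and `"arn:aws:iam::*:policy/polsup-cis-*"`), and put `iam:PassRole` behind an `iam:PassedToService` condition limited to `eks.amazonaws.com` and `ec2.amazonaws.com`. The `kms:PutKeyPolicy` / `kms:ScheduleKeyDeletion` and `s3:PutObject` grants on `*` likewise reach every CMK and bucket in the account and want the same treatment, with the S3 grant pointed at the state bucket named in `versions.tf`. The `polsup-cis-` prefix is inferred from the `name` defaults in `variables.tf`, so confirm the actual role and policy names the eks and iam modules emit before pinning them.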
@@ -0,0 +1,80 @@
+output "vpc_private_subnet_cidr" {
+ description = "VPC private subnet CIDR"
+ value = module.vpc.private_subnets_cidr_blocks
+}
+
+output "vpc_public_subnet_cidr" {
+ description = "VPC public subnet CIDR"
+ value = module.vpc.public_subnets_cidr_blocks
+}
+
+output "vpc_management_subnet_cidr" {
+ description = "VPC Management subnet CIDR"
+ value = module.vpc.database_subnets_cidr_blocks
+}
+
+output "vpc_cidr" {
+ description = "VPC CIDR"
+ value = module.vpc.vpc_cidr_block
+}
+
+output "eks_cluster_name" {
+ description = "EKS cluster ID"
+ value = module.eks.cluster_name
+}
+/*
+output "eks_managed_nodegroups" {
+ description = "EKS managed node groups"
+ value = module.eks.node_groups
+}
+
+output "eks_managed_nodegroup_ids" {
+ description = "EKS managed node group ids"
+ value = module.eks.managed_node_groups_id
+}
+
+output "eks_managed_nodegroup_arns" {
+ description = "EKS managed node group arns"
+ value = module.eks.managed_node_group_arn
+}
+
+output "eks_managed_nodegroup_role_name" {
+ description = "EKS managed node group role name"
+ value = module.eks.managed_node_group_iam_role_names
+}
+
+output "eks_managed_nodegroup_status" {
+ description = "EKS managed node group status"
+ value = module.eks.managed_node_groups_status
+}
+
+output "configure_kubectl" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = module.eks.configure_kubectl
+}
+*/
+# Region used for Terratest
+output "region" {
+ description = "AWS region"
+ value = local.region
+}
+
+output "jumpbox_public_dns" {
+ description = "Public DNS address of Jumpbox"
+ value = module.jumphost.public_dns[0]
+}
+
+output "f5vm01_mgmt_private_ip" {
+ description = "f5vm01 management private IP address"
+ value = module.big-ip.f5vm01_mgmt_private_ip
+}
+
+output "f5vm01_mgmt_public_ip" {
+ description = "f5vm01 management public IP address"
+ value = module.big-ip.f5vm01_mgmt_public_ip
+}
+
+output "f5vm01_mgmt_pip_url" {
+ description = "f5vm01 management public URL"
+ value = "https://${module.big-ip.f5vm01_mgmt_public_ip}:8443"
+}
\ No newline at end of file
diff --git a/resources/terraform/polsup-eks-cis/variables.tf b/resources/terraform/polsup-eks-cis/variables.tf
new file mode 100644
index 0000000000000000000000000000000000000000..ea78f6387c6c78222eb093387bb32d5e4239f49b
--- /dev/null
+++ b/resources/terraform/polsup-eks-cis/variables.tf
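Review bot: `f5vm01_mgmt_pip_url` advertises the BIG-IP management plane on a public IP at `:8443`, and the `module "big-ip"` call in `main.tf` places that interface in the database subnets, which `module "vpc"` gives an internet-gateway route; nothing in this stack shows which source CIDRs the management security group admits, so make the constraint explicit in the description rather than implicit, e.g. `description = "f5vm01 management URL (public IP; restrict 8443 at the bigip module's mgmt security group before use)"`. The `eks_cluster_name` output is described as `"EKS cluster ID"` while its value is `module.eks.cluster_name`; `"EKS cluster name"` is the accurate text. The commented-out block reads `module.eks.node_groups`, `managed_node_groups_id` and `configure_kubectl`, which as far as I can tell are not attribute names the `terraform-aws-modules/eks` v19 module used in `main.tf` exposes (it publishes `eks_managed_node_groups`), so rewrite it against that module or drop it before anyone uncomments it.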
@@ -0,0 +1,66 @@
+# tflint-ignore: terraform_unused_declarations
+variable "cluster_name" {
+ description = "Name of cluster - used by Terratest for e2e test automation"
+ type = string
+ default = "polsup-cis"
+}
+
+variable "cluster_version" {
+ description = "The Version of Kubernetes to deploy"
+ type = string
+ default = "1.25"
+}
+
+variable "region" {
+ description = "Name of AWS deployment region"
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR of deployment VPC"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "name" {
+ description = "Name prefix of deployment"
+ type = string
+ default = "polsup-cis"
+}
+
+variable "owner" {
+ description = "Deployment owner"
+ type = string
+ default = "f5-aatt"
+}
+
+variable "instance" {
+ description = "Deployment EC2 instance type"
+ type = string
+ default = "t3.xlarge"
+}
+
+variable "app" {
+ description = "Deployment Application"
+ type = string
+ default = "OWASP JuiceShop"
+}
+
+variable "ec2_key" {
+ description = "EC2 Deployment Keypair"
+ type = string
+ default = "mjk-aatt-fy23q3"
+}
+
+variable "f5_username" {
+ description = "User name for the BIG-IP (Note: currently not used. Defaults to 'admin' based on AMI"
+ type = string
+ default = "admin"
+}
+
+variable "f5_password" {
+ description = "BIG-IP Password or Secret ARN (value should be ARN of secret when aws_secretmanager_auth = true, ex. arn:aws:secretsmanager:us-west-2:1234:secret:bigip-secret-abcd)"
+ type = string
+ default = "Default12345!"
+}
diff --git a/resources/terraform/polsup-eks-cis/versions.tf b/resources/terraform/polsup-eks-cis/versions.tf
new file mode 100644
index 0000000000000000000000000000000000000000..62c74d370777115da6e291d59839105617e6d45c
--- /dev/null
+++ b/resources/terraform/polsup-eks-cis/versions.tf
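Review bot: `f5_password` ships with a working default of `"Default12345!"` and no `sensitive = true`, so a bare `terraform apply` stands up a BIG-IP whose management interface the outputs expose on a public IP, guarded by a password that is now committed to a public repository and echoed in plan output. Remove the default and mark the variable sensitive — `sensitive = true` with no `default` line — so callers must pass a real value or the Secrets Manager ARN the description already describes; a `validation` block that rejects the literal `Default12345!` would also keep the old value from surviving in someone's tfvars. `ec2_key` likewise defaults to `"mjk-aatt-fy23q3"`, an account-specific key pair name that only works in the author's account, so drop that default too. `f5_username`'s description says the variable is currently unused, yet `main.tf` still passes it to `module "big-ip"`; reconcile one with the other.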
@@ -0,0 +1,29 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ volterra = {
+ source = "volterraedge/volterra"
+ version = ">= 0.7"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate"
+ # }
+}
diff --git a/resources/terraform/polsup-eks-nginx/README.md b/resources/terraform/polsup-eks-nginx/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..df9d97ac22718ba7f5f2c49013eed0cd9cb6ed68
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/README.md
@@ -0,0 +1,94 @@
+[![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE)
+[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme)
+
+# PolicySupervisor with NGINX NAP & AWS EKS
+
+
+___
+## Table of Contents
+
+
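Review bot: `aws = { version = ">= 3.72" }` has no upper bound, while this stack's `main.tf` pins `terraform-aws-modules/vpc/aws` to `~> 5.0`, which by that module's own constraints needs a 5.x provider, so the declared floor is misleading and a future major provider release would be pulled in silently; `version = "~> 5.0"` states the real requirement and bounds it. The `volterra` provider is required here, but no `volterra` resource or provider block appears in the part of this stack's `main.tf` visible in the diff, so confirm it is actually used before carrying an extra provider in the lock file. The sibling `polsup-eks-nginx/main.tf` in this diff derives `local.build` from `resource "random_id"`, and this stack passes `random = local.build` to its modules too; if it uses `random_id` the same way, `hashicorp/random` belongs in `required_providers` as well, e.g. `random = { source = "hashicorp/random", version = "~> 3.5" }`.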
+Click to expand.
+
+- [Background](#background)
+- [Value](#value)
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [Decommission](#decommission)
+- [TODO](#todo)
+- [Contributing](#contributing)
+- [License](#license)
+- [Credits](#credits)
+
+
+
+___
+## Background
+
+
+___
+## Value
+
+
+___
+## Prerequisites
+
+
+___
+## Installation
+
+
+___
+## Configuration
+
+
+___
+## Decommission
+
+
+___
+## TODO
+
+- [ ] `README.md`
+
+
+___
+## Support
+
+The contents of this repository are meant to serve as examples and are not covered by F5 support.
+If you come across a bug or other issue when using these recipes, please open a GitHub issue to help our team keep track
+of content that needs improvement.
+Note, the code in this repository is community supported and is not supported by F5 Inc. For a complete list of
+supported projects please reference [SUPPORT.md](../../SUPPORT.md).
+
+
+___
+## Community Code of Conduct
+
+Please refer to the [F5 DevCentral Community Code of Conduct](../../code_of_conduct.md).
+
+
+___
+## License
+
+The contents of this repository are made available under two license.
+All documentation, specifically any Markdown files, is licensed under
+[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode).
+Everything else is licensed under [Apache 2.0](../../LICENSE).
+
+
+___
+## Copyright
+
+Copyright 2014-2022 F5 Networks Inc.
+
+
+___
+## Contributing
+
+See [the contributing file](../../CONTRIBUTING.md)!
+
+
+___
+## Credits
\ No newline at end of file
diff --git a/resources/terraform/polsup-eks-nginx/as_built.md b/resources/terraform/polsup-eks-nginx/as_built.md
new file mode 100644
index 0000000000000000000000000000000000000000..1077bfa5dd7d384b7a1b3573469093b4630e0f79
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/as_built.md
@@ -0,0 +1,29 @@
+# AsBuilt Raw PolicySupervisor with cBIP/CIS/EKS
+
+## WorkFlow
+
+This is a quick how to for readme;
+
+### Deploy AWS EKS and NGINX NAP Infrastructure
+
+1. Set `AWS_REGION` & `AWS_TOKEN`
+
+2. After GitClone/Get, update `TFVARS`, then
+```shell
+terraform init --upgrade
+```
+
+3. Validate;
+```shell
+terraform validate
+```
+
+4. Build;
+```shell
+terraform apply -auto-approve
+```
+
+5. Update `~/.kube/config`;
+```shell
+aws eks --region update-kubeconfig --name
+```
\ No newline at end of file
diff --git a/resources/terraform/polsup-eks-nginx/main.tf b/resources/terraform/polsup-eks-nginx/main.tf
new file mode 100644
index 0000000000000000000000000000000000000000..7eb486566844692409767ad2c9b85dc57a56bcf1
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/main.tf
@@ -0,0 +1,226 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+ }
+}
+
+data "aws_availability_zones" "available" {
+ filter {
+ name = "opt-in-status"
+ values = ["opt-in-not-required"]
+ }
+}
+
+resource "random_id" "id" {
+ byte_length = 2
+}
+
+locals {
+ region = var.region
+ vpc_cidr = var.vpc_cidr
+ azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+ build = random_id.id.hex
+ name = coalesce(var.name, local.build)
+ # var.cluster_name is for Terratest
+ cluster_name = coalesce(var.cluster_name, local.name)
+
+ # Mapping
+ cluster_version = var.cluster_version
+ metrics_server = true
+ aws_load_balancer_controller = true
+ cert_manager = true
+ cloudwatch_metrics = true
+ vpa = true
+ kubecost = true
+
+ tags = {
+ Owner = var.owner
+ Application = var.app
+ }
+}
+
+
+#---------------------------------------------------------------
+# EKS Blueprints
+#---------------------------------------------------------------
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 19.13"
+
+ cluster_name = local.cluster_name
+ cluster_version = local.cluster_version
+ cluster_endpoint_public_access = true
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.private_subnets
+
+ cluster_addons = {
+ coredns = {}
+ kube-proxy = {}
+ vpc-cni = {}
+ }
+
+ eks_managed_node_groups = {
+ (local.cluster_name) = {
+ node_group_name = "managed-ondemand"
+ instance_types = [var.instance]
+ min_size = 3
+ max_size = 3
+ desired_size = 3
+ subnet_ids = module.vpc.private_subnets
+ }
+ }
+
+ tags = local.tags
+}
+
+
+module "eks_blueprints_addons" {
+ source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1"
+
+ eks_cluster_id = module.eks.cluster_name
+ eks_cluster_endpoint = module.eks.cluster_endpoint
+ eks_cluster_version = module.eks.cluster_version
+ eks_oidc_provider = module.eks.oidc_provider
+ eks_oidc_provider_arn = module.eks.oidc_provider_arn
+
+ # Add-ons
+ enable_amazon_eks_aws_ebs_csi_driver = true
+ amazon_eks_aws_ebs_csi_driver_config = {
+ most_recent = true
+ kubernetes_version = local.cluster_version
+ resolve_conflicts = "OVERWRITE"
+ }
+ enable_aws_load_balancer_controller = true
+ aws_load_balancer_controller_helm_config = {
+ service_account = "aws-lb-sa"
+ }
+ enable_cert_manager = true
+ enable_metrics_server = true
+
+ tags = local.tags
+}
+
+module "ebs_csi_driver_irsa" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.20"
+
+ role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driver-"
+
+ attach_ebs_csi_policy = true
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "vpc_cni_irsa" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.20"
+
+ role_name_prefix = "${module.eks.cluster_name}-vpc-cni-"
+
+ attach_vpc_cni_policy = true
+ vpc_cni_enable_ipv4 = true
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:aws-node"]
+ }
+ }
+
+ tags = local.tags
+}
+
+#---------------------------------------------------------------
+# Supporting Resources
+#---------------------------------------------------------------
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]
+ database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ # using the database subnet method since it allows a public route
+ create_database_subnet_group = true
+ create_database_subnet_route_table = true
+ create_database_internet_gateway_route = true
+
+ # Manage so we can name
+ manage_default_network_acl = true
+ default_network_acl_tags = { Name = "${local.name}-default" }
+ manage_default_route_table = true
+ default_route_table_tags = { Name = "${local.name}-default" }
+ manage_default_security_group = true
+ default_security_group_tags = { Name = "${local.name}-default" }
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
+
+#---------------------------------------------------------------
+# F5/NGINX Resources
+#---------------------------------------------------------------
+
+module "jumphost" {
+ source = "../modules/jumphost"
+
+ prefix = local.name
+ region = var.region
+ vpc_id = module.vpc.vpc_id
+ public_subnets = module.vpc.database_subnets
+ random = local.build
+ ec2_key = var.ec2_key
+}
\ No newline at end of file
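Review bot: `cluster_endpoint_public_access = true` in `module "eks"` is set without `cluster_endpoint_public_access_cidrs`, and the terraform-aws-modules/eks default for that list is `0.0.0.0/0` as far as I know, so the Kubernetes API endpoint is reachable from any address (IAM authentication still applies, but the control plane is exposed to credential stuffing and CVE scanning). Restrict it to the operator's egress ranges, or set `cluster_endpoint_private_access = true` and drive kubectl from the jumphost that `module "jumphost"` already creates in the IGW-routed database subnets. Separately, `module "vpc_cni_irsa"` and `module "ebs_csi_driver_irsa"` create IRSA roles that nothing in this file references — `cluster_addons.vpc-cni` is `{}` and `amazon_eks_aws_ebs_csi_driver_config` carries no role ARN — so unless the blueprints module synthesises its own roles, `aws-node` runs on the node instance role and the two roles are dead weight; wire the VPC CNI role in as below, and either pass the CSI role to the blueprints config if it accepts one or delete that module. The CIDR list is a new variable to add to `variables.tf`.
```hcl
module "eks" {
  # … unchanged: source, version, cluster_name, cluster_version …
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.api_allowed_cidrs # operator egress ranges, never 0.0.0.0/0

  # … unchanged: vpc_id, subnet_ids …

  cluster_addons = {
    coredns    = {}
    kube-proxy = {}
    vpc-cni = {
      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
    }
  }
  # … unchanged: eks_managed_node_groups, tags …
}
```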
diff --git a/resources/terraform/polsup-eks-nginx/min-iam-policy.json b/resources/terraform/polsup-eks-nginx/min-iam-policy.json
new file mode 100644
index 0000000000000000000000000000000000000000..cf716ea167ec7fdde14585ac904d7251f24ec93c
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/min-iam-policy.json
@@ -0,0 +1,105 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "eks:CreateAddon",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DeleteAddon",
+ "eks:DeleteCluster",
+ "eks:DeleteNodegroup",
+ "eks:DescribeAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/resources/terraform/polsup-eks-nginx/outputs.tf b/resources/terraform/polsup-eks-nginx/outputs.tf
new file mode 100644
index 0000000000000000000000000000000000000000..40ca9975fed3ebab940fb8add081f0e25fe9d075
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/outputs.tf
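Review bot: This file is the same blob as `polsup-eks-cis/min-iam-policy.json` (both `index` lines show `cf716ea…`), so it inherits the same `"Resource": "*"` grant of `iam:CreateRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and `iam:PassRole`, which is a complete privilege-escalation path rather than a minimum. This stack has no BIG-IP, so its needs already differ from the cis copy, and a verbatim copy will drift in both directions: it still carries `kms:PutKeyPolicy` and `kms:ScheduleKeyDeletion` on every CMK in the account, while it lists no `ec2:RunInstances` / `ec2:TerminateInstances`, which the jumphost module will presumably need (that module is outside this diff, so confirm against its resources). Derive the action list from what `terraform plan` for this directory actually calls, scope the IAM and KMS statements to the stack's own name prefix, and condition `iam:PassRole` on `iam:PassedToService` for `eks.amazonaws.com` and `ec2.amazonaws.com`.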
@@ -0,0 +1,65 @@
+output "vpc_private_subnet_cidr" {
+ description = "VPC private subnet CIDR"
+ value = module.vpc.private_subnets_cidr_blocks
+}
+
+output "vpc_public_subnet_cidr" {
+ description = "VPC public subnet CIDR"
+ value = module.vpc.public_subnets_cidr_blocks
+}
+
+output "vpc_management_subnet_cidr" {
+ description = "VPC Management subnet CIDR"
+ value = module.vpc.database_subnets_cidr_blocks
+}
+
+output "vpc_cidr" {
+ description = "VPC CIDR"
+ value = module.vpc.vpc_cidr_block
+}
+/*
+output "eks_cluster_name" {
+ description = "EKS cluster ID"
+ value = module.eks_blueprints_addons.eks_cluster_name
+}
+
+output "eks_managed_nodegroups" {
+ description = "EKS managed node groups"
+ value = module.eks_blueprints.managed_node_groups
+}
+
+output "eks_managed_nodegroup_ids" {
+ description = "EKS managed node group ids"
+ value = module.eks_blueprints.managed_node_groups_id
+}
+
+output "eks_managed_nodegroup_arns" {
+ description = "EKS managed node group arns"
+ value = module.eks_blueprints.managed_node_group_arn
+}
+
+output "eks_managed_nodegroup_role_name" {
+ description = "EKS managed node group role name"
+ value = module.eks_blueprints.managed_node_group_iam_role_names
+}
+
+output "eks_managed_nodegroup_status" {
+ description = "EKS managed node group status"
+ value = module.eks_blueprints.managed_node_groups_status
+}
+
+output "configure_kubectl" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = module.eks_blueprints.configure_kubectl
+}
+*/
+# Region used for Terratest
+output "region" {
+ description = "AWS region"
+ value = local.region
+}
+
+output "jumpbox_public_dns" {
+ description = "Public DNS address of Jumpbox"
+ value = module.jumphost.public_dns
+}
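Review bot: `jumpbox_public_dns` returns `module.jumphost.public_dns` unindexed, whereas the cis stack in this same diff, calling the identical `../modules/jumphost` source, outputs `module.jumphost.public_dns[0]`; if the module exposes a list, this output prints the whole list and any automation that reads it as a string breaks, so pick one form (`value = module.jumphost.public_dns[0]` if the module output is a list) and make both stacks agree. The commented block references `module.eks_blueprints`, which does not exist in this stack's `main.tf` (the modules are `eks` and `eks_blueprints_addons`), and depends on `eks_cluster_name` being an output of the addons module, which should be verified; it cannot be uncommented as written, so rewrite it against `module.eks` outputs or delete it. A live cluster-name output is also missing while `as_built.md` tells the operator to run `aws eks update-kubeconfig --name …`; `output "eks_cluster_name" { value = module.eks.cluster_name }` gives that step a value.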
diff --git a/resources/terraform/polsup-eks-nginx/variables.tf b/resources/terraform/polsup-eks-nginx/variables.tf
new file mode 100644
index 0000000000000000000000000000000000000000..10af7f06603722ef7828142af0079644de62559c
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/variables.tf
@@ -0,0 +1,54 @@
+# tflint-ignore: terraform_unused_declarations
+variable "cluster_name" {
+ description = "Name of cluster - used by Terratest for e2e test automation"
+ type = string
+ default = "polsup-nap"
+}
+
+variable "cluster_version" {
+ description = "The Version of Kubernetes to deploy"
+ type = string
+ default = "1.25"
+}
+
+variable "region" {
+ description = "Name of AWS deployment region"
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR of deployment VPC"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "name" {
+ description = "Name prefix of deployment"
+ type = string
+ default = "polsup-nap"
+}
+
+variable "owner" {
+ description = "Deployment owner"
+ type = string
+ default = "f5-aatt"
+}
+
+variable "instance" {
+ description = "Deployment EC2 instance type"
+ type = string
+ default = "t3.xlarge"
+}
+
+variable "app" {
+ description = "Deployment Application"
+ type = string
+ default = "OTel AstroShop"
+}
+
+variable "ec2_key" {
+ description = "EC2 Deployment Keypair"
+ type = string
+ default = "mjk-aatt-fy23q2"
+}
diff --git a/resources/terraform/polsup-eks-nginx/versions.tf b/resources/terraform/polsup-eks-nginx/versions.tf
new file mode 100644
index 0000000000000000000000000000000000000000..a967321a965441b1c48d4c51b276ea55ad591dad
--- /dev/null
+++ b/resources/terraform/polsup-eks-nginx/versions.tf
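Review bot: `ec2_key` defaults to `"mjk-aatt-fy23q2"`, a key pair that exists only in the author's account, so anyone else's `terraform apply` fails at the jumphost and the default serves only to publish a naming convention; drop the `default` line so the value must come from tfvars. `cluster_name` and `name` both default to `"polsup-nap"`, which means the `coalesce(var.name, local.build)` in `main.tf` never falls back to the random suffix and two operators in one account collide on VPC and cluster names; `default = null` on `name` restores the intended random fallback. The `# tflint-ignore: terraform_unused_declarations` pragma on `cluster_name` is stale here, since `main.tf` does read `var.cluster_name`.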
@@ -0,0 +1,25 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate"
+ # }
+}
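Review bot: `main.tf` declares `resource "random_id" "id"` but `required_providers` does not list `hashicorp/random`, so that provider is resolved implicitly and unpinned; add `random = { source = "hashicorp/random", version = "~> 3.5" }` beside the others so the lock file captures it. `aws = { version = ">= 3.72" }` has no upper bound, whereas `main.tf` pins `terraform-aws-modules/vpc/aws` to `~> 5.0` and `terraform-aws-modules/eks/aws` to `~> 19.13`, which by those modules' own constraints require a far newer provider; `version = "~> 5.0"` would state the real floor and stop a future major release being pulled in silently. The same open-ended `>=` applies to `kubernetes` and `helm` and deserves the same `~>` treatment.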