Add "Secure Mode" to the complete example #112

Merged
merged 26 commits into from
Apr 4, 2023
Merged
26 commits
29da7fa
wip
RothAndrew Mar 23, 2023
c2496cf
wip
RothAndrew Mar 24, 2023
c48d612
Delete complete-self-managed-nodegroup example since secure mode cove…
RothAndrew Mar 24, 2023
5be5d46
wip
RothAndrew Mar 24, 2023
33f4f82
wip
RothAndrew Mar 27, 2023
6902720
Change keycloak_enabled back to true
RothAndrew Mar 27, 2023
898169d
undo the managed stuff and change keycloak_enabled back to false
RothAndrew Mar 27, 2023
29af182
wip
RothAndrew Mar 27, 2023
28b5a4e
Update providers to use eks module output instead of data object
RothAndrew Mar 27, 2023
b2d0b5e
Change keycloak_enabled back to true
RothAndrew Mar 27, 2023
9aad202
wip
RothAndrew Mar 27, 2023
bce548a
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Mar 28, 2023
ef3bbf3
Merge branch 'main' into feature/secure-mode-to-complete-example
zack-is-cool Mar 29, 2023
7cc6609
Increase the sleep to 3 minutes
RothAndrew Mar 29, 2023
5818e84
wip
RothAndrew Mar 29, 2023
49ba458
wip
RothAndrew Mar 29, 2023
06cb1e0
wip
RothAndrew Mar 29, 2023
d288fc5
wip
RothAndrew Mar 29, 2023
5939e8e
Merge branch 'main' into feature/secure-mode-to-complete-example
ntwkninja Mar 30, 2023
2445893
wip
RothAndrew Mar 30, 2023
add42b5
wip
RothAndrew Mar 31, 2023
9a4a7ec
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Apr 3, 2023
1a7082f
wip
RothAndrew Apr 3, 2023
20d1430
wip
RothAndrew Apr 3, 2023
2c9a5a4
Merge branch 'main' into feature/secure-mode-to-complete-example
RothAndrew Apr 3, 2023
a8172e9
wip
RothAndrew Apr 3, 2023
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -26,6 +26,7 @@ crash.*.log
# Except ones that we do want to commit because they are used for automated tests
!examples/complete/fixtures.common.tfvars
!examples/complete/fixtures.insecure.tfvars
!examples/complete/fixtures.secure.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
44 changes: 36 additions & 8 deletions Makefile
@@ -1,6 +1,6 @@
# The version of the build harness container to use
BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/not-a-build-harness/not-a-build-harness
BUILD_HARNESS_VERSION := 0.0.8
BUILD_HARNESS_VERSION := 0.0.12

.DEFAULT_GOAL := help

Expand All @@ -24,26 +24,31 @@ help: ## Show a list of all targets
| sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
| column -t -s ":"

.PHONY: _test-all
_test-all:
.PHONY: _create-folders
_create-folders:
mkdir -p .cache/go
mkdir -p .cache/go-build
mkdir -p .cache/tmp
mkdir -p .cache/.terraform.d/plugin-cache

.PHONY: _test-all
_test-all: _create-folders
echo "Running automated tests. This will take several minutes. At times it does not log anything to the console. If you interrupt the test run you will need to log into AWS console and manually delete any orphaned infrastructure."
docker run $(TTY_ARG) --rm \
--cap-add=NET_ADMIN \
--cap-add=NET_RAW \
-v "${PWD}:/app" \
-v "${PWD}/.cache/tmp:/tmp" \
-v "${PWD}/.cache/go:/root/go" \
-v "${PWD}/.cache/go-build:/root/.cache/go-build" \
-v "${PWD}/.cache/.terraform.d/plugin-cache:/root/.terraform.d/plugin-cache" \
--workdir "/app/test/e2e" \
-e TF_LOG_PATH \
-e TF_LOG \
-e GOPATH=/root/go \
-e GOCACHE=/root/.cache/go-build \
-e TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE=true \
-e TF_PLUGIN_CACHE_DIR=/root/.terraform.d/plugin-cache \
-e REPO_URL \
-e GIT_BRANCH \
-e AWS_REGION \
-e AWS_DEFAULT_REGION \
-e AWS_ACCESS_KEY_ID \
Expand All @@ -54,7 +59,31 @@ _test-all:
-e SKIP_SETUP \
-e SKIP_TEST \
-e SKIP_TEARDOWN \
$(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) bash -c 'asdf install && go test -v $(EXTRA_TEST_ARGS) ./...'
$(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) \
bash -c 'asdf install && go test -count 1 -v $(EXTRA_TEST_ARGS) .'

.PHONY: bastion-connect
bastion-connect: _create-folders ## To be used after deploying "secure mode" of examples/complete. It (a) creates a tunnel through the bastion host using sshuttle, and (b) sets up the KUBECONFIG so that the EKS cluster is able to be interacted with. Requires the standard AWS cred environment variables to be set. We recommend using 'aws-vault' to set them.
# TODO: Figure out a better way to deal with the bastion's SSH password. Ideally it should come from a terraform output but you can't directly pass inputs to outputs (at least not when you are using "-target")
cd examples/complete && terraform init
docker run $(TTY_ARG) --rm \
--cap-add=NET_ADMIN \
--cap-add=NET_RAW \
-v "${PWD}:/app" \
--workdir "/app/examples/complete" \
-e AWS_REGION \
-e AWS_DEFAULT_REGION \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_SESSION_TOKEN \
-e AWS_SECURITY_TOKEN \
-e AWS_SESSION_EXPIRATION \
$(BUILD_HARNESS_REPO):$(BUILD_HARNESS_VERSION) \
bash -c 'asdf install \
&& sshuttle -D -e '"'"'sshpass -p "my-password" ssh -q -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="aws ssm --region $(shell cd examples/complete && terraform output -raw bastion_region) start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"'"'"' --dns --disable-ipv6 -vr ec2-user@$(shell cd examples/complete && terraform output -raw bastion_instance_id) $(shell cd examples/complete && terraform output -raw vpc_cidr) \
&& aws eks --region $(shell cd examples/complete && terraform output -raw bastion_region) update-kubeconfig --name $(shell cd examples/complete && terraform output -raw eks_cluster_name) \
&& echo "SShuttle is running and KUBECONFIG has been set. Try running kubectl get nodes." \
&& bash'

.PHONY: test
test: ## Run all automated tests. Requires access to an AWS account. Costs real money.
Expand All @@ -66,8 +95,7 @@ test-complete-insecure: ## Run one test (TestExamplesCompleteInsecure). Requires

.PHONY: test-complete-secure
test-complete-secure: ## Run one test (TestExamplesCompleteSecure). Requires access to an AWS account. Costs real money.
#$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteSecure"
echo "TestExamplesCompleteSecure is still being worked on. For now feel free to use the complete-self-managed-nodegroup example."
$(MAKE) _test-all EXTRA_TEST_ARGS="-timeout 2h -run TestExamplesCompleteSecure"

.PHONY: docker-save-build-harness
docker-save-build-harness: ## Pulls the build harness docker image and saves it to a tarball
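Review bot: `sshpass -p "my-password"` on the sshuttle line of the new bastion-connect recipe hard-codes the bastion SSH password in the Makefile and hands it over as a command-line argument, where any other process in the container can read it from the process list; the TODO above the recipe covers where the value should eventually come from but not this exposure. Until the terraform-output route exists it can be passed in the same way as the AWS variables — add `-e SSHPASS` to the `docker run` and use `sshpass -e ssh …` so the password is taken from the environment rather than argv. The `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` pair disables host-key verification; that may be an acceptable trade here since the SSM ProxyCommand already addresses the target by instance id, but a one-line comment saying so would keep a reader from treating it as an oversight. Each `$(shell cd examples/complete && terraform output -raw …)` is expanded by make on the host, and if one of them fails make substitutes an empty string instead of aborting, so the recipe would run sshuttle against `ec2-user@` with no host; checking that the outputs are non-empty before the `docker run` line would fail fast instead.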