diff --git a/.github/workflows/stack.yml b/.github/workflows/stack.yml
new file mode 100644
index 0000000..1a5a99b
--- /dev/null
+++ b/.github/workflows/stack.yml
@@ -0,0 +1,50 @@
+# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+# Creates and Publishes the Oracle Resource Manager stack
+
+name: Generate stacks and publish release
+
+on:
+ push:
+ branches: [ main ]
+ paths: ['terraform/VERSION']
+
+jobs:
+
+ publish_stack:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Create stacks
+ id: create_stacks
+ run: |
+ #
+ STACKNAME=${{ github.event.repository.name }}
+ FOLDER=terraform/
+ RELEASE=$(cat terraform/VERSION)
+ ASSETS+="${STACKNAME}-stack.zip ${STACKNAME}-${RELEASE}.zip "
+ echo "::group::Processing $STACKNAME"
+ zip -r ${STACKNAME}-stack.zip $FOLDER || { printf '\n⛔ Unable to create %s stack.\n'; exit 1; }
+ cp ${STACKNAME}-stack.zip ${STACKNAME}-${RELEASE}.zip || { printf '\n⛔ Unable to create %s stack.\n'; exit 1; }
+ echo "::endgroup::"
+ echo "::set-output name=assets::$ASSETS"
+ echo "::set-output name=release::$RELEASE"
+ echo "::set-output name=prefix::$STACKNAME"
+
+ - name: Prepare Release Notes
+ run: |
+ #
+ printf '%s\n' '${{ steps.create_stacks.outputs.prefix }} Stack - v${{ steps.create_stacks.outputs.release }}' >release.md
+ printf '%s\n' '' '## [![Deploy to Oracle Cloud][magic_button]][magic_stack]' >>release.md
+ printf '%s\n' '' '' >>release.md
+ printf '%s\n' '' '[magic_button]: https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg' >>release.md
+ printf '%s\n' '' '[magic_stack]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/${{ steps.create_stacks.outputs.release }}/${{ steps.create_stacks.outputs.prefix }}-${{ steps.create_stacks.outputs.release }}.zip' >>release.md
+
+ - name: Create Release
+ run: gh release create ${{ steps.create_stacks.outputs.release }} --generate-notes -F release.md ${{ steps.create_stacks.outputs.assets }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index f4f7191..4747660 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 **/.DS_Store
 *.tgz
 *.zip
+.vscode/
 # Terraform
 ###
 ## Local .terraform directories
diff --git a/README.md b/README.md
index 9c32dd9..a7f4f92 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# ![Sysdig Logo](./images/sysdig-logo-white-text.svg#gh-light-mode-only)![Sysdig Logo - Dark Mode](./images/sysdig-logo.svg#gh-dark-mode-only) [![Deploy to Oracle Cloud][magic_button]][magic_sysdig_stack]
+# ![Sysdig Logo](./images/sysdig-logo.svg#gh-light-mode-only)![Sysdig Logo - Dark Mode](./images/sysdig-logo-white-text.svg#gh-dark-mode-only) [![Deploy to Oracle Cloud][magic_button]][magic_sysdig_stack]
 
 Terraform module that deploys the Sysdig Secure Agents in Oracle Kubernetes Engine (OKE) Cluster.
 
diff --git a/images/sysdig-icon.svg b/images/sysdig-icon.svg
new file mode 100644
index 0000000..014bc87
--- /dev/null
+++ b/images/sysdig-icon.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index aa6c015..700f694 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
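Review bot: Both error branches in the `Create stacks` step call `printf '\n⛔ Unable to create %s stack.\n'` with no argument for `%s`, so the failure message prints an empty stack name; pass `"$STACKNAME"` as the argument. The same step publishes its results with `::set-output`, which GitHub has deprecated in favour of appending `name=value` lines to the file named by `$GITHUB_OUTPUT`. The workflow declares no `permissions:` block, so whether `gh release create` can write a release depends on the repository's default `GITHUB_TOKEN` setting; declaring `permissions: contents: write` at the top makes the one scope the job needs explicit and keeps every other scope read-only. The unquoted `${STACKNAME}`/`$FOLDER` expansions in the `zip` and `cp` lines are harmless for repository names but are worth quoting while the lines are being touched.
```yaml
permissions:
  contents: write

jobs:
  publish_stack:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: Checkout step …
      - name: Create stacks
        id: create_stacks
        run: |
          # … unchanged: STACKNAME, FOLDER, RELEASE, ASSETS, ::group:: echo …
          zip -r "${STACKNAME}-stack.zip" "$FOLDER" || { printf '\n⛔ Unable to create %s stack.\n' "$STACKNAME"; exit 1; }
          cp "${STACKNAME}-stack.zip" "${STACKNAME}-${RELEASE}.zip" || { printf '\n⛔ Unable to create %s stack.\n' "$STACKNAME"; exit 1; }
          echo "::endgroup::"
          echo "assets=$ASSETS" >> "$GITHUB_OUTPUT"
          echo "release=$RELEASE" >> "$GITHUB_OUTPUT"
          echo "prefix=$STACKNAME" >> "$GITHUB_OUTPUT"
```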
@@ -70,33 +70,6 @@ provider "registry.terraform.io/hashicorp/local" {
 ]
 }
 
-provider "registry.terraform.io/hashicorp/oci" {
- version = "4.68.0"
- constraints = ">= 4.68.0"
- hashes = [
- "h1:+ibmD9qY8nGrxOtcxZf5JFSUWCHj9NnNdYb2+kYSgBI=",
- "h1:aJ996CmyR4SBjvDI+hF8MVzD6yd241AKJ/pTtwqcvGY=",
- "h1:bfj2Sj01ZRGFFCXJt2eBcjDYHVVa3fw0U4+jnUiQJHM=",
- "h1:nagiVTWsneUlp4FMDgnMCDhC+x8uNlUH3MP2SvXL0Z0=",
- "h1:pU9mgzYZ9fapGYfqWnn6F8q/VnqtG3xtJzXOom0KTmk=",
- "zh:0eb113292d8c0dfb83af8b57603f3d87f539e3d6fd59101cdc90cb839a7a15d2",
- "zh:38e135a2b40c4a72f21bfaa9761e5d541095726dbbd6c0e68b599f14626f4d15",
- "zh:42034e5dccb0c8067390242f25c10c41da68afa6bfd5dfa8a29bacd7cf0acc72",
- "zh:51e12d9aa6ae9fa2925d98e5b30249464ee11a0b79bbdf696bbb7d2a505b6e6c",
- "zh:54b5bf9589b3ab0527f74c3054dd28dbb427fb3868d65388d2984cf2c7637a76",
- "zh:55d017747528964b476c73068f4e0a419e58721eb2f654c10947d6756a66cf63",
- "zh:6d5ef791501fd20e6a5cf8b1a674c5de2c30cb2219c54b619cc42d8da69739a5",
- "zh:7bd75323793a6974d0e262a3e256d8ab6e323fdeca5c344a6ee4d2582a8e5ebe",
- "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:a381b0ae5bc8ccecaf8e3270e41e220e7f900052e2f34928d81e66e335f5afc6",
- "zh:bbdcc854328cad0402534866d75b11275ea7dbef4d43e0ff4955c2e9782a40d2",
- "zh:c1cf442599f7d87dcba638f291babd786c1384603a57af7b9525bfca9ce86a79",
- "zh:c5f3c18b0ad41536cf6004a5b5d367bc3d28be6edaccd1cea133391a9d3b9424",
- "zh:d5cd4b7e621ee421a119cc477cea6b0ff4d0619c78e997104388801711670365",
- "zh:d8870c7bbce64613f9318f7251b803b7d018d6bd0757623c02ca2ebe0807f12f",
- ]
-}
-
 provider "registry.terraform.io/hashicorp/random" {
 version = "3.1.0"
 constraints = "3.1.0"
@@ -142,3 +115,30 @@ provider "registry.terraform.io/hashicorp/tls" {
 "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0",
 ]
 }
+
+provider "registry.terraform.io/oracle/oci" {
+ version = "4.75.0"
+ constraints = ">= 4.75.0"
+ hashes = [
+ "h1:7mA4N3Snal+MjgATEm2NCjiVlLYYAaNMFRn7+IYF3KE=",
+ "h1:RlYetIy/lQQ4uL3dfOY1Kq5MsRL86xxWyhPqp520fqs=",
+ "h1:RsrBRtygE17vqHmrclCu6vwggQta5nydw/S7Tt0SKZ0=",
+ "h1:fhuVWZ0a26hMLIOh2pKc78yR7ML/dr0ZPTTDnq56uhM=",
+ "h1:lV4Z/CuFOVjyivvAyZEJBAmFVLIm153a3Zi49lRHjKU=",
+ "zh:0390dd200ab50344f1014306dc186c21a8fb8fd881585b3a8299b1261ad41ca4",
+ "zh:0f46b164faaad0325006f3fdab4b699f1b26203e46cf9df33891ab483455c2ce",
+ "zh:0fb4c9ae86b24c11369bb8097a4461cde5f4f69736871c0c9d3401a2791fd402",
+ "zh:17bc369131353acdbce7dd132bac1caf44ec9a7ad5eb66dc33a1cf7c48eaac0e",
+ "zh:2cb11c8658480240e6f60ab6cc84b748bf76e08a821fc73a493a052bf8e17183",
+ "zh:3ae19ec595635b7fd5046669e1b0112db3bc7f378d6f8132955963a623520d20",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:b342b03ef66c754d86e1296dbbed533b660bc477371b5ca0918eb06704503314",
+ "zh:b49b11491c9e4be5417f73766d05afbac0901659196aa03147db0a86eedae1f3",
+ "zh:c093376cb83d66d2c46f7f83534461728d2c8a9aff25df80bbd3826da09dd4bd",
+ "zh:cc7fa18d38f32bd7a49dc457d1b5131ded0ca402764594d88bbb288d52e25e7e",
+ "zh:d0da468726410393fe9546ee23eae7056ca9a517d5ccf90baf704f4ec49f621a",
+ "zh:d79f133c6add2bc9a901d6941bd6b87c6d0df07eb38eed4174625697e6283dd4",
+ "zh:d90c8340b74defee4c8d86df230e4135cfa08ac6339cc58d92c6a833a9a32070",
+ "zh:da871ab255a31ebfb7a97489cf84411df8c48968f97b8048930f5a52fb3914a0",
+ ]
+}
diff --git a/terraform/VERSION b/terraform/VERSION
index afaf360..7f20734 100644
--- a/terraform/VERSION
+++ b/terraform/VERSION
@@ -1 +1 @@
-1.0.0
\ No newline at end of file
+1.0.1
\ No newline at end of file
diff --git a/terraform/oke-autoscaler.tf b/terraform/oke-autoscaler.tf
index dff94f8..58d2ba3 100644
--- a/terraform/oke-autoscaler.tf
+++ b/terraform/oke-autoscaler.tf
@@ -3,7 +3,7 @@
 #
 
 locals {
- cluster_autoscaler_supported_k8s_versions = { "1.18" = "1.18.3-4", "1.19" = "1.19.1-8", "1.20" = "1.20.0-6", "1.21" = "1.21.1-3" } # There's no API to get that list. Need to be updated manually
+ cluster_autoscaler_supported_k8s_versions = { "1.18" = "1.18.3-4", "1.19" = "1.19.1-8", "1.20" = "1.20.0-6", "1.21" = "1.21.1-3", "1.22" = "1.22.2-4" } # There's no API to get that list. Need to be updated manually
 cluster_autoscaler_image_version = lookup(local.cluster_autoscaler_supported_k8s_versions, local.k8s_major_minor_version, reverse(values(local.cluster_autoscaler_supported_k8s_versions))[0])
 cluster_autoscaler_image_region = "iad" # Available regions: iad, phx, fra, lhr
 cluster_autoscaler_image = "${local.cluster_autoscaler_image_region}.ocir.io/oracle/oci-cluster-autoscaler:${local.cluster_autoscaler_image_version}"
diff --git a/terraform/oke-datasources.tf b/terraform/oke-datasources.tf
index 5eea26a..fa36529 100644
--- a/terraform/oke-datasources.tf
+++ b/terraform/oke-datasources.tf
@@ -18,6 +18,9 @@ data "oci_containerengine_cluster_option" "oke" {
 data "oci_containerengine_node_pool_option" "oke" {
 node_pool_option_id = "all"
 }
+data "oci_containerengine_clusters" "oke" {
+ compartment_id = local.oke_compartment_ocid
+}
 
 # Gets a list of Availability Domains
 data "oci_identity_availability_domains" "ADs" {
diff --git a/terraform/oke-outputs.tf b/terraform/oke-outputs.tf
index 39c06c0..be55b45 100755
--- a/terraform/oke-outputs.tf
+++ b/terraform/oke-outputs.tf
@@ -7,7 +7,7 @@ output "comments" {
 }
 
 output "deployed_oke_kubernetes_version" {
- value = (var.k8s_version == "Latest") ? local.cluster_k8s_latest_version : var.k8s_version
+ value = local.deployed_k8s_version
 }
 output "kubeconfig_for_kubectl" {
 value = "export KUBECONFIG=./generated/kubeconfig"
diff --git a/terraform/oke-variables.tf b/terraform/oke-variables.tf
index 6cc31a1..f7cc7b3 100644
--- a/terraform/oke-variables.tf
+++ b/terraform/oke-variables.tf
@@ -16,6 +16,10 @@ variable "existent_oke_cluster_id" {
 default = ""
 description = "Using existent OKE Cluster. Only the application and services will be provisioned. If select cluster autoscaler feature, you need to get the node pool id and enter when required"
 }
+variable "existent_oke_cluster_compartment_ocid" {
+ default = ""
+ description = "Existent OKE Cluster Compartment"
+}
 variable "create_new_compartment_for_oke" {
 default = false
 description = "Creates new compartment for OKE Nodes and OCI Services deployed. NOTE: The creation of the compartment increases the deployment time by at least 3 minutes, and can increase by 15 minutes when destroying"
diff --git a/terraform/oke.tf b/terraform/oke.tf
index 581278b..0e64a90 100644
--- a/terraform/oke.tf
+++ b/terraform/oke.tf
@@ -89,7 +89,8 @@ resource "oci_identity_compartment" "oke_compartment" {
 count = var.create_new_compartment_for_oke ? 1 : 0
 }
 locals {
- oke_compartment_ocid = var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid
+ # oke_compartment_ocid = var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid
+ oke_compartment_ocid = var.create_new_oke_cluster ? (var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid) : var.existent_oke_cluster_compartment_ocid
 }
 
 # Local kubeconfig for when using Terraform locally. Not used by Oracle Resource Manager
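Review bot: The previous definition of `oke_compartment_ocid` is kept as a commented-out line directly above the new one; git history already records it, so the comment line should be dropped rather than carried forward. The new expression falls back to `var.existent_oke_cluster_compartment_ocid`, whose default in the `oke-variables.tf` hunk of this commit is `""`, so a run with `create_new_oke_cluster = false` and no compartment supplied hands an empty id to the `oci_containerengine_clusters` data source and fails with a provider error instead of a message naming the missing input; a `validation` block on that variable (or on `existent_oke_cluster_id`, which is the one actually used) would surface the mistake earlier. The new variable is also declared without `type = string`, which the rest of the file omits too, so that is a file-wide rather than hunk-specific point.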
@@ -108,6 +109,8 @@ resource "tls_private_key" "oke_worker_node_ssh_key" {
 locals {
 cluster_k8s_latest_version = reverse(sort(data.oci_containerengine_cluster_option.oke.kubernetes_versions))[0]
 node_pool_k8s_latest_version = reverse(sort(data.oci_containerengine_node_pool_option.oke.kubernetes_versions))[0]
+ deployed_k8s_version = var.create_new_oke_cluster ? (var.k8s_version == "Latest") ? local.cluster_k8s_latest_version : var.k8s_version :[
+ for x in data.oci_containerengine_clusters.oke.clusters : x.kubernetes_version if x.id == var.existent_oke_cluster_id][0]
 }
 
 # Checks if is using Flexible Compute Shapes
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 0e7cff1..7328ff0 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -3,12 +3,12 @@
 #
 
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.1"
 required_providers {
 oci = {
- source = "hashicorp/oci"
- version = ">= 4.68.0"
- # https://registry.terraform.io/providers/hashicorp/oci/4.68.0
+ source = "oracle/oci"
+ version = ">= 4.75.0"
+ # https://registry.terraform.io/providers/oracle/oci/4.75.0
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/terraform/schema.yaml b/terraform/schema.yaml
new file mode 100644
index 0000000..9643925
--- /dev/null
+++ b/terraform/schema.yaml
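Review bot: `deployed_k8s_version` indexes the filtered cluster list with `[0]`, so when `existent_oke_cluster_id` is not among the clusters of the chosen compartment (wrong compartment, typo, deleted cluster) the run fails with an opaque "invalid index" on this local rather than a message naming the cluster id. If the minimum Terraform version can be raised from the `>= 1.1` this commit sets to `>= 1.2`, a `postcondition` on `data.oci_containerengine_clusters.oke` with `condition = var.create_new_oke_cluster || contains(self.clusters[*].id, var.existent_oke_cluster_id)` and an `error_message` naming the id is the clearest fix; otherwise `one([...])` at least replaces the index error with a `null` that can be checked downstream. Independently, the nested conditional is written as `a ? b ? c : d : e` with no parentheses around the inner branch, which is hard to read even if HCL parses it as intended; `var.create_new_oke_cluster ? ((var.k8s_version == "Latest") ? local.cluster_k8s_latest_version : var.k8s_version) : [...]` makes the grouping explicit.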
@@ -0,0 +1,618 @@ +# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl. +# + +title: "Sysdig Secure for OKE" +description: "Sysdig Secure: Unified security and compliance for containers, Kubernetes and cloud" +informationalText: "This stack deploys Sysdig Secure and Sysdig Container on an existent OKE Cluster (optionally the stack allows create a new cluster before deploy)." +schemaVersion: 1.1.0 +version: "20190304" + +logoUrl:  + +source: + type: quickstart + +locale: "en" +variableGroups: + - title: "Basic Hidden" + variables: + - compartment_ocid + - tenancy_ocid + - region + visible: false + + - title: "Sysdig Configuration" + variables: + - sysdig_access_key + - sysdig_settings_collector + - sysdig_settings_collector_port + - sysdig_node_analyzer_api_endpoint + + - title: "Sysdig <> Snyk Integration" + variables: + - sysdig_snyk_integration + - snyk_integration_id + - snyk_deploy_goof_sample + - snyk_private_registry + - snyk_private_registry_url + - snyk_private_registry_username + - snyk_private_registry_password + + - title: "Snyk Hidden Variables" + variables: + - snyk_sysdig_integration + - sysdig_eve_secret_name + - sysdig_agent_namespace + visible: false + + - title: "OKE Cluster Configuration" + variables: + - create_new_oke_cluster + - existent_oke_cluster_compartment_ocid + - existent_oke_cluster_id + - show_advanced + - app_name + - k8s_version + - cluster_workers_visibility + - cluster_endpoint_visibility + - create_new_compartment_for_oke + + - title: "OKE Worker Nodes" + variables: + - cluster_autoscaler_enabled + - num_pool_workers + - cluster_autoscaler_min_nodes + - cluster_autoscaler_max_nodes + - node_pool_shape + - node_pool_node_shape_config_ocpus + - node_pool_node_shape_config_memory_in_gbs + - generate_public_ssh_key + - public_ssh_key + - image_operating_system + - image_operating_system_version + - 
node_pool_name + + - title: "Dynamic Group and Policies" + variables: + - create_dynamic_group_for_nodes_in_compartment + - existent_dynamic_group_for_nodes_in_compartment + - create_compartment_policies + - create_tenancy_policies + + - title: "Encryption using OCI Vault (KMS)" + variables: + - use_encryption_from_oci_vault + - create_new_encryption_key + - existent_encryption_key_id + - create_vault_policies_for_group + - user_admin_group_for_vault_policy + + - title: "Extras Hidden" + variables: + - user_ocid + - fingerprint + - private_key_path + - network_cidrs + - cluster_options_admission_controller_options_is_pod_security_policy_enabled + - cluster_options_add_ons_is_kubernetes_dashboard_enabled + - node_pool_boot_volume_size_in_gbs + - oke_compartment_description + - create_oci_service_user + - existent_oke_nodepool_id_for_autoscaler + visible: false + +variables: + compartment_ocid: + type: oci:identity:compartment:id + title: "Compartment" + description: "The compartment in which to create compute instance(s)" + required: true + + sysdig_access_key: + type: string + title: "Sysdig Agent Access Key" + required: true + + sysdig_settings_collector: + type: string + title: "Sysdig Agent Collector URL" + required: true + + sysdig_settings_collector_port: + type: string + title: "Sysdig Agent Collector Port" + required: true + + sysdig_node_analyzer_api_endpoint: + type: string + title: "Sysdig Node Analyzer API endpoint" + required: true + + sysdig_snyk_integration: + type: boolean + title: "Enable Snyk integration to Sysdig" + required: true + visible: yes + + snyk_integration_id: + type: string + title: "Snyk Integration id" + required: true + visible: + and: + - sysdig_snyk_integration + + snyk_deploy_goof_sample: + type: boolean + title: "Deploy Snyk's Goof Sample" + required: true + visible: + and: + - sysdig_snyk_integration + + snyk_private_registry: + type: boolean + title: "Configure Private Container Registry to be scanned by Snyk" + required: true 
+ visible: + and: + - sysdig_snyk_integration + + snyk_private_registry_url: + type: string + title: "Container Private Registry URL" + required: true + visible: + and: + - sysdig_snyk_integration + - snyk_private_registry + + snyk_private_registry_username: + type: string + title: "Container Private Registry Username" + required: true + visible: + and: + - sysdig_snyk_integration + - snyk_private_registry + + snyk_private_registry_password: + type: string + title: "Container Private Registry Password or Auth Token" + required: true + visible: + and: + - sysdig_snyk_integration + - snyk_private_registry + + app_name: + type: string + title: "Cluster Name Prefix" + required: true + visible: + and: + - create_new_oke_cluster + + show_advanced: + type: boolean + title: "Show advanced options?" + description: "Shows advanced options, allowing enable customer-managed encryption keys, select your ssh key, select/unselect cluster utilities, do not create policies, and other advanced options" + visible: + and: + - create_new_oke_cluster + + create_oci_service_user: + type: boolean + title: "Creates OCI Service User" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + # OKE Cluster + create_new_oke_cluster: + type: boolean + title: "Create new OKE Cluster" + + existent_oke_cluster_compartment_ocid: + type: oci:identity:compartment:id + title: "Existent OKE Cluster Compartment" + description: "The compartment where you find the existent OKE Cluster" + default: compartment_ocid + required: true + visible: + not: + - create_new_oke_cluster + + existent_oke_cluster_id: + type: oci:container:cluster:id + title: "Existent OKE Cluster" + required: true + dependsOn: + compartmentId: existent_oke_cluster_compartment_ocid + visible: + not: + - create_new_oke_cluster + + k8s_version: + type: enum + enum: # Necessary hardcoded supported versions, as ORM does not retrieve the versions from OKE. 
+ - "Latest" + - "v1.22.5" + - "v1.21.5" + - "v1.20.11" + - "v1.19.15" + title: "Kubernetes Version" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + cluster_workers_visibility: + type: enum + enum: + - "Private" + - "Public" + title: "Choose Worker Nodes visibility type" + required: true + visible: + and: + - create_new_oke_cluster + + cluster_endpoint_visibility: + type: enum + enum: + # - "Private" + - "Public" + title: "Choose Kubernetes API Endpoint visibility type" + required: true + visible: + and: + - create_new_oke_cluster + + create_new_compartment_for_oke: + type: boolean + title: "Create new Compartment" + visible: + and: + - create_new_oke_cluster + - show_advanced + + cluster_autoscaler_enabled: + type: boolean + title: "Enable Cluster Autoscaler" + visible: + and: + - create_new_oke_cluster + + num_pool_workers: + type: integer + title: "Number of Worker Nodes" + minimum: 1 + maximum: 1000 + required: true + visible: + and: + - and: + - create_new_oke_cluster + - not: + - cluster_autoscaler_enabled + + cluster_autoscaler_min_nodes: + type: integer + title: "Autoscaler: Minimum number of nodes" + minimum: 1 + maximum: 1000 + required: true + visible: + and: + - create_new_oke_cluster + - cluster_autoscaler_enabled + + cluster_autoscaler_max_nodes: + type: integer + title: "Autoscaler: Maximum number of nodes" + minimum: 1 + maximum: 1000 + required: true + visible: + and: + - create_new_oke_cluster + - cluster_autoscaler_enabled + + existent_oke_nodepool_id_for_autoscaler: + type: string + title: "OKE Nodepool id" + required: true + visible: + and: + - and: + - cluster_autoscaler_enabled + - not: + - create_new_oke_cluster + + node_pool_shape: + type: oci:core:instanceshape:name + title: "Select a shape for the Worker Nodes instances" + required: true + dependsOn: + compartmentId: compartment_ocid + visible: + and: + - create_new_oke_cluster + + node_pool_node_shape_config_ocpus: + type: integer + minimum: 1 + 
maximum: 64 + title: "Number of OCPUs" + visible: + and: + - and: + - create_new_oke_cluster + - or: + - eq: + - node_pool_shape + - "VM.Standard.E3.Flex" + - eq: + - node_pool_shape + - "VM.Standard.E4.Flex" + - eq: + - node_pool_shape + - "VM.Standard.A1.Flex" + + node_pool_node_shape_config_memory_in_gbs: + type: integer + minimum: 1 + maximum: 1024 + title: "Amount of memory (GB)" + visible: + and: + - and: + - create_new_oke_cluster + - or: + - eq: + - node_pool_shape + - "VM.Standard.E3.Flex" + - eq: + - node_pool_shape + - "VM.Standard.E4.Flex" + - eq: + - node_pool_shape + - "VM.Standard.A1.Flex" + + node_pool_name: + type: string + title: "Node Pool Name" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + cluster_options_add_ons_is_kubernetes_dashboard_enabled: + type: boolean + title: "Kubernetes Dashboard Enabled" + visible: false + + generate_public_ssh_key: + type: boolean + title: "Auto generate public ssh key?" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + public_ssh_key: + type: oci:core:ssh:publickey + title: "Import your own SSH public key" + additionalProps: + allowMultiple: true + required: false + pattern: "((^(ssh-rsa AAAAB3NzaC1yc2|ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNT|ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzOD|ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1Mj|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|ssh-dss AAAAB3NzaC1kc3)[0-9A-Za-z+\/]+[=]{0,3})( [^,]*)?)(,((ssh-rsa AAAAB3NzaC1yc2|ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNT|ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzOD|ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1Mj|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|ssh-dss AAAAB3NzaC1kc3)[0-9A-Za-z+\/]+[=]{0,3})( [^,]*)?)*$" + visible: + and: + - and: + - create_new_oke_cluster + - show_advanced + - not: + - generate_public_ssh_key + + image_operating_system: + type: enum + title: "Image OS" + 
enum: + - "Oracle Linux" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + image_operating_system_version: + type: string + title: "Image OS Version" + required: true + visible: + and: + - create_new_oke_cluster + - show_advanced + + # Dynamic Groups and Policies for Instance Principals and Autoscaler + create_dynamic_group_for_nodes_in_compartment: + type: boolean + title: "Create Dynamic Group for Worker Nodes in the Compartment" + required: true + visible: + and: + - show_advanced + + existent_dynamic_group_for_nodes_in_compartment: + type: string + title: "Existent Dynamic Group" + required: true + visible: + and: + - and: + - show_advanced + - or: + - create_compartment_policies + - create_tenancy_policies + - not: + - create_dynamic_group_for_nodes_in_compartment + + create_compartment_policies: + type: boolean + title: "Create Compartment Policies" + required: true + visible: + and: + - show_advanced + + create_tenancy_policies: + type: boolean + title: "Create Tenancy Policies" + required: true + visible: + and: + - show_advanced + + # Encryption options + use_encryption_from_oci_vault: + type: boolean + title: "Encrypt using Customer-Managed Keys instead of Oracle Managed Encryption" + visible: + and: + - create_new_oke_cluster + - show_advanced + + create_new_encryption_key: + type: boolean + title: "Create new Vault and Key" + visible: + and: + - create_new_oke_cluster + - show_advanced + - use_encryption_from_oci_vault + + existent_encryption_key_id: + type: string + title: "Existent Encryption Key OCID" + required: true + visible: + and: + - and: + - create_new_oke_cluster + - show_advanced + - use_encryption_from_oci_vault + - not: + - create_new_encryption_key + + create_vault_policies_for_group: + type: boolean + title: "Create policies for the user group to manage vault and keys" + visible: + and: + - create_new_oke_cluster + - show_advanced + - use_encryption_from_oci_vault + - create_new_encryption_key + + 
user_admin_group_for_vault_policy: + type: string + title: "Specify your group to include the policy" + visible: + and: + - create_new_oke_cluster + - show_advanced + - use_encryption_from_oci_vault + - create_new_encryption_key + - create_vault_policies_for_group + +outputGroups: + - title: Deployment Info + outputs: + - deploy_id + - deployed_to_region + - stack_version + + - title: Kubernetes Cluster Info + outputs: + - deployed_oke_kubernetes_version + - generated_private_key_pem + + - title: Snyk Goof App Notes + outputs: + - snyk_goof_sample_access + - snyk_goof_sample_mongodb_access + + - title: Dev Notes + outputs: + - dev + - comments + +outputs: + + deploy_id: + type: string + title: "Deployment Id" + visible: true + + deployed_to_region: + type: string + title: "Deployed using Region" + visible: true + + deployed_oke_kubernetes_version: + type: string + title: "OKE Kubernetes version deployed" + visible: true + + stack_version: + type: string + title: Stack Version + displayText: Stack Version deployed + visible: true + + generated_private_key_pem: + type: string + title: Generated Private Key + displayText: Generated Private Key + + comments: + type: string + title: Comments + displayText: Comments + visible: true + + dev: + type: string + title: dev + displayText: dev note from Oracle Developers + visible: true + + snyk_goof_sample_access: + type: string + title: Kubectl command to check goof sample + displayText: Kubectl command to check goof sample (http://localhost:8088) + visible: + and: + - snyk_deploy_goof_sample + + snyk_goof_sample_mongodb_access: + type: string + title: Kubectl command to check goof mongoDb + displayText: Kubectl command to check goof mongoDb + visible: + and: + - snyk_deploy_goof_sample + + kubeconfig_for_kubectl: + type: string + title: kubeconfig + displayText: kubeconfig for local kubectl run. Not used by ORM + visible: false 
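Review bot: `sysdig_access_key` and `snyk_private_registry_password` are declared with `type: string`, so the Resource Manager form displays them in clear text while the user types and in the saved stack variables; the schema supports `type: password` for such values, and that is the type both should carry (`snyk_integration_id` is a credential-like value too and may deserve the same). `sysdig_snyk_integration` uses `visible: yes`, a YAML 1.1 boolean spelling that generic loaders may not accept and that differs from the `true`/`false` used everywhere else in the file; `visible: true` is the consistent form. `logoUrl:` is left with no value, which parses as null; give it a URL or drop the key. The "Snyk Hidden Variables" group lists `snyk_sysdig_integration`, a separate variable from the `sysdig_snyk_integration` that drives the other visibility rules; if only one switch is intended the schema should reference that one.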
diff --git a/terraform/snyk-goof-app.tf b/terraform/snyk-goof-app.tf
new file mode 100644
index 0000000..358623d
--- /dev/null
+++ b/terraform/snyk-goof-app.tf
@@ -0,0 +1,175 @@
+# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+#=======================================================================================
+# DO NOT deploy the following sample application in a production environment.
+# This application is used for demo purposes and contains a number of vulnerabilities.
+# It is highly recommended that you promptly uninstall the application after
+# you've completed the test.
+#=======================================================================================
+
+resource "kubernetes_namespace" "goof_app_namespace" {
+ metadata {
+ name = "goof"
+ }
+
+ depends_on = [data.oci_containerengine_cluster_kube_config.oke]
+
+ count = local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0
+}
+
+resource "kubernetes_deployment" "goof" {
+ metadata {
+ name = "goof"
+ namespace = kubernetes_namespace.goof_app_namespace.0.id
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "goof"
+ tier = "frontend"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "goof"
+ tier = "frontend"
+ }
+ }
+
+ spec {
+ container {
+ image = "snyklabs/goof"
+ name = "goof"
+
+ resources {
+ requests = {
+ cpu = "100m"
+ memory = "100Mi"
+ }
+ }
+ port {
+ container_port = 3001
+ }
+ port {
+ container_port = 9229
+ }
+ env {
+ name = "DOCKER"
+ value = "1"
+ }
+
+ }
+ }
+ }
+ }
+
+ count = local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0
+}
+
+resource "kubernetes_deployment" "goof_mongo" {
+ metadata {
+ name = "goof-mongo"
+ namespace = kubernetes_namespace.goof_app_namespace.0.id
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "goof"
+ tier = "backend"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "goof"
+ tier = "backend"
+ }
+ }
+
+ spec {
+ container {
+ image = "mongo"
+ name = "goof-mongo"
+ port {
+ container_port = 27017
+ }
+ }
+ }
+ }
+ }
+
+ count = local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0
+}
+
+resource "kubernetes_service" "goof" {
+ metadata {
+ name = "goof"
+ namespace = kubernetes_namespace.goof_app_namespace.0.id
+ }
+ spec {
+ selector = {
+ app = "goof"
+ tier = "frontend"
+ }
+ port {
+ protocol = "TCP"
+ port = 80
+ target_port = 3001
+ name = "http"
+ }
+ port {
+ protocol = "TCP"
+ port = 9229
+ target_port = 9229
+ name = "debug"
+ }
+
+ type = "ClusterIP"
+ }
+
+ count = local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0
+}
+
+resource "kubernetes_service" "goof_mongo" {
+ metadata {
+ name = "goof-mongo"
+ namespace = kubernetes_namespace.goof_app_namespace.0.id
+ }
+ spec {
+ selector = {
+ app = "goof"
+ tier = "backend"
+ }
+ port {
+ protocol = "TCP"
+ port = 27017
+ target_port = 27017
+ name = "mongo"
+ }
+
+ type = "ClusterIP"
+ }
+
+ count = local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0
+}
+
+output "snyk_goof_sample_access" {
+ value = "kubectl -n goof port-forward svc/goof 8088:80"
+ description = "If using deployed the goof app, this command will allow you to access the app locally"
+}
+
+output "snyk_goof_sample_mongodb_access" {
+ value = "kubectl -n goof port-forward svc/goof-mongo 27017:27017"
+ description = "If using deployed the goof app, this command will allow you to access the mongodb locally"
+}
diff --git a/terraform/snyk-monitor.tf b/terraform/snyk-monitor.tf
new file mode 100644
index 0000000..a06ed35
--- /dev/null
+++ b/terraform/snyk-monitor.tf
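Review bot: The guard `local.install_snyk ? (var.snyk_deploy_goof_sample ? 1 : 0) : 0` is repeated verbatim as the `count` of all five resources in this file; a single local, `deploy_goof_sample = local.install_snyk && var.snyk_deploy_goof_sample ? 1 : 0`, referenced as `count = local.deploy_goof_sample`, keeps them in step if the condition ever changes. `image = "snyklabs/goof"` and `image = "mongo"` carry no tag or digest, so each apply pulls whatever the registry's default tag currently resolves to and the demo is not reproducible; pin both. Given the header's own warning that the application is intentionally vulnerable, the `goof` namespace would benefit from a NetworkPolicy that confines traffic to the port-forward path the two outputs describe, so the `mongo` and `debug` services are not reachable from other workloads in the same cluster.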
@@ -0,0 +1,111 @@
+# Copyright (c) 2021 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+# Namespace
+resource "kubernetes_namespace" "snyk_monitor_namespace" {
+ metadata {
+ name = "snyk-monitor"
+ }
+
+ depends_on = [data.oci_containerengine_cluster_kube_config.oke]
+
+ count = local.install_snyk ? 1 : 0
+}
+
+# Helm Charts
+## https://github.com/snyk/kubernetes-monitor/tree/staging/snyk-monitor
+resource "helm_release" "snyk_monitor" {
+ name = "snyk-monitor"
+ repository = local.snyk_helm_repository.snyk_charts
+ chart = "snyk-monitor"
+ namespace = kubernetes_namespace.snyk_monitor_namespace.0.id
+ wait = true
+
+ set {
+ name = "clusterName"
+ value = yamldecode(data.oci_containerengine_cluster_kube_config.oke.content)["users"][0]["user"]["exec"]["args"][4]
+ }
+ set {
+ name = "sysdig.enabled"
+ value = var.sysdig_snyk_integration
+ }
+
+ depends_on = [helm_release.sysdig_agent]
+
+ count = local.install_snyk ? 1 : 0
+}
+
+locals {
+ # Helm repos
+ snyk_helm_repository = {
+ snyk_charts = "https://snyk.github.io/kubernetes-monitor"
+ }
+}
+
+# Secrets
+resource "kubernetes_secret" "snyk_monitor" {
+ metadata {
+ name = "snyk-monitor"
+ namespace = kubernetes_namespace.snyk_monitor_namespace.0.id
+ }
+ data = {
+ integrationId = var.snyk_integration_id
+ "dockercfg.json" = jsonencode(local.snyk_dockercfg)
+ }
+ type = "Opaque"
+
+ count = local.install_snyk ? 1 : 0
+}
+
+locals {
+ snyk_dockercfg = var.snyk_private_registry ? {
+ auths = {
+ "${var.snyk_private_registry_url}" = {
+ auth = "${base64encode("${var.snyk_private_registry_username}:${var.snyk_private_registry_password}")}"
+ }
+ }
+ } : {}
+}
+
+# resource "kubernetes_secret" "snyk_docker_cfg" {
+# metadata {
+# name = "docker-cfg"
+# }
+
+# data = {
+# ".dockerconfigjson" = jsonencode({
+ # auths = {
+ # "${var.registry_server}" = {
+ # auth = "${base64encode("${var.registry_username}:${var.registry_password}")}"
+ # }
+ # }
+ # })
+# }
+
+# type = "kubernetes.io/dockerconfigjson"
+# }
+
+data "kubernetes_secret" "sysdig_eve" {
+ metadata {
+ name = var.sysdig_eve_secret_name
+ namespace = var.sysdig_agent_namespace
+ }
+
+ depends_on = [helm_release.sysdig_agent]
+
+ count = var.sysdig_snyk_integration ? 1 : 0
+}
+
+resource "kubernetes_secret" "sysdig_eve_for_snyk" {
+ metadata {
+ name = var.sysdig_eve_secret_name
+ namespace = kubernetes_namespace.snyk_monitor_namespace.0.id
+ }
+ data = data.kubernetes_secret.sysdig_eve.0.data
+ type = data.kubernetes_secret.sysdig_eve.0.type
+
+ depends_on = [helm_release.sysdig_agent]
+
+ count = var.sysdig_snyk_integration ? 1 : 0
+}
\ No newline at end of file
diff --git a/terraform/snyk-variables.tf b/terraform/snyk-variables.tf
new file mode 100644
index 0000000..dc70a70
--- /dev/null
+++ b/terraform/snyk-variables.tf
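Review bot: The `clusterName` value reaches into the generated kubeconfig with `["users"][0]["user"]["exec"]["args"][4]`, a positional index into the OCI CLI exec arguments that will silently pick a different token if the argument order ever changes; a comment stating which argument is expected there (presumably the cluster id — to confirm against the rendered kubeconfig) would make the assumption visible, and selecting the value by the flag that precedes it would be sturdier. The commented-out `snyk_docker_cfg` resource is dead code and should not ship in a new file; if it documents an intended alternative, a one-line comment saying so is enough. In `snyk_dockercfg`, `auth = "${base64encode(...)}"` wraps a single expression in interpolation; `auth = base64encode(...)` is the form `terraform fmt` and validate expect. The `mongo` and `sysdig_eve` secret copies aside, nothing here is problematic with `count`; the `depends_on = [helm_release.sysdig_agent]` references remain valid after that release gains a `count` in `sysdig-agent.tf`.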
@@ -0,0 +1,48 @@
+# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+variable "snyk_integration_id" {
+ default = ""
+ description = "Snyk Integration Id"
+}
+
+variable "snyk_deploy_goof_sample" {
+ default = false
+ description = "NOTE: DO NOT deploy the sample application in a production environment. This application is used for demo purposes and contains a number of vulnerabilities. It is highly recommended that you promptly uninstall the application after you've completed the tutorial."
+}
+variable "snyk_private_registry" {
+ default = false
+ description = "Enter credentials to scan private registry. If need more than one, update the created secret with the new credentials."
+}
+variable "snyk_private_registry_url" {
+ default = ""
+ description = "Enter private registry url. i.e. iad.ocir.io"
+}
+variable "snyk_private_registry_username" {
+ default = ""
+ description = "Enter private registry username. i.e. /oracleidentitycloudservice/"
+}
+variable "snyk_private_registry_password" {
+ default = ""
+ description = "Enter private registry password or auth token. Note: For ocir.io, the password is the auth token generated for the user."
+}
+
+variable "snyk_sysdig_integration" {
+ default = false
+ description = "Enrich the issues detected by Snyk for workloads with runtime data provided by Sysdig. NOTE: The Sysdig agent must be installed and running on the same cluster."
+}
+
+variable "sysdig_eve_secret_name" {
+ default = "sysdig-eve-secret"
+ description = "Sysdig Eve Secret Name"
+}
+
+variable "sysdig_agent_namespace" {
+ default = "sysdig-agent"
+ description = "Sysdig Agent Namespace"
+}
+
+locals {
+ install_snyk = var.sysdig_snyk_integration
+}
\ No newline at end of file
diff --git a/terraform/sysdig-agent.tf b/terraform/sysdig-agent.tf
index 3e03452..e1f7229 100644
--- a/terraform/sysdig-agent.tf
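Review bot: `snyk_private_registry_password` (and arguably `snyk_integration_id`) are declared without `sensitive = true`, so nothing stops their values from appearing in plan output, `terraform console`, or a future output or local that references them outside the provider-marked secret data; add `sensitive = true` to both, and `type = string` while the declarations are being touched. The file also introduces `snyk_sysdig_integration`, while `install_snyk` and the rest of the new code key off `var.sysdig_snyk_integration` from `sysdig-variables.tf`; as far as this diff shows the former is never read, so either wire it up or drop it to avoid two near-identical switches. `snyk_private_registry`'s description says to "update the created secret" for additional registries, which will be reverted on the next apply since the secret's `data` is managed here; the description should say so or the design should accept a map of registries.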
+++ b/terraform/sysdig-agent.tf
@@ -9,15 +9,17 @@ resource "kubernetes_namespace" "sysdig_agent_namespace" {
 }
 
 depends_on = [data.oci_containerengine_cluster_kube_config.oke]
+
+ count = local.install_sysdig ? 1 : 0
 }
 
 # Helm Charts
 ## https://github.com/sysdiglabs/charts/tree/master/charts/agent
 resource "helm_release" "sysdig_agent" {
 name = "sysdig-agent"
- repository = local.helm_repository.sysdig_charts
+ repository = local.sysdig_helm_repository.sysdig_charts
 chart = "sysdig"
- namespace = kubernetes_namespace.sysdig_agent_namespace.id
+ namespace = kubernetes_namespace.sysdig_agent_namespace.0.id
 wait = false
 
 set {
@@ -44,11 +46,16 @@ resource "helm_release" "sysdig_agent" {
 name = "ebpf.enabled"
 value = true
 }
+
+ count = local.install_sysdig ? 1 : 0
 }
 
 locals {
 # Helm repos
- helm_repository = {
+ sysdig_helm_repository = {
 sysdig_charts = "https://charts.sysdig.com"
 }
+
+ # Sysdig Agent
+ install_sysdig = true
 }
diff --git a/terraform/sysdig-variables.tf b/terraform/sysdig-variables.tf
index edc6165..5a4bf99 100644
--- a/terraform/sysdig-variables.tf
+++ b/terraform/sysdig-variables.tf
@@ -21,3 +21,8 @@ variable "sysdig_node_analyzer_api_endpoint" {
 default = ""
 description = "Sysdig secure API endpoint, without protocol (i.e. secure.sysdig.com)"
 }
+
+variable "sysdig_snyk_integration" {
+ default = false
+ description = "Enrich security insights and automated remediation with Snyk and seamlessly integrated to more easily find, prioritize, and fix vulnerabilities in containers and open source dependencies."
+}
\ No newline at end of file
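Review bot: `install_sysdig` is a hard-coded `true` local, so the `count` added to `kubernetes_namespace.sysdig_agent_namespace` and `helm_release.sysdig_agent` is always 1 and only adds the `.0` indexing to every reference; either expose it as `variable "install_sysdig" { default = true }` or leave the `count` out until there is a real switch. Because the helm release is now indexed, any attribute reference to `helm_release.sysdig_agent` elsewhere in the module needs `[0]`; the `depends_on = [helm_release.sysdig_agent]` entries in `snyk-monitor.tf` are unaffected since `depends_on` takes the whole resource. The `resource "helm_release" "sysdig_agent"` block begins in the first hunk and ends in the second, so its middle is outside both.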