Merge pull request #2157 from OWASP/renovate/major-terraform-aws

Update terraform-aws (major)

Author: bendehaan

aws/.terraform.lock.hcl

@@ -147,7 +147,7 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets"` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.33"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources | `map(string)` | <pre>{<br/>  "Application": "wrongsecrets"<br/>}</pre> | no |

aws/README.md

@@ -72,6 +72,7 @@ resource "aws_iam_role" "user_role" {
   name = "cant-read-secrets"
 
   assume_role_policy = data.aws_iam_policy_document.user_assume_role.json
+  tags               = var.tags
 }
 
 data "aws_iam_policy_document" "user_assume_role" {
@@ -94,6 +95,7 @@ resource "aws_iam_policy" "secret_deny" {
   name_prefix = "secret-deny"
   description = "Deny secrets manager and SSM"
   policy      = data.aws_iam_policy_document.user_policy.json
+  tags        = var.tags
 }
 
 data "aws_iam_policy_document" "user_policy" {
@@ -123,15 +125,16 @@ data "aws_iam_policy_document" "user_policy" {
 }
 
 module "ebs_csi_irsa_role" {
-  source                = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version               = "~> 5.5"
-  role_name             = "ebs-csi"
+  source                = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  version               = "~> 6.0"
+  name                  = "ebs-csi"
   attach_ebs_csi_policy = true
 
   oidc_providers = {
     ex = {
       provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["consul:server", "kube-system:ebs-csi-controller-sa"]
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
     }
   }
+  tags = var.tags
 }

aws/irsa.tf

@@ -28,24 +28,4 @@ echo "cleanup k8s ingress and service. This may take a while"
 kubectl delete service secret-challenge
 kubectl delete ingress wrongsecrets
 
-echo "Cleanup helm chart"
-helm uninstall aws-load-balancer-controller \
-  -n kube-system
-
-echo "Cleanup k8s ALB"
-kubectl delete -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
-
-echo "Cleanup iam serviceaccount and policy"
-eksctl delete iamserviceaccount \
-  --cluster $CLUSTERNAME \
-  --name aws-load-balancer-controller \
-  --namespace kube-system \
-  --region $AWS_REGION
-
-sleep 5 # Prevents race condition - command below may error out because it's still 'attached'
-
-aws iam delete-policy \
-  --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/AWSLoadBalancerControllerIAMPolicy
-
-echo "Wait for 10 seconds to let the AWS resources be cleaned up"
 sleep 10

aws/k8s-aws-alb-script-cleanup.sh

@@ -5,89 +5,11 @@
 
 source ../scripts/check-available-commands.sh
 
-checkCommandsAvailable aws cat docker eksctl grep helm jq kubectl sed terraform vault
+checkCommandsAvailable kubectl
 
-if test -n "${AWS_REGION-}"; then
-  echo "AWS_REGION is set to <$AWS_REGION>"
-else
-  AWS_REGION=eu-west-1
-  echo "AWS_REGION is not set or empty, defaulting to ${AWS_REGION}"
-fi
-
-if test -n "${CLUSTERNAME-}"; then
-  echo "CLUSTERNAME is set to <$CLUSTERNAME>"
-else
-  CLUSTERNAME=wrongsecrets-exercise-cluster
-  echo "CLUSTERNAME is not set or empty, defaulting to ${CLUSTERNAME}"
-fi
-
-ACCOUNT_ID=$(aws sts get-caller-identity | jq '.Account' -r)
-echo "ACCOUNT_ID=${ACCOUNT_ID}"
-
-LBC_VERSION="v2.13.4"
-echo "LBC_VERSION=$LBC_VERSION"
-
-# echo "executing eksctl utils associate-iam-oidc-provider"
-# eksctl utils associate-iam-oidc-provider \
-#     --region ${AWS_REGION} \
-#     --cluster ${CLUSTERNAME} \
-#     --approve
-
-echo "creating iam policy"
-curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/"${LBC_VERSION}"/docs/install/iam_policy.json
-aws iam create-policy \
-  --policy-name AWSLoadBalancerControllerIAMPolicy \
-  --policy-document file://iam_policy.json
-
-echo "creating iam service account for cluster ${CLUSTERNAME}"
-eksctl create iamserviceaccount \
-  --cluster $CLUSTERNAME \
-  --namespace kube-system \
-  --name aws-load-balancer-controller \
-  --attach-policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/AWSLoadBalancerControllerIAMPolicy \
-  --override-existing-serviceaccounts \
-  --region $AWS_REGION \
-  --approve
-
-echo "setting up kubectl"
-
-aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTERNAME --kubeconfig ~/.kube/wrongsecrets
-
-export KUBECONFIG=~/.kube/wrongsecrets
-
-echo "applying aws-lbc with kubectl"
-
-kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
-
-kubectl get crd
-
-echo "do helm eks application"
-helm repo add eks https://aws.github.io/eks-charts
-helm repo update eks
-
-echo "upgrade alb controller with helm"
-helm upgrade -i aws-load-balancer-controller \
-  eks/aws-load-balancer-controller \
-  -n kube-system \
-  --set clusterName=${CLUSTERNAME} \
-  --set serviceAccount.create=false \
-  --set serviceAccount.name=aws-load-balancer-controller \
-  --set image.tag="${LBC_VERSION}" \
-  --set region=${AWS_REGION} \
-  --set image.repository=602401143452.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-load-balancer-controller
-# You may need to modify the account ID above if you're operating in af-south-1, ap-east-1, ap-southeast-3, cn-north and cn-northwest, eu-south-1, me-south-1, or the govcloud.
-# See the full list of accounts per regions here: https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
-
-echo "wait with rollout for 10 s"
-sleep 10
-
-echo "rollout status deployment"
-kubectl -n kube-system rollout status deployment aws-load-balancer-controller
-
-echo "wait after rollout for 10 s"
-sleep 10
-
-EKS_CLUSTER_VERSION=$(aws eks describe-cluster --name $CLUSTERNAME --region $AWS_REGION --query cluster.version --output text)
+echo "set up ingress class"
+kubectl apply -f ./k8s/ingress-class-params.yaml
+kubectl apply -f ./k8s/ingress-class.yaml
 
 echo "apply -f k8s/secret-challenge-vault-service.yml in 10 s"
 sleep 10

aws/k8s-aws-alb-script.sh

@@ -17,7 +17,7 @@ fi
 if test -n "${CLUSTERNAME-}"; then
   echo "CLUSTERNAME is set to <$CLUSTERNAME>"
 else
-  CLUSTERNAME=wrongsecrets-exercise-cluster
+  CLUSTERNAME=wrongsecrets
   echo "CLUSTERNAME is not set or empty, defaulting to ${CLUSTERNAME}"
 fi
 
@@ -61,18 +61,8 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-helm list -n | grep 'aws-ebs-csi-driver' &> /dev/null
-if [ $? == 0 ]; then
-  echo "AWS EBS CSI driver is already installed"
-else
-  echo "Installing AWS EBS CSI driver"
-  helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
-  helm repo update
-  helm upgrade --install aws-ebs-csi-driver --version 2.32.0 \
-    --namespace kube-system \
-    aws-ebs-csi-driver/aws-ebs-csi-driver \
-    --values ./k8s/ebs-csi-driver-values.yaml
-fi
+echo "Setting up gp3 storage class..."
+kubectl apply -f ./k8s/ebs-csi-gp3.yaml
 
 source ../scripts/install-vault.sh
 

aws/k8s-vault-aws-start.sh

@@ -0,0 +1,20 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: gp3
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+allowedTopologies:
+- matchLabelExpressions:
+  - key: eks.amazonaws.com/compute-type
+    values:
+    - auto
+provisioner: ebs.csi.eks.amazonaws.com
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Delete
+allowVolumeExpansion: true
+  # The following parameters are specific to the EBS CSI driver.
+parameters:
+  type: gp3
+  encrypted: "true"
+  tagSpecification_1: Application=wrongsecrets

aws/k8s/ebs-csi-driver-values.yaml

@@ -0,0 +1,6 @@
+apiVersion: eks.amazonaws.com/v1
+kind: IngressClassParams
+metadata:
+  name: alb
+spec:
+  scheme: internet-facing

aws/k8s/ebs-csi-gp3.yaml

@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: alb
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: "true"
+spec:
+  controller: eks.amazonaws.com/alb
+  parameters:
+    apiGroup: eks.amazonaws.com
+    kind: IngressClassParams
+    name: alb