terraform-k8s-devsecops-sandbox

Terraform module for provisioning an ephemeral DevSecOps Sandbox to a Kubernetes cluster

Introduction

Purpose

The purpose of this module is to deploy a DevSecOps "sandbox" to a Kubernetes cluster. It is intended to be a "turn-key" module, so it includes (almost) everything needed to have the sandbox tools up and running, including AWS resources such as Route53 records.

High-level design

Resources provisioned

  • Deploys GitLab using Helmfile
  • Applies GitLab configuration
  • Deploys Jenkins using Helmfile
  • Applies Jenkins configuration
  • Creates Route53 records for GitLab, Jenkins, Minio, and Registry
  • Configures the root password and provides it as an output
  • Creates a Personal Access Token for the root user and provides it as an output

Usage

Prerequisites

  1. Terraform v0.13+ - uses the v0.13 mechanism for pulling down third-party providers.
  2. *nix operating system - Windows is not supported. If you need to use this on Windows, run it from a Docker container.
  3. Since this module uses a local-exec provisioner, the following tools must also be installed on the machine running it:
    1. kubectl
    2. helm
    3. helmfile
    4. helm-diff plugin

Instructions

Complete Example

See examples/complete for an example of how to use this module. For convenience, a Taskfile is provided for use with go-task.

cd examples/complete
task init
task plan
task apply
task destroy

A few parameters specific to your AWS account and the domain name you want to use are not included in the example terraform.tfvars. Create an override.tfvars file and add the missing parameters there.

Here's a minimal example:

provider "aws" {
  region = var.region
}

# The module uses the local, null and random providers internally, so they
# must be configured in the root module and passed through explicitly below.
provider "local" {}

provider "null" {}

provider "random" {}

module "k8s-devsecops-sandbox" {
  # Pin to a release tag; replace X.Y.Z with the version you want.
  source                   = "git::https://github.com/saic-oss/terraform-k8s-devsecops-sandbox.git?ref=tags/X.Y.Z"
  cluster_issuer           = "letsencrypt-${var.letsencrypt_environment}"
  kubeconfig_file_contents = module.rancher-k8s-cluster.cluster_kubeconfig
  gitlab_host_name         = "gl.${random_pet.default.id}.${var.hosted_zone_domain_name}"
  registry_host_name       = "reg.gl.${random_pet.default.id}.${var.hosted_zone_domain_name}"
  minio_host_name          = "min.gl.${random_pet.default.id}.${var.hosted_zone_domain_name}"
  # jenkins_host_name and jenkins_admin_email are required inputs (see the
  # Inputs table); var.jenkins_admin_email is assumed to be declared alongside
  # the other variables this example references.
  jenkins_host_name        = "jenkins.${random_pet.default.id}.${var.hosted_zone_domain_name}"
  jenkins_admin_email      = var.jenkins_admin_email
  hosted_zone_id           = var.hosted_zone_id
  elb_dns_name             = module.rancher-k8s-cluster.elb_dns_name
  elb_zone_id              = module.rancher-k8s-cluster.elb_zone_id
  depends_on = [
    module.rancher-k8s-cluster
  ]
  providers = {
    aws    = aws,
    local  = local,
    null   = null,
    random = random
  }
}
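The module hands back the GitLab root password, the root user's Personal Access Token and the Jenkins admin password as outputs. The following is an added example (not part of the module or its examples/complete) showing how a root module that calls the block above can enforce the 63-character host name limit from the Inputs table before a plan runs, and mark the re-exported credentials as sensitive. The variable name `sandbox_host_names` is an assumption of this example.

```hcl
# Added example: wrapper around the module call above (same root module).
# Host names must be at most 63 characters, per the module's Inputs table.
variable "sandbox_host_names" {
  description = "FQDNs for the GitLab, Registry, Minio and Jenkins endpoints"
  type        = map(string)

  validation {
    # Reject the plan early instead of failing inside the Helmfile local-exec.
    condition     = length([for h in values(var.sandbox_host_names) : h if length(h) > 63]) == 0
    error_message = "Every sandbox host name must be 63 characters or fewer."
  }
}

# Re-export the credentials so the calling configuration can consume them.
# sensitive = true keeps them out of plan/apply output on the terminal; they are
# still written in plaintext to the Terraform state, so the state backend needs
# encryption at rest and tight access control.
output "gitlab_root_password" {
  description = "Password for the GitLab root user"
  value       = module.k8s-devsecops-sandbox.gitlab_root_password
  sensitive   = true
}

output "gitlab_root_user_personal_access_token" {
  description = "Personal Access Token for the GitLab root user"
  value       = module.k8s-devsecops-sandbox.gitlab_root_user_personal_access_token
  sensitive   = true
}

output "jenkins_admin_password" {
  description = "Password for the Jenkins admin user"
  value       = module.k8s-devsecops-sandbox.jenkins_admin_password
  sensitive   = true
}

# Non-secret endpoints can stay visible.
output "sandbox_endpoints" {
  description = "URLs of the provisioned sandbox services"
  value = {
    gitlab   = module.k8s-devsecops-sandbox.gitlab_endpoint
    registry = module.k8s-devsecops-sandbox.gitlab_registry_endpoint
    minio    = module.k8s-devsecops-sandbox.gitlab_minio_endpoint
    jenkins  = module.k8s-devsecops-sandbox.jenkins_endpoint
  }
}
```

Because the sandbox is meant to be ephemeral, `task destroy` removes the sandbox but not the state file; the state should be treated as a secret for as long as it exists.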

Contributing

Contributors to this module should make themselves familiar with this section.

Prerequisites

  • Terraform v0.13+
  • pre-commit
  • Pre-commit hook dependencies
  • Run pre-commit install in root dir of repo (installs the pre-commit hooks so they run automatically when you try to do a git commit)
  • Run terraform init in root dir of repo so the pre-commit hooks can work

Versioning

This module uses SemVer and will stay on v0.X for the foreseeable future.

Requirements

| Name      | Version   |
|-----------|-----------|
| terraform | >= 0.13.0 |
| aws       | >= 2.0.0  |
| local     | >= 1.0.0  |
| null      | >= 2.0.0  |
| random    | >= 2.0.0  |

Providers

| Name   | Version  |
|--------|----------|
| aws    | >= 2.0.0 |
| local  | >= 1.0.0 |
| null   | >= 2.0.0 |
| random | >= 2.0.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cluster_issuer | Name of the Cert Manager ClusterIssuer to use | string | n/a | yes |
| elb_dns_name | DNS name of the ELB that points at the cluster | string | n/a | yes |
| elb_zone_id | Zone ID of the ELB that points at the cluster | string | n/a | yes |
| gitlab_host_name | FQDN of the desired GitLab endpoint, e.g. gitlab.example.com. Max length 63 chars | string | n/a | yes |
| hosted_zone_id | ID of the Hosted Zone to create Route53 records in | string | n/a | yes |
| jenkins_admin_email | Email address of the Jenkins admin | string | n/a | yes |
| jenkins_host_name | FQDN of the desired Jenkins endpoint, e.g. jenkins.example.com. Max length 63 chars | string | n/a | yes |
| kubeconfig_file_contents | Contents of the kubeconfig file used to connect to the cluster | string | n/a | yes |
| minio_host_name | FQDN of the desired GitLab Minio endpoint, e.g. minio.gitlab.example.com. Max length 63 chars | string | n/a | yes |
| registry_host_name | FQDN of the desired GitLab Registry endpoint, e.g. registry.gitlab.example.com. Max length 63 chars | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| gitlab_endpoint | Endpoint for GitLab |
| gitlab_minio_endpoint | Endpoint for GitLab's Minio |
| gitlab_registry_endpoint | Endpoint for the GitLab Registry |
| gitlab_root_password | Password for the 'root' user in GitLab |
| gitlab_root_user_personal_access_token | Personal Access Token for the GitLab root user |
| jenkins_admin_password | Password for the 'admin' user in Jenkins |
| jenkins_endpoint | Endpoint for Jenkins |
