Merge pull request #24 from commjoen/awsrun

First iteration to run on AWS

Author: commjoen

.gitignore

@@ -0,0 +1,12 @@
+# Terraform
+kubeconfig_wrongsecrets-exercise-cluster
+.terraform
+.terraform.lock.hcl
+.terraform*
+terraform.tfstate*
+aws/terraform.tfstate.*
+aws/terraform.tfstate.backup
+aws/.terraform.tfstate.lock.info
+
+.idea
+.DS_Store

.idea/aws.xml

@@ -0,0 +1,29 @@
+# WARNING: File managed by eadf-bot, changes committed to individual repo will be overwritten
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: check-yaml
+      - id: end-of-file-fixer
+        exclude: ^(src/test/resources/yourkey.txt|src/test/resources/secondkey.txt)
+      - id: trailing-whitespace
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.71.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_tflint
+        args:
+          - "--args=--only=terraform_deprecated_interpolation"
+          - "--args=--only=terraform_deprecated_index"
+          - "--args=--only=terraform_unused_declarations"
+          - "--args=--only=terraform_comment_syntax"
+          - "--args=--only=terraform_documented_outputs"
+          - "--args=--only=terraform_documented_variables"
+          - "--args=--only=terraform_typed_variables"
+          - "--args=--only=terraform_module_pinned_source"
+          - "--args=--only=terraform_naming_convention"
+          - "--args=--only=terraform_required_version"
+          - "--args=--only=terraform_required_providers"
+          - "--args=--only=terraform_standard_module_structure"
+          - "--args=--only=terraform_workspace_remote"
+      - id: terraform_docs

.idea/azure/azureSettings.xml

@@ -2,4 +2,4 @@ Original Attirbution file of Multijuicer from which we Forked:
 
 MultiJuicer uses multiple Icons / Emojis from OpenMoji: https://openmoji.org/
 
-The Logo was originally created by [Straight outta Mane](https://en.99designs.de/profiles/2794862) via [99Desgins](https://en.99designs.de/logo-brand-guide/contests/create-juicy-logo-open-source-project-multijuicer-1075365/entries).
+The Logo was originally created by [Straight outta Mane](https://en.99designs.de/profiles/2794862) via [99Desgins](https://en.99designs.de/logo-brand-guide/contests/create-juicy-logo-open-source-project-multijuicer-1075365/entries).

.idea/codeStyles/codeStyleConfig.xml

@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

.idea/inspectionProfiles/Project_Default.xml

@@ -0,0 +1,160 @@
+# Setup your secrets in AWS
+
+In this setup we integrate the secrets-exercise online with AWS EKS and let Pods consume secrets from the AWS Parameter Store and AWS Secrets Manager.
+We use managed node groups so as we don't want the hassle of managing the EC2 instances ourselves, and Fargate doesn't suit our needs since we use a StatefulSet. If you want to know more about integrating secrets with EKS, check [EKS and SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/integrating_csi_driver.html) and [EKS and Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html).
+Please make sure that the account in which you run this exercise has either CloudTrail enabled, or is not linked to your current organization and/or DTAP environment.
+
+## Pre-requisites
+
+Have the following tools installed:
+
+-   AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
+-   EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
+-   Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
+-   Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+-   Wget - [Installation](https://www.jcchouinard.com/wget/)
+-   Helm [Installation](https://helm.sh/docs/intro/install/)
+-   Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
+-   jq [Installation](https://stedolan.github.io/jq/download/)
+
+Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as `awsuser`.
+
+### Multi-user setup: shared state
+
+If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform S3 backend.
+
+First, create an s3 bucket (optionally add `-var="region=YOUR_DESIRED_REGION"` to the apply to use a region other than the default eu-west-1):
+
+```bash
+cd shared-state
+terraform init
+terraform apply
+```
+
+The bucket name should be in the output. Please use that to configure the Terraform backend in `main.tf`.
+
+## Installation
+
+The terraform code is loosely based on [this EKS managed Node Group TF example](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_managed_node_group).
+
+**Note**: Applying the Terraform means you are creating cloud infrastructure which actually costs you money. The authors are not responsible for any cost coming from following the instructions below.
+
+**Note-II**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
+
+1. export your AWS credentials (`export AWS_PROFILE=awsuser`)
+2. check whether you have the right profile by doing `aws sts get-caller-identity` and make sure you have enough rights with the caller its identity and that the actual accountnumber displayed is the account designated for you to apply this TF to.
+3. Do `terraform init` (if required, use tfenv to select TF 0.13.1 or higher )
+4. Do `terraform plan`
+5. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
+6. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`
+7. Do `export KUBECONFIG=~/.kube/wrongsecrets`
+8. Run `cd .. && ./build-and-deploy-aws.sh` to install the helm chart for the wrongsecrets-ctf-party.
+
+Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.amazon.com/eks/home?region=eu-west-1#/clusters) by default. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
+
+Are you done playing? Please run `terraform destroy` twice to clean up.
+
+### Test it
+When you have completed the installation steps, you can do `kubectl port-forward service/wrongsecrets-balancer 3000:3000` and then go to [http://localhost:3000](http://localhost:3000).
+
+### Clean it up
+
+When you're done:
+
+1. Kill the port forward.
+2. Run `terraform destroy` to clean up the infrastructure.
+    1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
+3. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
+4. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
+5. Run `rm terraform.tfstate*` to remove local state files.
+
+### A few things to consider
+
+1. Does your worker node now have access as well?
+2. Can you easily obtain the instance profile of the Node?
+3. Can you get the secrets in the SSM Parameter Store and Secrets Manager easily? Which paths do you see?
+4. Which of the 2 (SSM Parameter Store and Secrets Manager) works cross-account?
+5. If you have applied the secrets to the cluster, you should see at the configuration details of the cluster that Secrets encryption is "Disabled", what does that mean?
+
+### When you want to share your environment with others (experimental)
+
+We added additional scripts for adding an ALB and ingress so that you can use your cloudsetup with multiple people.
+Do the following:
+
+1. Follow the installation section first.
+2. Run `k8s-aws-alb-script.sh` and the script will return the url at which you can reach the application.
+3. When you are done, before you do cleanup, first run `k8s-aws-alb-script-cleanup.sh`.
+
+Note that you might have to do some manual cleanups after that.
+
+## Terraform documentation
+The documentation below is auto-generated to give insight on what's created via Terraform.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.1 |
+| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.31.0 |
+| <a name="provider_http"></a> [http](#provider\_http) | 3.1.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.29.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.14.4 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.secret_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.user_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.irsa_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.user_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret.secret_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_policy.policy_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_ssm_parameter.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_password.password2](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_role_with_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.user_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.22"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
+| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
+| <a name="output_irsa_role"></a> [irsa\_role](#output\_irsa\_role) | The role ARN used in the IRSA setup |
+| <a name="output_secrets_manager_secret_name"></a> [secrets\_manager\_secret\_name](#output\_secrets\_manager\_secret\_name) | The name of the secrets manager secret |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

.idea/misc.xml

@@ -0,0 +1,15 @@
+{
+  "unseal_keys_b64": [
+    "OCPHUjxNTQPb+NSIp9T/7ZWe0LB5UdQg8Yns9w1hL7g="
+  ],
+  "unseal_keys_hex": [
+    "3823c7523c4d4d03dbf8d488a7d4ffed959ed0b07951d420f189ecf70d612fb8"
+  ],
+  "unseal_shares": 1,
+  "unseal_threshold": 1,
+  "recovery_keys_b64": [],
+  "recovery_keys_hex": [],
+  "recovery_keys_shares": 5,
+  "recovery_keys_threshold": 3,
+  "root_token": "s.376aF6IRjo3ZMGfvERl3vCj2"
+}