Merge pull request #113 from OWASP/live/ctf

Clean up a bit with helpful things for CTF

Author: commjoen

aws/README.md

@@ -188,6 +188,7 @@ The documentation below is auto-generated to give insight on what's created via
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
 | <a name="input_extra_allowed_ip_ranges"></a> [extra\_allowed\_ip\_ranges](#input\_extra\_allowed\_ip\_ranges) | Allowed IP ranges in addition to creator IP | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
+| <a name="input_state_bucket_arn"></a> [state\_bucket\_arn](#input\_state\_bucket\_arn) | ARN of the state bucket to grant access to the s3 user | `string` | n/a | yes |
 
 ## Outputs
 

aws/main.tf

@@ -3,8 +3,8 @@ terraform {
   # Then uncomment and apply!
   # backend "s3" {
   #   region = "eu-west-1" # Change if desired
-  #   bucket = ""
-  #   key    = "wrongsecrets/terraform.tfstate"
+  #   bucket = "" # Put your bucket name here
+  #   key    = "wrongsecrets/terraform.tfstate" # Change if desired
   # }
 }
 
@@ -83,11 +83,11 @@ module "eks" {
 
   # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"
   eks_managed_node_group_defaults = {
-    disk_size       = 50
+    disk_size       = 256
     disk_type       = "gp3"
     disk_throughput = 150
     disk_iops       = 3000
-    instance_types  = ["t3a.large"]
+    instance_types  = ["t3a.medium"]
 
     iam_role_additional_policies = [
       "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
@@ -102,11 +102,11 @@ module "eks" {
     bottlerocket_default = {
       create_launch_template = false
       launch_template_name   = ""
-      min_size               = 1
+      min_size               = 3
       max_size               = 50
-      desired_size           = 1
+      desired_size           = 3
 
-      capacity_type = "SPOT"
+      capacity_type = "ON_DEMAND"
 
       ami_type = "BOTTLEROCKET_x86_64"
       platform = "bottlerocket"

aws/shared-state/README.md

@@ -36,5 +36,6 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Name of the terraform state bucket |
 | <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | Name of the terraform state bucket |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

aws/shared-state/main.tf

@@ -11,7 +11,9 @@ provider "aws" {
   region = var.region
 }
 
-resource "aws_s3_bucket" "state" {}
+resource "aws_s3_bucket" "state" {
+  force_destroy = true
+}
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
   bucket = aws_s3_bucket.state.id

aws/shared-state/outputs.tf

@@ -2,3 +2,8 @@ output "s3_bucket_name" {
   description = "Name of the terraform state bucket"
   value       = aws_s3_bucket.state.id
 }
+
+output "s3_bucket_arn" {
+  description = "Name of the terraform state bucket"
+  value       = aws_s3_bucket.state.id
+}

aws/terraform.tfvars

@@ -1,2 +1,3 @@
 cluster_version = "1.22"
 region          = "eu-west-1"
+# state_bucket_arn = "...."

aws/variables.tf

@@ -21,3 +21,8 @@ variable "extra_allowed_ip_ranges" {
   type        = list(string)
   default     = []
 }
+
+variable "state_bucket_arn" {
+  description = "ARN of the state bucket to grant access to the s3 user"
+  type        = string
+}