added some more fixes, now for AWS as well

commjoen · commjoen · commit f7f3c7b82379 · 2022-09-21T19:03:47.000+02:00
diff --git a/aws/README.md b/aws/README.md
@@ -48,7 +48,8 @@ The terraform code is loosely based on [this EKS managed Node Group TF example](
 5. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
 6. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`
 7. Do `export KUBECONFIG=~/.kube/wrongsecrets`
-8. Run `cd .. && ./build-an-deploy-aws.sh` to install the helm chart for the wrongsecrets-ctf-party.
+8. Run `cd ..`
+9. Run `./build-an-deploy-aws.sh` to install the helm chart for the wrongsecrets-ctf-party.
 
 Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.amazon.com/eks/home?region=eu-west-1#/clusters) by default. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
diff --git a/aws/main.tf b/aws/main.tf
@@ -77,14 +77,14 @@ module "eks" {
 
   enable_irsa = true
 
+  # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"
   eks_managed_node_group_defaults = {
     disk_size       = 50
     disk_type       = "gp3"
     disk_throughput = 150
     disk_iops       = 3000
     instance_types  = ["t3a.xlarge"]
 
-    #todo: ADD iam_role_permissions_boundary = "arn"
     iam_role_additional_policies = [
       "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
       "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
diff --git a/build-an-deploy-aws.sh b/build-an-deploy-aws.sh
@@ -10,10 +10,15 @@ echo "Usage: ./build-and-deploy-aws.sh"
 version="$(uuidgen)"
 AWS_REGION="eu-west-1"
 
-helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
+helm upgrade -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
 echo "Install ACSP"
 kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
 
+echo "preparing calico via Helm"
+helm repo add projectcalico https://docs.projectcalico.org/charts
+helm upgrade calico projectcalico/tigera-operator --version v3.21.4
+
+
 echo "Generate secrets manager challenge secret 2"
 aws secretsmanager put-secret-value --secret-id wrongsecret-2 --secret-string "$(openssl rand -base64 24)" --region $AWS_REGION --output json --no-cli-pager
 
@@ -24,4 +29,4 @@ aws ssm put-parameter --name wrongsecretvalue --overwrite --type SecureString --
 wait
 
 #TODO: REWRITE ABOVE, REWRITE THE HARDCODED DEPLOYMENT VALS INTO VALUES AND OVERRIDE THEM HERE!
-helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.74aws" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
+helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.76aws" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -35,7 +35,7 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 0.74aws
+  tag: 0.76aws
   # -- Number of replicas of the wrongsecrets-balancer deployment
   replicas: 1
   service:
diff --git a/wrongsecrets-balancer/src/teams/teams.js b/wrongsecrets-balancer/src/teams/teams.js
@@ -387,6 +387,17 @@ async function createAWSTeam(req, res) {
     );
     res.status(500).send({ message: 'Failed to Create Instance' });
   }
+
+  try {
+    logger.info(`Creating network security policies for team '${team}'`);
+    await createNSPsforTeam(team);
+
+    logger.info(`Created network security policies for team  '${team}'`);
+  } catch (error) {
+    logger.error(`Error while network security policies for team ${team}: ${error}`);
+    res.status(500).send({ message: 'Failed to Create Instance' });
+  }
+  
   try {
     loginCounter.inc({ type: 'registration', userType: 'user' }, 1);
 
