final changes

Signed-off-by: osamamagdy <[email protected]>

.pre-commit-config.yaml

@@ -15,21 +15,21 @@ repos:
     rev: v1.71.0
     hooks:
       - id: terraform_fmt
-      # - id: terraform_tflint
-      #   args:
-      #     - "--args=--only=terraform_deprecated_interpolation"
-      #     - "--args=--only=terraform_deprecated_index"
-      #     - "--args=--only=terraform_unused_declarations"
-      #     - "--args=--only=terraform_comment_syntax"
-      #     - "--args=--only=terraform_documented_outputs"
-      #     - "--args=--only=terraform_documented_variables"
-      #     - "--args=--only=terraform_typed_variables"
-      #     - "--args=--only=terraform_module_pinned_source"
-      #     - "--args=--only=terraform_naming_convention"
-      #     - "--args=--only=terraform_required_version"
-      #     - "--args=--only=terraform_required_providers"
-      #     - "--args=--only=terraform_standard_module_structure"
-      #     - "--args=--only=terraform_workspace_remote"
+      - id: terraform_tflint
+        args:
+          - "--args=--only=terraform_deprecated_interpolation"
+          - "--args=--only=terraform_deprecated_index"
+          - "--args=--only=terraform_unused_declarations"
+          - "--args=--only=terraform_comment_syntax"
+          - "--args=--only=terraform_documented_outputs"
+          - "--args=--only=terraform_documented_variables"
+          - "--args=--only=terraform_typed_variables"
+          - "--args=--only=terraform_module_pinned_source"
+          - "--args=--only=terraform_naming_convention"
+          - "--args=--only=terraform_required_version"
+          - "--args=--only=terraform_required_providers"
+          - "--args=--only=terraform_standard_module_structure"
+          - "--args=--only=terraform_workspace_remote"
       - id: terraform_docs
   - repo: https://github.com/norwoodj/helm-docs
     rev: v1.2.0

azure/README.md

@@ -7,13 +7,13 @@ Please make sure that the account in which you run this exercise has either Log
 
 Have the following tools installed:
 
--   az CLI - [Installation](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
--   Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
--   Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
--   Wget - [Installation](https://www.jcchouinard.com/wget/)
--   Helm [Installation](https://helm.sh/docs/intro/install/)
--   Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
--   jq [Installation](https://stedolan.github.io/jq/download/)
+- az CLI - [Installation](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
+- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+- Wget - [Installation](https://www.jcchouinard.com/wget/)
+- Helm [Installation](https://helm.sh/docs/intro/install/)
+- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
+- jq [Installation](https://stedolan.github.io/jq/download/)
 
 Make sure you have an active subscription at Azure for which you have configured the credentials on the system where you will execute the steps below.
 
@@ -23,7 +23,7 @@ Please note that this setup relies on bash scripts that have been tested in MacO
 
 **Note-I**: We create resources in `east us` by default. You can set the region by editing `terraform.tfvars`.
 
-**Note-II**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
+**Note-II**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally. If you switched to a different network, you'll need to run `terraform apply` again to update the firewall rules.
 
 ### (Optional) Multi-user setup: shared state
 
@@ -43,12 +43,11 @@ terraform init
 terraform apply
 ```
 
-The storage account name should be in the output. Please use that to configure the Terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"`.
+The storage account name should be in the output. Please use that to configure the Terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"` inside the `terraform` block. Assign the `storage_account_name` to the one from the output.
 
-**Note**: You'll need to follow the description below for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
+**Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
 
-
-### WrongSecrets
+### WrongSecrets-ctf-party
 
 1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
 2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
@@ -59,20 +58,45 @@ The storage account name should be in the output. Please use that to configure t
 4. Run `terraform init` (if required, use `tfenv` to select TF 0.14.0 or higher )
 5. Run `terraform plan` to see what will be created (optional).
 6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
-7. Run `./k8s-vault-azure-start.sh`. Your kubeconfig file will automatically be updated.
-8. (Optional) To make the app available over a load balancer, run `kubectl apply -f ./k8s/lb.yml`, then look for the public IP using `kubectl describe service wrongsecrets-lb`. The app should be available on HTTP port 80 within a few minutes.
+7. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
 Are you done playing? Please run `terraform destroy` twice to clean up.
 
 ### Test it
 
-Run `./k8s-vault-azure-start.sh` and connect to [http://localhost:8080](http://localhost:8080) when it's ready to accept connections (you'll read the line `Forwarding from 127.0.0.1:8080 -> 8080` in your console). Now challenge 9 and 10 should be available as well.
+When you have completed the installation steps, you can do `kubectl port-forward service/wrongsecrets-balancer 3000:3000` and then go to [http://localhost:3000](http://localhost:3000).
+
+Want to know how well your cluster is holding up? Check with
+
+```sh
+    kubectl top nodes
+    kubectl top pods
+```
+
+### Configuring CTFd
+
+You can use the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf) to generate CTFd configuration files.
+
+Follow the following steps:
+
+```shell
+    npm install -g [email protected]
+    juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.
+```
 
-### Resume it
+Now visit the CTFd instance and setup your CTF. To test things locally before setting up a load balancer/ingress, you can use `kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "app.kubernetes.io/name=ctfd,app.kubernetes.io/instance=ctfd" -o jsonpath="{.items[0].metadata.name}") 8000:8000` and go to `localhost:8000` to visit CTFd.
 
-When you stopped the `k8s-vault-azure-start.sh` script and want to resume the port forward run: `k8s-vault-azure-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
+_!!NOTE:_ **The following can be dangerous if you use CTFd `>= 3.5.0` with wrongsecrets `< 1.5.11`. Check the `challenges.json` and make sure it's 1-indexed - a 0-indexed file will break CTFd!** _/NOTE!!_
+
+Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
+After that you will still need to override the flags with their actual values if you do use the 2-domain configuration. For a guide on how to do this see the 2-domain setup steps in the general [README](../readme.md)
+Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
+
+Want to make the CTFD instance look pretty? Include the fragment located at [./k8s/ctfd_resources/index_fragment.html](/k8s/ctfd_resources/index_fragment.html) in your index.html via the admin panel.
+
+If you want to share with others go to the [When you want to share your environment with others (experimental)](#when-you-want-to-share-your-environment-with-others-experimental) section.
 
 ### Clean it up
 
@@ -89,7 +113,19 @@ When you're done:
 2. Can you easily obtain the AKS managed identity of the Node?
 3. Can you get the secrets in the Key vault? Which paths do you see?
 
+### When you want to share your environment with others (experimental)
+
+We added additional scripts for adding a Load Balancer and ingress so that you can use your cloud setup with multiple people.
+Do the following:
+
+1. Follow the installation section first.
+2. Run `./k8s-nginx-lb-script.sh` and the script will return the url at which you can reach the application. (Be aware this opens the url's to the internet in general, if you'd like to limit the access please do this using the security groups in Azure)
+3. When you are done, before you do cleanup, first run `./k8s-nginx-lb-script-cleanup.sh`.
+
+Note that you might have to do some manual cleanups after that.
+
 ## Terraform documentation
+
 The documentation below is auto-generated to give insight on what's created via Terraform.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

azure/build-and-deploy-azure.sh

@@ -57,56 +57,6 @@ export AZ_KEY_VAULT_NAME="$(terraform output -raw vault_name)"
 az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
 
-# Installing the cluster autoscaler
-
-echo "Deploying the k8s autoscaler for eks through kubectl"
-
-# This will create a new service principal with "Contributor" role scoped to your subscription.
-az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$AZURE_SUBSCRIPTION_ID" --output json > mycredentials.json
-
-
-curl -o cluster-autoscaler-autodiscover.yaml https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/azure/examples/cluster-autoscaler-aks.yaml
-
-export CLIENT_ID_BASE64="$(echo mycredentials.json | jq -r .appId | base64)"
-
-export CLIENT_SECRET_BASE64="$( echo mycredentials.json | jq -r .password | base64)"
-
-export RESOURCE_GROUP_BASE64="$(echo $RESOURCE_GROUP | base64)"
-
-export SUBSCRIPTION_ID_BASE64="$(echo $AZURE_SUBSCRIPTION_ID | base64)"
-
-export TENANT_ID_BASE64="$(echo $AZURE_TENANT_ID | base64)"
-
-export CLUSTERNAME="$(echo $CLUSTER_NAME | base64)"
-
-export NODE_RESOURCE_GROUP="$(echo $IDENTITY_RESOURCE_GROUP | base64)"
-
-# Replace the values in the cluster-autoscaler-autodiscover.yaml file
-sed -i -e "s/<base64-encoded-client-id>/$CLIENT_ID_BASE64/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-client-secret>/$CLIENT_SECRET_BASE64/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-resource-group>/$RESOURCE_GROUP_BASE64/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-subscription-id>/$SUBSCRIPTION_ID_BASE64/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-tenant-id>/$TENANT_ID_BASE64/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-clustername>/$CLUSTERNAME/g" cluster-autoscaler-autodiscover.yaml
-
-sed -i -e "s/<base64-encoded-node-resource-group>/$NODE_RESOURCE_GROUP/g" cluster-autoscaler-autodiscover.yaml
-
-# Then deploy cluster-autoscaler by running
-kubectl apply -f cluster-autoscaler-aks.yaml
-
-
-# In the cluster-autoscaler spec, find the image: field and replace {{ ca_version }} with a specific cluster autoscaler release.
-kubectl set image deployment cluster-autoscaler \
-  -n kube-system \
-  cluster-autoscaler=k8s.gcr.io/autoscaling/cluster-autoscaler:v1.25.0
-
-
-
 # Install the secrets store CSI driver
 helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
 helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
@@ -183,7 +133,7 @@ wait
 
 if [[ -z $APP_PASSWORD ]]; then
   echo "No app password passed, creating a new one"
-  APP_PASSWORD="$(uuidgen)"
+  APP_PASSWORD="$( uuidgen | sed 's/[-]//g')"
 else
   echo "App password already set"
 fi
@@ -202,13 +152,13 @@ fi
 
 echo "App password is ${APP_PASSWORD}"
 helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
-  --set="balancer.env.K8S_ENV=aws" \
-  --set="balancer.env.IRSA_ROLE=${IRSA_ROLE_ARN}" \
+  --set="balancer.env.K8S_ENV=azure" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
-  --set="balancer.env.REACT_APP_S3_BUCKET_URL=s3://${STATE_BUCKET}" \
   --set="balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY=${CREATE_TEAM_HMAC}" \
   --set="balancer.cookie.cookieParserSecret=${COOKIE_PARSER_SECRET}"
 
+  # TODO: Support azure storage account instead
+  # --set="balancer.env.REACT_APP_S3_BUCKET_URL=s3://${STATE_BUCKET}" \
 # Install CTFd
 echo "Installing CTFd"