chore: 🤖 turn on psa audit for system namespaces (#2491)
jaskaransarkaria authored Oct 10, 2023
1 parent 22119a7 commit cfd4577
Showing 3 changed files with 13 additions and 12 deletions.
@@ -1,6 +1,6 @@
module "concourse" {
count = lookup(local.manager_workspace, terraform.workspace, false) ? 1 : 0
source = "github.com/ministryofjustice/cloud-platform-terraform-concourse?ref=1.18.3"
source = "github.com/ministryofjustice/cloud-platform-terraform-concourse?ref=1.18.4"

concourse_hostname = data.terraform_remote_state.cluster.outputs.cluster_domain_name
github_auth_client_id = var.github_auth_client_id
Expand Down Expand Up @@ -59,7 +59,7 @@ module "descheduler" {
]
}
module "cert_manager" {
source = "github.com/ministryofjustice/cloud-platform-terraform-certmanager?ref=1.7.0"
source = "github.com/ministryofjustice/cloud-platform-terraform-certmanager?ref=1.7.1"

cluster_domain_name = data.terraform_remote_state.cluster.outputs.cluster_domain_name
hostzone = lookup(local.hostzones, terraform.workspace, local.hostzones["default"])
Expand Down Expand Up @@ -90,7 +90,7 @@ module "external_secrets_operator" {
secrets_prefix = terraform.workspace
}
module "ingress_controllers_v1" {
source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.2"
source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.3"

replica_count = "12"
controller_name = "default"
Expand All @@ -108,7 +108,7 @@ module "ingress_controllers_v1" {
}

module "modsec_ingress_controllers_v1" {
source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.2"
source = "github.com/ministryofjustice/cloud-platform-terraform-ingress-controller?ref=1.4.3"

replica_count = "12"
controller_name = "modsec"
Expand All @@ -126,7 +126,7 @@ module "modsec_ingress_controllers_v1" {
}

module "kuberos" {
source = "github.com/ministryofjustice/cloud-platform-terraform-kuberos?ref=0.5.2"
source = "github.com/ministryofjustice/cloud-platform-terraform-kuberos?ref=0.5.3"

cluster_domain_name = data.terraform_remote_state.cluster.outputs.cluster_domain_name
oidc_kubernetes_client_id = data.terraform_remote_state.cluster.outputs.oidc_kubernetes_client_id
Expand All @@ -141,15 +141,15 @@ module "kuberos" {
}

module "logging" {
source = "github.com/ministryofjustice/cloud-platform-terraform-logging?ref=1.9.15"
source = "github.com/ministryofjustice/cloud-platform-terraform-logging?ref=1.9.16"

elasticsearch_host = lookup(var.elasticsearch_hosts_maps, terraform.workspace, "placeholder-elasticsearch")
elasticsearch_modsec_audit_host = lookup(var.elasticsearch_modsec_audit_hosts_maps, terraform.workspace, "placeholder-elasticsearch")
dependence_prometheus = module.monitoring.prometheus_operator_crds_status
}

module "monitoring" {
source = "github.com/ministryofjustice/cloud-platform-terraform-monitoring?ref=2.10.1"
source = "github.com/ministryofjustice/cloud-platform-terraform-monitoring?ref=2.10.2"

alertmanager_slack_receivers = local.enable_alerts ? var.alertmanager_slack_receivers : [{ severity = "dummy", webhook = "https://dummy.slack.com", channel = "#dummy-alarms" }]
pagerduty_config = local.enable_alerts ? var.pagerduty_config : "dummy"
Expand All @@ -175,7 +175,7 @@ module "monitoring" {
}

module "gatekeeper" {
source = "github.com/ministryofjustice/cloud-platform-terraform-gatekeeper?ref=1.6.1"
source = "github.com/ministryofjustice/cloud-platform-terraform-gatekeeper?ref=1.6.2"
depends_on = [module.monitoring, module.modsec_ingress_controllers_v1, module.cert_manager]

dryrun_map = {
Expand Down Expand Up @@ -218,7 +218,7 @@ module "starter_pack" {
}

module "velero" {
source = "github.com/ministryofjustice/cloud-platform-terraform-velero?ref=2.0.0"
source = "github.com/ministryofjustice/cloud-platform-terraform-velero?ref=2.0.1"

enable_velero = lookup(local.prod_2_workspace, terraform.workspace, false)
dependence_prometheus = module.monitoring.prometheus_operator_crds_status
Expand All @@ -234,7 +234,7 @@ module "kuberhealthy" {
}

module "trivy-operator" {
source = "github.com/ministryofjustice/cloud-platform-terraform-trivy-operator?ref=0.7.2"
source = "github.com/ministryofjustice/cloud-platform-terraform-trivy-operator?ref=0.7.3"

depends_on = [
module.monitoring.prometheus_operator_crds_status
Expand Up @@ -161,8 +161,9 @@ resource "null_resource" "kube_system_default_annotations" {
command = "kubectl annotate --overwrite namespace kube-system 'cloud-platform.justice.gov.uk/business-unit=Platforms', 'cloud-platform.justice.gov.uk/application=Cloud Platform', 'cloud-platform.justice.gov.uk/owner=Cloud Platform: [email protected]', 'cloud-platform.justice.gov.uk/source-code= https://github.com/ministryofjustice/cloud-platform-infrastructure', 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform-out-of-hours-alert=true'"
}
}

resource "null_resource" "kube_system_default_labels" {
provisioner "local-exec" {
command = "kubectl label --overwrite namespace kube-system 'component=kube-system' 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform.justice.gov.uk/is-production=true' 'cloud-platform.justice.gov.uk/environment-name=production'"
command = "kubectl label --overwrite namespace kube-system 'component=kube-system' 'cloud-platform.justice.gov.uk/slack-channel=cloud-platform' 'cloud-platform.justice.gov.uk/is-production=true' 'cloud-platform.justice.gov.uk/environment-name=production' 'pod-security.kubernetes.io/audit=privileged'"
}
}
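Review bot: The new `pod-security.kubernetes.io/audit=privileged` label on kube-system will not produce any audit annotations, because every pod satisfies the privileged profile, so if this commit is meant to surface workloads that would fail a stricter policy the audit level has to be stricter than the enforce level, e.g. `'pod-security.kubernetes.io/audit=baseline'` or `'pod-security.kubernetes.io/audit=restricted'`. If the intent is instead to pin kube-system to privileged so that a cluster-wide PSA default does not flag system components, that should be stated above the resource, e.g. `# kube-system is pinned to the privileged PSA level so cluster-wide audit defaults do not apply to system components`. Separately, `null_resource.kube_system_default_labels` (fully visible in this hunk) has no `triggers` block, and Terraform does not re-run a local-exec provisioner just because the command string changed, so on clusters that already have this resource in state the new label is applied only after a taint or recreate; a trigger keyed on the label set, e.g. `triggers = { labels = "psa-audit-v1" }`, would make the change roll out on the next apply.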
Expand Up @@ -41,7 +41,7 @@ resource "kubectl_manifest" "calico_crds" {
}

module "tigera_calico" {
source = "github.com/ministryofjustice/cloud-platform-terraform-tigera-calico?ref=0.1.1"
source = "github.com/ministryofjustice/cloud-platform-terraform-tigera-calico?ref=0.1.2"

depends_on = [
kubectl_manifest.calico_crds
