diff --git a/Makefile b/Makefile index 4646e9a..921f52e 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,15 @@ deploy: ## deploy uninstall: ## uninstall $(DOCKER_RUN_IT) /bin/bash -c "./scripts/uninstall_all_deployments.sh" +.PHONY: grafana-pwd +CURRENT_NAMESPACE=$(shell kubectl config view --minify --output 'jsonpath={..namespace}') +grafana-pwd: ## generate default grafana password for admin +ifeq ($(CURRENT_NAMESPACE),development) + @kubectl get secret --namespace grafana grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo + else + @echo "This command can only be run in the development namespace." + endif + .PHONY: generate_diagrams generate_diagrams: ## generate_diagrams docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/architecture_diagram.py diff --git a/k8s-helm-charts/cns-team-monitoring-non-production/values-development.yaml b/k8s-helm-charts/cns-team-monitoring-non-production/values-development.yaml new file mode 100644 index 0000000..8031bad --- /dev/null +++ b/k8s-helm-charts/cns-team-monitoring-non-production/values-development.yaml @@ -0,0 +1,18 @@ +environment: "" +production_account_id: "" +pre_production_account_id: "" +development_account_id: "" +dhcpApiBasicAuthUsername: "" +dhcpApiBasicAuthPassword: "" +cloudwatch_iam_role: "" +cloudwatchExporterDevelopmentArn: "" +cloudwatchExporterPreProductionArn: "" +alertmanager: + smtp: + from: "" + username: "" + password: "" + alert_rules: + ima_slack_webhook_url: "" + network_access_control_pre_production_slack_webhook_url: "" + development_pre_production_dhcp_dns_slack_webhook_url: "" diff --git a/modules/eks/policies/aws_load_balancer_iam_policy.json b/modules/eks/policies/aws_load_balancer_iam_policy.json index 693125b..9f268fc 100644 --- a/modules/eks/policies/aws_load_balancer_iam_policy.json +++ b/modules/eks/policies/aws_load_balancer_iam_policy.json 
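Review bot: `CURRENT_NAMESPACE=$(shell kubectl config view --minify …)` is a recursively-expanded variable evaluated at parse time, so kubectl is shelled out on every `make` invocation for every target (and again each time the variable is referenced); change it to `CURRENT_NAMESPACE := $(shell kubectl config view --minify --output 'jsonpath={..namespace}' 2>/dev/null)` so a missing kubeconfig does not break unrelated targets like `deploy`. The guard keys on the *namespace* field of the current kubeconfig context, not on which cluster it points at, so a context for a production cluster whose default namespace happens to be `development` would pass and print that cluster's Grafana admin password; comparing `$(shell kubectl config current-context)` against the development context name would be a tighter gate, and in any case this is a convenience check, not access control, since `kubectl get secret` still works directly. The `else`/`endif` lines also appear indented — if that indent is a tab, GNU make treats them as recipe lines handed to the shell rather than as conditional directives, so they must start at column 0.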
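Review bot: Every value in this file is an empty string, including `alertmanager.smtp.password` and the three Slack webhook URLs, and nothing says how it relates to the `--set` flags in deploy.sh, which override the first nine keys anyway (`--set` takes precedence over `--values`), so only the `alertmanager.*` keys can actually take effect here. In the production path the webhook URLs and routing keys are passed through `base64_encode` before `--set`, so a maintainer filling these in with raw URLs will presumably produce values the chart cannot use; state the encoding and the secret-handling rule at the top of the file, e.g. `# Non-production overrides only. alertmanager.* values must be base64-encoded (see deploy.sh); never commit real SMTP passwords or webhook URLs here.` The `alertmanager.smtp` block is not set by the production invocation at all, so whether the chart requires it cannot be confirmed from this diff and is worth a comment too.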
@@ -1,219 +1,191 @@
 {
 "Version": "2012-10-17",
 "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeVpcPeeringConnections",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": "CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
+ {
+ "Effect": "Allow",
+ "Action": ["iam:CreateServiceLinkedRole"],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+ }
 }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpcPeeringConnections",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags",
+ "ec2:GetCoipPoolUsage",
+ "ec2:DescribeCoipPools",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "iam:ListServerCertificates",
+ "iam:GetServerCertificate",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:CreateSecurityGroup"],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:CreateTags"],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": "CreateSecurityGroup"
+ },
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:DeleteSecurityGroup"],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateTargetGroup"],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:DeleteRule"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags"],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags"],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:DeleteTargetGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets"],
+ "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule"
+ ],
+ "Resource": "*"
+ }
 ]
-}
\ No newline at end of file
+}
diff --git a/outputs.tf b/outputs.tf
index dfc7b61..832dbf4 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -23,7 +23,7 @@ output "vpc" {
 private_subnets = module.vpc[0].private_subnets_cidr_blocks
 public_subnets = module.vpc[0].public_subnets_cidr_blocks
 } : null
- sensitive = true
+ sensitive = false
 }
 
 output "certificate" {
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index a954ff8..31f96e6 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
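Review bot: The one substantive change in this hunk, adding `elasticloadbalancing:AddTags` to the `CreateLoadBalancer`/`CreateTargetGroup` statement, grants it on `Resource: "*"` with only a `Null: aws:RequestTag/elbv2.k8s.aws/cluster = false` condition, so the controller can now stamp the cluster tag onto any existing ALB, NLB or target group in the account, not just the ones it is creating. Every Delete/Modify statement in this policy gates on `aws:ResourceTag/elbv2.k8s.aws/cluster`, and the existing AddTags/RemoveTags statement deliberately forbids adding that tag to already-existing resources (`aws:RequestTag … "true"`), so this grant turns tag-on-create support into a path to adopt and then delete or reconfigure load balancers the cluster does not own. Constrain it with the `elasticloadbalancing:CreateAction` condition key, which is the form the upstream aws-load-balancer-controller policy uses, by keeping AddTags in its own statement limited to the create calls.
```json
{
  "Effect": "Allow",
  "Action": ["elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup"],
  "Resource": "*",
  "Condition": {
    "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" }
  }
},
{
  "Effect": "Allow",
  "Action": ["elasticloadbalancing:AddTags"],
  "Resource": [
    "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
    "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
    "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
  ],
  "Condition": {
    "StringEquals": {
      "elasticloadbalancing:CreateAction": ["CreateTargetGroup", "CreateLoadBalancer"]
    },
    "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" }
  }
}
```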
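Review bot: Flipping `sensitive` to `false` on the `vpc` output means the private and public subnet CIDR blocks are now printed in every plan and apply and will land in CI logs, and a root module that re-exports this value no longer has to mark its own output sensitive; CIDRs are not credentials, but the commit gives no reason for the change and the reader cannot tell whether log exposure was considered. If the intent is to consume the value from another workspace or module, record it next to the line, e.g. `sensitive = false # subnet CIDRs are not secret; exposed so they can be read from remote state`, so the next reviewer does not re-flip it. The `output "vpc"` block begins before this hunk.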
@@ -250,28 +250,45 @@ deploy_grafana() { deploy_cns_team_monitoring() { printf "\n${ORANGE}############# ${PURPLE}Deploying CNS Team monitoring helm chart ${ORANGE}#############${NC}\n" - helm upgrade --install cns-team-monitoring ./k8s-helm-charts/cns-team-monitoring \ - -n monitoring \ - --set dhcpApiBasicAuthUsername=$dhcpApiBasicAuthUsername \ - --set dhcpApiBasicAuthPassword=$dhcpApiBasicAuthPassword \ - --set environment=$namespace \ - --set production_account_id=$production_account_id \ - --set pre_production_account_id=$pre_production_account_id \ - --set development_account_id=$development_account_id \ - --set cloudwatch_iam_role=$cloudwatch_iam_role_arn \ - --set cloudwatchExporterDevelopmentArn=$cloudwatch_exporter_development_iam_role_arn \ - --set cloudwatchExporterPreProductionArn=$cloudwatch_exporter_pre_production_iam_role_arn \ - --set alertmanager.alert_rules.pagerduty_routing_key=`base64_encode $pagerduty_routing_key` \ - --set alertmanager.alert_rules.ima_slack_webhook_url=`base64_encode $ima_slack_webhook_url` \ - --set alertmanager.alert_rules.dhcp_dns_slack_webhook_url=`base64_encode $dhcp_dns_slack_webhook_url` \ - --set alertmanager.alert_rules.development_pre_production_dhcp_dns_slack_webhook_url=`base64_encode $development_pre_production_dhcp_dns_slack_webhook_url` \ - --set alertmanager.alert_rules.certificate_services_slack_webhook_url=`base64_encode $certificate_services_slack_webhook_url` \ - --set alertmanager.alert_rules.networks_slack_webhook_url=`base64_encode $networks_slack_webhook_url` \ - --set alertmanager.alert_rules.ost_slack_webhook_url=`base64_encode $ost_slack_webhook_url` \ - --set alertmanager.alert_rules.network_access_control_production_slack_webhook_url=`base64_encode $network_access_control_production_slack_webhook_url` \ - --set alertmanager.alert_rules.network_access_control_pre_production_slack_webhook_url=`base64_encode $network_access_control_pre_production_slack_webhook_url` \ - --set 
alertmanager.alert_rules.network_access_control_critical_slack_webhook_url=`base64_encode $network_access_control_critical_slack_webhook_url` -} + # Check environment and set values file path or reconfigure values + if [ "$namespace" == "production" ]; then + helm upgrade --install cns-team-monitoring ./k8s-helm-charts/cns-team-monitoring \ + -n monitoring \ + --set dhcpApiBasicAuthUsername="$dhcpApiBasicAuthUsername" \ + --set dhcpApiBasicAuthPassword="$dhcpApiBasicAuthPassword" \ + --set environment="$namespace" \ + --set production_account_id="$production_account_id" \ + --set pre_production_account_id="$pre_production_account_id" \ + --set development_account_id="$development_account_id" \ + --set cloudwatch_iam_role="$cloudwatch_iam_role_arn" \ + --set cloudwatchExporterDevelopmentArn="$cloudwatch_exporter_development_iam_role_arn" \ + --set cloudwatchExporterPreProductionArn="$cloudwatch_exporter_pre_production_iam_role_arn" \ + --set alertmanager.alert_rules.pagerduty_routing_key=$(base64_encode "$pagerduty_routing_key") \ + --set alertmanager.alert_rules.ima_slack_webhook_url=$(base64_encode "$ima_slack_webhook_url") \ + --set alertmanager.alert_rules.dhcp_dns_slack_webhook_url=$(base64_encode "$dhcp_dns_slack_webhook_url") \ + --set alertmanager.alert_rules.development_pre_production_dhcp_dns_slack_webhook_url=$(base64_encode "$development_pre_production_dhcp_dns_slack_webhook_url") \ + --set alertmanager.alert_rules.certificate_services_slack_webhook_url=$(base64_encode "$certificate_services_slack_webhook_url") \ + --set alertmanager.alert_rules.networks_slack_webhook_url=$(base64_encode "$networks_slack_webhook_url") \ + --set alertmanager.alert_rules.ost_slack_webhook_url=$(base64_encode "$ost_slack_webhook_url") \ + --set alertmanager.alert_rules.network_access_control_production_slack_webhook_url=$(base64_encode "$network_access_control_production_slack_webhook_url") \ + --set 
alertmanager.alert_rules.network_access_control_pre_production_slack_webhook_url=$(base64_encode "$network_access_control_pre_production_slack_webhook_url") \ + --set alertmanager.alert_rules.network_access_control_critical_slack_webhook_url=$(base64_encode "$network_access_control_critical_slack_webhook_url") + else + values_file="./k8s-helm-charts/cns-team-monitoring-non-production/values-$namespace.yaml" + helm upgrade --install cns-team-monitoring ./k8s-helm-charts/cns-team-monitoring \ + -n monitoring \ + --set dhcpApiBasicAuthUsername="$dhcpApiBasicAuthUsername" \ + --set dhcpApiBasicAuthPassword="$dhcpApiBasicAuthPassword" \ + --set environment="$namespace" \ + --set production_account_id="$production_account_id" \ + --set pre_production_account_id="$pre_production_account_id" \ + --set development_account_id="$development_account_id" \ + --set cloudwatch_iam_role="$cloudwatch_iam_role_arn" \ + --set cloudwatchExporterDevelopmentArn="$cloudwatch_exporter_development_iam_role_arn" \ + --set cloudwatchExporterPreProductionArn="$cloudwatch_exporter_pre_production_iam_role_arn" \ + --values "$values_file" + fi + } main() { set_variables
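Review bot: The non-production branch drops all ten base64-encoded `--set alertmanager.alert_rules.*` values (the PagerDuty routing key and every Slack webhook) and passes only `values-$namespace.yaml`, whose three webhook entries in this commit are empty strings, so development and pre-production Alertmanager will presumably come up with no usable receivers unless the chart supplies defaults this diff does not show; if that is intended, the comment above the `if` should say so rather than "set values file path or reconfigure values". `values_file` is derived from `$namespace` with no existence check, so a namespace without a matching file fails deep inside helm; add `[ -f "$values_file" ] || { echo "No values file for namespace '$namespace': $values_file" >&2; return 1; }` before the second helm call. The `$(base64_encode "$x")` substitutions are unquoted inside the `--set` arguments, so if that helper wraps long output (GNU `base64` wraps at 76 columns by default) a long webhook URL is word-split into extra helm arguments; quote them as `"$(base64_encode "$x")"`. The nine `--set` flags duplicated across both branches would be easier to keep in sync as a single bash array reused by both invocations.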