-
Notifications
You must be signed in to change notification settings - Fork 3
/
Makefile
185 lines (139 loc) · 5.18 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
OUTPUT ?= golang_example
REGISTRY ?= strongjz
NAME=codemash
IMAGE ?= golang_example-$(NAME)
GOLANG_VERSION ?= 1.17.8
AWS_REGION ?= us-west-2
AWS_DEFAULT_REGION ?= us-west-2
NODE_ROLE_NAME ?= node-group-1
DB_HOST ?= db
DB_USER ?= postgres
DB_NAME ?= pqgotest
DB_PORT ?= 5432
MY_NODE_NAME ?= test
MY_POD_IP ?= 1.1.1.1
PORT ?= 8080
VERSION=$(shell cat VERSION.txt)
EKS_KUBECTL_ROLE_NAME ?= devsecops-codebuild
EKS_CLUSTER_NAME ?= devsecops
REPO_INFO ?= $(shell git config --get remote.origin.url)
COMMIT_SHA ?= git-$(shell git rev-parse --short HEAD)
ACCOUNT_ID ?=$(shell aws sts get-caller-identity --query Account --output text)
DB_PASSWORD = test
export
.PHONY: test clean install
aws_account:
echo ${ACCOUNT_ID}
pretty:
go fmt
test:
go test
clean:
rm -f $(OUTPUT)
install:
env GIT_TERMINAL_PROMPT=1 go get -d -v .
build: install
go build -o $(OUTPUT) main.go
run: install
go run main.go
go_report:
rm -rf goreporter/
git clone https://github.com/qax-os/goreporter.git && \
cd goreporter/ && \
go mod init github.com/360EntSecGroup-Skylar/goreporter && \
go build && \
ls -la
chmod u+x ./goreporter
cd ..
./goreporter/goreporter -p . -f html
go_sec:
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s v2.9.5
./bin/gosec -fmt=json -out=security.json -stdout .
test_local:
curl localhost:8080/
curl localhost:8080/data
compose_up:
docker-compose up &
compose_down:
docker-compose down --volumes
docker_build:
docker build -t $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION) .
.SILENT: ecr_auth
ecr_auth:
docker login --username AWS -p $(shell aws ecr get-login-password --region $(AWS_REGION) ) $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
docker_push: ecr_auth docker_build
docker push $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)
ecr_scan:
aws ecr start-image-scan --repository-name $(IMAGE) --image-id imageTag=$(VERSION)
ecr_scan_findings:
aws ecr describe-image-scan-findings --repository-name $(IMAGE) --image-id imageTag=$(VERSION)
docker_run:
docker run --env-file=.env -it --rm -p 8080:8080 -p 8090:8090 $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)
cluster:
eksctl create cluster -f eks-config.yml
cluster_iam:
eksctl create iamidentitymapping --cluster devsecops --arn arn:aws:iam::$(ACCOUNT_ID):role/devsecops-$(NAME)-codebuild --username admin \
--group system:masters
kube_update:
aws eks update-kubeconfig --name "${EKS_CLUSTER_NAME}" --region ${AWS_REGION}
kube_deploy: kube_update
awk -v IMAGE="$(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)" '{sub(/CONTAINERIMAGE/, IMAGE); print> "app.yml"}' app.yml
kubectl apply -f app.yml
clean_cluster:
eksctl delete cluster -f eks-config.yml
helm_update:
helm repo add stable https://charts.helm.sh/stable && \
helm repo update
prom: helm_update
kubectl apply -f namespace_prometheus.yml && \
helm install prometheus stable/prometheus \
--namespace prometheus \
--set alertmanager.persistentVolume.storageClass="gp2",server.persistentVolume.storageClass="gp2"
check:
terraform -v >/dev/null 2>&1 || echo "Terraform not installed" || exit 1 && \
aws --version >/dev/null 2>&1 || echo "AWS not installed" || exit 1 && \
helm version >/dev/null 2>&1 || echo "Helm not installed" || exit 1 && \
eksctl version >/dev/null 2>&1 || echo "eksctl not installed" || exit 1 && \
kubectl --help >/dev/null 2>&1 || echo "kubectl not installed" || exit 1
codebuild:
./scripts/codebuild.sh -i ubuntu:latest -a .
tf_clean:
cd terraform/ && \
rm -rf .terraform \
rm -rf plan.out
tf_init:
cd terraform/ && \
terraform init
tf_get:
cd terraform/ && \
terraform get
tf_plan:
cd terraform/ && \
terraform plan -var="name=${NAME}" -out=plan.out
tf_apply:
cd terraform/ && \
terraform apply -var="name=${NAME}" -auto-approve
tf_destroy:
cd terraform/ && \
terraform apply -destroy -var="name=${NAME}" -auto-approve
falco_deploy: deploy-fluent-bit deploy-falco
deploy-falco:
helm repo add falcosecurity https://falcosecurity.github.io/charts; \
helm repo update; \
helm install --generate-name falcosecurity/falco
deploy-fluent-iam:
aws iam create-policy --policy-name EKS-CloudWatchLogs-"${EKS_CLUSTER_NAME}" --policy-document file://./fluent-bit/aws/iam_role_policy.json --region $(AWS_REGION)|| true
aws iam attach-role-policy --role-name $(shell aws eks describe-nodegroup --cluster-name $(NAME) --nodegroup-name node-group-1 --region $(AWS_REGION) | jq .nodegroup.nodeRole -r | cut -d/ -f2) --policy-arn `aws iam list-policies --region $(AWS_REGION) | jq -r '.[][] | select(.PolicyName == "EKS-CloudWatchLogs-${EKS_CLUSTER_NAME}") | .Arn'` || true
deploy-fluent-bit:
kubectl apply -f fluent-bit/kubernetes/
falco_clean: clean-fluent-bit clean-falco
clean-fluent-bit:
kubectl delete -f fluent-bit/kubernetes/
clean-falco:
helm del falco
sign:
cosign sign --key awskms:///alias/$(NAME) $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)
key_gen:
cosign generate-key-pair --kms awskms:///alias/$(NAME) $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)
verify: key_gen
cosign verify --key cosign.pub $(ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(IMAGE):$(VERSION)