From 304a423106d3f5f6482c46f8b7ffc95849fbaa4e Mon Sep 17 00:00:00 2001
From: Benjamin Edwards
Date: Mon, 12 Feb 2024 13:25:45 -0500
Subject: [PATCH] add vuln processing module to dogfood

---
 .../aws-tf-module/.terraform.lock.hcl | 1 +
 .../dogfood/terraform/aws-tf-module/free.tf | 2 +-
 .../dogfood/terraform/aws-tf-module/main.tf | 29 +++++++++++++++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/infrastructure/dogfood/terraform/aws-tf-module/.terraform.lock.hcl b/infrastructure/dogfood/terraform/aws-tf-module/.terraform.lock.hcl
index 072933147273..caa67b71decb 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/.terraform.lock.hcl
+++ b/infrastructure/dogfood/terraform/aws-tf-module/.terraform.lock.hcl
@@ -154,6 +154,7 @@ provider "registry.terraform.io/kreuzwerker/docker" {
   constraints = "3.0.2"
   hashes = [
     "h1:XjdpVL61KtTsuPE8swok3GY8A+Bu3TZs8T2DOEpyiXo=",
+    "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=",
     "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f",
     "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95",
     "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138",
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/free.tf b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
index 8da10e191e3b..8a6336d0be6e 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/free.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
@@ -15,7 +15,7 @@ locals {
 }
 module "free" {
-  source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.8.0"
+  source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.8.1"
   vpc_config = {
     name = local.customer_free
     vpc_id = module.main.vpc.vpc_id
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 2dbf70d4376d..82dc6ca43c75 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -63,7 +63,7 @@ locals {
 }
 module "main" {
-  source = "github.com/fleetdm/fleet//terraform?ref=tf-mod-root-v1.7.0"
+  source = "github.com/fleetdm/fleet//terraform?ref=tf-mod-root-v1.7.1"
   certificate_arn = module.acm.acm_certificate_arn
   vpc = {
     name = local.customer
@@ -93,6 +93,8 @@ module "main" {
   fleet_config = {
     image = local.geolite2_image
     family = local.customer
+    cpu = 256
+    mem = 512
     autoscaling = {
       min_capacity = 2
       max_capacity = 5
@@ -113,7 +115,15 @@ module "main" {
     }
     extra_iam_policies = concat(module.firehose-logging.fleet_extra_iam_policies, module.osquery-carve.fleet_extra_iam_policies, module.ses.fleet_extra_iam_policies)
     extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies, [aws_iam_policy.sentry.arn]) #, module.saml_auth_proxy.fleet_extra_execution_policies)
-    extra_environment_variables = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, module.ses.fleet_extra_environment_variables, local.extra_environment_variables, module.geolite2.extra_environment_variables)
+    extra_environment_variables = merge(
+      module.mdm.extra_environment_variables,
+      module.firehose-logging.fleet_extra_environment_variables,
+      module.osquery-carve.fleet_extra_environment_variables,
+      module.ses.fleet_extra_environment_variables,
+      local.extra_environment_variables,
+      module.geolite2.extra_environment_variables,
+      module.vuln-processing.extra_environment_variables
+    )
     extra_secrets = merge(module.mdm.extra_secrets, local.sentry_secrets)
     # extra_load_balancers = [{
     #   target_group_arn = module.saml_auth_proxy.lb_target_group_arn
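Review bot: In the rebuilt merge() for extra_environment_variables, `module.vuln-processing.extra_environment_variables` is the last argument, so any key it sets now silently overrides a same-named key in `local.extra_environment_variables`, which before this change was only shadowed by the geolite2 module. If the locals are meant to be the operator's final override, move `local.extra_environment_variables` to the end of the argument list. Note also that module "main" now references module.vuln-processing while the vuln-processing block in the -440 hunk reads module.main's byo-ecs outputs; Terraform tolerates this only as long as the addon's extra_environment_variables output does not depend on the addon's own resources, so a dependency-cycle error on plan would point here. module "main" continues outside the hunk.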
@@ -440,3 +450,18 @@ module "geolite2" {
   destination_image = local.geolite2_image
   license_key = var.geolite2_license
 }
+
+module "vuln-processing" {
+  source = "github.com/fleetdm/fleet//terraform/addons/external-vuln-scans?ref=tf-mod-addon-external-vuln-scans-v2.0.0"
+  ecs_cluster = module.main.byo-vpc.byo-db.byo-ecs.service.cluster
+  execution_iam_role_arn = module.main.byo-vpc.byo-db.byo-ecs.execution_iam_role_arn
+  subnets = module.main.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].subnets
+  security_groups = module.main.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].security_groups
+  fleet_config = module.main.byo-vpc.byo-db.byo-ecs.fleet_config
+  task_role_arn = module.main.byo-vpc.byo-db.byo-ecs.iam_role_arn
+  awslogs_config = {
+    group = module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.name
+    region = module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.region
+    prefix = module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.prefix
+  }
+}
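Review bot: The new task reuses the Fleet server's task role (`task_role_arn = module.main.byo-vpc.byo-db.byo-ecs.iam_role_arn`), which per the -113 hunk presumably carries the firehose-logging, osquery-carve and SES extra_iam_policies, so the vulnerability-processing task inherits permissions it has no apparent use for; a dedicated role, if the addon exposes a way to supply one, would keep it to least privilege. It also runs in the server's security groups and writes to the same awslogs group under the same prefix, so its streams interleave with the server's; a distinct prefix such as `prefix = "${module.main.byo-vpc.byo-db.byo-ecs.fleet_config.awslogs.prefix}-vuln"` would make the job's output separable when triaging. Because `fleet_config` is passed through from module.main, the `cpu = 256` / `mem = 512` added in the -93 hunk presumably size this task as well; confirm that is sufficient for the vulnerability-processing run. A one-line comment above the block explaining why it reads the ECS outputs back from module.main (and that the two modules reference each other) would help the next reader.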