add s3 installers to loadtest (#22306)

fleetdm · Sep 23, 2024 · 631dc60 · 631dc60
1 parent b14f7fa
commit 631dc60
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 11 deletions.
diff --git a/infrastructure/loadtesting/terraform/ecs.tf b/infrastructure/loadtesting/terraform/ecs.tf
@@ -203,7 +203,11 @@ resource "aws_ecs_task_definition" "backend" {
           {
             name  = "FLEET_OSQUERY_ASYNC_HOST_REDIS_SCAN_KEYS_COUNT"
             value = "10000"
-          }
+          },
+          {
+            name  = "FLEET_S3_SOFTWARE_INSTALLERS_BUCKET"
+            value = aws_s3_bucket.software_installers.bucket
+          },
         ], local.additional_env_vars)
       }
   ])
@@ -329,18 +333,18 @@ resource "aws_appautoscaling_policy" "ecs_policy_cpu" {
 resource "random_password" "fleet_server_private_key" {
   length  = 32
   special = true
-} 
-    
-resource "aws_secretsmanager_secret" "fleet_server_private_key" { 
+}
+
+resource "aws_secretsmanager_secret" "fleet_server_private_key" {
   name = "${terraform.workspace}-fleet-server-private-key"
 
   recovery_window_in_days = "0"
   lifecycle {
     create_before_destroy = true
   }
-} 
-  
+}
+
 resource "aws_secretsmanager_secret_version" "fleet_server_private_key" {
   secret_id     = aws_secretsmanager_secret.fleet_server_private_key.id
   secret_string = random_password.fleet_server_private_key.result
-} 
+}
diff --git a/infrastructure/loadtesting/terraform/rds.tf b/infrastructure/loadtesting/terraform/rds.tf
@@ -26,10 +26,10 @@ module "aurora_mysql" { #tfsec:ignore:aws-rds-enable-performance-insights-encryp
   source  = "terraform-aws-modules/rds-aurora/aws"
   version = "7.7.1"
 
-  name                  = "${local.name}-mysql"
-  engine                = "aurora-mysql"
-  engine_version        = "8.0.mysql_aurora.3.05.2"
-  instance_class         = var.db_instance_type
+  name           = "${local.name}-mysql"
+  engine         = "aurora-mysql"
+  engine_version = "8.0.mysql_aurora.3.05.2"
+  instance_class = var.db_instance_type
 
   instances = {
     one = {}

diff --git a/infrastructure/loadtesting/terraform/s3.tf b/infrastructure/loadtesting/terraform/s3.tf
@@ -0,0 +1,46 @@
+data "aws_iam_policy_document" "software_installers" {
+  statement {
+    actions = [
+      "s3:GetObject*",
+      "s3:PutObject*",
+      "s3:ListBucket*",
+      "s3:ListMultipartUploadParts*",
+      "s3:DeleteObject",
+      "s3:CreateMultipartUpload",
+      "s3:AbortMultipartUpload",
+      "s3:ListMultipartUploadParts",
+      "s3:GetBucketLocation"
+    ]
+    resources = [aws_s3_bucket.software_installers.arn, "${aws_s3_bucket.software_installers.arn}/*"]
+  }
+}
+
+resource "aws_iam_policy" "software_installers" {
+  policy = data.aws_iam_policy_document.software_installers.json
+}
+
+resource "aws_iam_role_policy_attachment" "software_installers" {
+  policy_arn = aws_iam_policy.software_installers.arn
+  role       = aws_iam_role.main.name
+}
+
+resource "aws_s3_bucket" "software_installers" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01  #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
+  bucket_prefix = terraform.workspace
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "software_installers" {
+  bucket = aws_s3_bucket.software_installers.bucket
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "software_installers" {
+  bucket                  = aws_s3_bucket.software_installers.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}