Merge pull request #153 from OWASP/migrate-1513

Migrate to 1.5.13 of WrongSecrets

Author: commjoen

aws/README.md

@@ -45,7 +45,7 @@ The terraform code is loosely based on [this EKS managed Node Group TF example](
 1. export your AWS credentials (`export AWS_PROFILE=awsuser`)
 2. check whether you have the right profile by doing `aws sts get-caller-identity` and make sure you have enough rights with the caller its identity and that the actual accountnumber displayed is the account designated for you to apply this TF to.
 3. Do `terraform init` (if required, use tfenv to select TF 0.13.1 or higher )
-4. The bucket ARN will be asked for in the next 2 steps. Take the one provided to you and add `arn:aws:s3:::` to the start. e.g. ``arn:aws:s3:::terraform-20221208123456789100000001`
+4. The bucket ARN will be asked for in the next 2 steps. Take the one provided to you and add `arn:aws:s3:::` to the start. e.g. ``arn:aws:s3:::terraform-20230102231352749300000001`
 5. Do `terraform plan`
 6. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
 7. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`

aws/build-an-deploy-aws.sh

@@ -139,6 +139,24 @@ helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
 
 # Install CTFd
 
+echo "Installing EBS CSI driver"
+eksctl create iamserviceaccount \
+  --name ebs-csi-controller-sa \
+  --namespace kube-system \
+  --cluster $CLUSTERNAME \
+  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
+  --approve \
+  --role-only \
+  --role-name AmazonEKS_EBS_CSI_DriverRole
+  --region $AWS_REGION
+
+echo "managing EBS CSI Driver as a separate eks addon"
+eksctl create addon --name aws-ebs-csi-driver \
+  --cluster $CLUSTERNAME \
+  --service-account-role-arn arn:aws:iam::${ACCOUNT_ID}:role/AmazonEKS_EBS_CSI_DriverRole \
+  --force \
+  --region $AWS_REGION
+
 export HELM_EXPERIMENTAL_OCI=1
 kubectl create namespace ctfd
 helm -n ctfd install ctfd oci://ghcr.io/bman46/ctfd/ctfd \

aws/cleanup-aws-autoscaling-and-helm.sh

@@ -50,3 +50,12 @@ sleep 5 # Prevents race condition - command below may error out because it's sti
 
 aws iam delete-policy \
   --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/AmazonEKSClusterAutoscalerPolicy
+
+
+echo "Cleanup CSI driver SA"
+
+eksctl delete iamserviceaccount \
+  --cluster $CLUSTERNAME \
+  --name ebs-csi-controller-sa \
+  --namespace kube-system \
+  --region $AWS_REGION

aws/cluster-autoscaler-policy.json

@@ -6,7 +6,10 @@
             "Effect": "Allow",
             "Action": [
                 "autoscaling:SetDesiredCapacity",
-                "autoscaling:TerminateInstanceInAutoScalingGroup"
+                "autoscaling:TerminateInstanceInAutoScalingGroup",
+                "ec2:DescribeImages",
+                "ec2:GetInstanceTypesFromInstanceRequirements",
+                "eks:DescribeNodegroup"
             ],
             "Resource": "*",
             "Condition": {
@@ -19,11 +22,13 @@
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": [
-                "autoscaling:DescribeAutoScalingInstances",
                 "autoscaling:DescribeAutoScalingGroups",
-                "ec2:DescribeLaunchTemplateVersions",
+                "autoscaling:DescribeAutoScalingInstances",
+                "autoscaling:DescribeLaunchConfigurations",
+                "autoscaling:DescribeScalingActivities",
                 "autoscaling:DescribeTags",
-                "autoscaling:DescribeLaunchConfigurations"
+                "ec2:DescribeInstanceTypes",
+                "ec2:DescribeLaunchTemplateVersions"
             ],
             "Resource": "*"
         }

aws/s3-user.tf

@@ -7,7 +7,7 @@ resource "aws_iam_access_key" "state_user_key" {
 }
 
 resource "aws_iam_user_policy" "state_user_policy" {
-  user   = aws_iam_user.state_user.id
+  user   = aws_iam_user.state_user.name
   policy = data.aws_iam_policy_document.state_user_policy.json
 }
 

aws/terraform.tfvars

@@ -1,3 +1,3 @@
-cluster_version = "1.22"
+cluster_version = "1.23"
 region          = "eu-west-1"
-# state_bucket_arn = "...."
+# state_bucket_arn = "..."

helm/wrongsecrets-ctf-party/values.yaml

@@ -97,7 +97,7 @@ wrongsecrets:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets
-  tag: 1.5.12-no-vault
+  tag: 1.5.13-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
   # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file
@@ -184,7 +184,7 @@ virtualdesktop:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
-  tag: ctf-party1
+  tag: 1.5.13
   repository: commjoenie/wrongSecrets
   resources:
     request: