Merge pull request #567 from OWASP/cloudtest

Fixes for new TF provider in AWS

Author: commjoen

aws/README.md

@@ -102,15 +102,15 @@ The documentation below is auto-generated to give insight on what's created via
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.48.0 |
-| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.1 |
+| <a name="requirement_http"></a> [http](#requirement\_http) | ~> 3.2.1 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.4.3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.48.0 |
-| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.1 |
+| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.2.1 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
 
 ## Modules
@@ -160,6 +160,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description |
 |------|-------------|
 | <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | The id of the cluster |
 | <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. |
 | <a name="output_irsa_role"></a> [irsa\_role](#output\_irsa\_role) | The role ARN used in the IRSA setup |
 | <a name="output_secrets_manager_secret_name"></a> [secrets\_manager\_secret\_name](#output\_secrets\_manager\_secret\_name) | The name of the secrets manager secret |

aws/irsa.tf

@@ -39,7 +39,7 @@ resource "aws_iam_role_policy_attachment" "irsa_role_attachment" {
 
 resource "aws_iam_policy" "secret_manager" {
   name_prefix = "secret-manager"
-  description = "EKS secret manager policy for cluster ${module.eks.cluster_id}"
+  description = "EKS secret manager policy for cluster ${module.eks.cluster_name}"
   policy      = data.aws_iam_policy_document.secret_manager.json
 }
 

aws/k8s/secret-challenge-vault-deployment.yml

@@ -39,7 +39,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.12-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.13RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

aws/main.tf

@@ -72,6 +72,7 @@ module "eks" {
 
 
   cluster_endpoint_private_access = true
+  cluster_endpoint_public_access  = true
 
   cluster_endpoint_public_access_cidrs = ["${data.http.ip.response_body}/32"]
 
@@ -84,24 +85,23 @@ module "eks" {
     disk_iops       = 3000
     instance_types  = ["t3a.large"]
 
-    iam_role_additional_policies = [
-      "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-      "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
-      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
-      "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-      "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
-      "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-    ]
+    iam_role_additional_policies = {
+      AmazonEKSWorkerNodePolicy : "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+      AmazonEKS_CNI_Policy : "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+      AmazonEC2ContainerRegistryReadOnly : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+      AmazonSSMManagedInstanceCore : "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+      AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
+      AmazonEBSCSIDriverPolicy : "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+    }
   }
 
   eks_managed_node_groups = {
     bottlerocket_default = {
-      create_launch_template = false
-      launch_template_name   = ""
-      min_size               = 1
-      max_size               = 3
-      desired_size           = 1
-      capacity_type          = "SPOT"
+      use_custom_launch_template = false
+      min_size                   = 1
+      max_size                   = 3
+      desired_size               = 1
+      capacity_type              = "SPOT"
 
       ami_type = "BOTTLEROCKET_x86_64"
       platform = "bottlerocket"

aws/outputs.tf

@@ -17,3 +17,8 @@ output "secrets_manager_secret_name" {
   description = "The name of the secrets manager secret"
   value       = aws_secretsmanager_secret.secret.name
 }
+
+output "cluster_id" {
+  description = "The id of the cluster"
+  value       = module.eks.cluster_id
+}

aws/versions.tf

@@ -9,7 +9,7 @@ terraform {
       version = "~> 3.4.3"
     }
     http = {
-      version = "~> 3.1"
+      version = "~> 3.2.1"
     }
   }
 }

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -41,7 +41,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.12-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.13RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -39,7 +39,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.12-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.13RC1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports: