
terraform-aws-snykbroker

Terraform reference implementation example to create and run Snyk Broker as an AWS Elastic Container Service (ECS) Fargate Service.

Note

Requires a public domain name whose DNS zone is hosted in AWS Route53.

Usage

Prerequisites

  1. Create an S3 bucket to store the deployment's Terraform state
  2. Create the dev environment in the GitHub repository
  3. Modify env/dev/config.s3.backend
  4. Modify env/dev/terraform.tfvars

GitHub Action

This GitHub CI workflow (ci.yml) accepts inputs for running Snyk Broker and deploys the AWS resources needed to run SnykBroker as a Fargate Service.

Variables

GitHub Repository secrets

  1. AWS_ACCESS_KEY_ID
  2. AWS_SECRET_ACCESS_KEY
  3. DOCKERHUB_ACCESS_TOKEN
  4. DOCKERHUB_USERNAME
  5. SNYK_TOKEN

GitHub Environment secrets

  1. AWS_REGION
  2. BROKER_ENV_VARS

Broker Environment Variables (BROKER_ENV_VARS) format

The value of this environment secret is a JSON-encoded map(string) of broker environment variables. Example:

{"BROKER_TOKEN":"xxx","GITHUB_TOKEN":"yyy"}

Command Line Interface method

Deployment Modes

| Mode       | Description                                       | Variable Settings                                |
|------------|---------------------------------------------------|--------------------------------------------------|
| HTTP       | No SSL certificate                                | broker_protocol="http", private_ssl_cert=false   |
| HTTPS/HTTP | Public SSL certificate, internal HTTP             | broker_protocol="https", private_ssl_cert=false  |
| HTTPS      | Public SSL certificate, internal private SSL cert | broker_protocol="https", private_ssl_cert=true   |

Public SSL certificate

Public SSL certificate for <broker_hostname>.<public_domain_name> is created and managed by AWS Certificate Manager (ACM) with its renewal automatically handled.

Private SSL certificate/Key

  • Upload the private SSL certificate (.pem) and its private key (.key) to an S3 bucket
  • Verify that the S3 bucket and these objects are accessible to the credentials Terraform assumes
  • Set variable config_bucket_name="<S3_bucket_name>"
  • Set variable broker_private_key_object="<S3_folder>/<key_name.key>"
  • Set variable broker_ssl_cert_object="<S3_folder>/<cert_name.pem>"

Private SSL certificate validity and renewal are handled independently by the customer.

Custom approved listing filter

  • Upload the custom accept.json for the integration type to an S3 bucket
  • Verify that the S3 bucket and accept.json are accessible to the credentials Terraform assumes
  • Set variable config_bucket_name="<S3_bucket_name>"
  • Set variable custom_listing_filter="<S3_folder>/accept.json"
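An env/dev/terraform.tfvars that combines the HTTPS deployment mode, a private certificate and a custom listing filter, as an added example (not a file from this repository). Variable names and types follow the Inputs table; the bucket name, domain, GHE hostnames and tokens are placeholders.

```hcl
# env/dev/terraform.tfvars (constructed example; all values are placeholders)
#
# Deployment mode "HTTPS": public ACM certificate at the load balancer and a
# private certificate at the broker client (broker_protocol="https",
# private_ssl_cert=true), plus a custom approved listing filter.

# Required inputs
integration_type   = "ghe"
public_domain_name = "example.com"   # public hosted zone in Route53

# Per-integration broker environment variables (names from the ghe entry of
# snyk_integration_env_vars). PORT and BROKER_CLIENT_URL need not be set here.
# Keep real tokens out of version control: in CI, pass this map through the
# BROKER_ENV_VARS environment secret instead of committing it.
broker_env_vars = {
  BROKER_TOKEN   = "<broker-token>"
  GITHUB_TOKEN   = "<github-enterprise-token>"
  GITHUB         = "ghe.example.com"
  GITHUB_API     = "ghe.example.com/api/v3"
  GITHUB_GRAPHQL = "ghe.example.com/api/graphql"
}

# Deployment mode: HTTPS end to end
broker_protocol  = "https"
private_ssl_cert = true

# Private certificate, key and accept.json are read from the config bucket;
# the credentials Terraform assumes must be able to read these objects.
config_bucket_name        = "<s3-bucket-name>"
broker_ssl_cert_object    = "snykbroker/broker.pem"
broker_private_key_object = "snykbroker/broker.key"
custom_listing_filter     = true
broker_accept_json_object = "snykbroker/accept.json"

# <broker_hostname>.<public_domain_name> becomes the FQDN used by SCM webhooks
broker_hostname = "snykbroker"
broker_port     = 7341   # non-system port; the container runs as non-root

# Sizing and log retention
cpu                           = 512
memory                        = 1024
service_desired_count         = 1
cloudwatch_log_retention_days = 30
```

Private certificate renewal is not automated by the module, so the objects in the config bucket must be replaced and the service redeployed before the certificate expires.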

Deployment steps

  1. Configure the S3 backend for Terraform state
  2. Set up the Terraform input tfvars
  3. Run the commands below to create the Fargate Service that launches the corresponding SnykBroker container.

$ terraform init -backend-config="env/dev/config.s3.tfbackend"
$ terraform plan -input=false -var-file="env/dev/terraform.tfvars" -out=tfplan
$ terraform apply "tfplan"

Requirements

| Name      | Version |
|-----------|---------|
| terraform | >= 1.0  |
| aws       | >= 4.9  |

Providers

| Name | Version |
|------|---------|
| aws  | 4.25.0  |
| null | 3.1.1   |

Modules

| Name | Source | Version |
|------|--------|---------|
| public_route53_zone | terraform-aws-modules/route53/aws//modules/zones | 2.9.0 |
| snykbroker_acm | terraform-aws-modules/acm/aws | 4.0.1 |
| snykbroker_cert_handler_lambda | terraform-aws-modules/lambda/aws | 4.0.1 |
| snykbroker_ecs_cluster | terraform-aws-modules/ecs/aws | 4.1.1 |
| snykbroker_ecs_task_definition | umotif-public/ecs-fargate-task-definition/aws | 2.1.2 |
| snykbroker_efs | terraform-iaac/efs/aws | 2.0.4 |
| snykbroker_kms | terraform-aws-modules/kms/aws | 1.1.0 |
| snykbroker_kms_iam_policy | terraform-aws-modules/iam/aws//modules/iam-policy | 3.5.0 |
| snykbroker_lambda_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
| snykbroker_lb | terraform-aws-modules/alb/aws | 7.0.0 |
| snykbroker_lb_route53_record | terraform-aws-modules/route53/aws//modules/records | 2.9.0 |
| snykbroker_lb_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
| snykbroker_log_group | terraform-aws-modules/cloudwatch/aws//modules/log-group | 3.3.0 |
| snykbroker_secrets | lgallard/secrets-manager/aws | 0.6.0 |
| snykbroker_security_group | terraform-aws-modules/security-group/aws | 4.13.0 |
| snykbroker_vpc | terraform-aws-modules/vpc/aws | 3.14.3 |

Resources

| Name | Type |
|------|------|
| aws_ecs_service.snykbroker_service | resource |
| aws_efs_access_point.snykbroker_cert_access_point | resource |
| aws_iam_role_policy_attachment.snykbroker_fargate_exe_efs | resource |
| aws_iam_role_policy_attachment.snykbroker_fargate_exe_kms | resource |
| aws_iam_role_policy_attachment.snykbroker_fargate_task_efs | resource |
| aws_lambda_invocation.snykbroker_lambda_invocation | resource |
| aws_ssm_parameter.tokens | resource |
| null_resource.wait_lambda_efs | resource |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.snykbroker_logs_policy_doc | data source |
| aws_iam_policy_document.snykbroker_secrets_policy_doc | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_route53_zone.public_zone | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_env_vars | Additional environment variables | map(string) | {} | no |
| broker_accept_json_object | S3 object of the SnykBroker listing filter accept.json. Example /accept.json | string | null | no |
| broker_env_vars | SnykBroker environment variables as key-value pairs. PORT and BROKER_CLIENT_URL are not required | map(string) | {} | yes |
| broker_hostname | SnykBroker hostname. <broker_hostname>.<public_domain_name> forms its FQDN for SCM webhook calls | string | "snykbroker" | no |
| broker_port | Default SnykBroker client port. Use a non-system port (>= 1024) because the container runs as a non-root user | number | 7341 | no |
| broker_private_key_object | S3 object of the SnykBroker certificate private key. Example /.key | string | null | no |
| broker_protocol | Protocol for connections to SnykBroker. Either http or https | string | "https" | no |
| broker_ssl_cert_object | S3 object of the SnykBroker certificate. Example /.pem | string | null | no |
| cloudwatch_log_group_name | SnykBroker CloudWatch log group name | string | "/aws/ecs/snykbroker" | no |
| cloudwatch_log_retention_days | SnykBroker CloudWatch log retention in days | number | 7 | no |
| config_bucket_name | Configuration S3 bucket name storing the SnykBroker private key, SSL certificate, accept.json filter, etc. | string | null | no |
| container_name | Snyk broker container name behind the Service | string | "snykbroker" | no |
| cpu | Broker service task CPU. Min 256 (0.25 vCPU), max 4096 (4 vCPU) | number | 256 | no |
| custom_listing_filter | Use a custom approved listing filter, i.e. a revised accept.json | bool | false | no |
| default_tags | Default tags at aws provider scope | map(string) | {"Snyk": "SnykBroker"} | no |
| dockerhub_access_token | DockerHub personal access token | string | null | no |
| dockerhub_username | DockerHub username | string | null | no |
| fargate_capacity_base | Fargate capacity provider base as minimum number of Tasks. Only this or fargate_spot_capacity_base can be > 0 | number | 0 | no |
| fargate_capacity_weight | Fargate capacity provider weight as a relative percentage of total service_desired_count Tasks | number | 50 | no |
| fargate_spot_capacity_base | Fargate Spot capacity provider base as minimum number of Tasks. Only this or fargate_capacity_base can be > 0 | number | 0 | no |
| fargate_spot_capacity_weight | Fargate Spot capacity provider weight as a relative percentage of total service_desired_count Tasks | number | 50 | no |
| image | Broker image to pull from DockerHub. May be a custom derived broker image | string | null | no |
| integration_type | Snyk integration type. One of artifactory, azurerepos, bitbucket, gh, ghe, gitlab, jira or nexus | string | "" | yes |
| lambda_runtime | Lambda function runtime. Must be an AWS supported version | string | "python3.9" | no |
| launch_type | SnykBroker service launch type | string | "FARGATE" | no |
| log_bucket_name | SnykBroker requests access log bucket name for logging webhook requests | string | null | no |
| memory | Broker service memory in MiB. Min 512, max 30720 | number | 512 | no |
| private_ssl_cert | Use a private SSL certificate at the SnykBroker client | bool | false | no |
| public_domain_name | Customer public domain, e.g. example.com | string | null | yes |
| scheduling_strategy | Snyk broker scheduling strategy | string | "REPLICA" | no |
| service_azs | Count of service availability zones to use | number | 2 | no |
| service_desired_count | Snyk broker service instance count | number | 1 | no |
| service_name | Snyk broker service name | string | "snykbroker" | no |
| snyk_integration_env_vars | Map of Snyk integration type to the environment variable names used at the broker container | map(list(string)) | see below | no |
| snyk_integration_images | Map of Snyk integration type to default official Snyk Docker image tag | map(string) | {"artifactory": "artifactory", "azurerepos": "azure-repos", "bitbucket": "bitbucket-server", "gh": "github-com", "ghe": "github-enterprise", "gitlab": "gitlab", "jira": "jira", "nexus": "nexus"} | no |
| snykbroker_repo | DockerHub snyk broker repo | string | "snyk/broker" | no |
| tags | Tags | map(string) | {} | no |
| use_existing_route53_zone | Use the existing public hosted zone of <public_domain_name>, or create a new zone | bool | true | no |
| vpc_cidr | SnykBroker VPC CIDR. Linked to service_azs to be created | string | "192.168.0.0/20" | no |

Default value of snyk_integration_env_vars:

{
  "artifactory": ["BROKER_TOKEN", "ARTIFACTORY_URL"],
  "azurerepos": ["BROKER_TOKEN", "AZURE_REPOS_TOKEN", "AZURE_REPOS_ORG", "AZURE_REPOS_HOST", "PORT", "BROKER_CLIENT_URL"],
  "bitbucket": ["BROKER_TOKEN", "BITBUCKET_USERNAME", "BITBUCKET_PASSWORD", "BITBUCKET", "BITBUCKET_API", "BROKER_CLIENT_URL", "PORT"],
  "gh": ["BROKER_TOKEN", "GITHUB_TOKEN", "PORT", "BROKER_CLIENT_URL"],
  "ghe": ["BROKER_TOKEN", "GITHUB_TOKEN", "GITHUB", "GITHUB_API", "GITHUB_GRAPHQL", "PORT", "BROKER_CLIENT_URL"],
  "gitlab": ["BROKER_TOKEN", "GITLAB_TOKEN", "GITLAB", "PORT", "BROKER_CLIENT_URL"],
  "jira": ["BROKER_TOKEN", "JIRA_USERNAME", "JIRA_PASSWORD", "JIRA_HOSTNAME", "BROKER_CLIENT_URL", "PORT"],
  "nexus": ["BROKER_TOKEN", "BASE_NEXUS_URL", "BROKER_CLIENT_VALIDATION_URL", "RES_BODY_URL_SUB"]
}

Outputs

| Name | Description |
|------|-------------|
| snykbroker_aws_dns_name | SnykBroker Client AWS DNS name |
| snykbroker_client_healthcheck_url | SnykBroker Client healthcheck URL |
| snykbroker_client_systemcheck_url | SnykBroker Client systemcheck URL |
| snykbroker_lb_dns_name | SnykBroker Client hosted domain DNS name |