GeoLite2 addon for Dogfood and Cloud (#15643)

2024-11-06 08:55:24 +00:00 · 2023-12-14 13:22:11 -06:00 · 2023-12-14 13:22:11 -06:00 · 255bcd8002
commit 255bcd8002
parent b045b462c5
10 changed files with 136 additions and 5 deletions
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@ -30,6 +30,7 @@ env:
  TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
  TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
  TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
+  TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}

 permissions:
  id-token: write
--- a/infrastructure/dogfood/terraform/aws-tf-module/free.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/free.tf
@ -53,7 +53,7 @@ module "free" {
    cluster_name = local.customer_free
  }
  fleet_config = {
-    image               = local.fleet_image
+    image               = local.geolite2_image
    family              = local.customer_free
    security_group_name = local.customer_free
    autoscaling = {
@ -75,7 +75,7 @@ module "free" {
      }
    }
    extra_iam_policies          = module.ses-free.fleet_extra_iam_policies
-    extra_environment_variables = merge(module.ses-free.fleet_extra_environment_variables, local.extra_environment_variables_free)
+    extra_environment_variables = merge(module.ses-free.fleet_extra_environment_variables, local.extra_environment_variables_free, module.geolite2.extra_environment_variables)
  }
  alb_config = {
    name            = local.customer_free
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@ -32,6 +32,7 @@ variable "fleet_license" {}
 variable "fleet_image" {
  default = "160035666661.dkr.ecr.us-east-2.amazonaws.com/fleet:1f68e7a5e39339d763da26a0c8ae3e459b2e1f016538d7962312310493381f7c"
 }
+variable "geolite2_license" {}
 variable "fleet_sentry_dsn" {}
 variable "elastic_url" {}
 variable "elastic_token" {}
@ -41,6 +42,7 @@ data "aws_caller_identity" "current" {}
 locals {
  customer    = "fleet-dogfood"
  fleet_image = var.fleet_image # Set this to the version of fleet to be deployed
+  geolite2_image = "${aws_ecr_repository.fleet.repository_url}:${split(":", var.fleet_image)[1]}-geolite2"
  extra_environment_variables = {
    FLEET_LICENSE_KEY                          = var.fleet_license
    FLEET_LOGGING_DEBUG                        = "true"
@ -89,7 +91,7 @@ module "main" {
    cluster_name = local.customer
  }
  fleet_config = {
-    image  = local.fleet_image
+    image  = local.geolite2_image
    family = local.customer
    autoscaling = {
      min_capacity = 2
@ -111,7 +113,7 @@ module "main" {
    }
    extra_iam_policies           = concat(module.firehose-logging.fleet_extra_iam_policies, module.osquery-carve.fleet_extra_iam_policies, module.ses.fleet_extra_iam_policies)
    extra_execution_iam_policies = concat(module.mdm.extra_execution_iam_policies, [aws_iam_policy.sentry.arn]) #, module.saml_auth_proxy.fleet_extra_execution_policies)
-    extra_environment_variables  = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, module.ses.fleet_extra_environment_variables, local.extra_environment_variables)
+    extra_environment_variables  = merge(module.mdm.extra_environment_variables, module.firehose-logging.fleet_extra_environment_variables, module.osquery-carve.fleet_extra_environment_variables, module.ses.fleet_extra_environment_variables, local.extra_environment_variables, module.geolite2.extra_environment_variables)
    extra_secrets                = merge(module.mdm.extra_secrets, local.sentry_secrets)
    # extra_load_balancers         = [{
    #   target_group_arn = module.saml_auth_proxy.lb_target_group_arn
@ -425,4 +427,9 @@ resource "aws_s3_object" "idp_metadata" {
  acl    = "public-read"
 }

-
+module "geolite2" {
+  source = "github.com/fleetdm/fleet//terraform/addons/geolite2?ref=tf-mod-addon-geolite2-v1.0.0"
+  fleet_image = var.fleet_image
+  destination_image = local.geolite2_image
+  license_key = var.geolite2_license
+}
--- a/terraform/addons/geolite2/.header.md
+++ b/terraform/addons/geolite2/.header.md
@ -0,0 +1,9 @@
+# Geoip Terraform module for Fleet
+
+This module adds Geoip data to the Fleet docker image for use with the Fleet Terraform module.
+
+See the [documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration#geoip) for some basic information about what happens under the hood.
+
+You will need to supply a Maxmind license key and a destination docker registry (such as ECR) to hold the new image.
+
+Outputs will be added to the environment variables in Fleet via the `extra_environment_variables` list.
--- a/terraform/addons/geolite2/.terraform-docs.yml
+++ b/terraform/addons/geolite2/.terraform-docs.yml
@ -0,0 +1 @@
+header-from: .header.md
--- a/terraform/addons/geolite2/Dockerfile
+++ b/terraform/addons/geolite2/Dockerfile
@ -0,0 +1,17 @@
+ARG FLEET_IMAGE
+
+FROM ${FLEET_IMAGE}
+
+ARG LICENSE_KEY
+USER root
+
+RUN mkdir -p /opt/GeoLite2 && cd /opt/GeoLite2 &&\
+    wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${LICENSE_KEY}&suffix=tar.gz" -O GeoLite2-City.tar.gz &&\
+    wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${LICENSE_KEY}&suffix=tar.gz.sha256" -O GeoLite2-City.tar.gz.sha256 &&\
+    [ "$(awk '{ print $1 }' GeoLite2-City.tar.gz.sha256)" == "$(sha256sum GeoLite2-City.tar.gz | awk '{ print $1 }')" ] &&\
+    (tar -xzvf GeoLite2-City.tar.gz "*/GeoLite2-City.mmdb" --strip-components 1 2>/dev/null || true) &&\
+    rm -f GeoLite2-City.tar.gz*
+
+USER fleet
+# Might not be needed again, but keep it just in case
+CMD ["fleet", "serve"]
--- a/terraform/addons/geolite2/README.md
+++ b/terraform/addons/geolite2/README.md
@ -0,0 +1,48 @@
+# Geoip Terraform module for Fleet
+
+This module adds Geoip data to the Fleet docker image for use with the Fleet Terraform module.
+
+See the [documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration#geoip) for some basic information about what happens under the hood.
+
+You will need to supply a Maxmind license key and a destination docker registry (such as ECR) to hold the new image.
+
+Outputs will be added to the environment variables in Fleet via the `extra_environment_variables` list.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_docker"></a> [docker](#requirement\_docker) | 3.0.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_docker"></a> [docker](#provider\_docker) | 3.0.2 |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.4.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [docker_image.maxmind_fleet](https://registry.terraform.io/providers/kreuzwerker/docker/3.0.2/docs/resources/image) | resource |
+| [docker_registry_image.maxmind_fleet](https://registry.terraform.io/providers/kreuzwerker/docker/3.0.2/docs/resources/registry_image) | resource |
+| [local_file.dockerfile](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_destination_image"></a> [destination\_image](#input\_destination\_image) | n/a | `string` | n/a | yes |
+| <a name="input_fleet_image"></a> [fleet\_image](#input\_fleet\_image) | n/a | `string` | n/a | yes |
+| <a name="input_license_key"></a> [license\_key](#input\_license\_key) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_extra_environment_variables"></a> [extra\_environment\_variables](#output\_extra\_environment\_variables) | n/a |
--- a/terraform/addons/geolite2/main.tf
+++ b/terraform/addons/geolite2/main.tf
@ -0,0 +1,32 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+  }
+}
+
+# Build the new image
+resource "docker_image" "maxmind_fleet" {
+  name = var.destination_image
+
+  build {
+    context  = path.module
+    platform = "linux/amd64"
+    build_args = {
+      FLEET_IMAGE = var.fleet_image
+      LICENSE_KEY = var.license_key
+    }
+    pull_parent = true
+  }
+}
+
+# push it to the specified repo
+resource "docker_registry_image" "maxmind_fleet" {
+  triggers = {
+    fleet_digest = docker_image.maxmind_fleet.repo_digest
+  }
+  name          = docker_image.maxmind_fleet.name
+  keep_remotely = true
+}
--- a/terraform/addons/geolite2/outputs.tf
+++ b/terraform/addons/geolite2/outputs.tf
@ -0,0 +1,5 @@
+output "extra_environment_variables" {
+  value = {
+    FLEET_GEOIP_DATABASE_PATH = "/opt/GeoLite2/GeoLite2-City.mmdb"
+  }
+}
--- a/terraform/addons/geolite2/variables.tf
+++ b/terraform/addons/geolite2/variables.tf
@ -0,0 +1,11 @@
+variable "fleet_image" {
+  type = string
+}
+
+variable "destination_image" {
+  type = string
+}
+
+variable "license_key" {
+  type = string
+}