Add changes for v4.32.0 to sandbox (#12066)

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).

infrastructure/sandbox/JITProvisioner/jitprovisioner.tf

@@ -206,7 +206,7 @@ resource "random_uuid" "jitprovisioner" {
 
 # Use the local to make the trigger work.
 locals {
-  fleet_tag = "v4.31.0"
+  fleet_tag = "v4.32.0"
 }
 
 resource "null_resource" "standard-query-library" {

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/templates/deployment.yaml

@@ -58,6 +58,8 @@ spec:
             value: "1"
           - name: FLEET_LICENSE_ENFORCE_HOST_LIMIT
             value: "true"
+          - name: FLEET_LICENSE
+            value: "{{ .Values.fleet.licenseKey }}"
           - name: FLEET_VULNERABILITIES_DATABASES_PATH
             value: /tmp/vuln
           {{- if ne .Values.packaging.enrollSecret "" }}

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/fleet/values.yaml

@@ -54,6 +54,7 @@ fleet:
   listenPort: 8080
   # Name of the Secret resource storing TLS and S3 bucket secrets
   secretName: fleet
+  licenseKey: ""
   # Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet
   autoApplySQLMigrations: true
   tls:

infrastructure/sandbox/PreProvisioner/lambda/deploy_terraform/main.tf

@@ -55,6 +55,7 @@ variable "oidc_provider_arn" {}
 variable "oidc_provider" {}
 variable "kms_key_arn" {}
 variable "ecr_url" {}
+variable "license_key" {}
 
 resource "mysql_user" "main" {
   user               = terraform.workspace
@@ -162,7 +163,7 @@ resource "helm_release" "main" {
 
   set {
     name  = "imageTag"
-    value = "v4.31.0"
+    value = "v4.32.0"
   }
 
   set {
@@ -194,6 +195,11 @@ resource "helm_release" "main" {
     name  = "crons.vulnerabilities"
     value = "${random_integer.cron_offset.result}\\,${random_integer.cron_offset.result + 15}\\,${random_integer.cron_offset.result + 30}\\,${random_integer.cron_offset.result + 45} * * * *"
   }
+
+  set {
+    name  = "fleet.license_key"
+    value = var.license_key
+  }
 }
 
 data "aws_iam_policy_document" "main" {

infrastructure/sandbox/PreProvisioner/main.tf

@@ -295,6 +295,10 @@ resource "aws_ecs_task_definition" "main" {
             name  = "TF_VAR_ecr_url"
             value = var.ecr.repository_url
           },
+          {
+            name  = "TF_VAR_license_key"
+            value = var.license_key
+          },
         ]),
         secrets = concat([
           {

infrastructure/sandbox/PreProvisioner/variables.tf

@@ -12,3 +12,4 @@ variable "installer_bucket" {}
 variable "oidc_provider_arn" {}
 variable "oidc_provider" {}
 variable "ecr" {}
+variable "license_key" {}

infrastructure/sandbox/SharedInfrastructure/eks.tf

@@ -103,8 +103,8 @@ module "aws-eks-accelerator-for-terraform" {
       node_group_name = "managed-ondemand"
       instance_types  = ["t3.medium"]
       subnet_ids      = var.vpc.private_subnets
-      max_size        = 15
+      max_size        = 20
-      min_size        = 15
+      min_size        = 20
     }
   }
 

infrastructure/sandbox/main.tf

@@ -194,6 +194,7 @@ module "pre-provisioner" {
   oidc_provider_arn = module.shared-infrastructure.oidc_provider_arn
   oidc_provider     = module.shared-infrastructure.oidc_provider
   ecr               = module.shared-infrastructure.ecr
+  license_key       = var.license_key
 }
 
 module "jit-provisioner" {
@@ -291,3 +292,4 @@ resource "aws_ecs_cluster" "main" {
 }
 
 variable "slack_webhook" {}
+variable "license_key" {}