fleet/terraform/example

Fleet Terraform Module Example

This code provides example usage of the Fleet Terraform module, including how some of the addon modules can be used to extend its functionality. Prior to applying, edit the locals in main.tf to match the settings you want for your Fleet instance, including:

  • domain name
  • route53 zone name (may match the domain name)
  • license key (if using Fleet Premium)
  • uncommenting the mdm module if MDM is desired
  • any extra settings to be passed to Fleet via environment variables

Note that values set in these locals, the license key included, end up in the Terraform state, so keep the state in a protected backend rather than in plain files alongside this code.

Because of dependency-ordering limitations in Terraform, a fresh deployment cannot be applied in a single pass. Run the following targeted applies, in order:

  1. terraform apply -target module.fleet.module.vpc
  2. terraform apply -target module.osquery-carve -target module.firehose-logging
  3. If enabling MDM: terraform apply -target module.mdm. The mdm module and the KMS section below it in main.tf need to be uncommented first.
  4. terraform apply -target module.fleet
  5. terraform apply
  6. If enabling MDM, place the MDM certificates, keys and Apple Business Manager token in the resources directory under the following file names:
       scep.crt
       scep.key
       apns.crt
       apns.key
       abm.crt
       abm.key
       abm_token.p7m
  • Using the encrypt.sh script, KMS-encrypt all of these secrets with the KMS key from the KMS section of main.tf (its key id is available as a terraform output):
       cd resources
       for i in *; do ../scripts/encrypt.sh <kms-key-id-from-terraform-output> $i $i.encrypted; done
       for i in *.encrypted; do rm ${i/.encrypted/}; done

This encrypts every file in resources, writing each ciphertext to a copy with the .encrypted extension, and then removes the plaintext version so that the secrets are encrypted at rest even locally. Run these loops only once: a second run would encrypt the .encrypted files again. Note also that rm only unlinks the plaintext files; it does not overwrite their contents on disk.

  • Uncomment all of the resources and data sources in mdm-secrets.tf.
  • Re-run terraform apply to populate the Secrets Manager secrets.
  • Uncomment the MDM sections in the fleet_config portion of main.tf and run a final terraform apply. Services will restart with MDM enabled.
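The encryption and cleanup steps above as one script, added here as an example; it is not Fleet's scripts/encrypt.sh and not part of the project. It assumes AWS CLI v2 is installed and authenticated with permission to call kms:Encrypt on the key, and that the Terraform output holding the key id is named kms_key_id (an assumed name; substitute whatever the example's output is actually called). Beyond the README's loops it skips files that are already encrypted, deletes a plaintext file only after a non-empty ciphertext was written, and adds the offline check a practitioner would run before terraform apply: every expected secret exists only as a non-empty, valid-base64 .encrypted file.

```shell
#!/usr/bin/env bash
# Added example (not Fleet's scripts/encrypt.sh): KMS-encrypt the MDM secrets
# in resources/ and verify the directory is in the state the Terraform apply
# expects. The terraform output name "kms_key_id" in the usage below is an
# assumption.
set -eu

# File names the README expects in resources/.
MDM_SECRET_FILES="scep.crt scep.key apns.crt apns.key abm.crt abm.key abm_token.p7m"

# Encrypt one file with KMS and write the base64 ciphertext to "$3".
# `aws kms encrypt` accepts at most 4096 bytes of plaintext; a larger file
# would need envelope encryption instead, which this example does not do.
kms_encrypt_file() {
  key_id="$1"; in="$2"; out="$3"
  aws kms encrypt --key-id "$key_id" --plaintext "fileb://$in" \
      --query CiphertextBlob --output text > "$out"
}

# Encrypt every expected plaintext secret that is still present. Files that
# are already encrypted (plaintext absent) are skipped, so the function is
# safe to re-run, and the plaintext is removed only after a non-empty
# ciphertext exists on disk.
encrypt_mdm_secrets() {
  dir="$1"; key_id="$2"
  for name in $MDM_SECRET_FILES; do
    plain="$dir/$name"; enc="$plain.encrypted"
    [ -f "$plain" ] || continue
    kms_encrypt_file "$key_id" "$plain" "$enc"
    [ -s "$enc" ] || { echo "empty ciphertext for $name" >&2; return 1; }
    rm -f -- "$plain"
  done
}

# Offline pre-apply check: each expected secret exists only in encrypted
# form and each ciphertext is non-empty base64. Prints every problem found
# and returns 1 if there was any.
check_mdm_secrets() {
  dir="$1"; rc=0
  for name in $MDM_SECRET_FILES; do
    plain="$dir/$name"; enc="$plain.encrypted"
    if [ -e "$plain" ]; then
      echo "plaintext still on disk: $plain" >&2; rc=1
    fi
    if [ ! -s "$enc" ]; then
      echo "missing or empty ciphertext: $enc" >&2; rc=1
    elif ! base64 -d < "$enc" > /dev/null 2>&1; then
      echo "not valid base64: $enc" >&2; rc=1
    fi
  done
  return $rc
}

# Usage from the example directory (output name is an assumption):
#   encrypt_mdm_secrets resources "$(terraform output -raw kms_key_id)"
#   check_mdm_secrets resources && terraform apply
```

Only check_mdm_secrets runs offline; encrypt_mdm_secrets needs AWS credentials and performs a real kms:Encrypt per file. As in the README's own loop, removing the plaintext with rm does not wipe its bytes from the disk.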

Requirements

Name Version
aws 5.36.0

Providers

Name Version
aws 5.36.0

Modules

Name Source Version
acm terraform-aws-modules/acm/aws 4.3.1
firehose-logging github.com/fleetdm/fleet//terraform/addons/logging-destination-firehose tf-mod-addon-logging-destination-firehose-v1.1.0
fleet github.com/fleetdm/fleet//terraform tf-mod-root-v1.7.1
migrations github.com/fleetdm/fleet//terraform/addons/migrations tf-mod-addon-migrations-v2.0.0
osquery-carve github.com/fleetdm/fleet//terraform/addons/osquery-carve tf-mod-addon-osquery-carve-v1.0.1

Resources

Name Type
aws_route53_record.main resource
aws_route53_zone.main resource

Inputs

No inputs.

Outputs

Name Description
route53_name_servers Ensure that these records are added to the parent DNS zone. Delete this output if you switched the route53 zone above to a data source.