A Terraform module for installing Rad Security plugins

rad-security/terraform-helm-rad-security-plugins

terraform-helm-rad-security-plugins

A Terraform module for installing the Rad Security plugins.

Description

This module provides a flexible way to deploy the Rad Security plugins using Helm. It lets you enable and configure the individual components of the Rad Security suite: Guard, SBOM, Sync, Watch, Node Agent, and K9.

Features

  • Automatic cluster API key generation
  • Optional installation of cert-manager
  • Installs Rad Security plugins using Helm
  • Configurable components of the Rad Security plugins (Guard, SBOM, Sync, Watch, Node Agent, K9)

Requirements

cert-manager must be installed before the plugins. The module can install it for you: setting install_cert_manager to true deploys the cert-manager Helm chart into the cert-manager namespace. If cert-manager is already present in the cluster, or you prefer to install it another way, set install_cert_manager to false.

Usage

This module requires two providers: the rad-security provider and the helm provider.

To configure the rad-security provider, supply the Rad Security cloud API keys. Treat them as secrets: load them from variables or a secret store rather than committing them to source control as in the illustrative snippet below.

provider "rad-security" {
  access_key_id        = "YOUR_ACCESS_KEY_ID"
  secret_key           = "YOUR_SECRET_KEY"
}

The second provider is the helm provider, which needs a Kubernetes configuration. That configuration can be supplied in several ways; two examples follow.

  1. Using the config_path attribute to point at a local kubeconfig file.
  2. Providing the Kubernetes host, token, and cluster_ca_certificate directly.

Local Kubeconfig

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

AWS EKS

provider "helm" {
  kubernetes {
    host                   = module.eks_cluster.eks_cluster_endpoint
    token                  = data.aws_eks_cluster_auth.kubernetes.token
    cluster_ca_certificate = base64decode(module.eks_cluster.eks_cluster_certificate_authority_data)
  }
}

Additional Use Cases

The plugin namespace and the SBOM service account name are exported as module outputs. This makes it straightforward to bind the SBOM component to an AWS IAM role through IRSA or EKS Pod Identity, scoped to exactly that service account.

EKS Pod Identity:

resource "aws_eks_pod_identity_association" "rad_sbom" {
  cluster_name    = aws_eks_cluster.example.name
  namespace       = module.rad_plugin.rad_plugin_namespace
  service_account = module.rad_plugin.sbom_service_account_name
  role_arn        = aws_iam_role.example.arn
}

IRSA:

module "iam_assumable_role_example" {
  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version                       = "3.6.0"
  create_role                   = true
  role_name                     = local.example_role_name
  provider_url                  = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  role_policy_arns              = [aws_iam_policy.cluster_autoscaler.arn]
  oidc_fully_qualified_subjects = ["system:serviceaccount:${module.rad_plugin.rad_plugin_namespace}:${module.rad_plugin.sbom_service_account_name}"]
}

module "rad_install" {
  source = "../"
  # version = "1.0.0"

  install_cert_manager = true

  cluster_name = "Example"

  helm_settings = [{
    name  = "ksocSbom.serviceAccount.annotations.eks.amazonaws.com/role-arn"
    value = module.iam_assumable_role_example.iam_role_arn
    type  = "string"
  }]

  # file() already returns the file contents as a string; no interpolation wrapper is needed.
  plugin_configuration_file = [file("./values.yaml")]
}
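The IRSA binding above relies on a community module; the following added example (not part of this repository) shows the underlying trust policy written out, so the role can only be assumed by the SBOM service account in the module's namespace. It assumes an EKS module exposing cluster_oidc_issuer_url, an aws_iam_openid_connect_provider resource named "eks", and a placeholder scoped policy aws_iam_policy.rad_sbom_scoped.

```hcl
# Added example, not from the module's own documentation.
# Assumes: module.eks.cluster_oidc_issuer_url, aws_iam_openid_connect_provider.eks,
# and a hypothetical least-privilege policy aws_iam_policy.rad_sbom_scoped.

locals {
  # Issuer URL without the scheme, as used in IRSA condition keys.
  oidc_issuer = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
}

data "aws_iam_policy_document" "rad_sbom_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }

    # Only tokens issued for STS are accepted.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Only the SBOM service account, in the namespace the module installs into.
    # No wildcard: no other pod in the cluster can assume this role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:${module.rad_plugin.rad_plugin_namespace}:${module.rad_plugin.sbom_service_account_name}"]
    }
  }
}

resource "aws_iam_role" "rad_sbom" {
  name               = "rad-sbom-irsa"
  assume_role_policy = data.aws_iam_policy_document.rad_sbom_trust.json
}

# Attach only the permissions the SBOM component actually needs.
resource "aws_iam_role_policy_attachment" "rad_sbom" {
  role       = aws_iam_role.rad_sbom.name
  policy_arn = aws_iam_policy.rad_sbom_scoped.arn
}
```

Pass aws_iam_role.rad_sbom.arn to the chart through the same helm_settings annotation shown in the usage example. If the same module instance both supplies these outputs and receives the role ARN, Terraform will report a dependency cycle; in that case derive the namespace and service account name from your own variables rather than from the module outputs.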

Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| helm | n/a |
| rad-security | n/a |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| helm_release.cert-manager | resource |
| helm_release.plugins | resource |
| rad-security_cluster_api_key.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_name | Cluster name to use within the Rad Platform | string | "" | no |
| enable_guard | Toggles the Guard component | bool | true | no |
| enable_k9 | Toggles the K9 component | bool | false | no |
| enable_node_agent | Toggles the Node Agent component | bool | false | no |
| enable_openshift | Toggles support for OpenShift | bool | false | no |
| enable_sbom | Toggles the SBOM component | bool | true | no |
| enable_sync | Toggles the Sync component | bool | true | no |
| enable_watch | Toggles the Watch component | bool | true | no |
| helm_settings | List of Helm configuration values to set | list(object({ name = string, value = string, type = string })) | [] | no |
| install_cert_manager | Toggles the installation of cert-manager before the installation of the plugins | bool | true | no |
| plugin_configuration_file | Contents of the values.yaml file(s) to use with the Rad plugins | list(string) | [] | no |
| rad_plugin_namespace | Namespace to install the Rad Platform plugins into | string | "ksoc" | no |
| rad_plugin_version | Helm chart version to use | string | "" | no |

Outputs

| Name | Description |
|---|---|
| rad_plugin_namespace | n/a |
| sbom_service_account_name | n/a |
