From b2fba8a71cd745fdc79fa4c0e4cd026a7b22baf7 Mon Sep 17 00:00:00 2001
From: Bal Purewal
Date: Tue, 18 Feb 2025 12:17:52 +0000
Subject: [PATCH 1/3] add cis bottlerocket variables
---
 deploy/aws/infra/eks-cluster.tf | 3 +++
 deploy/aws/infra/variables.tf | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/deploy/aws/infra/eks-cluster.tf b/deploy/aws/infra/eks-cluster.tf
index 38ca533..a4be447 100644
--- a/deploy/aws/infra/eks-cluster.tf
+++ b/deploy/aws/infra/eks-cluster.tf
@@ -16,5 +16,8 @@ module "eks" {
 vpc_id = module.vpc.id
 vpc_private_subnets = module.vpc.private_subnet_ids
+ cis_bootstrap_image = var.cis_bootstrap_image
+ enable_cis_bootstrap = var.enable_cis_bootstrap
+
 tags = local.default_tags
 }
diff --git a/deploy/aws/infra/variables.tf b/deploy/aws/infra/variables.tf
index fedae06..0a15f33 100644
--- a/deploy/aws/infra/variables.tf
+++ b/deploy/aws/infra/variables.tf
@@ -142,3 +142,18 @@ variable "external_dns_namespace" {
 type = string
 description = "The Namespace that External DNS will be deployed to"
 }
+
+########################################
+# CIS Bottlerocket
+########################################
+variable "enable_cis_bootstrap" {
+ type = string
+ default = false
+ description = "If true, the EKS cluster will be bootstrapped with the CIS Bottlerocket image to ensure the OS is CIS level compliant"
+}
+
+variable "cis_bootstrap_image" {
+ type = string
+ default = "ensonostackseuweirdfmu.azurecr.io/ensono/bottlerocket-cis-bootstrap:1.1.265-amd64"
+ description = "The location of the CIS Bottlerocket image"
+}
From 3e339d204be75aa717833a8a6753655ae62692ca Mon Sep 17 00:00:00 2001
From: Bal Purewal
Date: Tue, 18 Feb 2025 12:32:01 +0000
Subject: [PATCH 2/3] set to true and check plan before applying
---
 deploy/aws/infra/variables.tf | 2 +-
 taskctl.yaml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/deploy/aws/infra/variables.tf b/deploy/aws/infra/variables.tf
index 0a15f33..0077989 100644
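Review bot: `enable_cis_bootstrap` is declared `type = string` but given a bare `false` default and described as a true/false switch, so the value handed to `module "eks"` in the eks-cluster.tf hunk is the string "false"/"true" rather than a boolean; declaring it `type = bool` lets `terraform plan` reject anything that is not a boolean and makes the module's conditional behave as the description promises. `cis_bootstrap_image` references the bootstrap container only by a mutable tag (`:1.1.265-amd64`) on an external registry; since this image runs on every worker node, pinning it by digest (`...:1.1.265-amd64@sha256:<digest-placeholder>`) or adding a `validation` block that requires an `@sha256:` suffix gives a reproducible, tamper-evident reference. The nodes will also need network reachability and pull credentials for that azurecr.io registry, which nothing in this patch provides; worth confirming the module covers it.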
--- a/deploy/aws/infra/variables.tf
+++ b/deploy/aws/infra/variables.tf
@@ -148,7 +148,7 @@ variable "external_dns_namespace" {
 ########################################
 variable "enable_cis_bootstrap" {
 type = string
- default = false
+ default = true
 description = "If true, the EKS cluster will be bootstrapped with the CIS Bottlerocket image to ensure the OS is CIS level compliant"
 }
diff --git a/taskctl.yaml b/taskctl.yaml
index 6f62306..84aa423 100644
--- a/taskctl.yaml
+++ b/taskctl.yaml
@@ -29,8 +29,6 @@ pipelines:
 - task: infra:init
 - task: infra:plan
 depends_on: infra:init
- - task: infra:apply
- depends_on: infra:plan
 helm:
 - task: infra:helm:apply
From c1cb14f7d29b7a6794bcd3978003678277543793 Mon Sep 17 00:00:00 2001
From: Bal Purewal
Date: Tue, 18 Feb 2025 12:38:14 +0000
Subject: [PATCH 3/3] apply cis changes to nonprod
---
 taskctl.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/taskctl.yaml b/taskctl.yaml
index 84aa423..6f62306 100644
--- a/taskctl.yaml
+++ b/taskctl.yaml
@@ -29,6 +29,8 @@ pipelines:
 - task: infra:init
 - task: infra:plan
 depends_on: infra:init
+ - task: infra:apply
+ depends_on: infra:plan
 helm:
 - task: infra:helm:apply
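Review bot: Flipping the default of `enable_cis_bootstrap` to `true` makes the CIS bootstrap opt-out for every environment that consumes this root module, although the series title ("apply cis changes to nonprod") reads as a per-environment rollout; keeping `default = false` and setting `enable_cis_bootstrap = true` in the nonprod tfvars leaves prod untouched until it is enabled deliberately. The variable is still `type = string`, so this default is stored as the string "true"; if the module tests it with a bool comparison or a conditional, the result may not be what the description states, and `type = bool` fixes both issues at once.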
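Review bot: The re-added `infra:apply` step runs as soon as `infra:plan` finishes, with no review or approval gate between them, so a change that is on by default (such as `enable_cis_bootstrap = true` from PATCH 2/3) reaches the cluster on the next pipeline run without anyone reading the plan output. Removing and restoring the step (PATCH 2/3 and 3/3) served as that gate here; if taskctl supports it, an explicit manual-approval or plan-artifact review task between `infra:plan` and `infra:apply` would make the check repeatable instead of a code edit. As committed, PATCH 2/3 and 3/3 cancel each other out (index 6f62306 -> 84aa423 -> 6f62306 on taskctl.yaml) and could be squashed so history does not record a no-op pair.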