Merge pull request #1273 from OWASP/fix/aws-k8s-1.29

fix: fix AWS for new EKS module and K8s 1.29
OWASP · Mar 5, 2024 · 5e93882 · 5e93882
2 parents 0f5175b + 584c3b2
commit 5e93882
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 44 deletions.
diff --git a/aws/.terraform.lock.hcl b/aws/.terraform.lock.hcl
diff --git a/aws/README.md b/aws/README.md
@@ -119,7 +119,7 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.39.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.39.1 |
 | <a name="provider_http"></a> [http](#provider\_http) | 3.4.2 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
 
@@ -162,7 +162,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.28"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.29"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags to apply to resources | `map(string)` | <pre>{<br>  "Application": "wrongsecrets"<br>}</pre> | no |
 

diff --git a/aws/iam_policy.json b/aws/iam_policy.json
@@ -38,7 +38,8 @@
                 "elasticloadbalancing:DescribeTargetGroups",
                 "elasticloadbalancing:DescribeTargetGroupAttributes",
                 "elasticloadbalancing:DescribeTargetHealth",
-                "elasticloadbalancing:DescribeTags"
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DescribeTrustStores"
             ],
             "Resource": "*"
         },

diff --git a/aws/k8s-aws-alb-script.sh b/aws/k8s-aws-alb-script.sh
@@ -24,7 +24,7 @@ fi
 ACCOUNT_ID=$(aws sts get-caller-identity | jq '.Account' -r)
 echo "ACCOUNT_ID=${ACCOUNT_ID}"
 
-LBC_VERSION="v2.5.4"
+LBC_VERSION="v2.7.1"
 echo "LBC_VERSION=$LBC_VERSION"
 
 # echo "executing eksctl utils associate-iam-oidc-provider"

diff --git a/aws/main.tf b/aws/main.tf
@@ -81,6 +81,8 @@ module "eks" {
 
   enable_irsa = true
 
+  enable_cluster_creator_admin_permissions = true
+
   eks_managed_node_group_defaults = {
     disk_size       = 50
     disk_type       = "gp3"

diff --git a/aws/variables.tf b/aws/variables.tf
@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The EKS cluster version to use"
   type        = string
-  default     = "1.28"
+  default     = "1.29"
 }
 
 variable "cluster_name" {

diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml
@@ -21,7 +21,7 @@ spec:
     metadata:
       annotations:
         vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/tls-skip-verify: 'true'
+        vault.hashicorp.com/tls-skip-verify: "true"
         vault.hashicorp.com/agent-inject-status: "update"
         vault.hashicorp.com/namespace: "default"
         vault.hashicorp.com/log-level: debug
@@ -46,7 +46,7 @@ spec:
           type: RuntimeDefault
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.4i-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.4k-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext: