This Terraform project creates a Kubernetes environment in Azure (AKS) and protects it with Check Point technologies. In this case, we use four different Terraform providers: Azure, Kubernetes, Helm, CloudGuard.
Once deployed, we will have an AKS cluster with an example application running, protected by CloudGuard CSPM, CloudGuard Workload and CloudGuard AppSec.
As per my deployments (made in France Central), this project creates all of the following in less than 10 minutes.
The project creates the following resources and combines them:
- Azure: AKS Cluster: it connects to Azure and creates a managed instance of Kubernetes (AKS) with its node pool
- Azure: DNS Zone: it creates a DNS zone in Azure which will then be used to publish the application FQDN
- K8s: Juice Shop Deployment: it deploys a Juice Shop application on the Kubernetes Cluster
- CloudGuard CSPM: Cluster Onboarding: it creates the K8s environment in the CloudGuard Portal for CSPM and Workload
- Cloudguard CSPM: Notification: it creates a notification to send the findings via mail
- Cloudguard CSPM: Continuous Compliance Policy: it creates a continuous policy with the Kubernetes Best Practice Ruleset
- Helm: CloudGuard CSPM components: it creates all the CSPM components needed in AKS using a Helm chart
- Helm: CloudGuard AppSec components: it creates all the AppSec components needed in the cluster using a Helm chart
First, you need to have a CloudGuard CSPM account, and if you don't, you can create one with these links:
- Create an account in Europe Region
- Create an account in Asia Pacific Region
- Create an account in United States Region
Then you will need to get the API credentials that you will be using with Terraform to onboard the accounts.
Remember to copy these two values! You will need to enter them in the .tfvars file later on.
You will need to use them for the Infinity Portal configuration, in the INFINITY POLICY application.
If you don't have a Portal you can create one following this link: Register
Under the Infinity Policy tab, go to "Getting Started" > "Assets" > "New Asset" > "Web Application", then follow these configuration steps:
On the profile page, copy the token! You will need to enter it in the .tfvars file later on.
The only thing that you need to do is to change the terraform.tfvars file located in this directory.
```hcl
# Set in this file your deployment variables
azure-client-id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
azure-client-secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
azure-tenant = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
azure-subscription = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
location = "France Central"
log-analytics-location = "francecentral"
mydns-zone = "<yourzone>.com"
cspm-mail = "<youremail>@<yourdomain>.com"
cspm-key-id = "xxxxxxxxxxxxxx"
cspm-key-secret = "xxxxxxxxxxxxxx"
cspm-org-unit = "xxxxxxxxxxxxxx"
# CSPM API endpoint: - for US use: 'https://api.dome9.com/v2/'
#                    - for EU use: 'https://api.eu1.dome9.com/v2/'
cspm-api-endpoint = "https://api.dome9.com/v2/"
# Where is your CSPM platform instanced? usea1 [default], euwe1, apso1
cspm-residency = "usea1"
appsec-token = "cp-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```
If you want (or need) to further customize other project details, you can change defaults in the different name-variables.tf files. Here you will also be able to find the descriptions that explain what each variable is used for.
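Because the file above holds real credentials, an easy mistake is to run `terraform apply` with a placeholder left in place, or with a `cspm-api-endpoint` that does not match `cspm-residency`. The following POSIX shell pre-flight check is an added example and not part of this project; it assumes the `key = "value"` layout shown above and only knows the US and EU endpoint mapping given in the comments (no endpoint is given here for `apso1`, so that residency is not checked). The two sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the project): pre-flight check of a terraform.tfvars
# file before running terraform plan/apply.
# Assumption: the file uses the `key = "value"` layout shown in the README.

# Print the value of one key from a tfvars file (first match, comments ignored).
tfvar_get() {
  # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the value is missing or still looks like a README placeholder
# (a run of x's or an angle-bracket token such as <yourzone>.com).
is_placeholder() {
  case "$1" in
    ""|*xxxxxxxx*|*"<"*">"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check a tfvars file: print one line per problem, return the problem count
# (0 means the file is ready for terraform plan).
check_tfvars() {
  file="$1"
  problems=0
  for key in azure-client-id azure-client-secret azure-tenant azure-subscription \
             mydns-zone cspm-mail cspm-key-id cspm-key-secret cspm-org-unit appsec-token
  do
    if is_placeholder "$(tfvar_get "$file" "$key")"; then
      echo "$key: missing or still a placeholder"
      problems=$((problems + 1))
    fi
  done

  # Endpoint/residency consistency, using the mapping from the README comments.
  endpoint="$(tfvar_get "$file" cspm-api-endpoint)"
  residency="$(tfvar_get "$file" cspm-residency)"
  case "$residency" in
    usea1) expected="https://api.dome9.com/v2/" ;;
    euwe1) expected="https://api.eu1.dome9.com/v2/" ;;
    *) expected="" ;;   # apso1 endpoint not given in the README: not checked
  esac
  if [ -n "$expected" ] && [ "$endpoint" != "$expected" ]; then
    echo "cspm-api-endpoint: $endpoint does not match residency $residency (expected $expected)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample: every value filled in, EU residency with the EU endpoint.
sample_good_tfvars() {
  cat <<'EOF'
azure-client-id = "11111111-2222-3333-4444-555555555555"
azure-client-secret = "constructed-client-secret"
azure-tenant = "66666666-7777-8888-9999-000000000000"
azure-subscription = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
location = "France Central"
mydns-zone = "example.com"
cspm-mail = "ops@example.com"
cspm-key-id = "constructed-key-id"
cspm-key-secret = "constructed-key-secret"
cspm-org-unit = "constructed-org-unit"
cspm-api-endpoint = "https://api.eu1.dome9.com/v2/"
cspm-residency = "euwe1"
appsec-token = "cp-constructed-token"
EOF
}

# Constructed sample with three problems: two placeholders and a US endpoint
# paired with EU residency.
sample_bad_tfvars() {
  sample_good_tfvars | sed \
    -e 's|^azure-client-secret = .*|azure-client-secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"|' \
    -e 's|^mydns-zone = .*|mydns-zone = "<yourzone>.com"|' \
    -e 's|^cspm-api-endpoint = .*|cspm-api-endpoint = "https://api.dome9.com/v2/"|'
}

# Demo on the constructed samples.
demo_dir="$(mktemp -d)"
sample_good_tfvars > "$demo_dir/good.tfvars"
sample_bad_tfvars > "$demo_dir/bad.tfvars"
check_tfvars "$demo_dir/good.tfvars" && echo "good.tfvars: ready"
check_tfvars "$demo_dir/bad.tfvars" || echo "bad.tfvars: $? problem(s) found"
rm -r "$demo_dir"
```

To use it against your own file, run `check_tfvars terraform.tfvars` and only proceed to `terraform plan` when it prints nothing and returns 0.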
To prepare the current working directory (and install the required providers) run:
```shell
terraform init
```
To create an execution plan (and see the changes that will be made in your environment) run:
```shell
terraform plan
```
To apply the changes required to reach the desired state (and create your environment) run:
```shell
terraform apply
```
Once the project has been applied correctly, you will receive two outputs with the FQDNs to connect to the application.
The first is the application behind AppSec; the second is the directly exposed application.
```text
Outputs:
juiceshop-protected-fqdn = "http://juiceshop-protected.<yourzone>.com"
juiceshop-unprotected-fqdn = "http://juiceshop-unprotected.<yourzone>.com"
```