├── .python-version ├── .gitignore ├── 04_dsl ├── exceptions.json ├── input │ └── mock.json └── service.rego ├── 05_zero_trust ├── identity │ ├── users.auto.tfvars │ ├── editor.tf │ ├── variables.tf │ └── .terraform.lock.hcl └── policy │ ├── test_boundary.py │ └── plan.json ├── 01_sox_compliance ├── sox_compliance_fail_01.json ├── sox_compliance_fail_02.json ├── sox_compliance_pass.json └── test_sox_compliance.py ├── 03_bdd ├── tags.feature ├── azure.feature ├── gcp.feature └── mock.json ├── 02_infrastructure_configuration ├── infrastructure.json ├── infrastructure_pass.json └── test_infrastructure_configuration.py ├── requirements.txt ├── README.md └── LICENSE /.python-version: -------------------------------------------------------------------------------- 1 | 3.9.0 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__ 2 | .pytest_cache -------------------------------------------------------------------------------- /04_dsl/exceptions.json: -------------------------------------------------------------------------------- 1 | { 2 | "exceptions": { 3 | "intentions": ["web"] 4 | } 5 | } -------------------------------------------------------------------------------- /05_zero_trust/identity/users.auto.tfvars: -------------------------------------------------------------------------------- 1 | users = { 2 | owner = ["operations"] 3 | editor = ["appdev"] 4 | editor = ["manager"] 5 | } -------------------------------------------------------------------------------- /01_sox_compliance/sox_compliance_fail_01.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "user": { 4 | "login": "team-lead" 5 | }, 6 | "state": "APPROVED" 7 | } 8 | ] -------------------------------------------------------------------------------- /03_bdd/tags.feature: -------------------------------------------------------------------------------- 1 | Feature: Tag Policies 2 | 3 | Scenario: Ensure that specific tags are defined 4 | Given I have resource that supports tags defined 5 | Then it must contain tags 6 | And its value must not be null -------------------------------------------------------------------------------- /01_sox_compliance/sox_compliance_fail_02.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "user": { 4 | "login": "team-lead" 5 | }, 6 | "state": "APPROVED" 7 | }, 8 | { 9 | "user": { 10 | "login": "team-lead" 11 | }, 12 | "state": "APPROVED" 13 | } 14 | ] -------------------------------------------------------------------------------- /01_sox_compliance/sox_compliance_pass.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "user": { 4 | "login": "team-lead" 5 | }, 6 | "state": "APPROVED" 7 | }, 8 | { 9 | "user": { 10 | "login": "product-manager" 11 | }, 12 | "state": "APPROVED" 13 | } 14 | ] 15 | -------------------------------------------------------------------------------- /02_infrastructure_configuration/infrastructure.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": [ 3 | { 4 | "mode": "managed", 5 | "type": "aws_security_group_rule", 6 | "name": "example", 7 | "instances": [ 8 | { 9 | "attributes": { 10 | "cidr_blocks": [ 11 | "0.0.0.0/0" 12 | ], 13 | "from_port": -1, 14 | "protocol": "udp", 15 | "to_port": -1, 16 | "type": "ingress" 17 | } 18 | } 19 | ] 20 | } 21 | ] 22 | } -------------------------------------------------------------------------------- /02_infrastructure_configuration/infrastructure_pass.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": [ 3 | { 4 | "mode": "managed", 5 | "type": "aws_security_group_rule", 6 | "name": "example", 7 | "instances": [ 8 | { 9 | "attributes": { 10 | "cidr_blocks": [ 11 | "172.16.0.0/16" 12 | ], 13 | "from_port": 5432, 14 | "protocol": "tcp", 15 | "to_port": 5432, 16 | "type": "ingress" 17 | } 18 | } 19 | ] 20 | } 21 | ] 22 | } -------------------------------------------------------------------------------- /03_bdd/azure.feature: -------------------------------------------------------------------------------- 1 | Feature: Azure Policies 2 | 3 | Scenario: Ensure that database firewall is not permissive 4 | Given I have azurerm_postgresql_firewall_rule defined 5 | When its start_ip_address has "0.0.0.0" 6 | And its end_ip_address has "255.255.255.255" 7 | Then it fails 8 | 9 | 10 | Scenario: Ensure database password conforms to Azure requirements (https://docs.microsoft.com/en-us/azure/postgresql/quickstart-create-server-database-portal) 11 | Given I have azurerm_postgresql_server defined 12 | When it contains administrator_login_password 13 | Then its value must match the "(^[a-zA-Z0-9\S]{8,128})" regex -------------------------------------------------------------------------------- /02_infrastructure_configuration/test_infrastructure_configuration.py: -------------------------------------------------------------------------------- 1 | import json 2 | import pytest 3 | 4 | 5 | @pytest.mark.parametrize('example', ['02_infrastructure_configuration/infrastructure.json']) 6 | def test_aws_security_group_rule_configuration(example): 7 | with open(example) as f: 8 | change = json.load(f) 9 | rule = change['resources'][0]['instances'][0]['attributes'] 10 | assert rule['type'] == "ingress", "rule should be defined as ingress" 11 | assert rule['protocol'] == "tcp", "protocol should be tcp" 12 | assert rule['to_port'] == 5432, "allow traffic to port 5432 for postgres" 13 | assert rule['from_port'] == 5432, "allow traffic from port 5432 for postgres" 14 | assert '0.0.0.0/0' not in rule['cidr_blocks'], "CIDR block should not be open" 15 | -------------------------------------------------------------------------------- /01_sox_compliance/test_sox_compliance.py: -------------------------------------------------------------------------------- 1 | import json 2 | import pytest 3 | 4 | examples = [ 5 | '01_sox_compliance/sox_compliance_pass.json', 6 | '01_sox_compliance/sox_compliance_fail_01.json', 7 | '01_sox_compliance/sox_compliance_fail_02.json' 8 | ] 9 | 10 | 11 | def check_two_different_reviewers(change): 12 | reviewers = [user['user']['login'] for user in change] 13 | return reviewers 14 | 15 | @pytest.mark.parametrize("example", examples) 16 | def test_change_should_have_two_different_reviewers(example): 17 | with open(example) as f: 18 | change = json.load(f) 19 | reviewers = check_two_different_reviewers(change) 20 | assert len(reviewers) >= 2, "you should have at least 2 reviewers" 21 | assert len(reviewers) == len(set(reviewers) 22 | ), "you should have two unique reviewers" 23 | -------------------------------------------------------------------------------- /05_zero_trust/identity/editor.tf: -------------------------------------------------------------------------------- 1 | ### GOOGLE ### 2 | 3 | resource "google_project_iam_member" "project" { 4 | project = var.project.gcp 5 | role = "roles/${var.access_mappings.editor.gcp}" 6 | member = var.user.gcp 7 | } 8 | 9 | ### AWS ### 10 | 11 | data "aws_iam_policy" "editor" { 12 | name = var.access_mappings.editor.aws 13 | } 14 | 15 | resource "aws_iam_user_policy_attachment" "attach" { 16 | user = var.user.aws 17 | policy_arn = data.aws_iam_policy.editor.arn 18 | } 19 | 20 | ### AZURE ### 21 | 22 | data "azurerm_subscription" "primary" {} 23 | 24 | data "azuread_service_principal" "user" { 25 | display_name = var.user.azure 26 | } 27 | 28 | resource "azurerm_role_assignment" "editor" { 29 | scope = data.azurerm_subscription.primary.id 30 | role_definition_name = var.access_mappings.editor.azure 31 | principal_id = data.azuread_service_principal.user.object_id 32 | } -------------------------------------------------------------------------------- /04_dsl/input/mock.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "SourceNS": "default", 4 | "SourceName": "web", 5 | "DestinationNS": "default", 6 | "DestinationName": "database", 7 | "SourceType": "consul", 8 | "Action": "allow", 9 | "Precedence": 9 10 | }, 11 | { 12 | "SourceNS": "default", 13 | "SourceName": "app", 14 | "DestinationNS": "default", 15 | "DestinationName": "database", 16 | "SourceType": "consul", 17 | "Action": "allow", 18 | "Precedence": 9 19 | }, 20 | { 21 | "SourceNS": "default", 22 | "SourceName": "web", 23 | "DestinationNS": "default", 24 | "DestinationName": "app", 25 | "SourceType": "consul", 26 | "Action": "allow", 27 | "Precedence": 9 28 | }, 29 | { 30 | "SourceNS": "default", 31 | "SourceName": "*", 32 | "DestinationNS": "default", 33 | "DestinationName": "*", 34 | "SourceType": "consul", 35 | "Action": "allow", 36 | "Precedence": 5 37 | } 38 | ] -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | appnope==0.1.2 2 | astroid==2.4.2 3 | attrs==20.3.0 4 | autopep8==1.5.7 5 | backcall==0.2.0 6 | colorful==0.5.4 7 | decorator==4.4.2 8 | diskcache==5.1.0 9 | docopt==0.6.2 10 | emoji==0.6.0 11 | filetype==1.0.7 12 | gitdb==4.0.5 13 | GitPython==3.1.11 14 | humanize==3.2.0 15 | iniconfig==1.1.1 16 | ipython==7.16.1 17 | ipython-genutils==0.2.0 18 | isort==5.7.0 19 | jedi==0.18.0 20 | junit-xml==1.9 21 | lazy-object-proxy==1.4.3 22 | lxml==4.6.2 23 | mccabe==0.6.1 24 | mock==4.0.3 25 | netaddr==0.8.0 26 | packaging==20.8 27 | parse==1.18.0 28 | parse-type==0.5.2 29 | parso==0.8.1 30 | pexpect==4.8.0 31 | pickleshare==0.7.5 32 | pluggy==0.13.1 33 | prompt-toolkit==3.0.9 34 | ptyprocess==0.7.0 35 | py==1.10.0 36 | pycodestyle==2.7.0 37 | Pygments==2.7.3 38 | pylint==2.6.0 39 | pyparsing==2.4.7 40 | pysingleton==0.2.1 41 | pytest==6.2.4 42 | radish-bdd==0.13.3 43 | semver==2.13.0 44 | six==1.15.0 45 | smmap==3.0.4 46 | tag-expressions==1.1.0 47 | terraform-compliance==1.3.8 48 | toml==0.10.2 49 | traitlets==5.0.5 50 | wcwidth==0.2.5 51 | wrapt==1.12.1 52 | -------------------------------------------------------------------------------- /05_zero_trust/identity/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = object({ 3 | gcp = string 4 | aws = string 5 | azure = string 6 | }) 7 | } 8 | 9 | variable "users" { 10 | type = object({ 11 | owner = list(string) 12 | editor = list(string) 13 | reader = list(string) 14 | }) 15 | } 16 | 17 | variable "access_mappings" { 18 | type = object({ 19 | owner = object({ 20 | gcp = string 21 | aws = string 22 | azure = string 23 | }) 24 | editor = object({ 25 | gcp = string 26 | aws = string 27 | azure = string 28 | }) 29 | reader = object({ 30 | gcp = string 31 | aws = string 32 | azure = string 33 | }) 34 | }) 35 | default = { 36 | owner = { 37 | gcp = "owner" 38 | aws = "AdministratorAccess" 39 | azure = "Owner" 40 | } 41 | editor = { 42 | gcp = "editor" 43 | aws = "SystemAdministrator" 44 | azure = "Contributor" 45 | } 46 | reader = { 47 | gcp = "reader" 48 | aws = "ReadOnlyAccess" 49 | azure = "Reader" 50 | } 51 | } 52 | } -------------------------------------------------------------------------------- /03_bdd/gcp.feature: -------------------------------------------------------------------------------- 1 | Feature: GCP Kubernetes Policies 2 | 3 | Scenario: Ensure cluster uses RBAC and not ABAC 4 | Given I have google_container_cluster defined 5 | Then its enable_legacy_abac must be "false" 6 | 7 | Scenario: Ensure cluster doesn't define username for authentication 8 | Given I have google_container_cluster defined 9 | When it contains master_auth 10 | Then its username must be "" 11 | 12 | Scenario: Ensure cluster doesn't allow password for authentication 13 | Given I have google_container_cluster defined 14 | When it contains master_auth 15 | Then its password must be "" 16 | 17 | Scenario: Ensure cluster doesn't allow client certificate for authentication 18 | Given I have google_container_cluster defined 19 | When it contains client_certificate_config 20 | Then its issue_client_certificate must be "false" 21 | 22 | @warning 23 | Scenario: Verify maximum Kubernetes cluster node count does not exceed recommended 24 | Given I have google_container_node_pool defined 25 | When it contains autoscaling 26 | And it contains max_node_count 27 | Then its value must be lesser and equal to 2 28 | 29 | Scenario: Ensure cluster only allows logging and monitoring for OAuth scopes 30 | Given I have google_container_node_pool defined 31 | When it contains node_config 32 | And it contains oauth_scopes 33 | Then its value must match the "https://www.googleapis.com/auth/logging.write|https://www.googleapis.com/auth/monitoring" regex -------------------------------------------------------------------------------- /04_dsl/service.rego: -------------------------------------------------------------------------------- 1 | package service.policies 2 | 3 | import input 4 | import data.exceptions 5 | 6 | soft_mandatory(type, elem) = true { 7 | exceptions[type][_] = elem 8 | } else = false { true } 9 | 10 | warn[msg] { 11 | num_intentions := count(input) 12 | num_intentions != 3 13 | msg = sprintf("number of intentions should be 3, currently %v", [num_intentions]) 14 | } 15 | 16 | deny[msg] { 17 | web := [intention.DestinationName | intention := input[_]; intention.SourceName == "web"] 18 | web != ["app"] 19 | not soft_mandatory("intentions", "web") 20 | msg = sprintf("traffic should only be allowed from web to app, currently web to %v", [web]) 21 | } 22 | 23 | deny[msg] { 24 | app := [intention.DestinationName | intention := input[_]; intention.SourceName == "app"] 25 | app != ["database"] 26 | not soft_mandatory("intentions", "app") 27 | msg = sprintf("traffic should only be allowed from app to database, currently app to %v", [app]) 28 | } 29 | 30 | deny[msg] { 31 | sources := [intention.SourceName | intention := input[_]; intention.DestinationName == "database"] 32 | sources != ["app"] 33 | not soft_mandatory("intentions", "database") 34 | msg = sprintf("traffic should only be allowed from app to database, currently %v to database", [sources]) 35 | } 36 | 37 | deny[msg] { 38 | actions := [intention.Action | intention := input[_]; intention.SourceName == "*"] 39 | actions != ["deny"] 40 | not soft_mandatory("intentions", "*") 41 | msg = sprintf("intention should deny all other traffic by default, currently %v", [actions]) 42 | } -------------------------------------------------------------------------------- /05_zero_trust/policy/test_boundary.py: -------------------------------------------------------------------------------- 1 | import json 2 | import pytest 3 | 4 | PLAN_FILE = './plan.json' 5 | 6 | 7 | @pytest.fixture 8 | def resources(): 9 | with open(PLAN_FILE, 'r') as f: 10 | plan = json.load(f) 11 | return plan['planned_values']['root_module']['resources'] 12 | 13 | 14 | @pytest.fixture 15 | def boundary_roles(resources): 16 | roles = [] 17 | for resource in resources: 18 | if resource['type'] == 'boundary_role': 19 | roles.append(resource) 20 | return roles 21 | 22 | 23 | @pytest.fixture 24 | def boundary_groups(resources): 25 | groups = [] 26 | for resource in resources: 27 | if resource['type'] == 'boundary_group': 28 | groups.append(resource) 29 | return groups 30 | 31 | 32 | def test_global_login_allows_auth( 33 | boundary_roles): 34 | GLOBAL_LOGIN_GRANTS = set([ 35 | 'id=*;type=auth-method;actions=list,authenticate', 36 | 'type=scope;actions=list', 37 | 'id={{account.id}};actions=read,change-password' 38 | ]) 39 | for role in boundary_roles: 40 | if role['name'] == 'global_anon_listing': 41 | assert set(role['values']['grant_strings']) \ 42 | == GLOBAL_LOGIN_GRANTS 43 | 44 | 45 | def test_only_operations_has_admin( 46 | boundary_roles, boundary_groups): 47 | OPERATIONS_TEAM = 'operations_team' 48 | for role in boundary_roles: 49 | if role['name'] == 'project_admin': 50 | principal_ids = \ 51 | role['values']['principal_ids'] 52 | for group in boundary_groups: 53 | if group['values']['id'] in principal_ids: 54 | assert group['name'] == OPERATIONS_TEAM 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Policy as Code 2 | 3 | This is a repository with examples for an O'Reilly Live Training. 4 | 5 | Examples are labeled numerically in order by which they appear 6 | in the training. 7 | 8 | There are a few different tools demonstrated: 9 | 10 | 1. Python 3 (test framework: pytest) 11 | 1. Install Python 3 12 | 1. Run `pip3 install -r requirements.txt` 13 | 1. Run `pytest -v` to check you installed the Python testing framework. 14 | 15 | 1. `terraform-compliance` v1.3.8 16 | 17 | 1. Open Policy Agent v0.25.2 18 | 19 | ## Python native testing 20 | 21 | You can run exercise 1 and 2 using `pytest`. Both exercises 22 | fail by default. 23 | 24 | ```shell 25 | $ pytest 01_sox_compliance 26 | 27 | 2 failed, 1 passed in 0.11s 28 | ``` 29 | 30 | ```shell 31 | $ pytest 02_infrastructure_configuration 32 | 33 | 1 failed in 0.22s 34 | ``` 35 | 36 | ## BDD-style Policy Frameworks 37 | 38 | When you run `terraform-compliance` via CLI, you will get failing scenarios. 39 | Correct `03_bdd/mock.json` until your tests pass! 40 | 41 | ```shell 42 | $ terraform-compliance --planfile 03_bdd/mock.json --features 03_bdd 43 | 44 | 3 features (0 passed, 3 failed) 45 | 9 scenarios (5 passed, 4 failed) 46 | ``` 47 | 48 | ## Open Policy Agent 49 | 50 | In this example, you parse the output of the Consul Intentions API. Intentions 51 | allow and deny network traffic between services, in this case a web service, app service, 52 | and a database. 53 | 54 | When you run OPA via CLI, you will get failures. 55 | Correct `mock.json` until the tests pass. 56 | 57 | ```shell 58 | $ opa eval --format pretty -i 04_dsl/input/mock.json -d 04_dsl "data.service.policies" 59 | 60 | { 61 | "deny": [ 62 | "traffic should only be allowed from web to app, currently web to [\"database\", \"app\"]", 63 | "intention should deny all other traffic by default, currently [\"allow\"]", 64 | "number of intentions should be 3, currently 4" 65 | ] 66 | } 67 | ``` -------------------------------------------------------------------------------- /05_zero_trust/identity/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.52.0" 6 | hashes = [ 7 | "h1:Fy/potyWfS8NVumHqWi6STgaQUX66diUmgZDfFNBeXU=", 8 | "zh:04a4f8a1b34292fd6a72c1efe03f6f10186ecbdc318df36d462d0be1c21ce72d", 9 | "zh:0601006f14f437489902555720dd8fb4e67450356438bab64b61cf6d0e1af681", 10 | "zh:14214e996b8db0a2038b74a2ddbea7356b3e53f73003cde2c9069294d9a6c421", 11 | "zh:17d1ecc280d776271b0fc0fd6a4033933be8e67eb6a39b7bfb3c242cd218645f", 12 | "zh:247ae4bc3b52fba96ed1593e7b23d62da0d2c99498fc0d968fcf28020df3c3aa", 13 | "zh:2e0432fabeb5e44d756a5566168768f1b6dea3cc0e5650fac966820e90d18367", 14 | "zh:34f6f95b88c5d8c105d9a3b7d2712e7df1181948bfbef33bb6a87d7a77c20c0d", 15 | "zh:3de6bf02b9499bf8dc13843da72a03db5ae8188b8157f0e7b3d5bf1d7cd1ac8b", 16 | "zh:43198a223ea6d6dfb82deac62b29181c3be18dc77b9ef9f8d44c32b08e44ea5c", 17 | "zh:a7de44c9445c100a2823c371df03fcaa9ecb1642750ccdc02294fa6cd1095859", 18 | "zh:c3c44bd07e5b6cdb776ff674e39feb708ba3ee3d0dff2c88d1d5db323094d942", 19 | ] 20 | } 21 | 22 | provider "registry.terraform.io/hashicorp/azuread" { 23 | version = "1.6.0" 24 | hashes = [ 25 | "h1:+8Cs8ACb9DnDF8lw8pPLlsGxw+QW5fyjG6H6kszCavU=", 26 | "zh:0db70045a464d325fdb3d71809f0467844c3e2fcf1349e568bc51ad5035c99d9", 27 | "zh:3629f1d7b4eba48d744b24c7cf7fe878d5ef5910a36b525507bd3d588010ccec", 28 | "zh:5a73a45b6d1ff353810cc9b00d7c90a2fb328ba0a9ef3d24392b1500fb98741a", 29 | "zh:7a6a9c390cf1bf752321abb8d0643c9f623e8c2ad871dfb378d64c9d90fada2d", 30 | "zh:7d6de55d326b046dabc16bd7b655f008ff780c36ffc884b139a7c7da37b446d5", 31 | "zh:8d725c618396ccae290e411296c892e08e776c3e9e5a82b0ef1f633a917146ec", 32 | "zh:a206d1d8042bf66ca12b97334bbd6fcdf12fd6131f8cb4547c82b9fa7a701612", 33 | "zh:b03ab4ff07dcb5ed8be8b0619c6ec9fb0da0c83594ccb0a1bff72f346083b530", 34 | "zh:b6131f9d438b340a4016c770b569139ec7ac2532358a8ab783234e8c93d141d5", 35 | "zh:ce9372d38e9e62accfd54f4669753000d3dcbae4b45686d74630eb63eb879f37", 36 | "zh:df9a607c333d464d8bdeb248b1ff41e493c1d0661453a1e1ce396b89952a74ee", 37 | ] 38 | } 39 | 40 | provider "registry.terraform.io/hashicorp/azurerm" { 41 | version = "2.70.0" 42 | hashes = [ 43 | "h1:DKWFjv0qSCA3MXHOUpLDnLD6jsXEFDv00pGz6mZ6178=", 44 | "zh:0a6d23a9831e00015ed61670264ddd9b1821b6933d8e11ba14cbb92c59f52bd3", 45 | "zh:1289692c8c06ddb4e55f0b0e92455118ce9d474131864e55307e851316685738", 46 | "zh:307e60c9ec348257bf1b5d76da9c63524199e0e95c01e78a28a9a2a5b9745001", 47 | "zh:38d7a006d03639df0a3c12b8df938b8715a3475fc8387e5750c844bc15644df9", 48 | "zh:3d0e2cfe276530d2e65aa6b303355c5222ef9d8e704f817361f7cb0ed9fd027f", 49 | "zh:704a57e9f3368fcae408e7c57a2b1c48a73b4e23b2205291e84780a78f4d0b3e", 50 | "zh:710b18d1cda476fb88461c7c946fbca7f944df90666a43b6df4c21de90fbf0b7", 51 | "zh:73174623687da01b7b7717ab0bf22cde921ac07842cf4301f702c9e676b59177", 52 | "zh:769868fe674c19ad851ef412987110efa86b3f2d53e092a3212f38b56027c6de", 53 | "zh:786e428fb2bbb0cad2b899a7ad0d8c7a4bc28cf007ab079ad801a81149c3e978", 54 | "zh:9847effeb71d43b04638f8d5b1b14d7c0ac4ea22aee71009529dbfe750b8898d", 55 | ] 56 | } 57 | 58 | provider "registry.terraform.io/hashicorp/google" { 59 | version = "3.78.0" 60 | hashes = [ 61 | "h1:Seut9gKb/KzzUMxa9Qo59LRWcgURfBWMarqNTRjxnXE=", 62 | "zh:027971c4689b6130619827fe57ce260aaca060db3446817d3a92869dba7cc07f", 63 | "zh:0876dbecc0d441bf2479edd17fe9141d77274b5071ea5f68ac26a2994bff66f3", 64 | "zh:2a5363ed6b1b880f5284e604567cfdabecca809584c30bbe7f19ff568d1ea4cd", 65 | "zh:2f5af69b70654bda91199f6393253e3e479107deebfeddc3fe5850b3a1e83dfb", 66 | "zh:52e6816ef11f5f799a6626dfff384e2153b37450d8320f1ef1eee8f71a2a87b2", 67 | "zh:59ae534607db13db35c0015c06d1ae6d4886f01f7e8fd4e07bc120236a01c494", 68 | "zh:65ab2ed1746ea02d0b1bbd8a22ff3a95d09dc8bdb3841fbc17e45e9feccfb327", 69 | "zh:877a71d24ff65ede3f0c5973168acfeaea0f2fea3757cab5600efcddfd3171d5", 70 | "zh:8b10c9643a4a53148f6758bfd60804b33c2b838482f2c39ed210b729e6b1e2e8", 71 | "zh:ba682648d9f6c11a6d04a250ac79eec39271f615f3ff60c5ae73ebfcc2cdb450", 72 | "zh:e946561921e0279450e9b9f705de9354ce35562ed4cc0d4cd3512aa9eb1f6486", 73 | ] 74 | } 75 | -------------------------------------------------------------------------------- /03_bdd/mock.json: -------------------------------------------------------------------------------- 1 | {"format_version":"0.1","terraform_version":"0.14.0","variables":{"azure":{"value":{"location":"Central US"}},"db_password":{"value":"Testing!123"},"db_username":{"value":"postgres"},"gcp":{"value":{"location":"us-central1-f","project":"my-project"}},"service":{"value":"demoapp"}},"planned_values":{"outputs":{"cluster_name":{"sensitive":false,"value":"demoapp"},"db_endpoint":{"sensitive":false},"db_name":{"sensitive":false,"value":"demoapp"},"db_password":{"sensitive":true,"value":"Testing!123"},"db_server":{"sensitive":false,"value":"demoapp-postgres-server"},"db_username":{"sensitive":true,"value":"postgres"},"google_location":{"sensitive":false,"value":"us-central1-f"}},"root_module":{"child_modules":[{"resources":[{"address":"module.database.azurerm_postgresql_database.example","mode":"managed","type":"azurerm_postgresql_database","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","schema_version":0,"values":{"charset":"UTF8","collation":"English_United States.1252","name":"demoapp","resource_group_name":"demoapp","server_name":"demoapp-postgres-server","timeouts":null}},{"address":"module.database.azurerm_postgresql_firewall_rule.example","mode":"managed","type":"azurerm_postgresql_firewall_rule","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","schema_version":0,"values":{"end_ip_address":"255.255.255.255","name":"demoapp","resource_group_name":"demoapp","server_name":"demoapp-postgres-server","start_ip_address":"0.0.0.0","timeouts":null}},{"address":"module.database.azurerm_postgresql_server.example","mode":"managed","type":"azurerm_postgresql_server","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","schema_version":0,"values":{"administrator_login":"postgres","administrator_login_password":"Testing!123","create_mode":"Default","creation_source_server_id":null,"identity":[],"infrastructure_encryption_enabled":null,"location":"centralus","name":"demoapp-postgres-server","public_network_access_enabled":true,"resource_group_name":"demoapp","restore_point_in_time":null,"sku_name":"B_Gen5_2","ssl_enforcement":"Enabled","ssl_enforcement_enabled":null,"ssl_minimal_tls_version_enforced":"TLSEnforcementDisabled","storage_profile":[{"backup_retention_days":7,"geo_redundant_backup":"Disabled","storage_mb":5120}],"tags":null,"threat_detection_policy":[],"timeouts":null,"version":"11"}},{"address":"module.database.azurerm_resource_group.example","mode":"managed","type":"azurerm_resource_group","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","schema_version":0,"values":{"location":"centralus","name":"demoapp","tags":null,"timeouts":null}}],"address":"module.database"},{"resources":[{"address":"module.kubernetes.google_container_cluster.engineering","mode":"managed","type":"google_container_cluster","name":"engineering","provider_name":"registry.terraform.io/hashicorp/google-beta","schema_version":1,"values":{"description":null,"enable_binary_authorization":false,"enable_intranode_visibility":false,"enable_kubernetes_alpha":false,"enable_legacy_abac":false,"enable_shielded_nodes":false,"enable_tpu":false,"initial_node_count":1,"ip_allocation_policy":[],"location":"us-central1-f","maintenance_policy":[],"master_auth":[{"client_certificate_config":[{"issue_client_certificate":false}],"password":"Testing!123","username":"admin"}],"master_authorized_networks_config":[],"min_master_version":null,"name":"demoapp","network":"default","pod_security_policy_config":[],"private_cluster_config":[],"remove_default_node_pool":true,"resource_labels":null,"resource_usage_export_config":[],"timeouts":null,"vertical_pod_autoscaling":[],"workload_identity_config":[]}},{"address":"module.kubernetes.google_container_node_pool.engineering_preemptible_nodes","mode":"managed","type":"google_container_node_pool","name":"engineering_preemptible_nodes","provider_name":"registry.terraform.io/hashicorp/google-beta","schema_version":1,"values":{"autoscaling":[{"max_node_count":3,"min_node_count":1}],"cluster":"demoapp","location":"us-central1-f","name":"demoapp-node-pool","node_config":[{"boot_disk_kms_key":null,"kubelet_config":[],"linux_node_config":[],"machine_type":"n1-standard-1","metadata":{"disable-legacy-endpoints":"true"},"min_cpu_platform":null,"oauth_scopes":["https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring"],"preemptible":true,"sandbox_config":[],"tags":null}],"node_count":1,"timeouts":null}}],"address":"module.kubernetes"}]}},"resource_changes":[{"address":"module.database.azurerm_postgresql_database.example","module_address":"module.database","mode":"managed","type":"azurerm_postgresql_database","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","change":{"actions":["create"],"before":null,"after":{"charset":"UTF8","collation":"English_United States.1252","name":"demoapp","resource_group_name":"demoapp","server_name":"demoapp-postgres-server","timeouts":null},"after_unknown":{"id":true}}},{"address":"module.database.azurerm_postgresql_firewall_rule.example","module_address":"module.database","mode":"managed","type":"azurerm_postgresql_firewall_rule","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","change":{"actions":["create"],"before":null,"after":{"end_ip_address":"255.255.255.255","name":"demoapp","resource_group_name":"demoapp","server_name":"demoapp-postgres-server","start_ip_address":"0.0.0.0","timeouts":null},"after_unknown":{"id":true}}},{"address":"module.database.azurerm_postgresql_server.example","module_address":"module.database","mode":"managed","type":"azurerm_postgresql_server","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","change":{"actions":["create"],"before":null,"after":{"administrator_login":"postgres","administrator_login_password":"Testing!123","create_mode":"Default","creation_source_server_id":null,"identity":[],"infrastructure_encryption_enabled":null,"location":"centralus","name":"demoapp-postgres-server","public_network_access_enabled":true,"resource_group_name":"demoapp","restore_point_in_time":null,"sku_name":"B_Gen5_2","ssl_enforcement":"Enabled","ssl_enforcement_enabled":null,"ssl_minimal_tls_version_enforced":"TLSEnforcementDisabled","storage_profile":[{"backup_retention_days":7,"geo_redundant_backup":"Disabled","storage_mb":5120}],"tags":null,"threat_detection_policy":[],"timeouts":null,"version":"11"},"after_unknown":{"auto_grow_enabled":true,"backup_retention_days":true,"fqdn":true,"geo_redundant_backup_enabled":true,"id":true,"identity":[],"storage_mb":true,"storage_profile":[{"auto_grow":true}],"threat_detection_policy":[]}}},{"address":"module.database.azurerm_resource_group.example","module_address":"module.database","mode":"managed","type":"azurerm_resource_group","name":"example","provider_name":"registry.terraform.io/hashicorp/azurerm","change":{"actions":["create"],"before":null,"after":{"location":"centralus","name":"demoapp","tags":null,"timeouts":null},"after_unknown":{"id":true}}},{"address":"module.kubernetes.google_container_cluster.engineering","module_address":"module.kubernetes","mode":"managed","type":"google_container_cluster","name":"engineering","provider_name":"registry.terraform.io/hashicorp/google-beta","change":{"actions":["create"],"before":null,"after":{"description":null,"enable_binary_authorization":false,"enable_intranode_visibility":false,"enable_kubernetes_alpha":false,"enable_legacy_abac":false,"enable_shielded_nodes":false,"enable_tpu":false,"initial_node_count":1,"ip_allocation_policy":[],"location":"us-central1-f","maintenance_policy":[],"master_auth":[{"client_certificate_config":[{"issue_client_certificate":false}],"password":"Testing!123","username":"admin"}],"master_authorized_networks_config":[],"min_master_version":null,"name":"demoapp","network":"default","pod_security_policy_config":[],"private_cluster_config":[],"remove_default_node_pool":true,"resource_labels":null,"resource_usage_export_config":[],"timeouts":null,"vertical_pod_autoscaling":[],"workload_identity_config":[]},"after_unknown":{"addons_config":true,"authenticator_groups_config":true,"cluster_autoscaling":true,"cluster_ipv4_cidr":true,"cluster_telemetry":true,"confidential_nodes":true,"database_encryption":true,"datapath_provider":true,"default_max_pods_per_node":true,"default_snat_status":true,"endpoint":true,"id":true,"instance_group_urls":true,"ip_allocation_policy":[],"label_fingerprint":true,"logging_service":true,"maintenance_policy":[],"master_auth":[{"client_certificate":true,"client_certificate_config":[{}],"client_key":true,"cluster_ca_certificate":true}],"master_authorized_networks_config":[],"master_version":true,"monitoring_service":true,"network_policy":true,"networking_mode":true,"node_config":true,"node_locations":true,"node_pool":true,"node_version":true,"notification_config":true,"operation":true,"pod_security_policy_config":[],"private_cluster_config":[],"project":true,"release_channel":true,"resource_usage_export_config":[],"self_link":true,"services_ipv4_cidr":true,"subnetwork":true,"tpu_ipv4_cidr_block":true,"vertical_pod_autoscaling":[],"workload_identity_config":[]}}},{"address":"module.kubernetes.google_container_node_pool.engineering_preemptible_nodes","module_address":"module.kubernetes","mode":"managed","type":"google_container_node_pool","name":"engineering_preemptible_nodes","provider_name":"registry.terraform.io/hashicorp/google-beta","change":{"actions":["create"],"before":null,"after":{"autoscaling":[{"max_node_count":3,"min_node_count":1}],"cluster":"demoapp","location":"us-central1-f","name":"demoapp-node-pool","node_config":[{"boot_disk_kms_key":null,"kubelet_config":[],"linux_node_config":[],"machine_type":"n1-standard-1","metadata":{"disable-legacy-endpoints":"true"},"min_cpu_platform":null,"oauth_scopes":["https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring"],"preemptible":true,"sandbox_config":[],"tags":null}],"node_count":1,"timeouts":null},"after_unknown":{"autoscaling":[{}],"id":true,"initial_node_count":true,"instance_group_urls":true,"management":true,"max_pods_per_node":true,"name_prefix":true,"node_config":[{"disk_size_gb":true,"disk_type":true,"guest_accelerator":true,"image_type":true,"kubelet_config":[],"labels":true,"linux_node_config":[],"local_ssd_count":true,"metadata":{},"oauth_scopes":[false,false],"sandbox_config":[],"service_account":true,"shielded_instance_config":true,"taint":true,"workload_metadata_config":true}],"node_locations":true,"project":true,"upgrade_settings":true,"version":true}}}],"output_changes":{"cluster_name":{"actions":["create"],"before":null,"after":"demoapp","after_unknown":false},"db_endpoint":{"actions":["create"],"before":null,"after_unknown":true},"db_name":{"actions":["create"],"before":null,"after":"demoapp","after_unknown":false},"db_password":{"actions":["create"],"before":null,"after":"Testing!123","after_unknown":false},"db_server":{"actions":["create"],"before":null,"after":"demoapp-postgres-server","after_unknown":false},"db_username":{"actions":["create"],"before":null,"after":"postgres","after_unknown":false},"google_location":{"actions":["create"],"before":null,"after":"us-central1-f","after_unknown":false}},"prior_state":{"format_version":"0.1","terraform_version":"0.14.0","values":{"outputs":{"cluster_name":{"sensitive":false,"value":"demoapp"},"db_name":{"sensitive":false,"value":"demoapp"},"db_password":{"sensitive":true,"value":"Testing!123"},"db_server":{"sensitive":false,"value":"demoapp-postgres-server"},"db_username":{"sensitive":true,"value":"postgres"},"google_location":{"sensitive":false,"value":"us-central1-f"}},"root_module":{}}},"configuration":{"provider_config":{"azurerm":{"name":"azurerm","version_constraint":"~\u003e 2.0","expressions":{"features":[{}]}},"google":{"name":"google","version_constraint":"~\u003e 3.10","expressions":{"project":{"references":["var.gcp"]}}},"google-beta":{"name":"google-beta","version_constraint":"~\u003e 3.12","expressions":{"project":{"references":["var.gcp"]}}}},"root_module":{"outputs":{"cluster_name":{"expression":{"references":["var.service"]}},"db_endpoint":{"expression":{"references":["module.database.endpoint"]}},"db_name":{"expression":{"references":["module.database.name"]}},"db_password":{"sensitive":true,"expression":{"references":["var.db_password"]}},"db_server":{"expression":{"references":["module.database.server"]}},"db_username":{"sensitive":true,"expression":{"references":["var.db_username"]}},"google_location":{"expression":{"references":["var.gcp"]}}},"module_calls":{"database":{"source":"./azure_db","expressions":{"location":{"references":["var.azure"]},"name":{"references":["var.service"]},"password":{"references":["var.db_password"]},"username":{"references":["var.db_username"]}},"module":{"outputs":{"endpoint":{"expression":{"references":["azurerm_postgresql_server.example"]}},"name":{"expression":{"references":["azurerm_postgresql_database.example"]}},"server":{"expression":{"references":["azurerm_postgresql_server.example"]}}},"resources":[{"address":"azurerm_postgresql_database.example","mode":"managed","type":"azurerm_postgresql_database","name":"example","provider_config_key":"database:azurerm","expressions":{"charset":{"constant_value":"UTF8"},"collation":{"constant_value":"English_United States.1252"},"name":{"references":["var.name"]},"resource_group_name":{"references":["azurerm_resource_group.example"]},"server_name":{"references":["azurerm_postgresql_server.example"]}},"schema_version":0},{"address":"azurerm_postgresql_firewall_rule.example","mode":"managed","type":"azurerm_postgresql_firewall_rule","name":"example","provider_config_key":"database:azurerm","expressions":{"end_ip_address":{"constant_value":"255.255.255.255"},"name":{"references":["var.name"]},"resource_group_name":{"references":["azurerm_resource_group.example"]},"server_name":{"references":["azurerm_postgresql_server.example"]},"start_ip_address":{"constant_value":"0.0.0.0"}},"schema_version":0},{"address":"azurerm_postgresql_server.example","mode":"managed","type":"azurerm_postgresql_server","name":"example","provider_config_key":"database:azurerm","expressions":{"administrator_login":{"references":["var.username"]},"administrator_login_password":{"references":["var.password"]},"location":{"references":["azurerm_resource_group.example"]},"name":{"references":["var.name"]},"resource_group_name":{"references":["azurerm_resource_group.example"]},"sku_name":{"constant_value":"B_Gen5_2"},"ssl_enforcement":{"constant_value":"Enabled"},"storage_profile":[{"backup_retention_days":{"constant_value":7},"geo_redundant_backup":{"constant_value":"Disabled"},"storage_mb":{"constant_value":5120}}],"version":{"constant_value":"11"}},"schema_version":0},{"address":"azurerm_resource_group.example","mode":"managed","type":"azurerm_resource_group","name":"example","provider_config_key":"database:azurerm","expressions":{"location":{"references":["var.location"]},"name":{"references":["var.name"]}},"schema_version":0}],"variables":{"location":{"description":"Azure region"},"name":{"description":"Name of database and server"},"password":{"description":"Database password"},"username":{"description":"Database username"}}}},"kubernetes":{"source":"./gcp_k8s","expressions":{"cluster_name":{"references":["var.service"]},"google_project":{"references":["var.gcp"]},"location":{"references":["var.gcp"]},"password":{"references":["var.db_password"]},"username":{"constant_value":"admin"}},"module":{"resources":[{"address":"google_container_cluster.engineering","mode":"managed","type":"google_container_cluster","name":"engineering","provider_config_key":"kubernetes:google-beta","expressions":{"initial_node_count":{"constant_value":1},"location":{"references":["var.location"]},"master_auth":[{"client_certificate_config":[{"issue_client_certificate":{"constant_value":false}}],"password":{"references":["var.password"]},"username":{"references":["var.username"]}}],"name":{"references":["var.cluster_name"]},"remove_default_node_pool":{"constant_value":true}},"schema_version":1},{"address":"google_container_node_pool.engineering_preemptible_nodes","mode":"managed","type":"google_container_node_pool","name":"engineering_preemptible_nodes","provider_config_key":"kubernetes:google-beta","expressions":{"autoscaling":[{"max_node_count":{"constant_value":3},"min_node_count":{"constant_value":1}}],"cluster":{"references":["google_container_cluster.engineering"]},"location":{"references":["var.location"]},"name":{"references":["var.cluster_name"]},"node_config":[{"machine_type":{"constant_value":"n1-standard-1"},"metadata":{"constant_value":{"disable-legacy-endpoints":"true"}},"oauth_scopes":{"constant_value":["https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring"]},"preemptible":{"constant_value":true}}],"node_count":{"constant_value":1}},"schema_version":1}],"variables":{"cluster_name":{"description":"Name of cluster"},"google_project":{"description":"Google project to deploy cluster"},"location":{"description":"Google region to deploy cluster"},"password":{"default":"","description":"password for cluster"},"username":{"default":"","description":"username for cluster"}}}}},"variables":{"azure":{"default":{"location":""}},"db_password":{},"db_username":{},"gcp":{"default":{"location":"","project":""}},"service":{}}}}} 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | -------------------------------------------------------------------------------- /05_zero_trust/policy/plan.json: -------------------------------------------------------------------------------- 1 | { 2 | "planned_values": { 3 | "outputs": { 4 | "boundary_auth_method_id": { 5 | "sensitive": false, 6 | "value": "ampw_ePAfzW6AYk" 7 | }, 8 | "boundary_endpoint": { 9 | "sensitive": false, 10 | "value": "http://zero-controller-mutt-145356253.us-east-2.elb.amazonaws.com:9200" 11 | }, 12 | "boundary_operations_password": { 13 | "sensitive": true, 14 | "value": "REDACTED_SENSITIVE" 15 | }, 16 | "boundary_products_password": { 17 | "sensitive": true, 18 | "value": "REDACTED_SENSITIVE" 19 | }, 20 | "boundary_target_eks": { 21 | "sensitive": false, 22 | "value": "ttcp_jwREIXrmDA" 23 | }, 24 | "boundary_target_frontend": { 25 | "sensitive": false, 26 | "value": "" 27 | }, 28 | "boundary_target_postgres": { 29 | "sensitive": false, 30 | "value": "ttcp_fTABul4BSY" 31 | } 32 | }, 33 | "root_module": { 34 | "resources": [ 35 | { 36 | "address": "boundary_account.leadership_user_acct[\"manager\"]", 37 | "index": "manager", 38 | "mode": "managed", 39 | "name": "leadership_user_acct", 40 | "provider_name": "registry.terraform.io/hashicorp/boundary", 41 | "schema_version": 0, 42 | "sensitive_values": {}, 43 | "type": "boundary_account", 44 | "values": { 45 | "auth_method_id": "ampw_ePAfzW6AYk", 46 | "description": "User account for manager", 47 | "id": "acctpw_Dq9PcQCYAy", 48 | "login_name": "manager", 49 | "name": "manager", 50 | "password": "foofoofoo", 51 | "type": "password" 52 | } 53 | }, 54 | { 55 | "address": "boundary_account.operations_user_acct[\"ops\"]", 56 | "index": "ops", 57 | "mode": "managed", 58 | "name": "operations_user_acct", 59 | "provider_name": "registry.terraform.io/hashicorp/boundary", 60 | "schema_version": 0, 61 | "sensitive_values": { 62 | "password": true 63 | }, 64 | "type": "boundary_account", 65 | "values": { 66 | "auth_method_id": "ampw_ePAfzW6AYk", 67 | "description": "User account for ops", 68 | "id": "acctpw_LA07Vmkasq", 69 | "login_name": "ops", 70 | "name": "ops", 71 | "password": "REDACTED_SENSITIVE", 72 | "type": "password" 73 | } 74 | }, 75 | { 76 | "address": "boundary_account.products_user_acct[\"appdev\"]", 77 | "index": "appdev", 78 | "mode": "managed", 79 | "name": "products_user_acct", 80 | "provider_name": "registry.terraform.io/hashicorp/boundary", 81 | "schema_version": 0, 82 | "sensitive_values": { 83 | "password": true 84 | }, 85 | "type": "boundary_account", 86 | "values": { 87 | "auth_method_id": "ampw_ePAfzW6AYk", 88 | "description": "User account for appdev", 89 | "id": "acctpw_87tgbiQEvu", 90 | "login_name": "appdev", 91 | "name": "appdev", 92 | "password": "REDACTED_SENSITIVE", 93 | "type": "password" 94 | } 95 | }, 96 | { 97 | "address": "boundary_auth_method.password", 98 | "mode": "managed", 99 | "name": "password", 100 | "provider_name": "registry.terraform.io/hashicorp/boundary", 101 | "schema_version": 0, 102 | "sensitive_values": {}, 103 | "type": "boundary_auth_method", 104 | "values": { 105 | "description": "Password auth method for Corp org", 106 | "id": "ampw_ePAfzW6AYk", 107 | "min_login_name_length": 3, 108 | "min_password_length": 8, 109 | "name": "corp_password_auth_method", 110 | "scope_id": "o_t0QCJQwZTb", 111 | "type": "password" 112 | } 113 | }, 114 | { 115 | "address": "boundary_group.leadership", 116 | "mode": "managed", 117 | "name": "leadership", 118 | "provider_name": "registry.terraform.io/hashicorp/boundary", 119 | "schema_version": 0, 120 | "sensitive_values": { 121 | "member_ids": [ 122 | false 123 | ] 124 | }, 125 | "type": "boundary_group", 126 | "values": { 127 | "description": "Organization group for leadership team", 128 | "id": "g_4Hgtx9vh5U", 129 | "member_ids": [ 130 | "u_bbeqHylc1I" 131 | ], 132 | "name": "leadership_team", 133 | "scope_id": "o_t0QCJQwZTb" 134 | } 135 | }, 136 | { 137 | "address": "boundary_group.operations_team", 138 | "mode": "managed", 139 | "name": "operations_team", 140 | "provider_name": "registry.terraform.io/hashicorp/boundary", 141 | "schema_version": 0, 142 | "sensitive_values": { 143 | "member_ids": [ 144 | false 145 | ] 146 | }, 147 | "type": "boundary_group", 148 | "values": { 149 | "description": "Operations team group", 150 | "id": "g_7RM2jGyYaW", 151 | "member_ids": [ 152 | "u_429i2oSGHx" 153 | ], 154 | "name": "operations", 155 | "scope_id": "p_Wm0QdQfo3B" 156 | } 157 | }, 158 | { 159 | "address": "boundary_group.products_team", 160 | "mode": "managed", 161 | "name": "products_team", 162 | "provider_name": "registry.terraform.io/hashicorp/boundary", 163 | "schema_version": 0, 164 | "sensitive_values": { 165 | "member_ids": [ 166 | false 167 | ] 168 | }, 169 | "type": "boundary_group", 170 | "values": { 171 | "description": "Products team group", 172 | "id": "g_bTOy0vI7Pn", 173 | "member_ids": [ 174 | "u_7f70Kc9YQ8" 175 | ], 176 | "name": "products", 177 | "scope_id": "p_ziYr7jV1zt" 178 | } 179 | }, 180 | { 181 | "address": "boundary_host.consul", 182 | "mode": "managed", 183 | "name": "consul", 184 | "provider_name": "registry.terraform.io/hashicorp/boundary", 185 | "schema_version": 0, 186 | "sensitive_values": {}, 187 | "type": "boundary_host", 188 | "values": { 189 | "address": "zero.private.consul.11eaeb92-853e-2d98-8405-0242ac110009.aws.hashicorp.cloud", 190 | "description": "HCP Consul Endpoint", 191 | "host_catalog_id": "hcst_dZNxaEN3hB", 192 | "id": "hst_UderMyTdt5", 193 | "name": "hcp_consul", 194 | "type": "static" 195 | } 196 | }, 197 | { 198 | "address": "boundary_host.eks_nodes[\"10.0.1.209\"]", 199 | "index": "10.0.1.209", 200 | "mode": "managed", 201 | "name": "eks_nodes", 202 | "provider_name": "registry.terraform.io/hashicorp/boundary", 203 | "schema_version": 0, 204 | "sensitive_values": {}, 205 | "type": "boundary_host", 206 | "values": { 207 | "address": "10.0.1.209", 208 | "description": "EKS Node #10.0.1.209", 209 | "host_catalog_id": "hcst_FB3T8SSGNM", 210 | "id": "hst_ZqZnn7P5nr", 211 | "name": "eks_nodes_10.0.1.209", 212 | "type": "static" 213 | } 214 | }, 215 | { 216 | "address": "boundary_host.eks_nodes[\"10.0.2.62\"]", 217 | "index": "10.0.2.62", 218 | "mode": "managed", 219 | "name": "eks_nodes", 220 | "provider_name": "registry.terraform.io/hashicorp/boundary", 221 | "schema_version": 0, 222 | "sensitive_values": {}, 223 | "type": "boundary_host", 224 | "values": { 225 | "address": "10.0.2.62", 226 | "description": "EKS Node #10.0.2.62", 227 | "host_catalog_id": "hcst_FB3T8SSGNM", 228 | "id": "hst_S2GnQmE1bq", 229 | "name": "eks_nodes_10.0.2.62", 230 | "type": "static" 231 | } 232 | }, 233 | { 234 | "address": "boundary_host.eks_nodes[\"10.0.3.51\"]", 235 | "index": "10.0.3.51", 236 | "mode": "managed", 237 | "name": "eks_nodes", 238 | "provider_name": "registry.terraform.io/hashicorp/boundary", 239 | "schema_version": 0, 240 | "sensitive_values": {}, 241 | "type": "boundary_host", 242 | "values": { 243 | "address": "10.0.3.51", 244 | "description": "EKS Node #10.0.3.51", 245 | "host_catalog_id": "hcst_FB3T8SSGNM", 246 | "id": "hst_Z2Legm5U8E", 247 | "name": "eks_nodes_10.0.3.51", 248 | "type": "static" 249 | } 250 | }, 251 | { 252 | "address": "boundary_host.products_database", 253 | "mode": "managed", 254 | "name": "products_database", 255 | "provider_name": "registry.terraform.io/hashicorp/boundary", 256 | "schema_version": 0, 257 | "sensitive_values": {}, 258 | "type": "boundary_host", 259 | "values": { 260 | "address": "zero-products.c4pet3aulkup.us-east-2.rds.amazonaws.com", 261 | "description": "products database", 262 | "host_catalog_id": "hcst_nPwG69vs6n", 263 | "id": "hst_i4ePfVCrTq", 264 | "name": "products_database", 265 | "type": "static" 266 | } 267 | }, 268 | { 269 | "address": "boundary_host.vault", 270 | "mode": "managed", 271 | "name": "vault", 272 | "provider_name": "registry.terraform.io/hashicorp/boundary", 273 | "schema_version": 0, 274 | "sensitive_values": {}, 275 | "type": "boundary_host", 276 | "values": { 277 | "address": "zero.private.vault.11eaeb92-853e-2d98-8405-0242ac110009.aws.hashicorp.cloud", 278 | "description": "HCP Vault Endpoint", 279 | "host_catalog_id": "hcst_g88dKKVcJh", 280 | "id": "hst_cVMoSJtH7o", 281 | "name": "hcp_vault", 282 | "type": "static" 283 | } 284 | }, 285 | { 286 | "address": "boundary_host_catalog.consul", 287 | "mode": "managed", 288 | "name": "consul", 289 | "provider_name": "registry.terraform.io/hashicorp/boundary", 290 | "schema_version": 0, 291 | "sensitive_values": {}, 292 | "type": "boundary_host_catalog", 293 | "values": { 294 | "description": "HCP Consul Endpoint", 295 | "id": "hcst_dZNxaEN3hB", 296 | "name": "hcp_consul", 297 | "scope_id": "p_Wm0QdQfo3B", 298 | "type": "static" 299 | } 300 | }, 301 | { 302 | "address": "boundary_host_catalog.eks_nodes", 303 | "mode": "managed", 304 | "name": "eks_nodes", 305 | "provider_name": "registry.terraform.io/hashicorp/boundary", 306 | "schema_version": 0, 307 | "sensitive_values": {}, 308 | "type": "boundary_host_catalog", 309 | "values": { 310 | "description": "EKS nodes for operations team", 311 | "id": "hcst_FB3T8SSGNM", 312 | "name": "eks_nodes", 313 | "scope_id": "p_Wm0QdQfo3B", 314 | "type": "static" 315 | } 316 | }, 317 | { 318 | "address": "boundary_host_catalog.products_database", 319 | "mode": "managed", 320 | "name": "products_database", 321 | "provider_name": "registry.terraform.io/hashicorp/boundary", 322 | "schema_version": 0, 323 | "sensitive_values": {}, 324 | "type": "boundary_host_catalog", 325 | "values": { 326 | "description": "Products database", 327 | "id": "hcst_nPwG69vs6n", 328 | "name": "products_database", 329 | "scope_id": "p_ziYr7jV1zt", 330 | "type": "static" 331 | } 332 | }, 333 | { 334 | "address": "boundary_host_catalog.vault", 335 | "mode": "managed", 336 | "name": "vault", 337 | "provider_name": "registry.terraform.io/hashicorp/boundary", 338 | "schema_version": 0, 339 | "sensitive_values": {}, 340 | "type": "boundary_host_catalog", 341 | "values": { 342 | "description": "HCP Vault Endpoint", 343 | "id": "hcst_g88dKKVcJh", 344 | "name": "hcp_vault", 345 | "scope_id": "p_Wm0QdQfo3B", 346 | "type": "static" 347 | } 348 | }, 349 | { 350 | "address": "boundary_host_set.consul", 351 | "mode": "managed", 352 | "name": "consul", 353 | "provider_name": "registry.terraform.io/hashicorp/boundary", 354 | "schema_version": 0, 355 | "sensitive_values": { 356 | "host_ids": [ 357 | false 358 | ] 359 | }, 360 | "type": "boundary_host_set", 361 | "values": { 362 | "description": "Host set for HCP Consul", 363 | "host_catalog_id": "hcst_dZNxaEN3hB", 364 | "host_ids": [ 365 | "hst_UderMyTdt5" 366 | ], 367 | "id": "hsst_yRMhECTF4p", 368 | "name": "hcp_consul", 369 | "type": "static" 370 | } 371 | }, 372 | { 373 | "address": "boundary_host_set.eks_nodes", 374 | "mode": "managed", 375 | "name": "eks_nodes", 376 | "provider_name": "registry.terraform.io/hashicorp/boundary", 377 | "schema_version": 0, 378 | "sensitive_values": { 379 | "host_ids": [ 380 | false, 381 | false, 382 | false 383 | ] 384 | }, 385 | "type": "boundary_host_set", 386 | "values": { 387 | "description": "Host set for EKS nodes", 388 | "host_catalog_id": "hcst_FB3T8SSGNM", 389 | "host_ids": [ 390 | "hst_S2GnQmE1bq", 391 | "hst_Z2Legm5U8E", 392 | "hst_ZqZnn7P5nr" 393 | ], 394 | "id": "hsst_0Mec3mN9CH", 395 | "name": "eks_nodes", 396 | "type": "static" 397 | } 398 | }, 399 | { 400 | "address": "boundary_host_set.products_database", 401 | "mode": "managed", 402 | "name": "products_database", 403 | "provider_name": "registry.terraform.io/hashicorp/boundary", 404 | "schema_version": 0, 405 | "sensitive_values": { 406 | "host_ids": [ 407 | false 408 | ] 409 | }, 410 | "type": "boundary_host_set", 411 | "values": { 412 | "description": "Host set for Product Database", 413 | "host_catalog_id": "hcst_nPwG69vs6n", 414 | "host_ids": [ 415 | "hst_i4ePfVCrTq" 416 | ], 417 | "id": "hsst_kPw56ZI9KF", 418 | "name": "products_database", 419 | "type": "static" 420 | } 421 | }, 422 | { 423 | "address": "boundary_host_set.vault", 424 | "mode": "managed", 425 | "name": "vault", 426 | "provider_name": "registry.terraform.io/hashicorp/boundary", 427 | "schema_version": 0, 428 | "sensitive_values": { 429 | "host_ids": [ 430 | false 431 | ] 432 | }, 433 | "type": "boundary_host_set", 434 | "values": { 435 | "description": "Host set for HCP Vault", 436 | "host_catalog_id": "hcst_g88dKKVcJh", 437 | "host_ids": [ 438 | "hst_cVMoSJtH7o" 439 | ], 440 | "id": "hsst_qSkHkDB9pU", 441 | "name": "hcp_vault", 442 | "type": "static" 443 | } 444 | }, 445 | { 446 | "address": "boundary_role.global_anon_listing", 447 | "mode": "managed", 448 | "name": "global_anon_listing", 449 | "provider_name": "registry.terraform.io/hashicorp/boundary", 450 | "schema_version": 0, 451 | "sensitive_values": { 452 | "grant_strings": [ 453 | false, 454 | false, 455 | false 456 | ], 457 | "principal_ids": [ 458 | false 459 | ] 460 | }, 461 | "type": "boundary_role", 462 | "values": { 463 | "default_role": null, 464 | "description": "", 465 | "grant_scope_id": "global", 466 | "grant_strings": [ 467 | "id=*;type=auth-method;actions=list,authenticate", 468 | "id={{account.id}};actions=read,change-password", 469 | "type=scope;actions=list" 470 | ], 471 | "id": "r_kJT5BPFcJQ", 472 | "name": "", 473 | "principal_ids": [ 474 | "u_anon" 475 | ], 476 | "scope_id": "global" 477 | } 478 | }, 479 | { 480 | "address": "boundary_role.org_admin", 481 | "mode": "managed", 482 | "name": "org_admin", 483 | "provider_name": "registry.terraform.io/hashicorp/boundary", 484 | "schema_version": 0, 485 | "sensitive_values": { 486 | "grant_strings": [ 487 | false 488 | ], 489 | "principal_ids": [ 490 | false 491 | ] 492 | }, 493 | "type": "boundary_role", 494 | "values": { 495 | "default_role": null, 496 | "description": "", 497 | "grant_scope_id": "o_t0QCJQwZTb", 498 | "grant_strings": [ 499 | "id=*;type=*;actions=*" 500 | ], 501 | "id": "r_UXciSDNR9t", 502 | "name": "", 503 | "principal_ids": [ 504 | "g_7RM2jGyYaW" 505 | ], 506 | "scope_id": "global" 507 | } 508 | }, 509 | { 510 | "address": "boundary_role.org_anon_listing", 511 | "mode": "managed", 512 | "name": "org_anon_listing", 513 | "provider_name": "registry.terraform.io/hashicorp/boundary", 514 | "schema_version": 0, 515 | "sensitive_values": { 516 | "grant_strings": [ 517 | false, 518 | false, 519 | false 520 | ], 521 | "principal_ids": [ 522 | false 523 | ] 524 | }, 525 | "type": "boundary_role", 526 | "values": { 527 | "default_role": null, 528 | "description": "", 529 | "grant_scope_id": "o_t0QCJQwZTb", 530 | "grant_strings": [ 531 | "id=*;type=auth-method;actions=list,authenticate", 532 | "id={{account.id}};actions=read,change-password", 533 | "type=scope;actions=list" 534 | ], 535 | "id": "r_LCTkufjcYW", 536 | "name": "", 537 | "principal_ids": [ 538 | "u_anon" 539 | ], 540 | "scope_id": "o_t0QCJQwZTb" 541 | } 542 | }, 543 | { 544 | "address": "boundary_role.org_readonly", 545 | "mode": "managed", 546 | "name": "org_readonly", 547 | "provider_name": "registry.terraform.io/hashicorp/boundary", 548 | "schema_version": 0, 549 | "sensitive_values": { 550 | "grant_strings": [ 551 | false, 552 | false, 553 | false 554 | ], 555 | "principal_ids": [ 556 | false, 557 | false 558 | ] 559 | }, 560 | "type": "boundary_role", 561 | "values": { 562 | "default_role": null, 563 | "description": "Read-only role", 564 | "grant_scope_id": "o_t0QCJQwZTb", 565 | "grant_strings": [ 566 | "id=*;type=*;actions=read", 567 | "id=*;type=session;actions=read,list", 568 | "id=*;type=target;actions=read,list,authorize-session" 569 | ], 570 | "id": "r_Qf9JqqMKrl", 571 | "name": "readonly", 572 | "principal_ids": [ 573 | "g_4Hgtx9vh5U", 574 | "g_bTOy0vI7Pn" 575 | ], 576 | "scope_id": "global" 577 | } 578 | }, 579 | { 580 | "address": "boundary_role.project_admin", 581 | "mode": "managed", 582 | "name": "project_admin", 583 | "provider_name": "registry.terraform.io/hashicorp/boundary", 584 | "schema_version": 0, 585 | "sensitive_values": { 586 | "grant_strings": [ 587 | false 588 | ], 589 | "principal_ids": [ 590 | false 591 | ] 592 | }, 593 | "type": "boundary_role", 594 | "values": { 595 | "default_role": null, 596 | "description": "Administrator role for core infra", 597 | "grant_scope_id": "p_Wm0QdQfo3B", 598 | "grant_strings": [ 599 | "id=*;type=*;actions=*" 600 | ], 601 | "id": "r_cKvSBRzu4x", 602 | "name": "core_infra_admin", 603 | "principal_ids": [ 604 | "g_7RM2jGyYaW" 605 | ], 606 | "scope_id": "o_t0QCJQwZTb" 607 | } 608 | }, 609 | { 610 | "address": "boundary_role.project_admin_products", 611 | "mode": "managed", 612 | "name": "project_admin_products", 613 | "provider_name": "registry.terraform.io/hashicorp/boundary", 614 | "schema_version": 0, 615 | "sensitive_values": { 616 | "grant_strings": [ 617 | false 618 | ], 619 | "principal_ids": [ 620 | false, 621 | false 622 | ] 623 | }, 624 | "type": "boundary_role", 625 | "values": { 626 | "default_role": null, 627 | "description": "Administrator role for products infra", 628 | "grant_scope_id": "p_ziYr7jV1zt", 629 | "grant_strings": [ 630 | "id=*;type=*;actions=*" 631 | ], 632 | "id": "r_JvwxpU1xyd", 633 | "name": "products_infra_admin", 634 | "principal_ids": [ 635 | "g_7RM2jGyYaW", 636 | "g_bTOy0vI7Pn" 637 | ], 638 | "scope_id": "o_t0QCJQwZTb" 639 | } 640 | }, 641 | { 642 | "address": "boundary_scope.core_infra", 643 | "mode": "managed", 644 | "name": "core_infra", 645 | "provider_name": "registry.terraform.io/hashicorp/boundary", 646 | "schema_version": 0, 647 | "sensitive_values": {}, 648 | "type": "boundary_scope", 649 | "values": { 650 | "auto_create_admin_role": true, 651 | "auto_create_default_role": true, 652 | "description": "Operations infrastructure project", 653 | "global_scope": null, 654 | "id": "p_Wm0QdQfo3B", 655 | "name": "core_infra", 656 | "scope_id": "o_t0QCJQwZTb" 657 | } 658 | }, 659 | { 660 | "address": "boundary_scope.global", 661 | "mode": "managed", 662 | "name": "global", 663 | "provider_name": "registry.terraform.io/hashicorp/boundary", 664 | "schema_version": 0, 665 | "sensitive_values": {}, 666 | "type": "boundary_scope", 667 | "values": { 668 | "auto_create_admin_role": null, 669 | "auto_create_default_role": null, 670 | "description": "Global Scope", 671 | "global_scope": true, 672 | "id": "global", 673 | "name": "global", 674 | "scope_id": "global" 675 | } 676 | }, 677 | { 678 | "address": "boundary_scope.org", 679 | "mode": "managed", 680 | "name": "org", 681 | "provider_name": "registry.terraform.io/hashicorp/boundary", 682 | "schema_version": 0, 683 | "sensitive_values": {}, 684 | "type": "boundary_scope", 685 | "values": { 686 | "auto_create_admin_role": null, 687 | "auto_create_default_role": null, 688 | "description": "Organization scope", 689 | "global_scope": null, 690 | "id": "o_t0QCJQwZTb", 691 | "name": "organization", 692 | "scope_id": "global" 693 | } 694 | }, 695 | { 696 | "address": "boundary_scope.products_infra", 697 | "mode": "managed", 698 | "name": "products_infra", 699 | "provider_name": "registry.terraform.io/hashicorp/boundary", 700 | "schema_version": 0, 701 | "sensitive_values": {}, 702 | "type": "boundary_scope", 703 | "values": { 704 | "auto_create_admin_role": true, 705 | "auto_create_default_role": true, 706 | "description": "Products infrastructure project", 707 | "global_scope": null, 708 | "id": "p_ziYr7jV1zt", 709 | "name": "products_infra", 710 | "scope_id": "o_t0QCJQwZTb" 711 | } 712 | }, 713 | { 714 | "address": "boundary_target.consul", 715 | "mode": "managed", 716 | "name": "consul", 717 | "provider_name": "registry.terraform.io/hashicorp/boundary", 718 | "schema_version": 0, 719 | "sensitive_values": { 720 | "application_credential_library_ids": [], 721 | "host_set_ids": [ 722 | false 723 | ] 724 | }, 725 | "type": "boundary_target", 726 | "values": { 727 | "application_credential_library_ids": [], 728 | "default_port": 443, 729 | "description": "HCP Consul Target", 730 | "host_set_ids": [ 731 | "hsst_yRMhECTF4p" 732 | ], 733 | "id": "ttcp_CYrRMsT0dY", 734 | "name": "hcp_consul", 735 | "scope_id": "p_Wm0QdQfo3B", 736 | "session_connection_limit": -1, 737 | "session_max_seconds": 28800, 738 | "type": "tcp", 739 | "worker_filter": "" 740 | } 741 | }, 742 | { 743 | "address": "boundary_target.eks_nodes_ssh", 744 | "mode": "managed", 745 | "name": "eks_nodes_ssh", 746 | "provider_name": "registry.terraform.io/hashicorp/boundary", 747 | "schema_version": 0, 748 | "sensitive_values": { 749 | "application_credential_library_ids": [], 750 | "host_set_ids": [ 751 | false 752 | ] 753 | }, 754 | "type": "boundary_target", 755 | "values": { 756 | "application_credential_library_ids": [], 757 | "default_port": 22, 758 | "description": "EKS Nodes SSH target", 759 | "host_set_ids": [ 760 | "hsst_0Mec3mN9CH" 761 | ], 762 | "id": "ttcp_jwREIXrmDA", 763 | "name": "eks_nodes_ssh", 764 | "scope_id": "p_Wm0QdQfo3B", 765 | "session_connection_limit": -1, 766 | "session_max_seconds": 28800, 767 | "type": "tcp", 768 | "worker_filter": "" 769 | } 770 | }, 771 | { 772 | "address": "boundary_target.products_database_postgres", 773 | "mode": "managed", 774 | "name": "products_database_postgres", 775 | "provider_name": "registry.terraform.io/hashicorp/boundary", 776 | "schema_version": 0, 777 | "sensitive_values": { 778 | "application_credential_library_ids": [], 779 | "host_set_ids": [ 780 | false 781 | ] 782 | }, 783 | "type": "boundary_target", 784 | "values": { 785 | "application_credential_library_ids": [], 786 | "default_port": 5432, 787 | "description": "Products Database Postgres Target", 788 | "host_set_ids": [ 789 | "hsst_kPw56ZI9KF" 790 | ], 791 | "id": "ttcp_fTABul4BSY", 792 | "name": "products_database_postgres", 793 | "scope_id": "p_ziYr7jV1zt", 794 | "session_connection_limit": -1, 795 | "session_max_seconds": 28800, 796 | "type": "tcp", 797 | "worker_filter": "" 798 | } 799 | }, 800 | { 801 | "address": "boundary_target.vault", 802 | "mode": "managed", 803 | "name": "vault", 804 | "provider_name": "registry.terraform.io/hashicorp/boundary", 805 | "schema_version": 0, 806 | "sensitive_values": { 807 | "application_credential_library_ids": [], 808 | "host_set_ids": [ 809 | false 810 | ] 811 | }, 812 | "type": "boundary_target", 813 | "values": { 814 | "application_credential_library_ids": [], 815 | "default_port": 8200, 816 | "description": "HCP Vault Target", 817 | "host_set_ids": [ 818 | "hsst_qSkHkDB9pU" 819 | ], 820 | "id": "ttcp_BeAafyUlvY", 821 | "name": "hcp_vault", 822 | "scope_id": "p_Wm0QdQfo3B", 823 | "session_connection_limit": -1, 824 | "session_max_seconds": 28800, 825 | "type": "tcp", 826 | "worker_filter": "" 827 | } 828 | }, 829 | { 830 | "address": "boundary_user.leadership[\"manager\"]", 831 | "index": "manager", 832 | "mode": "managed", 833 | "name": "leadership", 834 | "provider_name": "registry.terraform.io/hashicorp/boundary", 835 | "schema_version": 0, 836 | "sensitive_values": { 837 | "account_ids": [ 838 | false 839 | ] 840 | }, 841 | "type": "boundary_user", 842 | "values": { 843 | "account_ids": [ 844 | "acctpw_Dq9PcQCYAy" 845 | ], 846 | "description": "WARNING: Managers should be read-only", 847 | "id": "u_bbeqHylc1I", 848 | "name": "manager", 849 | "scope_id": "o_t0QCJQwZTb" 850 | } 851 | }, 852 | { 853 | "address": "boundary_user.operations[\"ops\"]", 854 | "index": "ops", 855 | "mode": "managed", 856 | "name": "operations", 857 | "provider_name": "registry.terraform.io/hashicorp/boundary", 858 | "schema_version": 0, 859 | "sensitive_values": { 860 | "account_ids": [ 861 | false 862 | ] 863 | }, 864 | "type": "boundary_user", 865 | "values": { 866 | "account_ids": [ 867 | "acctpw_LA07Vmkasq" 868 | ], 869 | "description": "Operations user: ops", 870 | "id": "u_429i2oSGHx", 871 | "name": "ops", 872 | "scope_id": "o_t0QCJQwZTb" 873 | } 874 | }, 875 | { 876 | "address": "boundary_user.products[\"appdev\"]", 877 | "index": "appdev", 878 | "mode": "managed", 879 | "name": "products", 880 | "provider_name": "registry.terraform.io/hashicorp/boundary", 881 | "schema_version": 0, 882 | "sensitive_values": { 883 | "account_ids": [ 884 | false 885 | ] 886 | }, 887 | "type": "boundary_user", 888 | "values": { 889 | "account_ids": [ 890 | "acctpw_87tgbiQEvu" 891 | ], 892 | "description": "Products user: appdev", 893 | "id": "u_7f70Kc9YQ8", 894 | "name": "appdev", 895 | "scope_id": "o_t0QCJQwZTb" 896 | } 897 | }, 898 | { 899 | "address": "random_password.operations_team", 900 | "mode": "managed", 901 | "name": "operations_team", 902 | "provider_name": "registry.terraform.io/hashicorp/random", 903 | "schema_version": 0, 904 | "sensitive_values": {}, 905 | "type": "random_password", 906 | "values": { 907 | "id": "none", 908 | "keepers": null, 909 | "length": 16, 910 | "lower": true, 911 | "min_lower": 0, 912 | "min_numeric": 0, 913 | "min_special": 0, 914 | "min_upper": 0, 915 | "number": true, 916 | "override_special": "_%@", 917 | "result": "REDACTED_SENSITIVE", 918 | "special": true, 919 | "upper": true 920 | } 921 | }, 922 | { 923 | "address": "random_password.products_team", 924 | "mode": "managed", 925 | "name": "products_team", 926 | "provider_name": "registry.terraform.io/hashicorp/random", 927 | "schema_version": 0, 928 | "sensitive_values": {}, 929 | "type": "random_password", 930 | "values": { 931 | "id": "none", 932 | "keepers": null, 933 | "length": 16, 934 | "lower": true, 935 | "min_lower": 0, 936 | "min_numeric": 0, 937 | "min_special": 0, 938 | "min_upper": 0, 939 | "number": true, 940 | "override_special": "_%@", 941 | "result": "REDACTED_SENSITIVE", 942 | "special": true, 943 | "upper": true 944 | } 945 | } 946 | ] 947 | } 948 | } 949 | } --------------------------------------------------------------------------------