Framework Management

The Shipa provider for Terraform allows you to implement policies across multiple clusters by using the Shipa policy frameworks.

The example below shows the different options that can be leveraged when creating a policy framework using Terraform:

terraform {
  required_providers {
    shipa = {
      version = "0.0.13"
      source = "shipa-corp/shipa"
    }
  }
}

provider "shipa" {
  host = "http://target.shipa.cloud:80"
  token = "<your-shipa-token>"
}

resource "shipa_framework" "framework1" {
  framework {
    name = "cinema-services"
    provisioner = "kubernetes"
    kubernetes_namespace = ""
    resources {
      general {
        setup {
          public = false
          default = false
        }
        security {
          disable_scan = true
          scan_platform_layers = false
          ignore_components = ["apt", "bash", "..."]
          ignore_cves = ["CVE-2020-27350", "CVE-2011-3374", "..."]
        }
        router = "traefik"
        app_quota {
          limit = "5"
        }
        access {
          append = ["shipa-team"]
        }
        plan {
          name = "shipa-plan"
        }
        network_policy {
          ingress {
             policy_mode = "allow-custom-rules-only"
             custom_rules {
              id = "rule-name"
              enabled = true
              description = "rule description"
              allowed_apps = ["app1", "app2"]
              ports {
                port = 8080
                protocol = "TCP"
              }
             }
          }
          egress {
             policy_mode = "allow-all"
          }
          disable_app_policies = "false"
        }
        container_policy {
          allowed_hosts = ["docker.io/shipasoftware", "docker.io/shiparepo"]
        }
      }
    }
  }
}

Top-Level Attributes

Here are the attributes that provide top-level information about each component definition.

ComponenttypeDescription
namestring
provisionerstringThe provisioner that Shipa should use when creating the framework. Options are:
kubernetes
shipa

Required: Yes
kubernetes_namespacestringIf you want Shipa to use an existing namespace in the cluster instead of creating a new one for the framework, you can add the name of the existing namespace here.

Required: No
Condition: Only when provisioner is kubernetes
resourcesresources

Resources

ComponenttypeDescription
generalgeneral

General

TypeDescriptionComponent
setupThe basic information required by Shipa to set up your policy framework.setup
securityThe definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed using the policy framework.security
routerThe ingress controller that should be used by Shipa when applications are deployed using this policy framework.

Required: Yes
Options:
traefik
istio
router
app_quotaImplement application scalability limits.app_quota
accessRestricts the teams that can leverage the policy framework to deploy their applications.access
planResource consumption limits that are automatically assigned to applications deployed using the policy framework.plan
network_policyThe default network policies that should be assigned to each application deployed using the policy framework.network_policy
container_policyImplement limits on which container registries can be used when deploying applications using the policy framework.container_policy

Setup

Component path: resource > framework > general > setup

ComponentDescriptionType
publicDefines if the framework should be made publicly available to all teams on Shipa

Required: No
bool
defaultMarking a framework as default, when creating applications, if a framework is not entered, Shipa will automatically use the framework flagged as default.

Required: No
bool

Security

Component path: resource > framework > general > security

ComponentDescriptionType
disable_scanIf application scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework.

Required: No
bool
scan_platform_layersIf application image scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework.

Required: No
bool
ignore_componentsBy default, if security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed to the framework. If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here.

Required: No
string
ignore_cvesBy default, if security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed to the framework. If there are specific CVES that should be ignored by Shipa during deployments using this framework, they should be listed here.

Required: No
string

Router

Component path: resource > framework > general > router

ComponentDescriptionType
routerThe ingress controller that should be leveraged by Shipa when applications are deployed through the framework.

Current supported options are:
istio
traefik

Required: No

If not specified, Shipa will automatically use Traefik
string

Application Quota

Component path: resource > framework > general > app_quota

ComponentDescriptionType
limitThe number of container units that applications deployed to this framework can scale to.

Required: Yes
int

Access

Component path: resource > framework > general > access

ComponentDescriptionType
appendThe teams that should be added to the framework, so they can deploy their applications. Multiple teams can be entered.

Required: Yes
string
blacklistThe teams that should be removed from the framework, so they cannot deploy their applications. Multiple teams can be entered.

Required: No
string

Plan

Component path: resource > framework > general > plan

ComponentDescriptionType
nameThe name of an existing Shipa plan that should be tied to this framework, so applications automatically receive limits around memory, CPU, and swap.

Required: Yes
string

Network Policy

Component path: resource > framework > general > network_policy

ComponentDescriptionType
ingressIngress definition that will be accepted by applications deployed using the framework

Required: No

If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework
policy_modeThe policy mode that should be applied to applications deployed through the framework

Current options from Terraform are:
allow-all
deny-all
allow-custom-rules-only

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
string
custom_rulesIf policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
idthe name of the custom rule

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
string
enabledif the custom rule is enabled by default or not when applications are deployed through the framework

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
bool
descriptionThe description of the custom rule being enforced by the framework

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
string
allowed_appsThe specific applications that applications deployed through the framework can receive ingress or ingress from

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
string
portsPort configuration where applications deployed through the framework can accept ingress or egress

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
portThe specific port (or list of ports) where applications deployed through the framework can accept ingress or egress

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
int
protocolThe specific protocol where applications deployed through the framework can accept ingress or egress

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
string
egressEgress definition that will be accepted by applications deployed using the framework

Required: No

If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework
disable_app_policiesDefines if application owners can change ingress and/or egress rules at the application-level post-deployment

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only
bool

📘

Detailed Network Policies

Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy.
Exporting the framework configuration, giving you your detailed network policy configuration in a file.

Container Policy

Component path: resource > framework > general > container_policy

ComponentDescriptionType
allowed_hostsThe container registry (or list of) developers can use when deploying their applications through the framework.

Required: No

If not specified, developers will be able to deploy images from any container registry
string

Listing a Framework Configuration

terraform {
  required_providers {
    shipa = {
      version = "0.0.13"
      source = "shipa.io/terraform/shipa"
    }
  }
}

provider "shipa" {}

data "shipa_framework" "f1" {
  id = "shipa-framework"
}

output "my_val" {
  value = data.shipa_framework.f1
}
ComponentDescriptionType
shipa_frameworkshipa_framework is Shipa's component for returning data for a specific framework when using Terraform.string
idThe name of the framework which you want to get the details from.string