The Shipa provider for Terraform allows you to implement policies across multiple clusters by using the Shipa policy frameworks.

The example below shows the different options that can be leveraged when creating a policy framework using Terraform:

terraform {
  required_providers {
    shipa = {
      version = "0.0.6"
      source = "shipa-corp/shipa"
    }
  }
}

provider "shipa" {
  host = "http://target.shipa.cloud:8080"
  token = "<your-shipa-token>"
}

resource "shipa_framework" "framework1" {
  framework {
    name = "cinema-services"
    provisioner = "kubernetes"
    kubernetes_namespace = ""
    resources {
      general {
        setup {
          public = false
          default = false
        }
        security {
          disable_scan = true
          scan_platform_layers = false
          ignore_components = ["apt", "bash", "..."]
          ignore_cves = ["CVE-2020-27350", "CVE-2011-3374", "..."]
        }
        router = "traefik"
        app_quota {
          limit = "5"
        }
        access {
          append = ["shipa-team"]
        }
        plan {
          name = "shipa-plan"
        }
        network_policy {
          ingress {
             policy_mode = "allow-custom-rules-only"
             custom_rules {
              id = "rule-name"
              enabled = true
              description = "rule description"
              allowed_apps = ["app1", "app2"]
              ports {
                port = 8080
                protocol = "TCP"
              }
             }
          }
          egress {
             policy_mode = "allow-all"
          }
          disable_app_policies = "false"
        }
        container_policy {
          allowed_hosts = ["docker.io/shipasoftware", "docker.io/shiparepo"]
        }
      }
    }
  }
}

Top-Level Attributes

Here are the attributes that provide top-level information about each component definition.

Component	type	Description
name	string
provisioner	string	The provisioner that Shipa should use when creating the framework. Options are: kubernetes shipa Required: Yes
kubernetes_namespace	string	If you want Shipa to use an existing namespace in the cluster instead of creating a new one for the framework, you can add the name of the existing namespace here. Required: No Condition: Only when provisioner is kubernetes
resources	resources

Resources

Component	type	Description
general	general

General

Type	Description	Component
setup	The basic information required by Shipa to set up your policy framework.	setup
security	The definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed using the policy framework.	security
router	The ingress controller that should be used by Shipa when applications are deployed using this policy framework. Required: Yes Options: traefik istio	router
app_quota	Implement application scalability limits.	app_quota
access	Restricts the teams that can leverage the policy framework to deploy their applications.	access
plan	Resource consumption limits that are automatically assigned to applications deployed using the policy framework.	plan
network_policy	The default network policies that should be assigned to each application deployed using the policy framework.	network_policy
container_policy	Implement limits on which container registries can be used when deploying applications using the policy framework.	container_policy

Setup

Component path: resource > framework > general > setup

Component	Description	Type
public	Defines if the framework should be made publicly available to all teams on Shipa Required: No	bool
default	Marking a framework as default, when creating applications, if a framework is not entered, Shipa will automatically use the framework flagged as default. Required: No	bool

Component

Description

Type

public

Defines if the framework should be made publicly available to all teams on Shipa

Required: No

bool

default

Marking a framework as default, when creating applications, if a framework is not entered, Shipa will automatically use the framework flagged as default.

Required: No

bool

Security

Component path: resource > framework > general > security

Component	Description	Type
disable_scan	If application scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No	bool
scan_platform_layers	If application image scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No	bool
ignore_components	By default, if security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed to the framework. If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No	string
ignore_cves	By default, if security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed to the framework. If there are specific CVES that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No	string

Router

Component path: resource > framework > general > router

Component	Description	Type
router	The ingress controller that should be leveraged by Shipa when applications are deployed through the framework. Current supported options are: istio traefik Required: No If not specified, Shipa will automatically use Traefik	string

Component

Description

Type

router

The ingress controller that should be leveraged by Shipa when applications are deployed through the framework.

Current supported options are:

istio
traefik

Required: No

If not specified, Shipa will automatically use Traefik

string

Application Quota

Component path: resource > framework > general > app_quota

Component	Description	Type
limit	The number of container units that applications deployed to this framework can scale to. Required: Yes	int

Component

Description

Type

limit

The number of container units that applications deployed to this framework can scale to.

Required: Yes

int

Access

Component path: resource > framework > general > access

Component	Description	Type
append	The teams that should be added to the framework, so they can deploy their applications. Multiple teams can be entered. Required: Yes	string
blacklist	The teams that should be removed from the framework, so they cannot deploy their applications. Multiple teams can be entered. Required: No	string

Component

Description

Type

append

The teams that should be added to the framework, so they can deploy their applications. Multiple teams can be entered.

Required: Yes

string

blacklist

The teams that should be removed from the framework, so they cannot deploy their applications. Multiple teams can be entered.

Required: No

string

Plan

Component path: resource > framework > general > plan

Component	Description	Type
name	The name of an existing Shipa plan that should be tied to this framework, so applications automatically receive limits around memory, CPU, and swap. Required: Yes	string

Component

Description

Type

name

The name of an existing Shipa plan that should be tied to this framework, so applications automatically receive limits around memory, CPU, and swap.

Required: Yes

string

Network Policy

Component path: resource > framework > general > network_policy

Component	Description	Type
ingress	Ingress definition that will be accepted by applications deployed using the framework Required: No If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework
policy_mode	The policy mode that should be applied to applications deployed through the framework Current options from Terraform are: allow-all deny-all allow-custom-rules-only Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	string
custom_rules	If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
id	the name of the custom rule Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	string
enabled	if the custom rule is enabled by default or not when applications are deployed through the framework Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	bool
description	The description of the custom rule being enforced by the framework Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	string
allowed_apps	The specific applications that applications deployed through the framework can receive ingress or ingress from Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	string
ports	Port configuration where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
port	The specific port (or list of ports) where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	int
protocol	The specific protocol where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	string
egress	Egress definition that will be accepted by applications deployed using the framework Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework
disable_app_policies	Defines if application owners can change ingress and/or egress rules at the application-level post-deployment Required: No Condition: Only when policy_mode is set to allow-custom-rules-only	bool

📘
Detailed Network Policies
Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy.
Exporting the framework configuration, giving you your detailed network policy configuration in a file.

Container Policy

Component path: resource > framework > general > container_policy

Component	Description	Type
allowed_hosts	The container registry (or list of) developers can use when deploying their applications through the framework. Required: No If not specified, developers will be able to deploy images from any container registry	string

Component

Description

Type

allowed_hosts

The container registry (or list of) developers can use when deploying their applications through the framework.

Required: No

If not specified, developers will be able to deploy images from any container registry

string

Listing a Framework Configuration

terraform {
  required_providers {
    shipa = {
      version = "0.0.5"
      source = "shipa.io/terraform/shipa"
    }
  }
}

provider "shipa" {}

data "shipa_framework" "f1" {
  id = "shipa-framework"
}

output "my_val" {
  value = data.shipa_framework.f1
}

Component	Description	Type
shipa_framework	shipa_framework is Shipa's component for returning data for a specific framework when using Terraform.	string
id	The name of the framework which you want to get the details from.	string

Framework Management

Top-Level Attributes

Resources

General

Setup

Security

Router

Application Quota

Access

Plan

Network Policy

📘
Detailed Network Policies

Container Policy

Listing a Framework Configuration

Top-Level Attributes

Resources

General

Setup

Security

Router

Application Quota

Access

Plan

Network Policy

📘Detailed Network Policies

Container Policy

Listing a Framework Configuration

📘
Detailed Network Policies