Framework Management
The Shipa provider for Terraform allows you to implement policies across multiple clusters by using the Shipa policy frameworks.
The example below shows the different options that can be leveraged when creating a policy framework using Terraform:
terraform {
required_providers {
shipa = {
version = "0.0.13"
source = "shipa-corp/shipa"
}
}
}
provider "shipa" {
host = "http://target.shipa.cloud:80"
token = "<your-shipa-token>"
}
resource "shipa_framework" "framework1" {
framework {
name = "cinema-services"
provisioner = "kubernetes"
kubernetes_namespace = ""
resources {
general {
setup {
public = false
default = false
}
security {
disable_scan = true
scan_platform_layers = false
ignore_components = ["apt", "bash", "..."]
ignore_cves = ["CVE-2020-27350", "CVE-2011-3374", "..."]
}
router = "traefik"
app_quota {
limit = "5"
}
access {
append = ["shipa-team"]
}
plan {
name = "shipa-plan"
}
network_policy {
ingress {
policy_mode = "allow-custom-rules-only"
custom_rules {
id = "rule-name"
enabled = true
description = "rule description"
allowed_apps = ["app1", "app2"]
ports {
port = 8080
protocol = "TCP"
}
}
}
egress {
policy_mode = "allow-all"
}
disable_app_policies = "false"
}
container_policy {
allowed_hosts = ["docker.io/shipasoftware", "docker.io/shiparepo"]
}
}
}
}
}
Top-Level Attributes
Here are the attributes that provide top-level information about each component definition.
| Component | type | Description |
|---|---|---|
| name | string | |
| provisioner | string | The provisioner that Shipa should use when creating the framework. Options are: kubernetes shipa Required: Yes |
| kubernetes_namespace | string | If you want Shipa to use an existing namespace in the cluster instead of creating a new one for the framework, you can add the name of the existing namespace here. Required: No Condition: Only when provisioner is kubernetes |
| resources | resources |
Resources
| Component | type | Description |
|---|---|---|
| general | general |
General
| Type | Description | Component |
|---|---|---|
| setup | The basic information required by Shipa to set up your policy framework. | setup |
| security | The definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed using the policy framework. | security |
| router | The ingress controller that should be used by Shipa when applications are deployed using this policy framework. Required: Yes Options: traefik istio | router |
| app_quota | Implement application scalability limits. | app_quota |
| access | Restricts the teams that can leverage the policy framework to deploy their applications. | access |
| plan | Resource consumption limits that are automatically assigned to applications deployed using the policy framework. | plan |
| network_policy | The default network policies that should be assigned to each application deployed using the policy framework. | network_policy |
| container_policy | Implement limits on which container registries can be used when deploying applications using the policy framework. | container_policy |
Setup
Component path: resource > framework > general > setup
| Component | Description | Type |
|---|---|---|
| public | Defines if the framework should be made publicly available to all teams on Shipa Required: No | bool |
| default | Marking a framework as default, when creating applications, if a framework is not entered, Shipa will automatically use the framework flagged as default. Required: No | bool |
Security
Component path: resource > framework > general > security
| Component | Description | Type |
|---|---|---|
| disable_scan | If application scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No | bool |
| scan_platform_layers | If application image scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No | bool |
| ignore_components | By default, if security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed to the framework. If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No | string |
| ignore_cves | By default, if security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed to the framework. If there are specific CVES that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No | string |
Router
Component path: resource > framework > general > router
| Component | Description | Type |
|---|---|---|
| router | The ingress controller that should be leveraged by Shipa when applications are deployed through the framework. Current supported options are: istio traefik Required: No If not specified, Shipa will automatically use Traefik | string |
Application Quota
Component path: resource > framework > general > app_quota
| Component | Description | Type |
|---|---|---|
| limit | The number of container units that applications deployed to this framework can scale to. Required: Yes | int |
Access
Component path: resource > framework > general > access
| Component | Description | Type |
|---|---|---|
| append | The teams that should be added to the framework, so they can deploy their applications. Multiple teams can be entered. Required: Yes | string |
| blacklist | The teams that should be removed from the framework, so they cannot deploy their applications. Multiple teams can be entered. Required: No | string |
Plan
Component path: resource > framework > general > plan
| Component | Description | Type |
|---|---|---|
| name | The name of an existing Shipa plan that should be tied to this framework, so applications automatically receive limits around memory, CPU, and swap. Required: Yes | string |
Network Policy
Component path: resource > framework > general > network_policy
| Component | Description | Type |
|---|---|---|
| ingress | Ingress definition that will be accepted by applications deployed using the framework Required: No If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework | |
| policy_mode | The policy mode that should be applied to applications deployed through the framework Current options from Terraform are: allow-all deny-all allow-custom-rules-only Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | string |
| custom_rules | If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | |
| id | the name of the custom rule Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | string |
| enabled | if the custom rule is enabled by default or not when applications are deployed through the framework Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | bool |
| description | The description of the custom rule being enforced by the framework Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | string |
| allowed_apps | The specific applications that applications deployed through the framework can receive ingress or ingress from Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | string |
| ports | Port configuration where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | |
| port | The specific port (or list of ports) where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | int |
| protocol | The specific protocol where applications deployed through the framework can accept ingress or egress Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | string |
| egress | Egress definition that will be accepted by applications deployed using the framework Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework | |
| disable_app_policies | Defines if application owners can change ingress and/or egress rules at the application-level post-deployment Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | bool |
Detailed Network Policies
Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy.
Exporting the framework configuration, giving you your detailed network policy configuration in a file.
Container Policy
Component path: resource > framework > general > container_policy
| Component | Description | Type |
|---|---|---|
| allowed_hosts | The container registry (or list of) developers can use when deploying their applications through the framework. Required: No If not specified, developers will be able to deploy images from any container registry | string |
Listing a Framework Configuration
terraform {
required_providers {
shipa = {
version = "0.0.13"
source = "shipa.io/terraform/shipa"
}
}
}
provider "shipa" {}
data "shipa_framework" "f1" {
id = "shipa-framework"
}
output "my_val" {
value = data.shipa_framework.f1
}
| Component | Description | Type |
|---|---|---|
| shipa_framework | shipa_framework is Shipa's component for returning data for a specific framework when using Terraform. | string |
| id | The name of the framework which you want to get the details from. | string |
Updated 9 months ago