Framework Management

The Shipa provider for Terraform allows you to implement policies across multiple clusters by using the Shipa policy frameworks.

The example below shows the different options that can be leveraged when creating a policy framework using Terraform:

terraform {
  required_providers {
    shipa = {
      version = "0.0.6"
      source = "shipa-corp/shipa"
    }
  }
}

provider "shipa" {
  host = "http://target.shipa.cloud:8080"
  token = "<your-shipa-token>"
}

resource "shipa_framework" "framework1" {
  framework {
    name                 = "cinema-services"
    provisioner          = "kubernetes"
    kubernetes_namespace = ""
    resources {
      general {
        setup {
          public  = false
          default = false
        }
        security {
          disable_scan         = true
          scan_platform_layers = false
          ignore_components    = ["apt", "bash", "..."]
          ignore_cves          = ["CVE-2020-27350", "CVE-2011-3374", "..."]
        }
        router = "traefik"
        app_quota {
          limit = 5
        }
        access {
          append = ["shipa-team"]
        }
        plan {
          name = "shipa-plan"
        }
        network_policy {
          ingress {
            policy_mode = "allow-custom-rules-only"
            custom_rules {
              id           = "rule-name"
              enabled      = true
              description  = "rule description"
              allowed_apps = ["app1", "app2"]
              ports {
                port     = 8080
                protocol = "TCP"
              }
            }
          }
          egress {
            policy_mode = "allow-all"
          }
          disable_app_policies = false
        }
        container_policy {
          allowed_hosts = ["docker.io/shipasoftware", "docker.io/shiparepo"]
        }
      }
    }
  }
}

Top-Level Attributes

Here are the attributes that provide top-level information about each component definition.

name (string)

provisioner (string)
The provisioner that Shipa should use when creating the framework. Options are:

  • kubernetes
  • shipa

Required: Yes

kubernetes_namespace (string)
If you want Shipa to use an existing namespace in the cluster instead of creating a new one for the framework, enter the name of the existing namespace here.
Required: No
Condition: Only when provisioner is kubernetes

resources (block)

Resources

general (block)

General

setup (block)
The basic information required by Shipa to set up your policy framework.

security (block)
The definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed using the policy framework.

router (string)
The ingress controller that should be used by Shipa when applications are deployed using this policy framework.
Required: Yes
Options:

  • traefik
  • istio

app_quota (block)
Implements application scalability limits.

access (block)
Restricts the teams that can use the policy framework to deploy their applications.

plan (block)
Resource consumption limits that are automatically assigned to applications deployed using the policy framework.

network_policy (block)
The default network policies that should be assigned to each application deployed using the policy framework.

container_policy (block)
Implements limits on which container registries can be used when deploying applications using the policy framework.

Setup

Component path: resource > framework > general > setup

public (bool)
Defines whether the framework should be made publicly available to all teams on Shipa.
Required: No

default (bool)
Marks the framework as the default. When an application is created without specifying a framework, Shipa automatically uses the framework flagged as default.
Required: No

Security

Component path: resource > framework > general > security

disable_scan (bool)
Whether the application scan should be disabled when applications are deployed using the framework. Unless changed, scanning is enabled when the framework is created.
Required: No

scan_platform_layers (bool)
Whether the application image scan should be disabled when applications are deployed using the framework. Unless changed, it is enabled when the framework is created.
Required: No

ignore_components (string)
By default, if security scanning is not disabled, Shipa does not allow any application with component vulnerabilities to be deployed to the framework. If specific components should be ignored by Shipa during deployments using this framework, list them here.
Required: No

ignore_cves (string)
By default, if security scanning is not disabled, Shipa does not allow any application with CVE vulnerabilities to be deployed to the framework. If specific CVEs should be ignored by Shipa during deployments using this framework, list them here.
Required: No

Router

Component path: resource > framework > general > router

router (string)
The ingress controller that should be used by Shipa when applications are deployed through the framework. Currently supported options are:

  • istio
  • traefik

Required: No
If not specified, Shipa will automatically use Traefik.

Application Quota

Component path: resource > framework > general > app_quota

limit (int)
The number of container units that applications deployed to this framework can scale to.
Required: Yes

Access

Component path: resource > framework > general > access

append (string)
The teams that should be added to the framework so they can deploy their applications. Multiple teams can be entered.
Required: Yes

blacklist (string)
The teams that should be removed from the framework so they cannot deploy their applications. Multiple teams can be entered.
Required: No

Plan

Component path: resource > framework > general > plan

name (string)
The name of an existing Shipa plan that should be tied to this framework, so that applications automatically receive limits on memory, CPU, and swap.
Required: Yes

Network Policy

Component path: resource > framework > general > network_policy

ingress (block)
Ingress definition that will be accepted by applications deployed using the framework.
Required: No
If not defined, Shipa will automatically assign an allow-all ingress policy to applications deployed through the framework.

policy_mode (string)
The policy mode that should be applied to applications deployed through the framework. Current options from Terraform are:

  • allow-all
  • deny-all
  • allow-custom-rules-only

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules (block)
If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > id (string)
The name of the custom rule.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > enabled (bool)
Whether the custom rule is enabled by default when applications are deployed through the framework.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > description (string)
The description of the custom rule being enforced by the framework.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > allowed_apps (string)
The specific applications that applications deployed through the framework can receive ingress from or send egress to.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > ports (block)
Port configuration where applications deployed through the framework can accept ingress or egress.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > ports > port (int)
The specific port (or list of ports) where applications deployed through the framework can accept ingress or egress.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules > ports > protocol (string)
The specific protocol where applications deployed through the framework can accept ingress or egress.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

egress (block)
Egress definition that will be accepted by applications deployed using the framework.
Required: No
If not defined, Shipa will automatically assign an allow-all egress policy to applications deployed through the framework.

disable_app_policies (bool)
Defines whether application owners can change ingress and/or egress rules at the application level after deployment.
Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

Detailed Network Policies

Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy, then exporting the framework configuration, which gives you the detailed network policy configuration in a file.

Container Policy

Component path: resource > framework > general > container_policy

allowed_hosts (string)
The container registry (or list of registries) that developers can use when deploying their applications through the framework.
Required: No
If not specified, developers will be able to deploy images from any container registry.
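As an added example that is not part of the Shipa provider or its documentation, the Python check below reviews a framework definition for the settings on this page that weaken its guardrails: scanning disabled or narrowed, waived components or CVEs, allow-all ingress or egress (including the implicit allow-all when a block is omitted), application-level policy changes left open, and no registry restriction. It takes the definition as a dict that mirrors the block structure above, with nested blocks as one-element lists (the shape `terraform show -json` renders them in); the sample definition is constructed from the cinema-services example at the top of the page.

```python
# Added example, not from the Shipa provider or its docs: flags settings in a shipa_framework
# definition that weaken its guardrails. Input mirrors the documented blocks, with nested
# blocks as one-element lists (the shape `terraform show -json` renders them in).

def _first(block):
    """Unwrap a nested block rendered as a one-element list; {} if absent."""
    if isinstance(block, list):
        return block[0] if block else {}
    return block or {}

def _truthy(value):
    """HCL accepts "false" for a bool attribute; treat the string like the bool."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def check_framework(framework):
    """Return one finding per weak setting; an empty list means nothing to flag."""
    general = _first(_first(framework.get("resources")).get("general"))
    setup, security = _first(general.get("setup")), _first(general.get("security"))
    netpol, registry = _first(general.get("network_policy")), _first(general.get("container_policy"))
    findings = []
    if _truthy(setup.get("public")):
        findings.append("setup.public: every team on Shipa can deploy to this framework")
    if _truthy(security.get("disable_scan")):
        findings.append("security.disable_scan: images deploy without a vulnerability scan")
    if not _truthy(security.get("scan_platform_layers", True)):
        findings.append("security.scan_platform_layers: platform layers are not scanned")
    for key in ("ignore_components", "ignore_cves"):
        if security.get(key):
            findings.append(f"security.{key}: waived {', '.join(security[key])}")
    for direction in ("ingress", "egress"):
        # The docs say an omitted ingress/egress block also means allow-all.
        if _first(netpol.get(direction)).get("policy_mode", "allow-all") == "allow-all":
            findings.append(f"network_policy.{direction}: allow-all")
    if not _truthy(netpol.get("disable_app_policies")):
        findings.append("network_policy.disable_app_policies: app owners can relax rules after deploy")
    if not registry.get("allowed_hosts"):
        findings.append("container_policy.allowed_hosts: images accepted from any registry")
    return findings

# Constructed sample mirroring the cinema-services example at the top of this page.
EXAMPLE_FRAMEWORK = {"resources": [{"general": [{
    "setup": [{"public": False, "default": False}],
    "security": [{"disable_scan": True, "scan_platform_layers": False,
                  "ignore_components": ["apt", "bash"], "ignore_cves": ["CVE-2020-27350", "CVE-2011-3374"]}],
    "network_policy": [{"ingress": [{"policy_mode": "allow-custom-rules-only"}],
                        "egress": [{"policy_mode": "allow-all"}], "disable_app_policies": "false"}],
    "container_policy": [{"allowed_hosts": ["docker.io/shipasoftware", "docker.io/shiparepo"]}]}]}]}
```

Running `check_framework(EXAMPLE_FRAMEWORK)` returns six findings for the page's example (scan disabled, platform layers unscanned, two waiver lists, allow-all egress, app-level policy changes open); a definition with scanning on, deny-all in both directions, `disable_app_policies = true` and a non-empty `allowed_hosts` returns none.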

Listing a Framework Configuration

terraform {
  required_providers {
    shipa = {
      version = "0.0.5"
      source = "shipa.io/terraform/shipa"
    }
  }
}

provider "shipa" {}

data "shipa_framework" "f1" {
  id = "shipa-framework"
}

output "my_val" {
  value = data.shipa_framework.f1
}

shipa_framework (string)
shipa_framework is Shipa's component for returning data for a specific framework when using Terraform.

id (string)
The name of the framework whose details you want to retrieve.

