More README.md about securing load balancers

Author: edwinavalos

LICENSE

@@ -1,4 +1,4 @@
-Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+MIT No Attribution
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this
 software and associated documentation files (the "Software"), to deal in the Software

NOTICE

@@ -0,0 +1,2 @@
+Spinnaker Halyard Deployment on AWS
+Copyright 2018-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.

README.md

@@ -1,7 +1,74 @@
-## AWS EKS deployment with Spinnaker
+# Halyard deploy
 
-AWS CloudFormation templates and scripting around launching an EKS cluster to run Spinnaker. The Spinnaker installation will allow for EC2 and EKS deployments. 
+This repo is intended to:
 
-## License Summary
+1. Create an EKS cluster for Spinnaker to be deployed to
+1. Deploy Spinnaker using halyard
 
-This sample code is made available under a modified MIT license. See the LICENSE file.
+This is mostly for demo environment purposes, and there are some overly permissive IAM roles in places. If you wish to run this in production, you should modify the permissive roles to be more restrictive. This is intended to run as-is in a brand new AWS account.
+
+# Pre-requisites 
+
+This repository assumes you have a new AWS account and wish to test Spinnaker out, you will need:
+
+1. AWS CLI credentials setup for a user with at least Administrator access to create resources
+1. Access to create EC2 security groups
+ 
+# Quick Start
+
+1. Fork this repository on GitHub (or CodeCommit)
+2. Run the following from a terminal with aws cli access to your account (change GITHUB to CODECOMMIT if code is uploaded there)
+
+    ```
+    ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    aws cloudformation create-stack --stack-name codebuild-projects \
+        --template-body "$(cat resources/cloudformation/codebuild-projects.yaml)" \
+        --parameters ParameterKey=CodeBuildArtifactsBucketName,ParameterValue=codebuild-artifacts-${ACCOUNT_ID} \
+                     ParameterKey=SourceLocation,ParameterValue=https://github.com/aws-samples/aws-deploy-spinnaker-halyard \
+                     ParameterKey=SourceType,ParameterValue=GITHUB \
+        --capabilities CAPABILITY_NAMED_IAM
+    aws ec2 create-key-pair --key-name spinnaker-eks-keypair
+    ```
+3. Navigate to CodeBuild
+4. Start the create-eks CodeBuild project
+5. Create a security group in the EKS-VPC to lock-down the Spinnaker load balancers take note of the security group id.
+6. Start the deploy-spinnaker CodeBuild project, fill in the environment variable "SECURITY_GROUP_ID" with the security group id from the previous step 
+
+Spinnaker will be available at the UI/Deck address emitted at the end of the deploy-spinnaker CodeBuild job.
+
+# Cleaning up
+
+The CodeBuild project "cleanup-infrastructure" will delete all objects associated with all the cloudformation stacks in this project except the CodeBuild projects stack. For the stack to delete *everything* you must specify the FORCE_DELETE parameter to true, this will empty the Spinnaker infra bucket of data before deleting the CloudFormation stack that defines the Spinnaker data bucket. This at the moment is a best effort there might be resources created by Spinnaker or other processes that will need to be manually deleted before the Spinnaker CloudFormation can be deleted.
+
+# Accessing EKS
+
+You will need to add your user ARN to the EKS-Admin role, once this done you can download the EKS kubeconfig with the following command
+
+```$bash
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+aws s3 cp s3://codebuild-artifacts-${ACCOUNT_ID}/create-eks/files/resources/kubernetes/kubeconfig.yaml /tmp/kube/config
+export KUBECONFIG=/tmp/kube/config
+kubectl get pods -n spinnaker
+``` 
+
+Once it is downloaded you can run kubectl commands as normal to read and output logs and see pod status.
+
+# Exposing Services
+
+See the [buildspec section](#modifying-buildspec-for-authentication-and-security-groups) for some supplemental information.
+
+The code in this repository will create two load balancers using the EKS and EC2 integrations, these services are created in the deploy_spinnaker.sh. When created these load balancers are open to the world, so there are few flags in the deploy_spinnaker.sh to give you options on locking down the security groups, the flags in this example will apply the security group specified in the deploy_spinnaker.sh script to the load balancers to lock down load balancers.
+
+# Modifying the Spinnaker installation
+
+If you need to tweak the halyard settings that are applied to the Spinnaker installation this can be accomplished by modifying the `deploy_spinnaker.sh` script. Once modified you can upload your changes to the source control, and then rerun the deploy-spinnaker CodeBuild job to apply the changes.
+
+# Feedback
+
+This repository is meant to be an easy method of deploying Spinnaker to a brand new AWS account for demo purposes. Not all use cases are meant to be covered, but if new use cases can be added without making the repository difficult to use, then they are more than welcome. You can submit changes or fixes to this repository by submitting a pull request on this repository. We will review and provide feedback, we might need further follow up from pull request authors to make changes.
+
+
+
+
+
+ 

buildspec-cleanup.yaml

@@ -0,0 +1,17 @@
+## Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: MIT-0
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - apk add --no-cache curl bash
+      - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.11.0/bin/linux/amd64/kubectl
+      - chmod +x kubectl
+      - mv kubectl /usr/local/bin
+      - curl -LO https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator
+      - chmod +x aws-iam-authenticator
+      - mv aws-iam-authenticator /usr/local/bin/heptio-authenticator-aws
+      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+      - aws s3 cp s3://codebuild-artifacts-${ACCOUNT_ID}/create-eks/files/resources/kubernetes/kubeconfig-no-role.yaml /root/.kube/config
+      - ./scripts/cleanup.sh -f ${SECURITY_GROUP_ID} -d ${FORCE_DELETE}

buildspec-deploy.yaml

@@ -0,0 +1,19 @@
+## Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: MIT-0
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - curl -LO https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/kubectl
+      - chmod +x kubectl
+      - mv kubectl /usr/local/bin
+      - curl -LO https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator
+      - chmod +x aws-iam-authenticator
+      - mv aws-iam-authenticator /usr/local/bin/heptio-authenticator-aws
+      - curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
+      - unzip awscli-bundle.zip
+      - ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
+      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+      - aws s3 cp s3://codebuild-artifacts-${ACCOUNT_ID}/create-eks/files/resources/kubernetes/kubeconfig-no-role.yaml /home/spinnaker/.kube/config
+      - su spinnaker -c "./scripts/deploy_spinnaker.sh -f ${SECURITY_GROUP_ID}"

buildspec-infra.yaml

@@ -0,0 +1,20 @@
+## Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: MIT-0
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - apk add --no-cache curl bash
+      - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.11.0/bin/linux/amd64/kubectl
+      - chmod +x kubectl
+      - mv kubectl /usr/local/bin
+      - curl -LO https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator
+      - chmod +x aws-iam-authenticator
+      - mv aws-iam-authenticator /usr/local/bin/heptio-authenticator-aws
+      - ./scripts/create_eks_cluster.sh -k ${K8S_NAME} -s ${K8S_KEYPAIR} -b ${BUCKET_NAME}
+
+artifacts:
+  files:
+    - resources/kubernetes/kubeconfig.yaml
+    - resources/kubernetes/kubeconfig-no-role.yaml

resources/cloudformation/codebuild-projects.yaml

@@ -0,0 +1,185 @@
+## Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: MIT-0
+
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'CodeBuild Projects for EKS+Spinnaker'
+
+Parameters:
+
+  CodeBuildArtifactsBucketName:
+    Type: String
+    Default: codebuild-artifacts
+    Description: Name for the bucket where CodeBuild will save output artifacts
+
+  SourceLocation:
+    Type: String
+    Default: https://git-codecommit.us-west-2.amazonaws.com/v1/repos/myrepowithcode
+    Description: Location of source code for the create-eks and deploy spinnaker codebuild projects
+
+  SourceType:
+    Type: String
+    Default: GITHUB
+    AllowedValues:
+      - GITHUB
+      - CODECOMMIT
+
+Resources:
+
+  CreateEKSSpinnakerRole:
+      Type: AWS::IAM::Role
+      Properties:
+        RoleName: create-eks-spinnaker
+        AssumeRolePolicyDocument:
+          Statement:
+            - Action:
+                - sts:AssumeRole
+              Effect: Allow
+              Principal:
+                Service: codebuild.amazonaws.com
+          Version: '2012-10-17'
+        ManagedPolicyArns:
+          - arn:aws:iam::aws:policy/PowerUserAccess
+          - arn:aws:iam::aws:policy/IAMFullAccess
+
+  CodeBuildArtifactsBucket:
+    Type: "AWS::S3::Bucket"
+    Properties:
+      BucketName: !Ref CodeBuildArtifactsBucketName
+      Tags:
+        -
+          Key: cloudformation-stack
+          Value: !Ref AWS::StackId
+
+  CreateEKSProject:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Artifacts:
+        Name: files
+        Location: !Ref CodeBuildArtifactsBucket
+        OverrideArtifactName: true
+        NamespaceType: NONE
+        Packaging: NONE
+        Path: create-eks
+        Type: S3
+      BadgeEnabled: true
+      Cache:
+        Type: NO_CACHE
+      Description: Creates and EKS cluster and supporting infrastructure/roles/policies for managing a Spinnaker instance
+      EncryptionKey:
+        Fn::Join: [ "", [ "arn:aws:kms:", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":alias/aws/s3"]]
+      Environment:
+        ComputeType: BUILD_GENERAL1_SMALL
+        Image: infrastructureascode/aws-cli
+        PrivilegedMode: false
+        Type: LINUX_CONTAINER
+        EnvironmentVariables:
+          -
+            Name: K8S_NAME
+            Type: PLAINTEXT
+            Value: "spinnaker-infra"
+          -
+            Name: K8S_KEYPAIR
+            Type: PLAINTEXT
+            Value: "spinnaker-eks-keypair"
+          -
+            Name: BUCKET_NAME
+            Type: PLAINTEXT
+            Value: "spinnaker-infra"
+      Name: create-eks
+      ServiceRole: !Ref CreateEKSSpinnakerRole
+      Source:
+        BuildSpec: buildspec-infra.yaml
+        GitCloneDepth: 1
+        InsecureSsl: false
+        Location: !Ref SourceLocation
+        Type: !Ref SourceType
+      Tags:
+        -
+          Key: cloudformation-stack
+          Value: !Ref AWS::StackId
+      TimeoutInMinutes: 45
+
+  DeploySpinnakerProject:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      BadgeEnabled: true
+      Cache:
+        Type: NO_CACHE
+      Description: Deploys Spinnaker via Halyard
+      EncryptionKey:
+        Fn::Join: [ "", [ "arn:aws:kms:", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":alias/aws/s3"]]
+      Environment:
+        ComputeType: BUILD_GENERAL1_SMALL
+        Image: gcr.io/spinnaker-marketplace/halyard:stable
+        PrivilegedMode: false
+        Type: LINUX_CONTAINER
+        EnvironmentVariables:
+          -
+            Name: SECURITY_GROUP_ID
+            Type: PLAINTEXT
+            Value: ""
+      Name: deploy-spinnaker
+      ServiceRole: !Ref CreateEKSSpinnakerRole
+      Source:
+        BuildSpec: buildspec-deploy.yaml
+        GitCloneDepth: 1
+        InsecureSsl: false
+        Location: !Ref SourceLocation
+        Type: !Ref SourceType
+      Tags:
+        -
+          Key: cloudformation-stack
+          Value: !Ref AWS::StackId
+      TimeoutInMinutes: 45
+
+  CleanUpProject:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      BadgeEnabled: true
+      Cache:
+        Type: NO_CACHE
+      Description: Deploys Spinnaker via Halyard
+      EncryptionKey:
+        Fn::Join: [ "", [ "arn:aws:kms:", { Ref: "AWS::Region" }, ":", { Ref: "AWS::AccountId" }, ":alias/aws/s3"]]
+      Environment:
+        ComputeType: BUILD_GENERAL1_SMALL
+        Image: infrastructureascode/aws-cli
+        PrivilegedMode: false
+        Type: LINUX_CONTAINER
+        EnvironmentVariables:
+          -
+            Name: SECURITY_GROUP_ID
+            Type: PLAINTEXT
+            Value: ""
+          -
+            Name: FORCE_DELETE
+            Type: PLAINTEXT
+            Value: "false"
+      Name: cleanup-infrastructure
+      ServiceRole: !Ref CreateEKSSpinnakerRole
+      Source:
+        BuildSpec: buildspec-cleanup.yaml
+        GitCloneDepth: 1
+        InsecureSsl: false
+        Location: !Ref SourceLocation
+        Type: !Ref SourceType
+      Tags:
+        -
+          Key: cloudformation-stack
+          Value: !Ref AWS::StackId
+      TimeoutInMinutes: 45
+
+Outputs:
+
+  CodeBuildArtifactsBucket:
+    Description: Bucket where codebuild artifacts are placed
+    Value: !Ref CodeBuildArtifactsBucket
+
+  CreateEKSSpinnakerRole:
+    Description: Role that the codebuild projects use for EKS and Spinnaker deployments
+    Value: !Ref CreateEKSSpinnakerRole