💾 Archived View for tilde.pink › ~nagi › tf-neuvector.gmi captured on 2024-03-21 at 16:09:27. Gemini links have been rewritten to link to archived content


Terraform NeuVector provider

2023-06-04

This project is used to manage NeuVector's configuration and its most relevant resources. I was asked to automate the configuration of the solution in a fairly specific context. Initially, I had made a rather well-organized bash script that could apply these resources, but not destroy them.

I then asked around and very quickly found Terraform. So I learned how to use it and made a module that could manage any NeuVector resource, but only for creation and destruction.

A huge problem was that the token NeuVector provides tends to time out quite quickly (300 seconds by default).

So I decided to create a Terraform provider to handle all this cleanly. The language best suited for this is Go, so I learned it. HashiCorp explains that it's best to separate the client library from the provider.

So I created a Go SDK for NeuVector before using it in the provider.

Now the provider is able to fully manage the implemented resources (create, delete, update and import).
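The session timeout described above is the failure mode a provider has to absorb: a Terraform apply can easily run longer than 300 seconds, so the client must notice a rejected token and log in again rather than fail the resource. The following is an added example, not code from this provider or its Go SDK, showing one way to do that: the client keeps a session token, treats a 401 as "token expired", logs in again and retries the request exactly once. The /v1/auth endpoint, the JSON login body and the X-Auth-Token header are assumptions made for this example; NewFakeController is a constructed in-memory stand-in for the controller so the code runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Client owns a NeuVector session token and re-authenticates transparently.
// The /v1/auth endpoint, its body and the X-Auth-Token header are assumptions.
type Client struct {
	BaseURL, Username, Password string
	HTTP                        *http.Client
	mu                          sync.Mutex
	token                       string
	Logins                      int // /v1/auth calls so far, exposed for checks
}

// login exchanges the credentials for a fresh session token.
func (c *Client) login() error {
	body, _ := json.Marshal(map[string]any{"password": map[string]string{"username": c.Username, "password": c.Password}})
	resp, err := c.HTTP.Post(c.BaseURL+"/v1/auth", "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("login failed: %s", resp.Status)
	}
	var out struct{ Token struct{ Token string } }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return err
	}
	c.token, c.Logins = out.Token.Token, c.Logins+1
	return nil
}

// Get performs an authenticated GET. A 401 is taken to mean the session timed
// out, so the token is dropped and the request retried once after a new login.
func (c *Client) Get(path string) (int, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for attempt := 0; ; attempt++ {
		if c.token == "" {
			if err := c.login(); err != nil {
				return 0, err
			}
		}
		req, _ := http.NewRequest(http.MethodGet, c.BaseURL+path, nil) // base URL is trusted here
		req.Header.Set("X-Auth-Token", c.token)
		resp, err := c.HTTP.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusUnauthorized || attempt > 0 {
			return resp.StatusCode, nil
		}
		c.token = "" // rejected: forget it so the next iteration logs in again
	}
}

// NewFakeController is a constructed stand-in for the controller API whose
// tokens expire after ttl; it exists only so the example runs offline.
func NewFakeController(ttl time.Duration) *httptest.Server {
	var mu sync.Mutex
	issued := map[string]time.Time{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		if r.URL.Path == "/v1/auth" && r.Method == http.MethodPost {
			tok := fmt.Sprintf("tok-%d", len(issued)+1)
			issued[tok] = time.Now().Add(ttl)
			json.NewEncoder(w).Encode(map[string]any{"token": map[string]string{"token": tok}})
			return
		}
		if exp, ok := issued[r.Header.Get("X-Auth-Token")]; !ok || time.Now().After(exp) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Write([]byte(`{"ok":true}`))
	}))
}

// Demo makes one call, waits past the token lifetime, makes another, and
// reports both status codes plus how many logins were needed.
func Demo(ttl time.Duration) (first, second, logins int, err error) {
	srv := NewFakeController(ttl)
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Username: "admin", Password: "admin", HTTP: srv.Client()}
	if first, err = c.Get("/v1/eula"); err != nil {
		return
	}
	time.Sleep(ttl + 50*time.Millisecond)
	second, err = c.Get("/v1/eula")
	return first, second, c.Logins, err
}
```

Calling Demo with a 200 ms lifetime returns status 200 for both requests and a login count of 2: the second request was silently re-authenticated. The retry is bounded to one so a wrong or revoked password surfaces as a 401 instead of a login loop, and the mutex keeps concurrent resource operations from racing on the shared token.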

Use cases

The provider block in Terraform looks like this:

```
terraform {
  required_providers {
    neuvector = {
      source  = "theobori/neuvector"
      version = "0.4.1"
    }
  }
}

# Example values only: admin/admin is the default NeuVector account. In a real
# configuration keep the password out of version control (for instance in a
# variable marked sensitive) and point base_url at the controller's REST API.
provider "neuvector" {
  base_url = "https://127.0.0.1:10443/v1/"
  username = "admin"
  password = "admin"
}
```

Once it is declared in the configuration, you can start using it as you want. Here's a Terraform example that could be applied right after installing NeuVector.

```
# The controller refuses most configuration until the EULA is accepted.
resource "neuvector_eula" "eula" {
  accepted = true
}

# Docker Hub as a scan target; the "*" filter matches every repository.
resource "neuvector_registry" "registry_test" {
  name                   = "docker.io"
  registry_type          = "Docker Registry"
  filters                = ["*"]
  registry               = "https://registry.hub.docker.com/"
  rescan_after_db_update = true
  auth_with_token        = false
  scan_layers            = true
}

# A workload belongs to the group when it satisfies all criteria blocks.
resource "neuvector_group" "group_test" {
  name = "mytestgroup"

  criteria {
    key   = "pattern"
    value = "[a-z]"
    op    = "regex"
  }

  criteria {
    key   = "namespace"
    value = "example"
    op    = "="
  }
}

# Read the group back to get the services that currently belong to it.
data "neuvector_group_metadata" "group_metadata" {
  name = neuvector_group.group_test.id
}

# The reference must name the data source declared above.
resource "neuvector_service_config" "service_config_test" {
  services = data.neuvector_group_metadata.group_metadata.services

  # Exclude these services from the security risk score.
  not_scored = true
}
```

Links

https://github.com/theobori/terraform-provider-neuvector

https://registry.terraform.io/providers/theobori/neuvector