TrendMicro::CloudOneContainer::Helm
An AWS CloudFormation resource type that deploys Trend Micro Cloud One Container Security into EKS clusters using helm.
Prerequisites
IAM role
An IAM role is used by CloudFormation to execute this resource type handler code.
A CloudFormation template to create the exeecution role is available
here
EKS clusters use IAM to allow access to the kubernetes API, as the CloudFormation resource types in this project
interact with the kubernetes API, the IAM execution role must be granted access to the kubernetes API. This can be done
in one of two ways:
- Create the cluster using CloudFormation: Currently there is no native way to manage EKS auth using CloudFormation
(+1 this GitHub issue to help prioritize native support).
For this reason we have published
AWSQS::EKS::Cluster
. Instructions on activation and usage can be found
here.
- Manually: to allow this resource type to access the kubernetes API, follow the
instructions in the EKS documentation adding
the IAM execution role created above to the
system:masters
group. (Note: you can scope this down if you plan to use
the resource type to only perform specific operations on the kubernetes cluster)
Activating the resource type
Activation can be done in one of the following ways:
Note that this must be done in each region you plan to use this resource type in.
Usage
Properties and return values for the resource type are documented here.
Documentation for the helm chart and it's values are available here.
Examples
Deploy Trend Micro Cloud One Container Security fetching credentials stored in AWS Secrets Manager
AWSTemplateFormatVersion: "2010-09-09"
Resources:
CloudOneHelmRelease:
Type: "TrendMicro::CloudOneContainer::Helm"
Properties:
ClusterID: my-cluster-name
Name: trendmicro-cloudone
Namespace: trendmicro-cloudone
Values:
cloudOne.admissionController.apiKey: {{resolve:secretsmanager:cloudone-api:SecretString:api-key}}
cloudOne.runtimeSecurity.apiKey: {{resolve:secretsmanager:cloudone-api:SecretString:api-key}}
cloudOne.runtimeSecurity.secret: {{resolve:secretsmanager:cloudone-api:SecretString:api-secret}}