diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..cca570cd
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+**
+!LICENSE
+!service/
+!vendor/
+!.gon-*.json
+!map.json
+!iam_definition.json
+!*.go
+!*.mod
+!*.sum
diff --git a/.gitignore b/.gitignore
index 2abbfe87..5f3c704e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,11 @@
 # vendor/
 
 # Custom
-iamlive
\ No newline at end of file
+iamlive
+
+# Ignore hidden files
+.*
+!.*ignore*
+!.gon-*.json
+!.github/
+!.goreleaser.yml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..307192b1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,38 @@
+ARG GO_VERSION=1.16.3
+ARG REPO_NAME=""
+ARG APP_NAME="iamlive"
+ARG APP_PATH="/go/src/iamlive"
+
+
+# Dev
+FROM golang:${GO_VERSION}-alpine AS dev
+RUN apk add --update git
+ARG APP_NAME
+ARG APP_PATH
+ENV APP_NAME="${APP_NAME}" \
+    APP_PATH="${APP_PATH}" \
+    GOOS="linux"
+WORKDIR "${APP_PATH}"
+COPY . "${APP_PATH}"
+ENTRYPOINT ["sh"]
+
+
+# Build
+FROM dev as build
+RUN go install
+ENTRYPOINT [ "sh" ]
+
+# App
+FROM alpine:3.12 AS app
+RUN apk --update upgrade && \
+    apk add --update ca-certificates && \
+    update-ca-certificates
+WORKDIR "/app/"
+COPY --from=build "/go/bin/iamlive" ./iamlive
+RUN addgroup -S "appgroup" && adduser -S "appuser" -G "appgroup" && \
+    chown -R "appuser:appgroup" .
+
+USER "appuser"
+EXPOSE 10080
+ENTRYPOINT ["./iamlive"]
+CMD ""
diff --git a/README.md b/README.md
index caa2fb8a..ad1a6db7 100644
--- a/README.md
+++ b/README.md
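Review bot: `CMD ""` on the last line of the `app` stage is shell form, which Docker wraps as `/bin/sh -c ""`; combined with the exec-form `ENTRYPOINT ["./iamlive"]`, a bare `docker run iamlive` would, as far as I can tell, start `./iamlive /bin/sh -c ""` rather than the binary with no arguments, so `CMD []` is the way to clear the default arguments. The `ENTRYPOINT [ "sh" ]` in the `build` stage is dead, since that stage is only ever used as a `COPY --from` source. For a reproducible, reviewable image, pin `alpine:3.12` and `golang:${GO_VERSION}-alpine` by digest rather than by tag, and use `apk --no-cache` so the package index is not left in the final layer. Because the service behind `EXPOSE 10080` is an intercepting proxy that terminates TLS with its own CA, whoever can reach the published port can route traffic through it; the README's `docker run` example publishes it with `-p 80:10080`, i.e. on every host interface, and `-p 127.0.0.1:80:10080` would keep it local unless remote use is intended.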
@@ -145,6 +145,94 @@ export HTTP_PROXY=http://127.0.0.1:10080
 export HTTPS_PROXY=http://127.0.0.1:10080
 ```
 
+#### Docker
+
+Build Docker image from source
+
+```bash
+docker build -t iamlive .
+```
+
+Run Docker container in Proxy Mode
+
+```bash
+docker run \
+ -p 80:10080 \
+ -p 443:10080 \
+ --name iamlive \
+ -it iamlive \
+ --mode proxy \
+ --bind-addr 0.0.0.0:10080 \
+ --force-wildcard-resource \
+ --output-file "/app/iamlive.log"
+# Runs in the background ...
+```
+
+Instruct tools that use AWS SDK, such as [aws-cli](https://aws.amazon.com/cli/) and [terraform](https://www.terraform.io/docs/cli/commands/index.html), to use the local proxy server - `iamlive` Docker container.
+
+```bash
+export HTTP_PROXY=http://127.0.0.1:80 \
+ HTTPS_PROXY=http://127.0.0.1:443 \
+ AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"
+```
+
+Copy the Certificate Authority Certificate (`ca.pem`) that was generated by the `iamlive` Docker container, to your local machine (Host).
+
+```bash
+docker cp iamlive:/home/appuser/.iamlive/ ~/
+```
+
+Test the local proxy server by invoking some `aws` command
+
+```bash
+aws s3 ls
+# Output
+# An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
+```
+
+Check the logs of the `iamlive` container, should look like this
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+It's important to mention that `terraform init` cannot be proxied via `iamlive` since it attempts to access [registry.terraform.io](registry.terraform.io), and it's not covered by `iamlive`. So first, unset the proxy settings, and then execute `terraform init`. Following that, execute `terraform apply` and check the logs of the `iamlive` container.
+
+```bash
+unset HTTP_PROXY HTTPS_PROXY AWS_CA_BUNDLE
+terraform init
+# Terraform has been successfully initialized!
+
+# Instruct CLIs to use iamlive local proxy server
+export HTTP_PROXY=http://127.0.0.1:80 \
+ HTTPS_PROXY=http://127.0.0.1:443 \
+ AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"
+
+# In terraform-iamlive dir
+terraform apply
+```
+
+To stop the `iamlive` Docker container hit `CTRL+C`. The `ca.pem` is preserved because the Docker container has stopped but wasn't removed. To re-run `iamlive` Docker container, execute the following command
+
+```bash
+# Hit CTRL+C To stop the container
+
+docker start -i iamlive
+# Keep it running in the background
+```
+
+
 #### SDKs
 
 To enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting: