OWASP
diff --git a/‎aws/.terraform.lock.hcl
Lines changed: 68 additions & 72 deletions b/‎aws/.terraform.lock.hcl
Lines changed: 68 additions & 72 deletions
diff --git a/‎aws/README.md
Lines changed: 5 additions & 5 deletions b/‎aws/README.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎aws/build-and-deploy-aws.sh
Lines changed: 3 additions & 6 deletions b/‎aws/build-and-deploy-aws.sh
Lines changed: 3 additions & 6 deletions
diff --git a/‎aws/k8s/ctfd-ingress.yaml
Lines changed: 1 addition & 0 deletions b/‎aws/k8s/ctfd-ingress.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎aws/k8s/wrongsecrets-balancer-ingress.yml
Lines changed: 1 addition & 0 deletions b/‎aws/k8s/wrongsecrets-balancer-ingress.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎aws/main.tf
Lines changed: 34 additions & 15 deletions b/‎aws/main.tf
Lines changed: 34 additions & 15 deletions
@@ -72,7 +72,7 @@ You can use the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf
 Follow the following steps:
 
 ```shell
-    npm install -g juice-shop-ctf-cli@9.1.2
+    npm install -g juice-shop-ctf-cli@10.0.1
     juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.
 ```
 
@@ -150,18 +150,18 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.69.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | 3.4.5 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.44.0 |
-| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.44.0 |
+| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.46 |
+| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.46 |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.24.2 |
-| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.44.0 |
+| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.46 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.13.0 |
 
 ## Resources
 
@@ -101,7 +101,7 @@ kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-
 
 echo "preparing calico via Helm"
 helm repo add projectcalico https://docs.projectcalico.org/charts
-helm upgrade --install calico projectcalico/tigera-operator --version v3.21.4
+helm upgrade --install calico projectcalico/tigera-operator --version v3.28.2
 
 echo "Generate secrets manager challenge secret 2"
 aws secretsmanager put-secret-value --secret-id wrongsecret-2 --secret-string "$(openssl rand -base64 24)" --region $AWS_REGION --output json --no-cli-pager
@@ -140,7 +140,7 @@ echo "App password is ${APP_PASSWORD}"
 echo "executing helm install of wrongsecrets"
 helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
   --set="balancer.env.K8S_ENV=aws" \
-  --set="balancer.tag=1.9.0alpha5-cloud" \
+  --set="balancer.tag=1.9.1beta5-cloud" \
   --set="balancer.env.IRSA_ROLE=${IRSA_ROLE_ARN}" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
   --set="balancer.env.REACT_APP_S3_BUCKET_URL=s3://${STATE_BUCKET}" \
@@ -150,11 +150,8 @@ helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
 # Install CTFd
 echo "Installing CTFd"
 
-export HELM_EXPERIMENTAL_OCI=1
-kubectl create namespace ctfd
-
 # Double base64 encoding to prevent weird character errors in ctfd
-helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.6.3\
+helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --create-namespace --version v0.9.3\
   --set="redis.auth.password=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.rootPassword=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.password=$(openssl rand -base64 24 | base64)" \
 
@@ -6,6 +6,7 @@ metadata:
   annotations:
     alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/target-type: instance
+    alb.ingress.kubernetes.io/success-codes: 200-399
     acme.cert-manager.io/http01-edit-in-place: "true"
     # cert-manager.io/issue-temporary-certificate: "true"
     #uncomment and configure below if you want to use tls, don't forget to override the cookie to a secure value!
 
@@ -6,6 +6,7 @@ metadata:
   annotations:
     alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/target-type: instance
+    alb.ingress.kubernetes.io/success-codes: 200-399
     acme.cert-manager.io/http01-edit-in-place: "true"
     # cert-manager.io/issue-temporary-certificate: "true"
     #uncomment and configure below if you want to use tls, don't forget to override the cookie to a secure value!
 
@@ -74,9 +74,18 @@ module "eks" {
     aws-ebs-csi-driver = {
       most_recent              = true
       service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
+      configuration_values = jsonencode({
+        defaultStorageClass = {
+          enabled = true
+        }
+      })
     }
   }
 
+  cluster_upgrade_policy = {
+    support_type = "STANDARD"
+  }
+
 
   cluster_endpoint_private_access = true
   cluster_endpoint_public_access  = true
@@ -89,32 +98,42 @@ module "eks" {
 
   create_cloudwatch_log_group            = true
   cluster_enabled_log_types              = ["api", "audit", "authenticator"]
-  cloudwatch_log_group_retention_in_days = 14 #it's a ctf , we don't need non-necessary costs!
+  cloudwatch_log_group_retention_in_days = 14 #it's a ctf , we don't need unnecessary costs!
 
   # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"
   eks_managed_node_group_defaults = {
-    disk_size       = 256
-    disk_type       = "gp3"
-    disk_throughput = 150
-    disk_iops       = 3000
-    instance_types  = ["t3a.medium"]
+    instance_types = ["m5a.xlarge"]
+    block_device_mappings = [
+      {
+        device_name = "/dev/xvda"
+        ebs = {
+          volume_size           = 200
+          volume_type           = "gp3"
+          iops                  = 3000
+          throughput            = 150
+          delete_on_termination = true
+        }
+      }
+    ]
+    metadata_options = {
+      http_tokens = "required",
+    }
 
     iam_role_additional_policies = {
       AmazonEKSWorkerNodePolicy : "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
       AmazonEKS_CNI_Policy : "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
       AmazonEC2ContainerRegistryReadOnly : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
       AmazonSSMManagedInstanceCore : "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-      AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+      AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
+      AmazonEBSCSIDriverPolicy : "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
     }
   }
 
   eks_managed_node_groups = {
     bottlerocket_default = {
-      use_custom_launch_template = false
-      min_size                   = 3
-      max_size                   = 50
-      desired_size               = 3
-
+      min_size      = 3
+      max_size      = 50
+      desired_size  = 3
       capacity_type = "ON_DEMAND"
 
       ami_type = "BOTTLEROCKET_x86_64"
@@ -144,7 +163,7 @@ module "eks" {
 # Cluster Autoscaler IRSA
 module "cluster_autoscaler_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
 
   role_name                        = "wrongsecrets-cluster-autoscaler"
@@ -161,7 +180,7 @@ module "cluster_autoscaler_irsa_role" {
 
 module "ebs_csi_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
   role_name             = "wrongsecrets-ebs-csi"
   attach_ebs_csi_policy = true
@@ -176,7 +195,7 @@ module "ebs_csi_irsa_role" {
 
 module "load_balancer_controller_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
   role_name                              = "wrongsecrets-load-balancer-controller"
   attach_load_balancer_controller_policy = true