Infrastructure-as-Code for the Wiz Solutions Engineering Manager technical exercise.
Architecture:

```text
Internet → Load Balancer → K8s App → MongoDB (EC2) → S3 Backups
                                           ↓
                            (IAM Role: AdministratorAccess)
```
Provision the infrastructure:

```bash
cd terraform
terraform init
terraform plan
terraform apply
```

Point kubectl at the new EKS cluster:

```bash
aws eks update-kubeconfig --region us-east-1 --name wiz-exercise
```

Install the ingress-nginx controller (its Service is exposed as a LoadBalancer):

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.service.type=LoadBalancer
```
Fill in the placeholders in the Kubernetes manifests (run from the repository root):

```bash
# Get values from terraform output
EC2_PRIVATE_IP=$(terraform -chdir=terraform output -raw ec2_private_ip)
ECR_URL=$(terraform -chdir=terraform output -raw ecr_repository_url)
# Update secret and deployment
sed -i "s/REPLACE_WITH_EC2_PRIVATE_IP/$EC2_PRIVATE_IP/g" app/k8s/secret.yaml
sed -i "s|REPLACE_WITH_ECR_URL|$ECR_URL|g" app/k8s/deployment.yaml
```
Build the application image and push it to ECR:

```bash
cd app
ECR_URL=$(terraform -chdir=../terraform output -raw ecr_repository_url)
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $ECR_URL
docker build -t $ECR_URL:latest .
docker push $ECR_URL:latest
cd ..
```

Deploy the application and verify it:

```bash
kubectl apply -f app/k8s/
# Get Load Balancer URL
kubectl get ingress -n wiz-app
# Test endpoints
curl http://<LB_URL>/
curl http://<LB_URL>/wizexercise
curl http://<LB_URL>/items
```
```bash
# Verify wizexercise.txt in pod
kubectl exec -it deploy/wiz-app -n wiz-app -- cat /app/wizexercise.txt
```

Misconfigurations built into the environment and the tooling expected to detect each:

| Component | Misconfiguration | Detection |
|---|---|---|
| EC2 | SSH from 0.0.0.0/0 | GuardDuty |
| EC2 | AdministratorAccess IAM | Wiz |
| EC2 | Ubuntu 20.04 (EOL) | Wiz |
| MongoDB | v4.4 (EOL) | Wiz |
| S3 | Public read/list | AWS Config / Wiz |
| K8s | cluster-admin binding | Wiz |
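As an added example (not part of the exercise repository), a small policy-as-code check that reads `terraform show -json` output and flags three of the table's rows before `terraform apply`. The plan snippet inside it is constructed, and the resource addresses and role name are assumptions.

```python
"""Policy-as-code check over `terraform show -json <planfile>` output.
Flags three table rows: SSH open to the world, AdministratorAccess on the
EC2 role, and a public S3 bucket ACL. SAMPLE_PLAN below is constructed.
"""
import json
import sys

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def find_misconfigs(plan: dict) -> list[str]:
    """Return one finding per misconfiguration in the plan's planned values."""
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        rtype, addr, val = res["type"], res["address"], res.get("values") or {}
        if rtype == "aws_security_group":
            for rule in val.get("ingress", []):
                open_to = ANYWHERE & set(rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []))
                covers_ssh = (rule.get("protocol") == "-1"  # -1 means all ports
                              or rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0))
                if open_to and covers_ssh:
                    findings.append(f"{addr}: SSH (22) open to {sorted(open_to)}")
        elif rtype == "aws_iam_role_policy_attachment" and val.get("policy_arn") == ADMIN_POLICY:
            findings.append(f"{addr}: AdministratorAccess attached to role {val.get('role')}")
        elif rtype == "aws_s3_bucket_acl" and str(val.get("acl", "")).startswith("public-read"):
            findings.append(f"{addr}: bucket ACL is {val['acl']}")
    return findings

# Constructed sample of the relevant parts of a plan; addresses/names are assumed.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.mongo", "type": "aws_security_group", "values": {
        "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
            {"from_port": 27017, "to_port": 27017, "protocol": "tcp",
             "cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": []}]}},
    {"address": "aws_iam_role_policy_attachment.mongo_admin",
     "type": "aws_iam_role_policy_attachment",
     "values": {"role": "wiz-mongo-role", "policy_arn": ADMIN_POLICY}},
    {"address": "aws_s3_bucket_acl.backups", "type": "aws_s3_bucket_acl",
     "values": {"acl": "public-read"}},
]}}}

if __name__ == "__main__":
    # Real use: terraform show -json tfplan > plan.json && python check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = find_misconfigs(plan)
    print("\n".join(f"FAIL {f}" for f in found) or "OK: no findings")
    sys.exit(1 if found else 0)
```

The EOL OS/MongoDB rows and the cluster-admin binding (applied via kubectl, not Terraform) are not visible in the plan and need an image/runtime scan or a check over the manifests.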
CI/CD:

- Terraform pipeline: `.github/workflows/terraform.yml`
- App pipeline: `.github/workflows/app.yml`

Both pipelines include security scanning (tfsec, Trivy) in soft-fail mode, so findings are reported but do not block the run.