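#!/usr/bin/env bash
#
# Bootstrap the DevSecOps platform for one environment.
#
# Usage:    ./bootstrap.sh <dev|staging|prod>
# Inputs:   AWS_REGION (optional, defaults to us-east-1) — region of the EKS
#           cluster created by the environment's Terraform.
# Requires: terraform, kubectl, helm, aws, trivy on PATH, and AWS credentials
#           for the target account already present in the environment (nothing
#           is prompted for or stored by this script).
#
# Steps: Terraform apply -> kubeconfig -> base k8s objects -> platform services
#        -> security tooling -> observability stack -> initial trivy scan.
#
# Every kubectl call after step 3 is pinned to the context that step 3 wrote,
# so a pre-existing default context can never receive these manifests.

set -euo pipefail

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Fail before touching any infrastructure rather than part-way through an apply.
require_cmd() { command -v "$1" >/dev/null 2>&1 || die "$1 not found"; }

# Apply every manifest under a directory against the bootstrap context only.
apply_dir() { kubectl --context "${KUBE_CONTEXT}" apply -f "$1"; }

# ---------------------------------------------------------------------------
# Arguments
# ---------------------------------------------------------------------------

ENV="${1:?Usage: $0 <dev|staging|prod>}"
# Allow-list the environment: the value is spliced into a filesystem path and
# into the Terraform state key, so anything else (including "../something")
# must be rejected here instead of being discovered by a failing `cd`.
case "${ENV}" in
  dev|staging|prod) ;;
  *) die "unknown environment '${ENV}' (expected dev, staging or prod)" ;;
esac

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PLATFORM_DIR="$(dirname "${SCRIPT_DIR}")"
# Region is an input, not a constant; the default preserves the old behaviour.
AWS_REGION="${AWS_REGION:-us-east-1}"

echo "============================================"
echo " DevSecOps Platform Bootstrap — ${ENV^^}"
echo "============================================"

# ---------------------------------------------------------------------------
# [1/8] Prerequisites
# ---------------------------------------------------------------------------

echo "[1/8] Checking prerequisites..."
# helm is checked but never invoked below; presumably needed by the workload
# manifests or the printed "next steps" — TODO confirm and drop if unused.
for tool in terraform kubectl helm aws trivy; do
  require_cmd "${tool}"
done
# Resolve the caller's identity now: this both proves credentials are present
# and shows the operator which account a prod bootstrap is about to modify.
AWS_ACCOUNT="$(aws sts get-caller-identity --query Account --output text)" \
  || die "no usable AWS credentials in the environment"
echo "Prerequisites OK (AWS account ${AWS_ACCOUNT}, region ${AWS_REGION})"

# ---------------------------------------------------------------------------
# [2/8] Terraform
# ---------------------------------------------------------------------------

echo "[2/8] Applying Terraform infrastructure..."
cd "${PLATFORM_DIR}/terraform/environments/${ENV}"

# A saved plan contains every resolved value — including sensitive ones — in
# plaintext. Keep it in a private temp file and remove it on every exit path
# instead of leaving a world-readable `tfplan` in the repository checkout.
TF_PLAN="$(mktemp "${TMPDIR:-/tmp}/tfplan.${ENV}.XXXXXX")"
cleanup() { rm -f -- "${TF_PLAN}"; }
trap cleanup EXIT

# -input=false: never block on an interactive prompt when run unattended.
terraform init -input=false -backend-config="key=${ENV}/terraform.tfstate"
terraform plan -input=false -out="${TF_PLAN}"
terraform apply -input=false "${TF_PLAN}"

# ---------------------------------------------------------------------------
# [3/8] Kubeconfig
# ---------------------------------------------------------------------------

echo "[3/8] Updating kubeconfig..."
# Prefer the cluster id that Terraform actually created. The naming fallback
# is kept for environments whose module does not export `cluster_id`, but it
# is a guess, so say so loudly: a wrong guess that happens to match an
# existing cluster would send all of the manifests below to that cluster.
if ! CLUSTER_NAME="$(terraform output -raw cluster_id 2>/dev/null)"; then
  CLUSTER_NAME="${ENV}-eks"
  printf 'WARN: terraform output "cluster_id" is missing; assuming cluster name %s\n' \
    "${CLUSTER_NAME}" >&2
fi
aws eks update-kubeconfig --name "${CLUSTER_NAME}" --region "${AWS_REGION}"
# update-kubeconfig makes the new cluster the current context; capture its name
# so every subsequent kubectl call is pinned to it explicitly.
KUBE_CONTEXT="$(kubectl config current-context)"
echo "Using kubectl context ${KUBE_CONTEXT}"

# ---------------------------------------------------------------------------
# [4/8] Namespaces and base resources
# ---------------------------------------------------------------------------

echo "[4/8] Creating namespaces and base resources..."
# Order matters: namespaces first, then the RBAC / network policies / quotas
# that live inside them. Network policies are applied before any workload so
# nothing runs unrestricted in between.
apply_dir "${PLATFORM_DIR}/k8s/base/namespaces/"
apply_dir "${PLATFORM_DIR}/k8s/base/rbac/"
apply_dir "${PLATFORM_DIR}/k8s/base/network-policies/"
apply_dir "${PLATFORM_DIR}/k8s/base/resource-quotas/"
apply_dir "${PLATFORM_DIR}/k8s/base/limit-ranges/"

# ---------------------------------------------------------------------------
# [5/8] Platform services
# ---------------------------------------------------------------------------

echo "[5/8] Installing platform services..."
# These manifests are applied straight from the local checkout: their
# integrity rests on how the repository is fetched and reviewed, not on
# anything this script verifies.
apply_dir "${PLATFORM_DIR}/k8s/manifests/cert-manager/"
apply_dir "${PLATFORM_DIR}/k8s/manifests/external-secrets/"
apply_dir "${PLATFORM_DIR}/k8s/manifests/istio/"
apply_dir "${PLATFORM_DIR}/k8s/manifests/argo-cd/"

# ---------------------------------------------------------------------------
# [6/8] Security tools
# ---------------------------------------------------------------------------

echo "[6/8] Installing security tools..."
# NOTE(review): kyverno's admission policies only gate writes made after this
# step; objects created in steps 4-5 are not re-validated at admission time
# (they show up in policy reports, if background scanning is enabled in the
# kyverno manifests — confirm).
apply_dir "${PLATFORM_DIR}/k8s/manifests/trivy-operator/"
apply_dir "${PLATFORM_DIR}/k8s/manifests/falco/"
apply_dir "${PLATFORM_DIR}/k8s/manifests/kyverno/"

# ---------------------------------------------------------------------------
# [7/8] Observability
# ---------------------------------------------------------------------------

echo "[7/8] Installing observability stack..."
apply_dir "${PLATFORM_DIR}/k8s/manifests/prometheus-stack/"
apply_dir "${PLATFORM_DIR}/monitoring/prometheus/"
apply_dir "${PLATFORM_DIR}/monitoring/alertmanager/"
apply_dir "${PLATFORM_DIR}/monitoring/otel/"

# ---------------------------------------------------------------------------
# [8/8] Initial scan
# ---------------------------------------------------------------------------

echo "[8/8] Running initial security scan..."
# Scans the cluster behind the current kubeconfig context (set in step 3).
# This is a report only: no --exit-code, so findings do not fail the bootstrap.
trivy k8s --report all --severity CRITICAL,HIGH

echo "============================================"
echo " Platform ${ENV^^} bootstrap complete!"
echo "============================================"
echo ""
echo "Next steps:"
echo " 1. Configure ArgoCD: kubectl get svc -n platform-system argocd-server"
echo " 2. Access Grafana: kubectl get svc -n monitoring kube-prometheus-stack-grafana"
echo " 3. Check security: kubectl get configauditreports -A"
echo " 4. Deploy workloads: kubectl apply -f k8s/workloads/"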
|
|