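# LCopilot Compliance Hardening Makefile
# Sprint 8.1 - Encryption, Residency, DR, and Observability
#
# ENVIRONMENT selects the infrastructure backend used by infra_init and
# compliance_clean: "aws" drives the Terraform modules, any other value
# (this default is a constructed placeholder, only "aws" is ever tested) uses
# the local MinIO stack.
ENVIRONMENT ?= minio
# Every target in this file is a command, not a file it produces. Declare all
# of them phony so a stray file with the same name (for example a
# "test_backups" log) cannot make a check look up to date and silently skip it.
.PHONY: help compliance_init infra_init k8s_obs_install db_migrate_compliance \
        seed_compliance backups_full backups_incr dr_drill export_dashboards \
        update_alerts compliance_test test_encryption test_residency \
        test_backups test_observability validate_encryption validate_residency \
        validate_slo compliance_clean demo_encryption demo_residency demo_dr \
        setup_dev setup_staging setup_prod health_check generate_docs \
        generate_attestation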
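# Default target
# Lists every public target in this file. Keep it in sync when a target is
# added: an undocumented target is one nobody discovers or reviews.
help:
	@echo "LCopilot Compliance Hardening Commands"
	@echo "======================================="
	@echo ""
	@echo "Infrastructure:"
	@echo " compliance_init - Initialize all compliance infrastructure"
	@echo " infra_init - Initialize Terraform infrastructure (AWS/MinIO)"
	@echo " k8s_obs_install - Install observability stack (Prometheus/Grafana/Loki)"
	@echo ""
	@echo "Database:"
	@echo " db_migrate_compliance - Run compliance-specific database migrations"
	@echo " seed_compliance - Seed compliance demo data (policies, etc.)"
	@echo ""
	@echo "Backup & DR:"
	@echo " backups_full - Run full backup (PostgreSQL + Object Storage)"
	@echo " backups_incr - Run incremental backup"
	@echo " dr_drill - Execute disaster recovery drill"
	@echo ""
	@echo "Observability:"
	@echo " export_dashboards - Export Grafana dashboards to repository"
	@echo " update_alerts - Update Prometheus alert rules"
	@echo ""
	@echo "Testing & Validation:"
	@echo " compliance_test - Run all compliance tests"
	@echo " test_encryption - Test encryption functionality"
	@echo " test_residency - Test data residency controls"
	@echo " test_backups - Validate backup integrity"
	@echo " test_observability - Test observability metrics and alerts"
	@echo " validate_encryption - Validate encryption setup"
	@echo " validate_residency - Validate residency policies"
	@echo " validate_slo - Validate SLO metrics"
	@echo " health_check - Run compliance health checks"
	@echo ""
	@echo "Demos:"
	@echo " demo_encryption - Demo: encryption flow"
	@echo " demo_residency - Demo: residency enforcement"
	@echo " demo_dr - Demo: disaster recovery simulation"
	@echo ""
	@echo "Environment setup:"
	@echo " setup_dev - Development setup (runs compliance_init)"
	@echo " setup_staging - Staging setup (infra, observability, migrations)"
	@echo " setup_prod - Production setup (staging steps plus a full backup)"
	@echo ""
	@echo "Documentation:"
	@echo " generate_docs - Generate compliance documentation"
	@echo " generate_attestation - Generate a dated compliance attestation in docs/"
	@echo ""
	@echo "Cleanup:"
	@echo " compliance_clean - Clean up compliance infrastructure"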
# Master initialization target
# Runs the four setup steps in dependency order (infra, observability stack,
# migrations, demo data) and then prints a checklist for the operator.
# NOTE(review): the Grafana URL below is only reachable after the port-forward
# that k8s_obs_install prints, and "admin/admin" is a chart default login -
# confirm it matches infra/helm/prometheus/values.yaml and change it before
# Grafana is exposed beyond localhost.
compliance_init: infra_init k8s_obs_install db_migrate_compliance seed_compliance
	@echo "✅ Compliance hardening initialization complete!"
	@echo ""
	@echo "Next steps:"
	@echo "1. Run 'make backups_full' to create initial backup"
	@echo "2. Run 'make dr_drill' to test disaster recovery"
	@echo "3. Access Grafana at http://localhost:3000 (admin/admin)"
	@echo "4. Check compliance status at /admin/compliance"
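# Infrastructure initialization
# ENVIRONMENT=aws: apply the s3_kms module and then the iam_policies module.
# Anything else: start the local MinIO stack with docker-compose.
#
# The Terraform steps are chained with && and apply the plan file they just
# wrote instead of re-planning under -auto-approve: what gets applied is exactly
# what was planned, and a failed init/plan/apply aborts the target instead of
# being swallowed by the ";" separators. The plan file can contain sensitive
# values; keep it out of version control.
infra_init:
	@echo "🏗️ Initializing compliance infrastructure..."
	@if [ "$(ENVIRONMENT)" = "aws" ]; then \
		echo "Setting up AWS infrastructure..."; \
		cd infra/terraform/aws/s3_kms \
			&& terraform init \
			&& terraform plan -out=compliance.tfplan \
			&& terraform apply compliance.tfplan \
			&& cd ../iam_policies \
			&& terraform init \
			&& terraform plan -out=compliance.tfplan \
			&& terraform apply compliance.tfplan; \
	else \
		echo "Setting up MinIO infrastructure..."; \
		cd infra/minio \
			&& docker-compose up -d \
			&& sleep 30 \
			&& echo "MinIO setup complete"; \
	fi
	@echo "✅ Infrastructure initialized"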
# Observability stack installation
# Registers the two Helm repos, then installs (or upgrades in place) the
# kube-prometheus-stack, loki-stack and tempo releases into the "monitoring"
# namespace. Each helm step is a separate recipe line, so the first failing
# one stops the target.
# Only the prometheus install passes --create-namespace; the loki and tempo
# installs below rely on that step having run first.
k8s_obs_install:
	@echo "📊 Installing observability stack..."
	@# Add Prometheus Helm repo
	helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
	helm repo add grafana https://grafana.github.io/helm-charts
	helm repo update
	@# Install Prometheus
	helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \
		--namespace monitoring --create-namespace \
		--values infra/helm/prometheus/values.yaml \
		--wait
	@# Install Loki
	helm upgrade --install loki grafana/loki-stack \
		--namespace monitoring \
		--values infra/helm/loki/values.yaml \
		--wait
	@# Install Tempo (optional)
	helm upgrade --install tempo grafana/tempo \
		--namespace monitoring \
		--values infra/helm/tempo/values.yaml \
		--wait
	@echo "✅ Observability stack installed"
	@echo "Grafana: kubectl port-forward -n monitoring svc/prometheus-grafana 3000:80"
# Database migrations
# Apply all pending Alembic revisions for the API service. Alembic is invoked
# from inside apps/api (a subshell, so the working directory of make is
# untouched); presumably its configuration lives there - verify if relocating.
db_migrate_compliance:
	@echo "🗄️ Running compliance database migrations..."
	(cd apps/api && alembic upgrade head)
	@echo "✅ Database migrations completed"
# Seed compliance demo data
# Runs the seeding script from inside apps/api in a subshell. Intended for
# demo/dev data; it is also pulled in by compliance_init.
seed_compliance:
	@echo "🌱 Seeding compliance demo data..."
	(cd apps/api && python scripts/seed_compliance_data.py)
	@echo "✅ Compliance demo data seeded"
# Backup operations
# Full backup: take the PostgreSQL full backup via pgBackRest, then verify the
# object-storage copy. Both steps run from scripts/backup in one shell and are
# joined with &&, so a failed backup is never followed by a misleading
# "verified" step.
backups_full:
	@echo "💾 Starting full backup..."
	cd scripts/backup \
		&& ./pgbackrest_full.sh \
		&& python verify_object_integrity.py
	@echo "✅ Full backup completed"
# Incremental backup: pgBackRest incremental only; no object-storage
# verification step (that is part of backups_full).
backups_incr:
	@echo "💾 Starting incremental backup..."
	(cd scripts/backup && ./pgbackrest_incr.sh)
	@echo "✅ Incremental backup completed"
# Disaster recovery drill
# Run the failover drill and then produce its report from scripts/dr. The
# report step only runs if the drill itself exits successfully, matching the
# original two-line recipe where make stopped on the first failure.
dr_drill:
	@echo "🚨 Starting disaster recovery drill..."
	cd scripts/dr \
		&& python run_failover_drill.py \
		&& python generate_dr_report.py
	@echo "✅ DR drill completed - check reports in artifacts/"
# Export Grafana dashboards
# Snapshot the live Grafana dashboards into the repository so they are
# version-controlled and reviewable; the script reports its output location.
export_dashboards:
	@echo "📊 Exporting Grafana dashboards..."
	(cd scripts/observability && ./export_grafana_dashboards.sh)
	@echo "✅ Dashboards exported to ops/grafana/dashboards/"
# Update Prometheus alerts
# Apply the checked-in alert rule manifests to the monitoring namespace.
# Uses the current kubectl context - make sure it points at the intended
# cluster before running.
update_alerts:
	@echo "🚨 Updating Prometheus alert rules..."
	kubectl -n monitoring apply -f ops/prometheus/rules/
	@echo "✅ Alert rules updated"
# Testing targets
# Aggregate target: runs the four compliance pytest suites below. Without
# "make -k", make stops at the first failing suite, so a failure here means
# "at least one suite failed", not that every suite ran.
compliance_test: test_encryption test_residency test_backups test_observability
	@echo "✅ All compliance tests completed"
# Encryption suite: pytest runs from apps/api so the test tree resolves.
test_encryption:
	@echo "🔐 Testing encryption functionality..."
	cd apps/api && python -m pytest -v tests/compliance/test_encryption_events.py
# Residency suite: exercises the data-residency enforcement tests.
test_residency:
	@echo "🌍 Testing residency enforcement..."
	cd apps/api && python -m pytest -v tests/compliance/test_residency_enforcement.py
# Backup suite: tests for backups and DR drills.
test_backups:
	@echo "💾 Testing backup integrity..."
	cd apps/api && python -m pytest -v tests/compliance/test_backups_and_drills.py
# Observability suite: metrics and alert tests.
test_observability:
	@echo "📊 Testing observability metrics..."
	cd apps/api && python -m pytest -v tests/compliance/test_metrics_and_alerts.py
# Validation targets
# Check the deployed encryption configuration (as opposed to the unit tests
# above, which run against the code).
validate_encryption:
	@echo "🔐 Validating encryption setup..."
	@(cd apps/api && python scripts/validate_encryption.py)
# Check the configured residency policies.
validate_residency:
	@echo "🌍 Validating residency policies..."
	@(cd apps/api && python scripts/validate_residency.py)
# Check that the SLO metrics are being produced as expected.
validate_slo:
	@echo "📈 Validating SLO metrics..."
	@(cd scripts/observability && python validate_slo_metrics.py)
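# Cleanup
# Destructive: destroys the Terraform-managed bucket/KMS and IAM resources
# (ENVIRONMENT=aws) or the MinIO containers and their volumes, then removes the
# Helm releases and the whole monitoring namespace. There is no confirmation
# prompt, so point it only at environments you intend to discard.
#
# The Terraform destroys are chained with && so a failed s3_kms destroy is
# reported instead of being masked by the ";" separator (the if-statement's
# status was previously that of the last destroy only).
compliance_clean:
	@echo "🧹 Cleaning up compliance infrastructure..."
	@if [ "$(ENVIRONMENT)" = "aws" ]; then \
		cd infra/terraform/aws/s3_kms \
			&& terraform destroy -auto-approve \
			&& cd ../iam_policies \
			&& terraform destroy -auto-approve; \
	else \
		cd infra/minio && docker-compose down -v; \
	fi
# A release may already be absent (partial install, earlier cleanup), so the
# helm uninstalls are best-effort. "|| true" also hides auth/connectivity
# errors - read the output rather than trusting the exit status alone.
	helm uninstall prometheus -n monitoring || true
	helm uninstall loki -n monitoring || true
	helm uninstall tempo -n monitoring || true
# Only a missing namespace is tolerated here; any other kubectl error fails
# the target so a half-removed namespace is not reported as a clean cleanup.
	kubectl delete namespace monitoring --ignore-not-found
	@echo "✅ Cleanup completed"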
# Demo targets for quick testing
# Walk through the encryption flow with the demo script.
demo_encryption:
	@echo "🔐 Demo: Testing encryption flow..."
	@(cd apps/api && python scripts/demo_encryption.py)
# Walk through residency enforcement with the demo script.
demo_residency:
	@echo "🌍 Demo: Testing residency enforcement..."
	@(cd apps/api && python scripts/demo_residency.py)
# Simulated disaster-recovery scenario (demo only; dr_drill is the real drill).
demo_dr:
	@echo "🚨 Demo: Disaster recovery simulation..."
	@(cd scripts/dr && python demo_dr_scenario.py)
# Environment-specific targets
# Development: everything compliance_init does, including the demo seed data.
setup_dev: compliance_init
	@echo "🚀 Development environment setup complete"
# Staging: infrastructure, observability stack and migrations - deliberately
# without seed_compliance, so no demo data lands in a shared environment.
setup_staging: infra_init k8s_obs_install db_migrate_compliance
	@echo "🚀 Staging environment setup complete"
# Production: the staging steps plus an initial full backup, so there is a
# restore point before the environment takes traffic. No demo data is seeded.
setup_prod: infra_init k8s_obs_install db_migrate_compliance backups_full
	@echo "🚀 Production environment setup complete"
# Health checks
# Run the compliance health-check script against the current environment.
health_check:
	@echo "🏥 Running compliance health checks..."
	@(cd apps/api && python scripts/compliance_health_check.py)
# Documentation generation
# Regenerate the compliance documentation from within docs/.
generate_docs:
	@echo "📚 Generating compliance documentation..."
	@(cd docs && python generate_compliance_docs.py)
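# Compliance attestation
# Writes docs/COMPLIANCE_ATTESTATION_<YYYYMMDD>.md from the script's stdout.
# The date is taken in the shell at run time (the previous $(shell date ...)
# was fixed at parse time for the whole make invocation), and the output goes
# to a temporary file that is renamed only when the script succeeds, so a
# failing run cannot leave an empty or truncated attestation that looks valid.
generate_attestation:
	@echo "📋 Generating compliance attestation..."
	@cd docs \
		&& out="COMPLIANCE_ATTESTATION_$$(date +%Y%m%d).md" \
		&& python generate_attestation.py > "$$out.tmp" \
		&& mv -f "$$out.tmp" "$$out"
	@echo "✅ Attestation generated"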