diff --git a/terraform/dca/aws/README.md b/terraform/dca/aws/README.md new file mode 100644 index 0000000..764d023 --- /dev/null +++ b/terraform/dca/aws/README.md 
@@ -0,0 +1,80 @@ +# Detect, Correct, Automate - Effortless Automaton Demo + +This directory contains some minimal terraform capible of spinning up 1-n linux servers (defined in a `node_count` variable in `terraform.tfvars`) on which we can apply some simple detect & correct content. + +## Usage + +### Before you begin + +This project is designed to work with Terraform >= 0.12. + +Before you launch any servers, you must decide whether or not you wish to launch a Chef Automate instance. Running Chef Automate is optional, but recommended. + +To run **without** a Chef Automate server: +- Ensure the `event-stream-enabled` parameter is set to `false` in your `terraform.tfvars` file. + +To run **with** a Chef Automate server: +- First launch a Chef Automate instance (this can be done with the tf plan found in `../../chef-automate/aws`). Save the output variables once complete. +- Ensure the `event-stream-enabled` parameter is set to `false` in your `terraform.tfvars` file. +- Ensure the `automate_hostname`, `automate_url`, `automate_ip`, and `automate_token` are set with the proper information (NOTE: `automate_ip` refers to the public IP of the automate server) +- Set the `node_count` variable to your prefered number of nodes. + +### OPTIONAL: Define your detect/correct Chef Habitat artifacts + +I have created two packages to run through content quickly & easily: +- `nrycar/dca-audit`: Identical to the audit-baseline package, but without the patching scan +- `nrycar/dca-hardening`: As above for config-baseline, skips the yum update to make things speedy + +If this serves your purposes, you don't need to make any changes to `terraform.tfvars`. However, the origin and package are configurable, so long as they're publicly available on `bldr.habitat.sh`. If you'd like to substitute an effortless package of your own, it's supported! Just make sure you test it ahead of time. 
+ +### Launch your server(s) + +Once your `terraform.tfvars` has been updated with the above variables, and your usual keys & tags, you should now be able to run `terraform apply` + +### Running the demo + +Once your instances are provisioned, you can run a Detect/Correct/Automate motnion via some shell scripts provided in the ./scripts/ directory. + +All scripts will use the SSH information provided in your local SSH config, or optionally you can pass the path to your ssh key of choice as a parameter like so: +`./scripts/detect.sh ~/.ssh/my_ssh_key.pem` + +To run through the demo narrative, there are three scripts you'll be using: + +- `./scripts/detect.sh`: Loads the audit package, and sends the output to Chef Automate +- `./scripts/waivers.sh`: Loads `waivers.toml` from `/.effortless_dca/files/` and applies it to the running audit package. By default, sets up a wavier for the `sysctl-14` and `os-08` controls (inhereted from the `linux-baseline` profile). +- `./scripts/correct.sh`: Loads the infra package as above. Takes ~30-60 seconds for results and audits to show up in Automate by default. + +### Re-Running the demo + +The easiest way to re-run the demo after running through the correct step is to spin everything down and back up (`terraform destroy` followed by a `terraform apply`). + +Your old instances will still show up in Automate, but will go stale at whatever setting you have for missing nodes in your automate config (default: 1 day). If you have the EAS dashboard enabled, you'll also see those instances show up as "disconnected" in fairly short order once they're spun down. + +## Under the hood + +### Terraform Plans + +The terraform is pretty lightweight and straightforward. 
The code is largely ripped from the national-parks instances with a few differences: + +- Chef Habitat and Chef Infra Client are pre-installed to ensure the included shell scripts execute quickly +- The effortless audit/infra packages are installed (again for speed), but not loaded. This ensures no data shows up in Chef Automate until you're ready for it to. + +### The effortless_dca cookbook + +The cookbook has been kept very simple for ease of use and readability. The bulk of the content is handed via simple execute blocks with guards to load the appropriate hab packages if they're not already loaded like so: + +``` +execute 'Run Audits' do + command "hab svc load #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}" + action :run + not_if "hab sup status #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}" +end +``` + +### The shell scripts + +The shell scripts are all using a combination of `chef-run` with the outputs of your `terraform apply` to ensure that no matter how many nodes you spin up, you can run the dca audits on the lot of them. The commands all run some form of: + +`chef-run ``terraform output dca_public_ips`` effortless_dca::correct --user centos` + +While the number of nodes is arbitrary, please note that chef-run will perform updates in parallel from your local machine. This shouldn't make much difference with default settings, but if you run a custom cookbook that needs to transfer any large files/binaries, you may see slowdown with higher numbers of nodes. \ No newline at end of file diff --git a/terraform/dca/aws/dca.tf b/terraform/dca/aws/dca.tf new file mode 100644 index 0000000..6da77b9 --- /dev/null +++ b/terraform/dca/aws/dca.tf 
@@ -0,0 +1,75 @@
+# Launch var.node_count CentOS instances for DCA Demos
+resource "aws_instance" "dca" {
+ connection {
+ host = coalesce(self.public_ip, self.private_ip)
+ type = "ssh"
+ user = var.aws_ami_user
+ private_key = file(var.aws_key_pair_file)
+ }
+
+ ami = data.aws_ami.centos.id
+ instance_type = var.test_server_instance_type
+ key_name = var.aws_key_pair_name
+ subnet_id = aws_subnet.dca_subnet.id
+ vpc_security_group_ids = [aws_security_group.dca.id]
+ associate_public_ip_address = true
+ count = var.node_count
+
+ tags = {
+ Name = "dca_${random_id.instance_id.hex}"
+ X-Dept = var.tag_dept
+ X-Customer = var.tag_customer
+ X-Project = var.tag_project
+ X-Application = var.tag_application
+ X-Contact = var.tag_contact
+ X-TTL = var.tag_ttl
+ }
+
+ provisioner "file" {
+ content = data.template_file.install_hab.rendered
+ destination = "/tmp/install_hab.sh"
+ }
+
+ provisioner "file" {
+ content = data.template_file.sup_service.rendered
+ destination = "/home/${var.aws_ami_user}/hab-sup.service"
+ }
+
+ provisioner "file" {
+ content = data.template_file.audit_toml_linux.rendered
+ destination = "/home/${var.aws_ami_user}/audit_linux.toml"
+ }
+
+ provisioner "file" {
+ content = data.template_file.config_toml_linux.rendered
+ destination = "/home/${var.aws_ami_user}/config_linux.toml"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "sudo rm -rf /etc/machine-id",
+ "sudo systemd-machine-id-setup",
+ "sudo hostname dca-${count.index}",
+ "curl -L https://omnitruck.chef.io/install.sh | sudo bash",
+ "sudo groupadd hab",
+ "sudo adduser hab -g hab",
+ "chmod +x /tmp/install_hab.sh",
+ "sudo /tmp/install_hab.sh",
+ "sudo hab license accept",
+ "sudo hab pkg install ${var.hab-sup-version}",
+ "sudo mv /home/${var.aws_ami_user}/hab-sup.service /etc/systemd/system/hab-sup.service",
+ "sudo systemctl daemon-reload",
+ "sudo systemctl start hab-sup",
+ "sudo systemctl enable hab-sup",
+ "sudo /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0",
+ "sudo /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0",
+ "sudo /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0",
+ "sudo /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0",
+ "sudo mkdir -p /hab/user/${var.infra_package}/config /hab/user/${var.audit_package}/config",
+ "sudo cp /home/${var.aws_ami_user}/audit_linux.toml /hab/user/${var.audit_package}/config/user.toml",
+ "sudo cp /home/${var.aws_ami_user}/config_linux.toml /hab/user/${var.infra_package}/config/user.toml",
+ "sudo hab pkg install ${var.infra_origin}/${var.infra_package} --channel stable",
+ "sudo hab pkg install ${var.audit_origin}/${var.audit_package} --channel stable",
+ ]
+ }
+}
diff --git a/terraform/dca/aws/effortless_dca/.delivery/project.toml b/terraform/dca/aws/effortless_dca/.delivery/project.toml
new file mode 100644
index 0000000..2868a95
--- /dev/null
+++ b/terraform/dca/aws/effortless_dca/.delivery/project.toml
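Review bot: The two `sudo cp` lines copy `audit_linux.toml` and `config_linux.toml` — both rendered with `automate_token` by `templates.tf` — into `/hab/user/.../config/user.toml` without setting a mode, and the originals stay behind in the login user's home directory, so the token is left in two world-readable-by-default locations per node. Append `"sudo chmod 0600 /hab/user/${var.audit_package}/config/user.toml /hab/user/${var.infra_package}/config/user.toml"` and `"rm -f /home/${var.aws_ami_user}/audit_linux.toml /home/${var.aws_ami_user}/config_linux.toml"` to the `inline` list after the copies. The bootstrap also pipes `https://omnitruck.chef.io/install.sh` straight into `sudo bash` with no version pin or checksum, so the code run as root is whatever that URL serves at apply time; the same pattern is in `recipes/install_hab.rb`. `sudo hostname dca-${count.index}` only sets the running hostname; since the node runs systemd (`systemd-machine-id-setup` and `systemctl` are used a few lines later), `sudo hostnamectl set-hostname dca-${count.index}` would persist it across reboots.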
@@ -0,0 +1,34 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "chef exec rspec spec/" +lint = "chef exec cookstyle" +# Foodcritic includes rules only appropriate for community cookbooks +# uploaded to Supermarket. We turn off any rules tagged "supermarket" +# by default. If you plan to share this cookbook you should remove +# '-t ~supermarket' below to enable supermarket rules. +syntax = "chef exec foodcritic . -t ~supermarket" +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/terraform/dca/aws/effortless_dca/.gitignore b/terraform/dca/aws/effortless_dca/.gitignore new file mode 100644 index 0000000..9abf29f --- /dev/null +++ b/terraform/dca/aws/effortless_dca/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json 
diff --git a/terraform/dca/aws/effortless_dca/CHANGELOG.md b/terraform/dca/aws/effortless_dca/CHANGELOG.md new file mode 100644 index 0000000..e983c2d --- /dev/null +++ b/terraform/dca/aws/effortless_dca/CHANGELOG.md @@ -0,0 +1,11 @@ +# effortless_dca CHANGELOG + +This file is used to list changes made in each version of the effortless_dca cookbook. + +# 0.1.0 + +Initial release. + +- change 0 +- change 1 + diff --git a/terraform/dca/aws/effortless_dca/LICENSE b/terraform/dca/aws/effortless_dca/LICENSE new file mode 100644 index 0000000..10b5688 --- /dev/null +++ b/terraform/dca/aws/effortless_dca/LICENSE @@ -0,0 +1,3 @@ +Copyright 2019 The Authors + +All rights reserved, do not redistribute. diff --git a/terraform/dca/aws/effortless_dca/Policyfile.rb b/terraform/dca/aws/effortless_dca/Policyfile.rb new file mode 100644 index 0000000..505085a --- /dev/null +++ b/terraform/dca/aws/effortless_dca/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile.html + +# A name that describes what the system you're building with Chef does. +name 'effortless_dca' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'effortless_dca::default' + +# Specify a custom source for a single cookbook: +cookbook 'effortless_dca', path: '.' diff --git a/terraform/dca/aws/effortless_dca/README.md b/terraform/dca/aws/effortless_dca/README.md new file mode 100644 index 0000000..7080f77 --- /dev/null +++ b/terraform/dca/aws/effortless_dca/README.md @@ -0,0 +1,4 @@ +# effortless_dca + +TODO: Enter the cookbook description here. + diff --git a/terraform/dca/aws/effortless_dca/attributes/default.rb b/terraform/dca/aws/effortless_dca/attributes/default.rb new file mode 100644 index 0000000..d94cb2c --- /dev/null 
+++ b/terraform/dca/aws/effortless_dca/attributes/default.rb @@ -0,0 +1,4 @@ +default['effortless_dca']['audit_origin'] = 'nrycar' +default['effortless_dca']['infra_origin'] = 'nrycar' +default['effortless_dca']['audit_package'] = 'dca-audit' +default['effortless_dca']['infra_package'] = 'dca-hardening' diff --git a/terraform/dca/aws/effortless_dca/chefignore b/terraform/dca/aws/effortless_dca/chefignore new file mode 100644 index 0000000..5039e1c --- /dev/null +++ b/terraform/dca/aws/effortless_dca/chefignore @@ -0,0 +1,110 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +mkmf.log +REVISION +TAGS* +tmtags + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out + +# Testing # +########### +.circleci/* +.codeclimate.yml +.foodcritic +.kitchen* +.rspec +.rubocop.yml +.travis.yml +.watchr +azure-pipelines.yml +examples/* +features/* +Guardfile +kitchen.yml* +Procfile +Rakefile +spec/* +spec/* +spec/fixtures/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CHANGELOG* +CONTRIBUTING* +TESTING* +CODE_OF_CONDUCT* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/terraform/dca/aws/effortless_dca/files/waivers.toml b/terraform/dca/aws/effortless_dca/files/waivers.toml new file mode 100644 index 0000000..6772620 --- /dev/null 
+++ b/terraform/dca/aws/effortless_dca/files/waivers.toml @@ -0,0 +1,11 @@ +interval = 30 +splay = 5 + +[waivers] +[waivers.'sysctl-14'] +run = false +justification = "Conflict with corporate networking policy. Skip." +[waivers.'os-08'] +expiration_date = "2020-04-01" +run = false +justification = "We have a plan to fix this in Q1. Alert after spring." diff --git a/terraform/dca/aws/effortless_dca/kitchen.yml b/terraform/dca/aws/effortless_dca/kitchen.yml new file mode 100644 index 0000000..e5bbf3c --- /dev/null +++ b/terraform/dca/aws/effortless_dca/kitchen.yml @@ -0,0 +1,32 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest via +## localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/config_yml_kitchen.html + # product_name: chef + # product_version: 15 + +verifier: + name: inspec + +platforms: + - name: ubuntu-18.04 + - name: centos-7 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default + attributes: diff --git a/terraform/dca/aws/effortless_dca/metadata.rb b/terraform/dca/aws/effortless_dca/metadata.rb new file mode 100644 index 0000000..0a42137 --- /dev/null +++ b/terraform/dca/aws/effortless_dca/metadata.rb 
@@ -0,0 +1,20 @@ +name 'effortless_dca' +maintainer 'The Authors' +maintainer_email 'you@example.com' +license 'All Rights Reserved' +description 'Installs/Configures effortless_dca' +long_description 'Installs/Configures effortless_dca' +version '0.1.0' +chef_version '>= 14.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//effortless_dca/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//effortless_dca' diff --git a/terraform/dca/aws/effortless_dca/recipes/correct.rb b/terraform/dca/aws/effortless_dca/recipes/correct.rb new file mode 100644 index 0000000..757fd6f --- /dev/null +++ b/terraform/dca/aws/effortless_dca/recipes/correct.rb @@ -0,0 +1,5 @@ +execute 'Run Remediation' do + command "hab svc load #{node['effortless_dca']['infra_origin']}/#{node['effortless_dca']['infra_package']}" + action :run + not_if "hab sup status #{node['effortless_dca']['infra_origin']}/#{node['effortless_dca']['infra_package']}" +end diff --git a/terraform/dca/aws/effortless_dca/recipes/default.rb b/terraform/dca/aws/effortless_dca/recipes/default.rb new file mode 100644 index 0000000..1c7c994 --- /dev/null +++ b/terraform/dca/aws/effortless_dca/recipes/default.rb @@ -0,0 +1,5 @@ +# +# Cookbook:: effortless_dca +# Recipe:: default +# +# Copyright:: 2019, The Authors, All Rights Reserved. diff --git a/terraform/dca/aws/effortless_dca/recipes/detect.rb b/terraform/dca/aws/effortless_dca/recipes/detect.rb new file mode 100644 index 0000000..a01e08c --- /dev/null +++ b/terraform/dca/aws/effortless_dca/recipes/detect.rb 
@@ -0,0 +1,5 @@
+execute 'Run Audits' do
+ command "hab svc load #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}"
+ action :run
+ not_if "hab sup status #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}"
+end
diff --git a/terraform/dca/aws/effortless_dca/recipes/install_hab.rb b/terraform/dca/aws/effortless_dca/recipes/install_hab.rb
new file mode 100644
index 0000000..0535cd7
--- /dev/null
+++ b/terraform/dca/aws/effortless_dca/recipes/install_hab.rb
@@ -0,0 +1,5 @@
+execute 'Install Habitat' do
+ command 'curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash'
+ action :run
+ not_if 'hab -v'
+end
diff --git a/terraform/dca/aws/effortless_dca/recipes/waivers.rb b/terraform/dca/aws/effortless_dca/recipes/waivers.rb
new file mode 100644
index 0000000..468a533
--- /dev/null
+++ b/terraform/dca/aws/effortless_dca/recipes/waivers.rb
@@ -0,0 +1,18 @@
+cookbook_file "#{Chef::Config[:file_cache_path]}/waivers.toml" do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create_if_missing
+end
+
+execute 'Implementing Waivers' do
+ command "hab config apply dca-audit.default $(date +%s) #{Chef::Config[:file_cache_path]}/waivers.toml"
+ action :run
+ only_if "hab sup status #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}"
+end
+
+execute 'Reload dca-audit' do
+ command "hab svc unload #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']} && sleep 10 && hab svc load #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}"
+ action :run
+ only_if "hab sup status #{node['effortless_dca']['audit_origin']}/#{node['effortless_dca']['audit_package']}"
+end
diff --git a/terraform/dca/aws/effortless_dca/spec/spec_helper.rb b/terraform/dca/aws/effortless_dca/spec/spec_helper.rb
new file mode 100644
index 0000000..6cd61e5
--- /dev/null
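Review bot: In `install_hab.rb` the `command` fetches `install.sh` from the `master` branch of the habitat repository and pipes it straight into `sudo bash`, so the code that runs as root is whatever that branch holds at converge time and there is no integrity check. Pin a tagged ref in the URL and download to a file first — a `remote_file` resource with a `checksum` attribute, followed by an `execute` of the saved script — so the content is fixed and verifiable. The `not_if 'hab -v'` guard already keeps the resource from re-running once a `hab` binary answers, so the pinned form stays idempotent.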
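Review bot: In `waivers.rb`, `mode '0755'` makes `waivers.toml` executable even though it is a data file consumed by `hab config apply`; `mode '0644'` is sufficient. The `hab config apply dca-audit.default …` command hard-codes the service group while both `only_if` guards use `node['effortless_dca']['audit_package']`, so substituting another audit package (which the top-level README says is supported) would apply the waivers to a group that is not running — use `"hab config apply #{node['effortless_dca']['audit_package']}.default $(date +%s) #{Chef::Config[:file_cache_path]}/waivers.toml"`. In `Reload dca-audit`, `sleep 10` is a fixed wait rather than a check that the unload finished; polling the same `hab sup status …` command the guards use until it reports the service gone, then loading, would be more reliable, though I cannot confirm the timing from this hunk.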
+++ b/terraform/dca/aws/effortless_dca/spec/spec_helper.rb @@ -0,0 +1,2 @@ +require 'chefspec' +require 'chefspec/policyfile' diff --git a/terraform/dca/aws/effortless_dca/spec/unit/recipes/default_spec.rb b/terraform/dca/aws/effortless_dca/spec/unit/recipes/default_spec.rb new file mode 100644 index 0000000..f6702bd --- /dev/null +++ b/terraform/dca/aws/effortless_dca/spec/unit/recipes/default_spec.rb @@ -0,0 +1,29 @@ +# +# Cookbook:: effortless_dca +# Spec:: default +# +# Copyright:: 2019, The Authors, All Rights Reserved. + +require 'spec_helper' + +describe 'effortless_dca::default' do + context 'When all attributes are default, on Ubuntu 18.04' do + # for a complete list of available platforms and versions see: + # https://github.com/chefspec/fauxhai/blob/master/PLATFORMS.md + platform 'ubuntu', '18.04' + + it 'converges successfully' do + expect { chef_run }.to_not raise_error + end + end + + context 'When all attributes are default, on CentOS 7' do + # for a complete list of available platforms and versions see: + # https://github.com/chefspec/fauxhai/blob/master/PLATFORMS.md + platform 'centos', '7' + + it 'converges successfully' do + expect { chef_run }.to_not raise_error + end + end +end diff --git a/terraform/dca/aws/effortless_dca/test/integration/default/default_test.rb b/terraform/dca/aws/effortless_dca/test/integration/default/default_test.rb new file mode 100644 index 0000000..c3d6dd4 --- /dev/null +++ b/terraform/dca/aws/effortless_dca/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# InSpec test for recipe effortless_dca::default + +# The InSpec reference, with examples and extensive documentation, can be +# found at https://www.inspec.io/docs/reference/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end 
diff --git a/terraform/dca/aws/files/hab_sup b/terraform/dca/aws/files/hab_sup
new file mode 100644
index 0000000..a46f10a
--- /dev/null
+++ b/terraform/dca/aws/files/hab_sup
@@ -0,0 +1,33 @@
+# Provides:
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start daemon at boot time
+# Description: Enable service provided by daemon.
+### END INIT INFO
+
+dir=""
+cmd=""
+user=""
+
+name=`basename $0`
+pid_file="/var/run/$name.pid"
+stdout_log="/var/log/$name.log"
+stderr_log="/var/log/$name.err"
+
+case "$1" in
+ start)
+ echo "Starting habitat supervisor"
+ nohup hab run --auto-update --listen-gossip 0.0.0.0:9638 --listen-http 0.0.0.0:9631 > /var/log/hab-sup.log 2>&1&
+ ;;
+ stop)
+ echo "Stopping habitat supervisor"
+ hab term
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+esac
+exit 0
\ No newline at end of file
diff --git a/terraform/dca/aws/main.tf b/terraform/dca/aws/main.tf
new file mode 100644
index 0000000..f42e109
--- /dev/null
+++ b/terraform/dca/aws/main.tf
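Review bot: The script has no shebang and its LSB header has an `### END INIT INFO` line but no opening `### BEGIN INIT INFO`, so as an init script it would be run by whatever interpreter the init system falls back to and the header block would not be parsed; add `#!/bin/sh` and `### BEGIN INIT INFO` above `# Provides:`. `dir`, `cmd`, `user`, `pid_file`, `stdout_log` and `stderr_log` are assigned and never read, and the `start` branch redirects to a hard-coded `/var/log/hab-sup.log` rather than `$stdout_log`. The supervisor is started with `--listen-http 0.0.0.0:9631`, which together with the `0.0.0.0/0` rule for 9631 in `security.tf` exposes the supervisor HTTP API publicly; `127.0.0.1:9631` would be enough for local `hab sup status` calls. Nothing in `dca.tf` references this file (it installs the rendered `hab-sup.service` systemd unit instead), so it may be dead code carried over from another plan — confirm and delete it if so.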
@@ -0,0 +1,74 @@
+terraform {
+ required_version = ">= 0.12"
+}
+
+provider "aws" {
+ region = var.aws_region
+ profile = var.aws_profile
+ shared_credentials_file = "~/.aws/credentials"
+}
+
+resource "random_id" "instance_id" {
+ byte_length = 4
+}
+
+////////////////////////////////
+// VPC
+
+resource "aws_vpc" "dca_vpc" {
+ cidr_block = "10.0.0.0/16"
+
+ tags = {
+ Name = "${var.tag_name}-vpc"
+ X-Dept = var.tag_dept
+ X-Customer = var.tag_customer
+ X-Project = var.tag_project
+ X-Contact = var.tag_contact
+ X-Application = var.tag_application
+ X-TTL = var.tag_ttl
+ }
+}
+
+resource "aws_internet_gateway" "dca_gateway" {
+ vpc_id = aws_vpc.dca_vpc.id
+
+ tags = {
+ Name = "${var.tag_name}_dca_gateway-${var.tag_application}"
+ }
+}
+
+resource "aws_route" "dca_internet_access" {
+ route_table_id = aws_vpc.dca_vpc.main_route_table_id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.dca_gateway.id
+}
+
+resource "aws_subnet" "dca_subnet" {
+ vpc_id = aws_vpc.dca_vpc.id
+ cidr_block = "10.0.1.0/24"
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "${var.tag_name}_dca_subnet-${var.tag_application}"
+ }
+}
+
+////////////////////////////////
+// Instance Data
+
+data "aws_ami" "centos" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["chef-highperf-centos7-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["446539779517"]
+}
+
diff --git a/terraform/dca/aws/outputs.tf b/terraform/dca/aws/outputs.tf
new file mode 100644
index 0000000..b121fca
--- /dev/null
+++ b/terraform/dca/aws/outputs.tf
@@ -0,0 +1,3 @@
+output "dca_public_ips" {
+ value = join(",",aws_instance.dca.*.public_ip)
+}
diff --git a/terraform/dca/aws/scripts/correct.sh b/terraform/dca/aws/scripts/correct.sh
new file mode 100755
index 0000000..e56c712
--- /dev/null
+++ b/terraform/dca/aws/scripts/correct.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+printf "Running Command:\n"
+printf "\e[1mchef-run \`terraform output dca_public_ips\` effortless_dca::correct --user centos\e[0m\n"
+
+if [ -z "$1" ]
+then
+chef-run `terraform output dca_public_ips` effortless_dca::correct --user centos
+else
+chef-run `terraform output dca_public_ips` effortless_dca::correct --user centos -i $1
+fi
\ No newline at end of file
diff --git a/terraform/dca/aws/scripts/detect.sh b/terraform/dca/aws/scripts/detect.sh
new file mode 100755
index 0000000..24e834b
--- /dev/null
+++ b/terraform/dca/aws/scripts/detect.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+printf "Running Command:\n"
+printf "\e[1mchef-run \`terraform output dca_public_ips\` effortless_dca::detect --user centos\e[0m\n"
+
+if [ -z "$1" ]
+then
+chef-run `terraform output dca_public_ips` effortless_dca::detect --user centos
+else
+chef-run `terraform output dca_public_ips` effortless_dca::detect --user centos -i $1
+fi
\ No newline at end of file
diff --git a/terraform/dca/aws/scripts/waivers.sh b/terraform/dca/aws/scripts/waivers.sh
new file mode 100755
index 0000000..d505eb9
--- /dev/null
+++ b/terraform/dca/aws/scripts/waivers.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+printf "\e[32;3mPulling in waivers from files/waivers.toml...\e[0m\n"
+printf "Running Command:\n"
+printf "\e[1mchef-run \`terraform output dca_public_ips\` effortless_dca::waivers --user centos\e[0m\n"
+
+if [ -z "$1" ]
+then
+chef-run `terraform output dca_public_ips` effortless_dca::waivers --user centos
+else
+chef-run `terraform output dca_public_ips` effortless_dca::waivers --user centos -i $1
+fi
\ No newline at end of file
diff --git a/terraform/dca/aws/security.tf b/terraform/dca/aws/security.tf
new file mode 100644
index 0000000..e257750
--- /dev/null
+++ b/terraform/dca/aws/security.tf
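Review bot: In `correct.sh` the key path is passed unquoted as `-i $1`, so a path containing whitespace is split into several arguments before `chef-run` sees it; write `-i "$1"`. `detect.sh` and `waivers.sh` have the same line and need the same fix. The backtick substitution around `terraform output dca_public_ips` is likewise unquoted, which happens to work for the comma-joined string `outputs.tf` produces but is fragile; `$(terraform output dca_public_ips)` is the clearer modern form. Adding `set -euo pipefail` after the shebang would make a failing `terraform output` stop the script instead of invoking `chef-run` with an empty host list.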
@@ -0,0 +1,45 @@
+resource "aws_security_group" "dca" {
+ name = "dca_${random_id.instance_id.hex}"
+ description = "base rules for DCA demo"
+ vpc_id = aws_vpc.dca_vpc.id
+
+ tags = {
+ Name = "${var.tag_customer}-${var.tag_project}_${random_id.instance_id.hex}_${var.tag_application}_security_group"
+ X-Dept = var.tag_dept
+ X-Customer = var.tag_customer
+ X-Project = var.tag_project
+ X-Application = var.tag_application
+ X-Contact = var.tag_contact
+ X-TTL = var.tag_ttl
+ }
+}
+
+//////////////////////////
+// DCA SG Rules
+resource "aws_security_group_rule" "ingress_allow_22_tcp_all" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.dca.id
+}
+
+resource "aws_security_group_rule" "ingress_allow_9631_tcp_all" {
+ type = "ingress"
+ from_port = 9631
+ to_port = 9631
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.dca.id
+}
+
+# Egress: ALL
+resource "aws_security_group_rule" "linux_egress_allow_0-65535_all" {
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.dca.id
+}
diff --git a/terraform/dca/aws/templates.tf b/terraform/dca/aws/templates.tf
new file mode 100644
index 0000000..d902e1e
--- /dev/null
+++ b/terraform/dca/aws/templates.tf
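Review bot: `ingress_allow_9631_tcp_all` opens the Habitat supervisor HTTP API (bound to `0.0.0.0:9631` by the `flags` string in `templates.tf`) to `0.0.0.0/0`, and `ingress_allow_22_tcp_all` does the same for SSH, while nothing visible in this commit reaches 9631 from outside the instance — the scripts drive the nodes over SSH via `chef-run`, and `hab sup status` in the recipes talks to the local supervisor. Restrict both rules to an operator range: declare something like `variable "allowed_cidr_blocks" { default = ["0.0.0.0/0"] }` in `variables.tf` and set `cidr_blocks = var.allowed_cidr_blocks` on both rules, which keeps today's behaviour as the default but lets a demo be narrowed without editing the plan (the variable name is a suggestion). If the API is not needed at all, deleting the 9631 rule is the smaller change; if only instances in this group need it, `source_security_group_id = aws_security_group.dca.id` in place of `cidr_blocks` keeps it inside the VPC.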
@@ -0,0 +1,41 @@
+////////////////////////////////
+// Templates
+
+# Template vars are conditionally set via the `event-stream-enabled` variable.
+# If true, seeds in the appropriate Chef Automate information. If false, launches the stock supervisor.
+data "template_file" "sup_service" {
+ template = file("${path.module}/../../templates/hab-sup.service")
+
+ vars = {
+ stream_env = var.event-stream-enabled == "true" ? var.event-stream-env-var : ""
+ flags = var.event-stream-enabled == "true" ? "--auto-update --listen-gossip 0.0.0.0:9638 --listen-http 0.0.0.0:9631 --event-stream-application=${var.event-stream-application} --event-stream-environment=${var.event-stream-environment} --event-stream-site=${var.aws_region} --event-stream-url=${var.automate_ip}:4222 --event-stream-token=${var.automate_token}" : "--auto-update --listen-gossip 0.0.0.0:9638 --listen-http 0.0.0.0:9631"
+ }
+}
+
+data "template_file" "install_hab" {
+ template = file("${path.module}/../../templates/install-hab.sh")
+
+ vars = {
+ opts = var.hab_install_opts
+ }
+}
+
+data "template_file" "audit_toml_linux" {
+ template = file("${path.module}/../../templates/audit_linux.toml")
+
+ vars = {
+ automate_url = var.automate_url
+ automate_token = var.automate_token
+ automate_user = var.automate_user
+ }
+}
+
+data "template_file" "config_toml_linux" {
+ template = file("${path.module}/../../templates/config_linux.toml")
+
+ vars = {
+ automate_url = var.automate_url
+ automate_token = var.automate_token
+ automate_user = var.automate_user
+ }
+}
\ No newline at end of file
diff --git a/terraform/dca/aws/tfvars.example b/terraform/dca/aws/tfvars.example
new file mode 100644
index 0000000..2bcb3b2
--- /dev/null
+++ b/terraform/dca/aws/tfvars.example
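Review bot: The `flags` value bakes `--event-stream-token=${var.automate_token}` into the rendered `hab-sup.service`, which `dca.tf` moves into `/etc/systemd/system/` without setting a mode, and because it is part of the supervisor's command line the token is also readable by any local user through `/proc` unless `hidepid` is in effect. Prefer passing the token out of band — the unit already receives an `Environment=` line through `stream_env`, so a root-only `EnvironmentFile=` (mode 0600) is one option if the supervisor can read the token from its environment (check `hab sup run --help`; I cannot confirm it from this hunk) — and in any case have `dca.tf` `chmod 0600` the unit before `daemon-reload`. A `# NOTE: flags renders automate_token into the unit file; treat the rendered unit as a secret` comment above `flags` would at least warn maintainers. Separately, the top-level README's "with Chef Automate" steps tell the reader to set `event-stream-enabled` to `false`, which contradicts the `== "true"` condition here; one of the two should change.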
@@ -0,0 +1,58 @@
+/////////////////////////////////////
+//Cloud Credentials
+
+// AWS Profile to be used
+aws_profile = "solutions-architects"
+// AWS Key Pair Name
+aws_key_pair_name = "my_key"
+// SSH Key to use (local path)
+aws_key_pair_file = "~/.ssh/my_key.pem"
+
+///////////////////////////////////
+// Project tags
+tag_customer = "MyCustoemr"
+
+tag_project = "MyProject"
+
+tag_name = "MyName"
+
+tag_dept = "MyDepartment"
+
+tag_contact = "me@chef.io"
+
+tag_application = "dca"
+
+////////////////////////////////////
+// Chef Automate Information (optional)
+// Copy from the terraform outputs from launching chef-automate
+automate_url = "https://nrycar-demo.chef-demo.com"
+
+automate_hostname = "nrycar-demo.chef-demo.com"
+
+automate_ip = "54.200.232.236"
+
+automate_user = "admin"
+
+automate_token = "V7v2k1fSYnr_eoF8HkZeBfkgaEE="
+
+// Set to 'false' if not using Chef Automate
+event-stream-enabled = "true"
+
+/////////////////////////////////////////
+// Habitat Information
+// Leave with defaults, or replace with your own effortless packages
+// Note: Private packages not yet supported. Must be public on bldr.
+
+infra_origin = "nrycar"
+
+infra_package = "dca-hardening"
+
+audit_origin = "nrycar"
+
+audit_package = "dca-audit"
+
+/////////////////////////////////////////
+// Environment Information
+
+// How many nodes to launch for DCA
+node_count = "1"
diff --git a/terraform/dca/aws/variables.tf b/terraform/dca/aws/variables.tf
new file mode 100644
index 0000000..f9d0fd8
--- /dev/null
+++ b/terraform/dca/aws/variables.tf
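Review bot: The example commits a concrete `automate_token` (`V7v2k1fSYnr_eoF8HkZeBfkgaEE=`) alongside a real-looking `automate_url`, `automate_hostname` and `automate_ip`; if that token was ever valid it now lives in git history and should be rotated, and the example should ship placeholders such as `automate_token = "<automate-api-token>"` and `automate_ip = "<automate-public-ip>"` in the same style as `my_key`. A comment above the Automate block, `// Never commit a real token here; copy this file to terraform.tfvars and keep that file out of version control`, would make the intent explicit — I cannot see from this commit whether `terraform.tfvars` is ignored at the repository root. `tag_customer = "MyCustoemr"` has a typo. `node_count = "1"` is a string where `dca.tf` uses the value as `count`; Terraform 0.12 converts it, but `node_count = 1` is cleaner.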
@@ -0,0 +1,148 @@
+////////////////////////////////
+// AWS Connection
+
+variable "aws_profile" {
+}
+
+variable "aws_region" {
+ default = "us-west-2"
+}
+
+////////////////////////////////
+// Server Settings
+
+variable "aws_centos_image_user" {
+ default = "centos"
+}
+
+variable "aws_ami_user" {
+ default = "centos"
+}
+
+variable "aws_amazon_image_user" {
+ default = "ec2-user"
+}
+
+variable "test_instance_type" {
+ default = "t3.micro"
+}
+
+variable "test_server_instance_type" {
+ default = "t3.micro"
+}
+
+////////////////////////////////
+// Tags
+
+variable "tag_customer" {
+}
+
+variable "tag_project" {
+}
+
+variable "tag_name" {
+}
+
+variable "tag_dept" {
+}
+
+variable "tag_contact" {
+}
+
+variable "tag_application" {
+}
+
+variable "tag_ttl" {
+ default = 4
+}
+
+variable "aws_key_pair_file" {
+}
+
+variable "aws_key_pair_name" {
+}
+
+variable "automate_server_instance_type" {
+ default = "m5.xlarge"
+}
+
+variable "vpc_id" {
+ default = ""
+}
+
+variable "subnet_id" {
+ default = ""
+}
+
+variable "node_count" {
+ default = "1"
+}
+
+////////////////////////////////
+// Effortless Package Info
+
+variable "infra_origin" {
+ default = "effortless"
+}
+
+variable "infra_package" {
+ default = "config-baseline"
+}
+
+variable "audit_origin" {
+ default = "effortless"
+}
+
+variable "audit_package" {
+ default = "audit-baseline"
+}
+
+variable "group" {
+ default = "default"
+}
+
+////////////////////////////////
+// Automate Info
+
+variable "automate_url" {
+}
+
+variable "automate_hostname" {
+}
+
+variable "automate_token" {
+}
+
+variable "automate_user" {
+}
+
+variable "automate_ip" {
+}
+
+////////////////////////////////
+// Automate EAS Beta
+
+variable "hab_install_opts" {
+ default = ""
+}
+
+variable "event-stream-enabled" {
+ default = "false"
+}
+
+variable "event-stream-env-var" {
+ default = "Environment=\"HAB_FEAT_EVENT_STREAM=1\""
+}
+
+variable "hab-sup-version" {
+ default = "core/hab-sup"
+}
+
+variable "event-stream-application" {
+ default = "dca"
+}
+
+variable "event-stream-environment" {
+ default = "demo"
+}
+
diff --git a/terraform/templates/config_linux.toml b/terraform/templates/config_linux.toml
index 4217417..d380070 100644
--- a/terraform/templates/config_linux.toml
+++ b/terraform/templates/config_linux.toml
@@ -4,7 +4,15 @@ splay_first_run = 0 run_lock_timeout = 1800 log_level = "warn" +[chef_license] +acceptance = "accept-no-persist" + [data_collector] +enable = "true" +server_url = "${automate_url}/data-collector/v0/" +token = "${automate_token}" + +[automate] +enable = "true" +server_url = "${automate_url}/data-collector/v0/" token = "${automate_token}" \ No newline at end of file
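Review bot: `automate_token` is declared with no description or any marking that it is a secret, and the same goes for `aws_key_pair_file`; Terraform 0.12 has no `sensitive` argument for input variables, so a `description = "Chef Automate API token (secret; supply via terraform.tfvars, never commit)"` on `automate_token` is the available way to document it. Several variables appear unused by the files in this commit — `aws_centos_image_user`, `aws_amazon_image_user`, `test_instance_type`, `automate_server_instance_type`, `vpc_id`, `subnet_id` and `group` — presumably carried over from the national-parks plan the README mentions; dropping them, or commenting why they stay, keeps the required inputs obvious. `node_count` defaults to the string `"1"` while `dca.tf` uses it as `count`; `default = 1` matches the use.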
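Review bot: The new `[automate]` block repeats `[data_collector]` verbatim — same `enable`, same `${automate_url}/data-collector/v0/` URL, same `${automate_token}` — so the rendered `user.toml` now stores the Automate token twice and points both sections at the data-collector endpoint. I cannot tell from this hunk which consumer reads `[automate]`; if it is a different client, the data-collector path may be the wrong endpoint for it, and if it is a rename, the old block could be retired rather than kept alongside. A comment above each section naming the component that reads it, e.g. `# read by: <component name>`, would settle this for the next reader.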