Skip to content
Permalink
Browse files

Merge pull request #300 from asvoboda/upgrade/terraform-0.12

Upgrade to terraform 0.12
  • Loading branch information...
clong committed Jun 13, 2019
2 parents 95d1fb3 + c3a1503 commit 85070d8f40f76f7cd30e9e6f76d7539f5c004d86
Showing with 70 additions and 60 deletions.
  1. +2 −2 .circleci/config.yml
  2. +1 −0 Terraform/locals.tf
  3. +43 −40 Terraform/main.tf
  4. +10 −9 Terraform/outputs.tf
  5. +10 −9 Terraform/variables.tf
  6. +4 −0 Terraform/versions.tf
@@ -8,11 +8,11 @@ jobs:
- run:
name: Download and Install Terraform
command: |
wget -O terraform.zip https://releases.hashicorp.com/terraform/0.11.7/terraform_0.11.7_linux_amd64.zip
wget -O terraform.zip https://releases.hashicorp.com/terraform/0.12.2/terraform_0.12.2_linux_amd64.zip
unzip terraform.zip
sudo mv terraform /usr/local/bin/terraform
- run: for dir in $(find . -name \*.tf -exec dirname {} \; | sort | uniq); do echo ${dir} && terraform validate -check-variables=false ${dir}; done
- run: for dir in $(find . -name \*.tf -exec dirname {} \; | sort | uniq); do echo ${dir} && terraform init ${dir} && terraform validate ${dir}; done
- run: terraform fmt -check

hold:
@@ -3,3 +3,4 @@ locals {
splunk_url = "https://${aws_instance.logger.public_ip}:8000"
ata_url = "https://${aws_instance.wef.public_ip}"
}

@@ -1,8 +1,8 @@
# Specify the provider and access details
provider "aws" {
shared_credentials_file = "${var.shared_credentials_file}"
region = "${var.region}"
profile = "${var.profile}"
shared_credentials_file = var.shared_credentials_file
region = var.region
profile = var.profile
}

# Create a VPC to launch our instances into
@@ -12,64 +12,64 @@ resource "aws_vpc" "default" {

# Create an internet gateway to give our subnet access to the outside world
resource "aws_internet_gateway" "default" {
vpc_id = "${aws_vpc.default.id}"
vpc_id = aws_vpc.default.id
}

# Grant the VPC internet access on its main route table
resource "aws_route" "internet_access" {
route_table_id = "${aws_vpc.default.main_route_table_id}"
route_table_id = aws_vpc.default.main_route_table_id
destination_cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.default.id}"
gateway_id = aws_internet_gateway.default.id
}

# Create a subnet to launch our instances into
resource "aws_subnet" "default" {
vpc_id = "${aws_vpc.default.id}"
vpc_id = aws_vpc.default.id
cidr_block = "192.168.38.0/24"
availability_zone = "${var.availability_zone}"
availability_zone = var.availability_zone
map_public_ip_on_launch = true
}

# Adjust VPC DNS settings to not conflict with lab
resource "aws_vpc_dhcp_options" "default" {
domain_name = "windomain.local"
domain_name_servers = ["${aws_instance.dc.private_ip}", "${var.external_dns_servers}"]
netbios_name_servers = ["${aws_instance.dc.private_ip}"]
domain_name_servers = concat([aws_instance.dc.private_ip], var.external_dns_servers)
netbios_name_servers = [aws_instance.dc.private_ip]
}

resource "aws_vpc_dhcp_options_association" "default" {
vpc_id = "${aws_vpc.default.id}"
dhcp_options_id = "${aws_vpc_dhcp_options.default.id}"
vpc_id = aws_vpc.default.id
dhcp_options_id = aws_vpc_dhcp_options.default.id
}

# Our default security group for the logger host
resource "aws_security_group" "logger" {
name = "logger_security_group"
description = "DetectionLab: Security Group for the logger host"
vpc_id = "${aws_vpc.default.id}"
vpc_id = aws_vpc.default.id

# SSH access
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# Splunk access
ingress {
from_port = 8000
to_port = 8000
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# Fleet access
ingress {
from_port = 8412
to_port = 8412
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# Allow all traffic from the private subnet
@@ -92,30 +92,30 @@ resource "aws_security_group" "logger" {
resource "aws_security_group" "windows" {
name = "windows_security_group"
description = "DetectionLab: Security group for the Windows hosts"
vpc_id = "${aws_vpc.default.id}"
vpc_id = aws_vpc.default.id

# RDP
ingress {
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# WinRM
ingress {
from_port = 5985
to_port = 5986
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# Windows ATA
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
cidr_blocks = var.ip_whitelist
}

# Allow all traffic from the private subnet
@@ -136,23 +136,24 @@ resource "aws_security_group" "windows" {
}

resource "aws_key_pair" "auth" {
key_name = "${var.public_key_name}"
public_key = "${file("${var.public_key_path}")}"
key_name = var.public_key_name
public_key = file(var.public_key_path)
}

resource "aws_instance" "logger" {
instance_type = "t2.medium"
ami = "${coalesce(data.aws_ami.logger_ami.image_id, var.logger_ami)}"
ami = coalesce(data.aws_ami.logger_ami.image_id, var.logger_ami)

tags {
tags = {
Name = "logger"
}

subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.logger.id}"]
key_name = "${aws_key_pair.auth.key_name}"
subnet_id = aws_subnet.default.id
vpc_security_group_ids = [aws_security_group.logger.id]
key_name = aws_key_pair.auth.key_name
private_ip = "192.168.38.105"

# Provision the AWS Ubuntu 16.04 AMI from scratch.
# Provision the AWS Ubuntu 16.04 AMI from scratch.
provisioner "remote-exec" {
inline = [
@@ -172,9 +173,10 @@ resource "aws_instance" "logger" {
]

connection {
host = coalesce(self.public_ip, self.private_ip)
type = "ssh"
user = "ubuntu"
private_key = "${file("${var.private_key_path}")}"
private_key = file(var.private_key_path)
}
}

@@ -188,14 +190,14 @@ resource "aws_instance" "dc" {
instance_type = "t2.medium"

# Uses the local variable if external data source resolution fails
ami = "${coalesce(data.aws_ami.dc_ami.image_id, var.dc_ami)}"
ami = coalesce(data.aws_ami.dc_ami.image_id, var.dc_ami)

tags {
tags = {
Name = "dc.windomain.local"
}

subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
subnet_id = aws_subnet.default.id
vpc_security_group_ids = [aws_security_group.windows.id]
private_ip = "192.168.38.102"

root_block_device {
@@ -207,14 +209,14 @@ resource "aws_instance" "wef" {
instance_type = "t2.medium"

# Uses the local variable if external data source resolution fails
ami = "${coalesce(data.aws_ami.wef_ami.image_id, var.wef_ami)}"
ami = coalesce(data.aws_ami.wef_ami.image_id, var.wef_ami)

tags {
tags = {
Name = "wef.windomain.local"
}

subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
subnet_id = aws_subnet.default.id
vpc_security_group_ids = [aws_security_group.windows.id]
private_ip = "192.168.38.103"

root_block_device {
@@ -226,17 +228,18 @@ resource "aws_instance" "win10" {
instance_type = "t2.medium"

# Uses the local variable if external data source resolution fails
ami = "${coalesce(data.aws_ami.win10_ami.image_id, var.win10_ami)}"
ami = coalesce(data.aws_ami.win10_ami.image_id, var.win10_ami)

tags {
tags = {
Name = "win10.windomain.local"
}

subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
subnet_id = aws_subnet.default.id
vpc_security_group_ids = [aws_security_group.windows.id]
private_ip = "192.168.38.104"

root_block_device {
delete_on_termination = true
}
}

@@ -1,31 +1,32 @@
output region {
value = "${var.region}"
output "region" {
value = var.region
}

output "logger_public_ip" {
value = "${aws_instance.logger.public_ip}"
value = aws_instance.logger.public_ip
}

output "dc_public_ip" {
value = "${aws_instance.dc.public_ip}"
value = aws_instance.dc.public_ip
}

output "wef_public_ip" {
value = "${aws_instance.wef.public_ip}"
value = aws_instance.wef.public_ip
}

output "win10_public_ip" {
value = "${aws_instance.win10.public_ip}"
value = aws_instance.win10.public_ip
}

output "ata_url" {
value = "${local.ata_url}"
value = local.ata_url
}

output "fleet_url" {
value = "${local.fleet_url}"
value = local.fleet_url
}

output "splunk_url" {
value = "${local.splunk_url}"
value = local.splunk_url
}

@@ -13,7 +13,7 @@ variable "availability_zone" {

variable "shared_credentials_file" {
description = "Path to your AWS credentials file"
type = "string"
type = string
default = "/home/username/.aws/credentials"
}

@@ -24,25 +24,25 @@ variable "public_key_name" {

variable "public_key_path" {
description = "Path to the public key to be loaded into the logger authorized_keys file"
type = "string"
type = string
default = "/home/username/.ssh/id_logger.pub"
}

variable "private_key_path" {
description = "Path to the private key to use to authenticate to logger."
type = "string"
type = string
default = "/home/username/.ssh/id_logger"
}

variable "ip_whitelist" {
description = "A list of CIDRs that will be allowed to access the EC2 instances"
type = "list"
type = list(string)
default = [""]
}

variable "external_dns_servers" {
description = "Configure lab to allow external DNS resolution"
type = "list"
type = list(string)
default = ["8.8.8.8"]
}

@@ -93,21 +93,22 @@ data "aws_ami" "win10_ami" {
# The default values for us-west-1 have been provied for you
# You will have to change the default values if you use a different region
variable "logger_ami" {
type = "string"
type = string
default = "ami-0ad16744583f21877"
}

variable "dc_ami" {
type = "string"
type = string
default = "ami-03e2df055c632a0dd"
}

variable "wef_ami" {
type = "string"
type = string
default = "ami-03c82482c03a740c5"
}

variable "win10_ami" {
type = "string"
type = string
default = "ami-0a4644e74768900f7"
}

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

0 comments on commit 85070d8

Please sign in to comment.
You can’t perform that action at this time.