From 0890f4d9189bc325b2332a56c6f43d0b9152add4 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 9 Oct 2024 13:47:49 -0400
Subject: [PATCH 01/15] Bump cisagov/pre-commit-packer from 0.1.0 to 0.3.0
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1e528140..7b2d8240 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -204,7 +204,7 @@ repos:
 # Packer hooks
 - repo: https://github.com/cisagov/pre-commit-packer
- rev: v0.1.0
+ rev: v0.3.0
 hooks:
 - id: packer_validate
 - id: packer_fmt
From 502da8be9d81528acc842a2eac9869d2b6c22f04 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 16:26:39 -0400
Subject: [PATCH 02/15] Add a Packer configuration block
This will provide settings for Packer such as a minimum version of Packer required and any external plugins that the templates require.
---
packer/packer.pkr.hcl | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 packer/packer.pkr.hcl
diff --git a/packer/packer.pkr.hcl b/packer/packer.pkr.hcl
new file mode 100644
index 00000000..9017550e
--- /dev/null
+++ b/packer/packer.pkr.hcl
@@ -0,0 +1,16 @@
+packer {
+ required_plugins {
+ amazon = {
+ source = "github.com/hashicorp/amazon"
+ version = "~> 1.2"
+ }
+ ansible = {
+ source = "github.com/hashicorp/ansible"
+ version = "~> 1.1"
+ }
+ }
+ # The required_plugins section is only supported in Packer 1.7.0 and
+ # later. We also want to avoid jumping to Packer v2 until we are
+ # ready.
+ required_version = "~> 1.7"
+}
From 218a1c49902916129cf2b553f0b76cc670fbcf9a Mon Sep 17 00:00:00 2001
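Review bot: The `~> 1.2` and `~> 1.1` constraints in `required_plugins` let `packer init` resolve to whatever newer minor release of the amazon and ansible plugins exists at build time, so two builds of the same commit can run different plugin code and a regressed or tampered plugin release is picked up without anyone changing this file. As far as I know Packer writes no plugin lockfile, so the constraint here is the only record of what a build used; pinning exact versions, e.g. `version = "1.2.<patch>"` (placeholder patch level), and bumping them deliberately keeps the build inputs reviewable. The existing comment already explains the `required_version` boundary; a one-line comment giving the same rationale for the plugin pins would help whoever bumps them next.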
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:09:41 -0400
Subject: [PATCH 03/15] Configure the variables and locals for the Packer templates
---
packer/locals.pkr.hcl | 3 +++
packer/variables.pkr.hcl | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 packer/locals.pkr.hcl
create mode 100644 packer/variables.pkr.hcl
diff --git a/packer/locals.pkr.hcl b/packer/locals.pkr.hcl
new file mode 100644
index 00000000..90911c57
--- /dev/null
+++ b/packer/locals.pkr.hcl
@@ -0,0 +1,3 @@
+locals {
+ timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
diff --git a/packer/variables.pkr.hcl b/packer/variables.pkr.hcl
new file mode 100644
index 00000000..13a82abd
--- /dev/null
+++ b/packer/variables.pkr.hcl
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------------------
+# REQUIRED PARAMETERS
+#
+# You must provide a value for each of these parameters.
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# OPTIONAL PARAMETERS
+#
+# These parameters have reasonable defaults.
+# ------------------------------------------------------------------------------
+variable "ami_prefix" {
+ default = "cyhy"
+ description = "The prefix to use for the names of AMIs created."
+ type = string
+}
+
+variable "ami_regions" {
+ default = [
+ "us-east-1",
+ "us-west-1",
+ "us-west-2",
+ ]
+ description = "The list of AWS regions to copy the AMI to once it has been created. Example: [\"us-east-1\"]"
+ type = list(string)
+}
+
+variable "build_region" {
+ default = "us-east-2"
+ description = "The region in which to retrieve the base AMI from and build the new AMI."
+ type = string
+}
+
+variable "is_prerelease" {
+ default = false
+ description = "The pre-release status to use for the tags applied to the created AMI."
+ type = bool
+}
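Review bot: The REQUIRED PARAMETERS banner at the top of variables.pkr.hcl opens a section that contains no variables, so the file documents inputs that do not exist; either drop the banner or add a line such as `# (none at present)` beneath it so a reader knows the omission is deliberate. `build_region` and `ami_regions` also accept any string, including an empty list; a `validation` block that rejects empty values would fail at `packer validate` rather than partway through an AWS build.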
From eaf0f7bfc549678b3e39e422fbf50d571e6a5269 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:11:31 -0400
Subject: [PATCH 04/15] Establish the source AMIs used in the Packer templates
Currently we use Debian Buster and Debian Bookworm for our Packer templates so we define them both as data sources for use.
---
packer/base_images.pkr.hcl | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 packer/base_images.pkr.hcl
diff --git a/packer/base_images.pkr.hcl b/packer/base_images.pkr.hcl
new file mode 100644
index 00000000..f4c8aa79
--- /dev/null
+++ b/packer/base_images.pkr.hcl
@@ -0,0 +1,21 @@
+data "amazon-ami" "debian_buster" {
+ filters = {
+ name = "debian-10-amd64-*"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["136693071363"]
+ region = var.build_region
+}
+
+data "amazon-ami" "debian_bookworm" {
+ filters = {
+ name = "debian-12-amd64-*"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["136693071363"]
+ region = var.build_region
+}
From 986e9a96650957128e166cd47338b586a0367d14 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:22:53 -0400
Subject: [PATCH 05/15] Convert the `bastion` Packer template to HCL2
---
packer/bastion.json | 86 ------------------------------------------
packer/bastion.pkr.hcl | 58 ++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 86 deletions(-)
delete mode 100644 packer/bastion.json
create mode 100644 packer/bastion.pkr.hcl
diff --git a/packer/bastion.json b/packer/bastion.json
deleted file mode 100644
index e23e0ec3..00000000
--- a/packer/bastion.json
+++ /dev/null
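Review bot: The `debian_buster` data source selects Debian 10, which reached the end of its LTS support window in mid-2024, so the templates that build on it later in this series (dashboard, mongo and reporter) start from a base that no longer receives Debian security updates; a comment on the block stating that and pointing at the planned move to Bookworm would stop it being read as a supported choice. Both data sources also combine `most_recent = true` with a wildcard `name`, so the base image is whatever Debian published most recently at build time and is recorded only in the `Base_AMI_Name` tag of the result; a comment such as `# 136693071363 is Debian's AMI publisher account; most_recent resolves the base at build time` would make both facts explicit to the next reader.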
@@ -1,86 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-bastion-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.small",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-12-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Bookworm",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "bastion"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "bastion"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "bastion"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/bastion.pkr.hcl b/packer/bastion.pkr.hcl
new file mode 100644
index 00000000..7139a079
--- /dev/null
+++ b/packer/bastion.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "bastion" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-bastion-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.small"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_bookworm.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_bookworm.name
+ OS_Version = "Debian Bookworm"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.bastion"]
+
+ provisioner "ansible" {
+ groups = ["bastion"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["bastion"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["bastion"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From 554b15988c7868c2b1809611e5c01c8dd8f2c274 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:32:19 -0400
Subject: [PATCH 06/15] Convert the `dashboard` Packer template to HCL2
---
packer/dashboard.json | 86 ----------------------------------------
packer/dashboard.pkr.hcl | 58 +++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 86 deletions(-)
delete mode 100644 packer/dashboard.json
create mode 100644 packer/dashboard.pkr.hcl
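Review bot: The `source "amazon-ebs" "bastion"` block registers the AMI without `imds_support = "v2.0"` and launches the build instance without a `metadata_options` block, so the resulting image does not require IMDSv2 unless the launching account or template overrides it, and the builder instance runs with the same default while Ansible provisions it; the amazon plugin range required in packer.pkr.hcl should support both settings, so adding `imds_support = "v2.0"` beside `ami_regions` and `metadata_options { http_tokens = "required" }` beside `launch_block_device_mappings` would harden every image this series produces. The same gap is in the dashboard, docker, mongo, nessus, nmap and reporter templates in patches 06 through 11, so one follow-up should cover all seven. Separately, the block-device mappings, tags and the three provisioners are repeated verbatim across all seven templates; a shared `locals` map, or a single parameterised source, would keep the next hardening change from needing seven identical edits.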
diff --git a/packer/dashboard.json b/packer/dashboard.json
deleted file mode 100644
index f93958b2..00000000
--- a/packer/dashboard.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-dashboard-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.small",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-10-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Buster",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "dashboard"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "dashboard"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "cyhy_dashboard"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/dashboard.pkr.hcl b/packer/dashboard.pkr.hcl
new file mode 100644
index 00000000..b9964b9d
--- /dev/null
+++ b/packer/dashboard.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "dashboard" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-dashboard-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.small"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_buster.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_buster.name
+ OS_Version = "Debian Buster"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.dashboard"]
+
+ provisioner "ansible" {
+ groups = ["dashboard"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["dashboard"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["cyhy_dashboard"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From 7121ac87500a327e2625aa3607535e8940abae1d Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:34:59 -0400
Subject: [PATCH 07/15] Convert the `docker` Packer template to HCL2
---
packer/docker.json | 88 -------------------------------------------
packer/docker.pkr.hcl | 58 ++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 88 deletions(-)
delete mode 100644 packer/docker.json
create mode 100644 packer/docker.pkr.hcl
diff --git a/packer/docker.json b/packer/docker.json
deleted file mode 100644
index 717fab00..00000000
--- a/packer/docker.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 10,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-docker-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.small",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 10,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-12-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Bookworm",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "docker"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "docker"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "bod",
- "code_gov",
- "vdp_scan"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/docker.pkr.hcl b/packer/docker.pkr.hcl
new file mode 100644
index 00000000..ac8eb180
--- /dev/null
+++ b/packer/docker.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "docker" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 10
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-docker-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.small"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 10
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_bookworm.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_bookworm.name
+ OS_Version = "Debian Bookworm"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.docker"]
+
+ provisioner "ansible" {
+ groups = ["docker"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["docker"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["bod", "code_gov", "vdp_scan"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From d25e06338c55045d2500741039dbfde97dcc12af Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:40:46 -0400
Subject: [PATCH 08/15] Convert the `mongo` Packer template to HCL2
---
packer/mongo.json | 89 --------------------------------------------
packer/mongo.pkr.hcl | 58 +++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 89 deletions(-)
delete mode 100644 packer/mongo.json
create mode 100644 packer/mongo.pkr.hcl
diff --git a/packer/mongo.json b/packer/mongo.json
deleted file mode 100644
index 30db9338..00000000
--- a/packer/mongo.json
+++ /dev/null
@@ -1,89 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-mongo-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.small",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-10-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Buster",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "mongo"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "mongo"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "cyhy_archive",
- "cyhy_commander",
- "cyhy_feeds",
- "mongo"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/mongo.pkr.hcl b/packer/mongo.pkr.hcl
new file mode 100644
index 00000000..b73d26e4
--- /dev/null
+++ b/packer/mongo.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "mongo" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-mongo-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.small"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_buster.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_buster.name
+ OS_Version = "Debian Buster"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.mongo"]
+
+ provisioner "ansible" {
+ groups = ["mongo"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["mongo"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["cyhy_archive", "cyhy_commander", "cyhy_feeds", "mongo"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From f153ebb3a0919e6326a38dd9f9e92e7de2a88436 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:42:52 -0400
Subject: [PATCH 09/15] Convert the `nessus` Packer template to HCL2
---
packer/nessus.json | 86 -------------------------------------------
packer/nessus.pkr.hcl | 58 +++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 86 deletions(-)
delete mode 100644 packer/nessus.json
create mode 100644 packer/nessus.pkr.hcl
diff --git a/packer/nessus.json b/packer/nessus.json
deleted file mode 100644
index 97d077c4..00000000
--- a/packer/nessus.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-nessus-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "m5.large",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-12-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Bookworm",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "nessus"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "nessus"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "nessus"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/nessus.pkr.hcl b/packer/nessus.pkr.hcl
new file mode 100644
index 00000000..d0b3c57a
--- /dev/null
+++ b/packer/nessus.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "nessus" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-nessus-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "m5.large"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_bookworm.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_bookworm.name
+ OS_Version = "Debian Bookworm"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.nessus"]
+
+ provisioner "ansible" {
+ groups = ["nessus"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["nessus"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["nessus"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From cc88d36a443ec8d0b4d947b6a9c0b4a755323584 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:44:38 -0400
Subject: [PATCH 10/15] Convert the `nmap` Packer template to HCL2
---
packer/nmap.json | 86 ---------------------------------------------
packer/nmap.pkr.hcl | 58 ++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 86 deletions(-)
delete mode 100644 packer/nmap.json
create mode 100644 packer/nmap.pkr.hcl
diff --git a/packer/nmap.json b/packer/nmap.json
deleted file mode 100644
index 470d99f1..00000000
--- a/packer/nmap.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-nmap-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.small",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 8,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-12-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Bookworm",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "nmap"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "nmap"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "nmap"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/nmap.pkr.hcl b/packer/nmap.pkr.hcl
new file mode 100644
index 00000000..b64d808a
--- /dev/null
+++ b/packer/nmap.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "nmap" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-nmap-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.small"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_bookworm.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_bookworm.name
+ OS_Version = "Debian Bookworm"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.nmap"]
+
+ provisioner "ansible" {
+ groups = ["nmap"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["nmap"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["nmap"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From 20602607a9a77d351bbc662ae3f27d520f207efc Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:51:32 -0400
Subject: [PATCH 11/15] Convert the `reporter` Packer template to HCL2
---
packer/reporter.json | 86 -----------------------------------------
packer/reporter.pkr.hcl | 58 +++++++++++++++++++++
2 files changed, 58 insertions(+), 86 deletions(-)
delete mode 100644 packer/reporter.json
create mode 100644 packer/reporter.pkr.hcl
diff --git a/packer/reporter.json b/packer/reporter.json
deleted file mode 100644
index cc29cbc8..00000000
--- a/packer/reporter.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "builders": [
- {
- "ami_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 10,
- "volume_type": "gp3"
- }
- ],
- "ami_name": "{{user `ami_prefix`}}-reporter-hvm-{{timestamp}}-x86_64-ebs",
- "ami_regions": "{{user `ami_regions`}}",
- "instance_type": "t3.medium",
- "launch_block_device_mappings": [
- {
- "delete_on_termination": true,
- "device_name": "/dev/xvda",
- "encrypted": true,
- "volume_size": 10,
- "volume_type": "gp3"
- }
- ],
- "region": "{{user `build_region`}}",
- "source_ami_filter": {
- "filters": {
- "name": "debian-10-amd64-*",
- "root-device-type": "ebs",
- "virtualization-type": "hvm"
- },
- "most_recent": true,
- "owners": [
- "136693071363"
- ]
- },
- "ssh_username": "admin",
- "tags": {
- "Application": "Cyber Hygiene",
- "Base_AMI_Name": "{{ .SourceAMIName }}",
- "OS_Version": "Debian Buster",
- "Release": "Latest",
- "Team": "VM Fusion - Development"
- },
- "temporary_key_pair_type": "ed25519",
- "type": "amazon-ebs"
- }
- ],
- "provisioners": [
- {
- "groups": [
- "reporter"
- ],
- "playbook_file": "ansible/upgrade.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "groups": [
- "reporter"
- ],
- "playbook_file": "ansible/python.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- },
- {
- "ansible_env_vars": [
- "AWS_DEFAULT_REGION={{user `build_region`}}"
- ],
- "groups": [
- "cyhy_reporter"
- ],
- "playbook_file": "ansible/playbook.yml",
- "type": "ansible",
- "use_proxy": false,
- "use_sftp": true
- }
- ],
- "variables": {
- "ami_prefix": "cyhy",
- "ami_regions": "us-east-1,us-west-1,us-west-2",
- "build_region": "us-east-2"
- }
-}
diff --git a/packer/reporter.pkr.hcl b/packer/reporter.pkr.hcl
new file mode 100644
index 00000000..df012612
--- /dev/null
+++ b/packer/reporter.pkr.hcl
@@ -0,0 +1,58 @@
+source "amazon-ebs" "reporter" {
+ ami_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 10
+ volume_type = "gp3"
+ }
+ ami_name = "${var.ami_prefix}-reporter-hvm-${local.timestamp}-x86_64-ebs"
+ ami_regions = var.ami_regions
+ instance_type = "t3.medium"
+ launch_block_device_mappings {
+ delete_on_termination = true
+ device_name = "/dev/xvda"
+ encrypted = true
+ volume_size = 10
+ volume_type = "gp3"
+ }
+ region = var.build_region
+ source_ami = data.amazon-ami.debian_buster.id
+ ssh_username = "admin"
+ tags = {
+ Application = "Cyber Hygiene"
+ Architecture = "x86_64"
+ Base_AMI_Name = data.amazon-ami.debian_buster.name
+ OS_Version = "Debian Buster"
+ Pre_Release = var.is_prerelease
+ Release = "Latest"
+ Team = "VM Fusion - Development"
+ }
+ temporary_key_pair_type = "ed25519"
+}
+
+build {
+ sources = ["source.amazon-ebs.reporter"]
+
+ provisioner "ansible" {
+ groups = ["reporter"]
+ playbook_file = "ansible/upgrade.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ groups = ["reporter"]
+ playbook_file = "ansible/python.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+
+ provisioner "ansible" {
+ ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+ groups = ["cyhy_reporter"]
+ playbook_file = "ansible/playbook.yml"
+ use_proxy = false
+ use_sftp = true
+ }
+}
From 23236079f7b55e5a4df6f2f5218ba801585f98b7 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 1 Oct 2024 18:14:04 -0400
Subject: [PATCH 12/15] Add a README for the Packer configuration
Provide basic information about the Packer templates and how to build an AMI.
---
packer/README.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 packer/README.md
diff --git a/packer/README.md b/packer/README.md
new file mode 100644
index 00000000..46aa1e10
--- /dev/null
+++ b/packer/README.md
@@ -0,0 +1,53 @@
+# Cyber Hygiene Packer templates #
+
+## AMIs ##
+
+The following AMIs are available in this Packer template:
+
+| Template name | Description |
+| ------------- | ----------- |
+| bastion | Provides a jump box to a private VPC. |
+| dashboard | The Cyber Hygiene dashboard application. |
+| docker | Runs Docker configurations to perform BOD 18-01 and 20-01 scanning as well as generate the DHS [code.gov](https://code.gov) inventory. |
+| mongo | Provides the MongoDB database used by the Cyber Hygiene scanning system as well as running [cisagov/cyhy-commander]. |
+| nessus | A Nessus scanner for the Cyber Hygiene scanning system (referred to as a `vulnscanner`). |
+| nmap | An Nmap scanner for the Cyber Hygiene scanning system (referred to as a `portscanner`). |
+| reporter | Runs the daily notification and weekly report generation using [cisagov/cyhy-reports] |
+
+## Building ##
+
+Build an AMI with:
+
+```console
+cd packer
+ansible-galaxy install --role-file ansible/requirements.yml
+packer init .
+packer build -only amazon-ebs. .
+```
+
+Also note that
+
+```console
+ansible-galaxy install --force --role-file ansible/requirements.yml
+```
+
+will update the roles that are being pulled from external sources. This
+may be required, for example, if a role that is being pulled from a
+GitHub repository has been updated and you want the new changes. By
+default `ansible-galaxy install` *will not* upgrade roles.
+
+## License ##
+
+This project is in the worldwide [public domain](LICENSE.md).
+
+This project is in the public domain within the United States, and
+copyright and related rights in the work worldwide are waived through
+the [CC0 1.0 Universal public domain
+dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0
+dedication. By submitting a pull request, you are agreeing to comply
+with this waiver of copyright interest.
+ +[cisagov/cyhy-commander]: https://github.com/cisagov/cyhy-commander +[cisagov/cyhy-reports]: https://github.com/cisagov/cyhy-reports From 9ceab2dc9c7524353dc94be46fe0ab3e9f138b8a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 2 Oct 2024 00:13:12 -0400 Subject: [PATCH 13/15] Use `terraform-docs` to populate Packer information Since the new Packer configuration is in HCL2 we can use `terraform-docs` to populate the Packer README with some information. Although the information populated is limited it at least documents the variables used by the configuration. --- packer/.terraform-docs.yml | 14 ++++++++++++++ packer/README.md | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 packer/.terraform-docs.yml diff --git a/packer/.terraform-docs.yml b/packer/.terraform-docs.yml new file mode 100644 index 00000000..575b15db --- /dev/null +++ b/packer/.terraform-docs.yml @@ -0,0 +1,14 @@ +--- +formatter: markdown table +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + +settings: + anchor: false + atx-closed: true + html: false + lockfile: false diff --git a/packer/README.md b/packer/README.md index 46aa1e10..b6bb165e 100644 --- a/packer/README.md +++ b/packer/README.md 
@@ -36,6 +36,42 @@ may be required, for example, if a role that is being pulled from a GitHub repository has been updated and you want the new changes. By default `ansible-galaxy install` *will not* upgrade roles. + +## Requirements ## + +No requirements. + +## Providers ## + +| Name | Version | +|------|---------| +| amazon-ami | n/a | + +## Modules ## + +No modules. + +## Resources ## + +| Name | Type | +|------|------| +| [amazon-ami_amazon-ami.debian_bookworm](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source | +| [amazon-ami_amazon-ami.debian_buster](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source | + +## Inputs ## + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| ami\_prefix | The prefix to use for the names of AMIs created. | `string` | `"cyhy"` | no | +| ami\_regions | The list of AWS regions to copy the AMI to once it has been created. Example: ["us-east-1"] | `list(string)` | ```[ "us-east-1", "us-west-1", "us-west-2" ]``` | no | +| build\_region | The region in which to retrieve the base AMI from and build the new AMI. | `string` | `"us-east-2"` | no | +| is\_prerelease | The pre-release status to use for the tags applied to the created AMI. | `bool` | `false` | no | + +## Outputs ## + +No outputs. + + ## License ## This project is in the worldwide [public domain](LICENSE.md). From 2c79e4b4edbd5887c1dd3c8c1dc6421c9f15fd16 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 2 Oct 2024 00:22:26 -0400 Subject: [PATCH 14/15] Update the project README Update to reflect the conversion of the Packer configuration to HCL2. --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d3d9e44d..7b27e6a8 100644 --- a/README.md +++ b/README.md 
@@ -10,20 +10,21 @@ The AMIs are built like so: ```console cd packer ansible-galaxy install --role-file ansible/requirements.yml -packer build bastion.json -packer build dashboard.json -packer build docker.json -packer build mongo.json -packer build nessus.json -packer build nmap.json -packer build reporter.json +packer init . +packer build . ``` If building a non-default image (for testing as an example) the prefix for the created AMI can be changed from the default value of `cyhy` like so: ```console -packer build -var ami_prefix=testing bastion.json +packer build -var ami_prefix=testing -only amazon-ebs.bastion . +``` + +You can also use a `.pkrvars.hcl` file to set any variables. For example: + +```hcl +ami_prefix = "testing" ``` Also note that From c086fc6e78c5e7727adddc63824faccc8bab0538 Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 11:38:56 -0400 Subject: [PATCH 15/15] Add a missed period to the Packer template README Co-authored-by: dav3r --- packer/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packer/README.md b/packer/README.md index b6bb165e..a5a5e954 100644 --- a/packer/README.md +++ b/packer/README.md @@ -12,7 +12,7 @@ The following AMIs are available in this Packer template: | mongo | Provides the MongoDB database used by the Cyber Hygiene scanning system as well as running [cisagov/cyhy-commander]. | | nessus | A Nessus scanner for the Cyber Hygiene scanning system (referred to as a `vulnscanner`). | | nmap | An Nmap scanner for the Cyber Hygiene scanning system (referred to as a `portscanner`). | -| reporter | Runs the daily notification and weekly report generation using [cisagov/cyhy-reports] | +| reporter | Runs the daily notification and weekly report generation using [cisagov/cyhy-reports]. | ## Building ##