Modernize the Packer template in this repository

.pre-commit-config.yaml

@@ -204,7 +204,7 @@ repos:
 
   # Packer hooks
   - repo: https://github.com/cisagov/pre-commit-packer
-    rev: v0.1.0
+    rev: v0.3.0
     hooks:
       - id: packer_validate
       - id: packer_fmt

README.md

@@ -10,20 +10,21 @@ The AMIs are built like so:
 ```console
 cd packer
 ansible-galaxy install --role-file ansible/requirements.yml
-packer build bastion.json
-packer build dashboard.json
-packer build docker.json
-packer build mongo.json
-packer build nessus.json
-packer build nmap.json
-packer build reporter.json
+packer init .
+packer build .
 ```
 
 If building a non-default image (for testing as an example) the prefix for the
 created AMI can be changed from the default value of `cyhy` like so:
 
 ```console
-packer build -var ami_prefix=testing bastion.json
+packer build -var ami_prefix=testing -only amazon-ebs.bastion .
+```
+
+You can also use a `.pkrvars.hcl` file to set any variables.  For example:
+
+```hcl
+ami_prefix = "testing"
 ```
 
 Also note that

packer/.terraform-docs.yml

@@ -0,0 +1,14 @@
+---
+formatter: markdown table
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+settings:
+  anchor: false
+  atx-closed: true
+  html: false
+  lockfile: false

packer/README.md

@@ -0,0 +1,89 @@
+# Cyber Hygiene Packer templates #
+
+## AMIs ##
+
+The following AMIs are available in this Packer template:
+
+| Template name | Description |
+| ------------- | ----------- |
+| bastion | Provides a jump box to a private VPC. |
+| dashboard | The Cyber Hygiene dashboard application. |
+| docker | Runs Docker configurations to perform BOD 18-01 and 20-01 scanning as well as generate the DHS [code.gov](https://code.gov) inventory. |
+| mongo | Provides the MongoDB database used by the Cyber Hygiene scanning system as well as running [cisagov/cyhy-commander]. |
+| nessus | A Nessus scanner for the Cyber Hygiene scanning system (referred to as a `vulnscanner`). |
+| nmap | An Nmap scanner for the Cyber Hygiene scanning system (referred to as a `portscanner`). |
+| reporter | Runs the daily notification and weekly report generation using [cisagov/cyhy-reports]. |
+
+## Building ##
+
+Build an AMI with:
+
+```console
+cd packer
+ansible-galaxy install --role-file ansible/requirements.yml
+packer init .
+packer build -only amazon-ebs.<target AMI> .
+```
+
+Also note that
+
+```console
+ansible-galaxy install --force --role-file ansible/requirements.yml
+```
+
+will update the roles that are being pulled from external sources.  This
+may be required, for example, if a role that is being pulled from a
+GitHub repository has been updated and you want the new changes.  By
+default `ansible-galaxy install` *will not* upgrade roles.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements ##
+
+No requirements.
+
+## Providers ##
+
+| Name | Version |
+|------|---------|
+| amazon-ami | n/a |
+
+## Modules ##
+
+No modules.
+
+## Resources ##
+
+| Name | Type |
+|------|------|
+| [amazon-ami_amazon-ami.debian_bookworm](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source |
+| [amazon-ami_amazon-ami.debian_buster](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source |
+
+## Inputs ##
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| ami\_prefix | The prefix to use for the names of AMIs created. | `string` | `"cyhy"` | no |
+| ami\_regions | The list of AWS regions to copy the AMI to once it has been created. Example: ["us-east-1"] | `list(string)` | ```[ "us-east-1", "us-west-1", "us-west-2" ]``` | no |
+| build\_region | The region in which to retrieve the base AMI from and build the new AMI. | `string` | `"us-east-2"` | no |
+| is\_prerelease | The pre-release status to use for the tags applied to the created AMI. | `bool` | `false` | no |
+
+## Outputs ##
+
+No outputs.
+<!-- END_TF_DOCS -->
+
+## License ##
+
+This project is in the worldwide [public domain](LICENSE.md).
+
+This project is in the public domain within the United States, and
+copyright and related rights in the work worldwide are waived through
+the [CC0 1.0 Universal public domain
+dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0
+dedication. By submitting a pull request, you are agreeing to comply
+with this waiver of copyright interest.
+
+[cisagov/cyhy-commander]: https://github.com/cisagov/cyhy-commander
+[cisagov/cyhy-reports]: https://github.com/cisagov/cyhy-reports

packer/base_images.pkr.hcl

@@ -0,0 +1,21 @@
+data "amazon-ami" "debian_buster" {
+  filters = {
+    name                = "debian-10-amd64-*"
+    root-device-type    = "ebs"
+    virtualization-type = "hvm"
+  }
+  most_recent = true
+  owners      = ["136693071363"]
+  region      = var.build_region
+}
+
+data "amazon-ami" "debian_bookworm" {
+  filters = {
+    name                = "debian-12-amd64-*"
+    root-device-type    = "ebs"
+    virtualization-type = "hvm"
+  }
+  most_recent = true
+  owners      = ["136693071363"]
+  region      = var.build_region
+}

packer/bastion.pkr.hcl

@@ -0,0 +1,58 @@
+source "amazon-ebs" "bastion" {
+  ami_block_device_mappings {
+    delete_on_termination = true
+    device_name           = "/dev/xvda"
+    encrypted             = true
+    volume_size           = 8
+    volume_type           = "gp3"
+  }
+  ami_name      = "${var.ami_prefix}-bastion-hvm-${local.timestamp}-x86_64-ebs"
+  ami_regions   = var.ami_regions
+  instance_type = "t3.small"
+  launch_block_device_mappings {
+    delete_on_termination = true
+    device_name           = "/dev/xvda"
+    encrypted             = true
+    volume_size           = 8
+    volume_type           = "gp3"
+  }
+  region       = var.build_region
+  source_ami   = data.amazon-ami.debian_bookworm.id
+  ssh_username = "admin"
+  tags = {
+    Application   = "Cyber Hygiene"
+    Architecture  = "x86_64"
+    Base_AMI_Name = data.amazon-ami.debian_bookworm.name
+    OS_Version    = "Debian Bookworm"
+    Pre_Release   = var.is_prerelease
+    Release       = "Latest"
+    Team          = "VM Fusion - Development"
+  }
+  temporary_key_pair_type = "ed25519"
+}
+
+build {
+  sources = ["source.amazon-ebs.bastion"]
+
+  provisioner "ansible" {
+    groups        = ["bastion"]
+    playbook_file = "ansible/upgrade.yml"
+    use_proxy     = false
+    use_sftp      = true
+  }
+
+  provisioner "ansible" {
+    groups        = ["bastion"]
+    playbook_file = "ansible/python.yml"
+    use_proxy     = false
+    use_sftp      = true
+  }
+
+  provisioner "ansible" {
+    ansible_env_vars = ["AWS_DEFAULT_REGION=${var.build_region}"]
+    groups           = ["bastion"]
+    playbook_file    = "ansible/playbook.yml"
+    use_proxy        = false
+    use_sftp         = true
+  }
+}