From f5b097b19a95876964d697d6f4b18d7f8f4ed333 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 22 Mar 2020 00:34:10 +0100
Subject: [PATCH 1/5] Switch to clouds.yaml file for authentication and use Open Telekom Cloud Vendor profile
---
 cloud/ansible/openstack/clouds.yaml | 8 ++++
 .../openstack/roles/deploy/tasks/main.yaml | 48 +++----------------
 .../openstack/roles/deploy/vars/main.yaml | 1 -
 .../openstack/roles/deploy/vars/os_auth.yaml | 5 --
 4 files changed, 14 insertions(+), 48 deletions(-)
 create mode 100644 cloud/ansible/openstack/clouds.yaml
 delete mode 100644 cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml
diff --git a/cloud/ansible/openstack/clouds.yaml b/cloud/ansible/openstack/clouds.yaml
new file mode 100644
index 00000000..fd0b2831
--- /dev/null
+++ b/cloud/ansible/openstack/clouds.yaml
@@ -0,0 +1,8 @@
+clouds:
+ open-telekom-cloud:
+ profile: otc
+ auth:
+ project_name: eu-de_your_project
+ username: your_api_user
+ password: your_password
+ user_domain_name: OTC-EU-DE-000000000010000XXXXX
diff --git a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml
index 7e7826b8..bd68b1bf 100644
--- a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml
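Review bot: clouds.yaml is added as a tracked file holding placeholder credentials (`password: your_password`) that the README in this series tells users to overwrite with real ones, so a real API password ends up in a path git already tracks and a routine `git commit -a` will capture it. Ship the template under an example name and list `clouds.yaml` in `.gitignore`, or keep only the `profile:` entry here and move the `auth:` block into openstacksdk's companion `secure.yaml`, which the SDK merges with clouds.yaml and which can stay untracked. The deleted `vars/os_auth.yaml` had the same exposure, so this is not a regression, but it is the moment to fix it. A one-line comment at the top, e.g. `# Credentials file - keep out of version control`, would at least make the intent explicit to whoever edits it.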
@@ -2,51 +2,26 @@
 shell: echo t-pot-ansible-$(pwgen -ns 6 -1)
 register: tpot_name
-- name: Import OpenStack authentication variables
- include_vars:
- file: roles/deploy/vars/os_auth.yaml
- no_log: true
-
 - name: Create security group
 os_security_group:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 name: sg-tpot-any
 description: tpot any-any
 - name: Add rules to security group
 os_security_group_rule:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 security_group: sg-tpot-any
 remote_ip_prefix: 0.0.0.0/0
 - name: Create network
 os_network:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 name: network-tpot
 - name: Create subnet
 os_subnet:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 network_name: network-tpot
 name: subnet-tpot
 cidr: 192.168.0.0/24
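Review bot: The cloud name `open-telekom-cloud` is repeated verbatim in all four os_* tasks of this hunk and again in the two tasks of the following hunk (`@@ -56,26 +31,15 @@`); a single variable next to the other deployment settings in `roles/deploy/vars/main.yaml`, e.g. `os_cloud: open-telekom-cloud` used as `cloud: "{{ os_cloud }}"`, keeps the profile name in one place and lets a user point at a differently named entry without editing every task. The profile is resolved by openstacksdk from its clouds.yaml search path (working directory first, then the user and system config directories), so with the file added at `cloud/ansible/openstack/clouds.yaml` the playbook presumably has to be run from that directory; a comment on the first task or an `OS_CLIENT_CONFIG_FILE` hint in the README would save users an opaque authentication failure. Dropping the `auth:` blocks also removes the `no_log: true` that guarded the credential include; because the password no longer passes through task arguments that is acceptable, but the commit message should say so.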
@@ -56,26 +31,15 @@
 - name: Create router
 os_router:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 name: router-tpot
 interfaces:
 - subnet-tpot
 - name: Launch an instance
 os_server:
- auth:
- auth_url: "{{ auth_url }}"
- username: "{{ username }}"
- password: "{{ password }}"
- project_name: "{{ project_name }}"
- os_user_domain_name: "{{ os_user_domain_name }}"
+ cloud: open-telekom-cloud
 name: "{{ tpot_name.stdout }}"
- region_name: "{{ region_name }}"
 availability_zone: "{{ availability_zone }}"
 image: "{{ image }}"
 boot_from_volume: yes
diff --git a/cloud/ansible/openstack/roles/deploy/vars/main.yaml b/cloud/ansible/openstack/roles/deploy/vars/main.yaml
index 0854d0ed..d2b0664a 100644
--- a/cloud/ansible/openstack/roles/deploy/vars/main.yaml
+++ b/cloud/ansible/openstack/roles/deploy/vars/main.yaml
@@ -1,4 +1,3 @@
-region_name: eu-de
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
diff --git a/cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml b/cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml
deleted file mode 100644
index fdb1a29b..00000000
--- a/cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-auth_url: https://iam.eu-de.otc.t-systems.com/v3
-username: your_api_user
-password: your_password
-project_name: eu-de_your_project
-os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
From 7815f4e8e4242ef8d79cd2cfcf18f9142ef01b2e Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 22 Mar 2020 00:50:24 +0100
Subject: [PATCH 2/5] Fix some ansible-lint errors
---
 cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml | 2 +-
 cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml | 2 +-
 cloud/ansible/openstack/roles/install/tasks/main.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
index a484f34e..1856a3df 100644
--- a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
@@ -1,6 +1,6 @@
 - name: Copy ews configuration file
 template:
- src: ../templates/ews.cfg
+ src: ews.cfg
 dest: /data/ews/conf
 owner: root
 group: root
diff --git a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
index 4c5a2c0e..50ea7311 100644
--- a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
@@ -1,6 +1,6 @@
 - name: Copy hpfeeds configuration file
 copy:
- src: ../files/hpfeeds.cfg
+ src: hpfeeds.cfg
 dest: /data/ews/conf
 owner: tpot
 group: tpot
diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml
index b931cc77..40977347 100644
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@@ -9,7 +9,7 @@
 repo: "https://github.com/dtag-dev-sec/tpotce.git"
 dest: /root/tpot
-- name: Prepare to set user password
+- name: Prepare to set user password
 set_fact:
 user_name: "{{ ansible_user }}"
 user_salt: "s0mew1ck3dTpoT"
From f6061873506a8e4d9e624e75330c34091cf4c249 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 22 Mar 2020 02:29:50 +0100
Subject: [PATCH 3/5] Update README.md
---
 cloud/ansible/README.md | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md
index b8666a76..e52da17e 100644
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@@ -18,7 +18,7 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
 - [Import Key Pair](#key-pair)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
- - [OpenStack authentication variables](#os-auth)
+ - [Clouds.yaml](#clouds-yaml)
 - [Ansible remote user](#remote-user)
 - [Instance settings](#instance-settings)
 - [User password](#user-password)
@@ -97,25 +97,27 @@ Import your SSH public key.
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master: `git clone https://github.com/dtag-dev-sec/tpotce.git`
-All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder.
+All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 # Settings and recommended values
-You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook.
-The settings are located in the following Ansible vars files:
-
-## OpenStack authentication variables
-Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml).
+
+## Clouds.yaml
+Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):
 ```
-auth_url: https://iam.eu-de.otc.t-systems.com/v3
-username: your_api_user
-password: your_password
-project_name: eu-de_your_project
-os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
+clouds:
+ open-telekom-cloud:
+ profile: otc
+ auth:
+ project_name: eu-de_your_project
+ username: your_api_user
+ password: your_password
+ user_domain_name: OTC-EU-DE-000000000010000XXXXX
 ```
-You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file.
+You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.
 For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
@@ -126,17 +128,15 @@ You may have to adjust the `remote_user` in the Ansible Playbook under [`opensta
 ## Instance settings
 Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).
 Here you can customize your virtual machine specifications:
- - Specify the region name
 - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
 - Change the OS image (For T-Pot we need Debian)
 - (Optional) Change the volume size
 - Specify your key pair (:warning: Mandatory)
 - (Optional) Change the instance type (flavor)
 `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
- A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
+ A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 ```
-region_name: eu-de
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
@@ -154,7 +154,7 @@ user_password: LiNuXuSeRPaSs#
 ## Configure `tpot.conf.dist`
-The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).
+The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).
 Here you can choose:
 - between the various T-Pot editions
 - a username for the web interface
From 435e8c20341486d01aac89da49306b9decf8ef51 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Wed, 25 Mar 2020 11:51:53 +0100
Subject: [PATCH 4/5] Update AWS AMIs https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
---
 cloud/terraform/aws/variables.tf | 36 ++++++++++++++++----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/cloud/terraform/aws/variables.tf b/cloud/terraform/aws/variables.tf
index 2921f7ae..1af904db 100644
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
@@ -32,23 +32,23 @@ variable "ec2_instance_type" {
 variable "ec2_ami" {
 type = map(string)
 default = {
- "ap-east-1" = "ami-b7d0abc6"
- "ap-northeast-1" = "ami-01f4f0c9374675b99"
- "ap-northeast-2" = "ami-0855cb0c55370c38c"
- "ap-south-1" = "ami-00d7d1cbdcb087cf3"
- "ap-southeast-1" = "ami-03779b1b2fbb3a9d4"
- "ap-southeast-2" = "ami-0ce3a7c68c6b1678d"
- "ca-central-1" = "ami-037099906a22f210f"
- "eu-central-1" = "ami-0845c3902a6f2af32"
- "eu-north-1" = "ami-e634bf98"
- "eu-west-1" = "ami-06a53bf81914447b5"
- "eu-west-2" = "ami-053d9f0770cd2e34c"
- "eu-west-3" = "ami-060bf1f444f742af9"
- "me-south-1" = "ami-04a9a536105c72d30"
- "sa-east-1" = "ami-0a5fd18ed0b9c7f35"
- "us-east-1" = "ami-01db78123b2b99496"
- "us-east-2" = "ami-010ffea14ff17ebf5"
- "us-west-1" = "ami-0ed1af421f2a3cf40"
- "us-west-2" = "ami-030a304a76b181155"
+ "ap-east-1" = "ami-f9c58188"
+ "ap-northeast-1" = "ami-0fae5501ae428f9d7"
+ "ap-northeast-2" = "ami-0522874b039290246"
+ "ap-south-1" = "ami-03b4e18f70aca8973"
+ "ap-southeast-1" = "ami-0852293c17f5240b3"
+ "ap-southeast-2" = "ami-03ea2db714f1f6acf"
+ "ca-central-1" = "ami-094511e5020cdea18"
+ "eu-central-1" = "ami-0394acab8c5063f6f"
+ "eu-north-1" = "ami-0c82d9a7f5674320a"
+ "eu-west-1" = "ami-006d280940ad4a96c"
+ "eu-west-2" = "ami-08fe9ea08db6f1258"
+ "eu-west-3" = "ami-04563f5eab11f2b87"
+ "me-south-1" = "ami-0492a01b319d1f052"
+ "sa-east-1" = "ami-05e16feea94258a69"
+ "us-east-1" = "ami-04d70e069399af2e9"
+ "us-east-2" = "ami-04100f1cdba76b497"
+ "us-west-1" = "ami-014c78f266c5b7163"
+ "us-west-2" = "ami-023b7a69b9328e1f9"
 }
 }
From a73f34490de1127eeab90ab3736c449b03073398 Mon Sep 17 00:00:00 2001
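Review bot: The eighteen replacement AMI ids in the `default` map are opaque values with nothing in the file recording where they came from or how to re-verify them; the commit message names the Debian wiki page, but that is lost once the map is read on its own, and an AMI id by itself says nothing about who published the image. Add a comment above the map, e.g. `# Debian 10 (buster) AMIs per region, taken from https://wiki.debian.org/Cloud/AmazonEC2Image/Buster on 2020-03-25 - check the publishing account before changing these`, so the next bump can be checked against the publisher rather than trusted on its face. Longer term, a `data "aws_ami"` lookup filtered on Debian's publishing account id (kept as a labelled placeholder until confirmed from the wiki) plus a name filter would make that publisher check part of every plan, at the cost of a moving image versus a pinned one. The whole `variable "ec2_ami"` block is inside the hunk.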
From: Sebastian Haderecker
Date: Wed, 25 Mar 2020 13:34:22 +0100
Subject: [PATCH 5/5] Update AWS Terraform - Add variables to cloud-init.yaml - Allow to set Linux OS password via cloud-init - Pass the tpot.conf file as inline content to allow variables - Remove obsolete tpot.conf file in terraform/ directory
---
 cloud/terraform/aws/main.tf | 2 +-
 cloud/terraform/aws/variables.tf | 26 ++++++++++++++++++++++++++
 cloud/terraform/cloud-init.yaml | 22 +++++++++++-----------
 cloud/terraform/tpot.conf | 5 -----
 4 files changed, 38 insertions(+), 17 deletions(-)
 delete mode 100644 cloud/terraform/tpot.conf
diff --git a/cloud/terraform/aws/main.tf b/cloud/terraform/aws/main.tf
index 164bf3b1..533ee4bc 100644
--- a/cloud/terraform/aws/main.tf
+++ b/cloud/terraform/aws/main.tf
@@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
 volume_size = 128
 delete_on_termination = true
 }
- user_data = "${file("../cloud-init.yaml")} content: ${base64encode(file("../tpot.conf"))}"
+ user_data = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
 vpc_security_group_ids = [aws_security_group.tpot.id]
 associate_public_ip_address = true
 }
diff --git a/cloud/terraform/aws/variables.tf b/cloud/terraform/aws/variables.tf
index 2921f7ae..11da5c8d 100644
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
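Review bot: The new `user_data` line renders `var.linux_password` and `var.web_password` in clear text into the cloud-init document, and EC2 user data is readable from inside the instance through the instance metadata service by any local process, through `DescribeInstanceAttribute` by anyone holding that API permission, and it is kept in the Terraform state; the old line had the same property for the base64 tpot.conf, but it now also carries the OS login password. That deserves a comment on the line, e.g. `# user_data (including both passwords) is visible via instance metadata, the EC2 API and terraform state`, and, if the Terraform version in use supports it, `sensitive = true` on the two password variables so they are at least redacted from plan and apply output. The single-line map is also hard to read and diff; one `key = value` per line inside the braces reads better and makes later additions a one-line change. The enclosing `aws_instance` resource starts outside the hunk.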
@@ -52,3 +52,29 @@ variable "ec2_ami" {
 "us-west-2" = "ami-030a304a76b181155"
 }
 }
+
+# cloud-init configuration
+variable "timezone" {
+ default = "UTC"
+}
+
+variable "linux_password" {
+ #default = "LiNuXuSeRPaSs#"
+ description = "Set a password for the default user"
+}
+
+# These will go in the generated tpot.conf file
+variable "tpot_flavor" {
+ default = "STANDARD"
+ description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+}
+
+variable "web_user" {
+ default = "webuser"
+ description = "Set a username for the web user"
+}
+
+variable "web_password" {
+ #default = "w3b$ecret"
+ description = "Set a password for the web user"
+}
diff --git a/cloud/terraform/cloud-init.yaml b/cloud/terraform/cloud-init.yaml
index 612f15d3..123e1612 100644
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@@ -1,9 +1,5 @@
 #cloud-config
-timezone: UTC
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: true
+timezone: ${timezone}
 packages:
 - git
@@ -12,14 +8,18 @@ runcmd:
 - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
 - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
 - rm /root/tpot.conf
- - /sbin/shutdown -r +5
+ - /sbin/shutdown -r now
+
+password: ${password}
+chpasswd:
+ expire: false
-# The contents of tpot.conf will be base64 encoded and appended to this file
-# via the terraform configuration in main.tf
-#
-# Make sure there are no trailing new lines after "permissions" below
 write_files:
- - encoding: b64
+ - content: |
+ # tpot configuration file
+ myCONF_TPOT_FLAVOR='${tpot_flavor}'
+ myCONF_WEB_USER='${web_user}'
+ myCONF_WEB_PW='${web_password}'
 owner: root:root
 path: /root/tpot.conf
 permissions: '0600'
diff --git a/cloud/terraform/tpot.conf b/cloud/terraform/tpot.conf
deleted file mode 100644
index f2f3e6a0..00000000
--- a/cloud/terraform/tpot.conf
+++ /dev/null
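Review bot: The commented-out `#default = "LiNuXuSeRPaSs#"` and `#default = "w3b$ecret"` lines keep two example passwords in the repository and invite users to just uncomment them, which undoes the point of declaring `linux_password` and `web_password` without a default. Replace each with a comment stating the intent, e.g. `# No default on purpose: supply via -var, a TF_VAR_linux_password environment variable, or an untracked *.tfvars file`, and the matching `TF_VAR_web_password` wording on the other. The `tpot_flavor` description lists the permitted values only as prose; if the Terraform version in use has variable `validation` blocks, a `contains([...], var.tpot_flavor)` condition would reject a typo at plan time instead of leaving it to install.sh on the instance, which is out of view here.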
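Review bot: `timezone: ${timezone}` interpolates the variable into the YAML document unquoted, so an empty value parses as null and a value with YAML-significant characters changes the document shape; the same applies to `password: ${password}` in the next hunk (`@@ -12,14 +8,18 @@`), where passwords containing ` #`, `: ` or a leading `*`/`&` are the realistic case. Because templatefile renders text before cloud-init parses it, the robust form is `timezone: ${jsonencode(timezone)}` and `password: ${jsonencode(password)}`, which emits a correctly escaped double-quoted scalar for any input. Separately, dropping `package_update`, `package_upgrade` and `package_reboot_if_required` means the instance no longer applies pending Debian updates at first boot; if install.sh is meant to cover that it is not visible here, and the commit message does not say why the three keys were removed, so a one-line comment giving the reason would help.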
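Review bot: The generated tpot.conf wraps each value in shell single quotes, `myCONF_WEB_PW='${web_password}'`, but nothing escapes the variable for that context, so a password containing `'` ends the quoted value early and the rest of the line is parsed as shell. If install.sh sources this file as shell, which is not visible here, the template should escape the quote, e.g. `myCONF_WEB_PW='${replace(web_password, "'", "'\\''")}'`, or the variable should be validated to exclude `'` before it reaches the template; the same applies to `web_user` and `tpot_flavor`. The rest of the block is sound: the file is written root-owned with mode `0600` and removed after install, and `chpasswd: expire: false` is consistent with a password that is set deliberately. A short comment on `password:` noting that whether SSH password login is possible depends on the image's `ssh_pwauth` default, which this file leaves unset, would make that interaction explicit.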
@@ -1,5 +0,0 @@
-# tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
-myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_WEB_USER='webuser'
-myCONF_WEB_PW='w3b$ecret'