Merge pull request #598 from dtag-dev-sec/master

merge to dev

cloud/ansible/README.md

@@ -18,7 +18,7 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
   - [Import Key Pair](#key-pair)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
-  - [OpenStack authentication variables](#os-auth)
+  - [Clouds.yaml](#clouds-yaml)
   - [Ansible remote user](#remote-user)
   - [Instance settings](#instance-settings)
   - [User password](#user-password)
@@ -97,25 +97,27 @@ Import your SSH public key.
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
 `git clone https://github.com/dtag-dev-sec/tpotce.git`  
-All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder.
+All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 
 <a name="settings"></a>
 # Settings and recommended values
-You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook.  
-The settings are located in the following Ansible vars files:
+You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
 
-<a name="os-auth"></a>
-## OpenStack authentication variables
-Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml).  
+<a name="clouds-yaml"></a>
+## Clouds.yaml
+Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
 ```
-auth_url: https://iam.eu-de.otc.t-systems.com/v3
-username: your_api_user
-password: your_password
-project_name: eu-de_your_project
-os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
+clouds:
+  open-telekom-cloud:
+    profile: otc
+    auth:
+      project_name: eu-de_your_project
+      username: your_api_user
+      password: your_password
+      user_domain_name: OTC-EU-DE-000000000010000XXXXX
 ```
-You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file.  
+You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
 For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
 
 <a name="remote-user"></a>
@@ -126,17 +128,15 @@ You may have to adjust the `remote_user` in the Ansible Playbook under [`opensta
 ## Instance settings
 Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).  
 Here you can customize your virtual machine specifications:
-  - Specify the region name
   - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
   - Change the OS image (For T-Pot we need Debian)
   - (Optional) Change the volume size
   - Specify your key pair (:warning: Mandatory)
   - (Optional) Change the instance type (flavor)  
     `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
-    A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
+    A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 
 ```
-region_name: eu-de
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
@@ -154,7 +154,7 @@ user_password: LiNuXuSeRPaSs#
 
 <a name="tpot-conf"></a>
 ## Configure `tpot.conf.dist`
-The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).  
+The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).  
 Here you can choose:
   - between the various T-Pot editions
   - a username for the web interface

cloud/ansible/openstack/clouds.yaml

@@ -0,0 +1,8 @@
+clouds:
+  open-telekom-cloud:
+    profile: otc
+    auth:
+      project_name: eu-de_your_project
+      username: your_api_user
+      password: your_password
+      user_domain_name: OTC-EU-DE-000000000010000XXXXX

cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml

@@ -1,6 +1,6 @@
 - name: Copy ews configuration file
   template:
-    src: ../templates/ews.cfg
+    src: ews.cfg
     dest: /data/ews/conf
     owner: root
     group: root

cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml

@@ -1,6 +1,6 @@
 - name: Copy hpfeeds configuration file
   copy:
-    src: ../files/hpfeeds.cfg
+    src: hpfeeds.cfg
     dest: /data/ews/conf
     owner: tpot
     group: tpot

cloud/ansible/openstack/roles/deploy/tasks/main.yaml

@@ -2,51 +2,26 @@
   shell: echo t-pot-ansible-$(pwgen -ns 6 -1)
   register: tpot_name
 
-- name: Import OpenStack authentication variables
-  include_vars:
-    file: roles/deploy/vars/os_auth.yaml
-  no_log: true
-
 - name: Create security group
   os_security_group:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     name: sg-tpot-any
     description: tpot any-any
 
 - name: Add rules to security group
   os_security_group_rule:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     security_group: sg-tpot-any
     remote_ip_prefix: 0.0.0.0/0
 
 - name: Create network
   os_network:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     name: network-tpot
 
 - name: Create subnet
   os_subnet:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     network_name: network-tpot
     name: subnet-tpot
     cidr: 192.168.0.0/24
@@ -56,26 +31,15 @@
 
 - name: Create router
   os_router:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     name: router-tpot
     interfaces:
       - subnet-tpot
 
 - name: Launch an instance
   os_server:
-    auth:
-      auth_url: "{{ auth_url }}"
-      username: "{{ username }}"
-      password: "{{ password }}"
-      project_name: "{{ project_name }}"
-      os_user_domain_name: "{{ os_user_domain_name }}"
+    cloud: open-telekom-cloud
     name: "{{ tpot_name.stdout }}"
-    region_name: "{{ region_name }}"
     availability_zone: "{{ availability_zone }}"
     image: "{{ image }}"
     boot_from_volume: yes

cloud/ansible/openstack/roles/deploy/vars/main.yaml

@@ -1,4 +1,3 @@
-region_name: eu-de
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128

cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml

@@ -1,5 +0,0 @@
-auth_url: https://iam.eu-de.otc.t-systems.com/v3
-username: your_api_user
-password: your_password
-project_name: eu-de_your_project
-os_user_domain_name: OTC-EU-DE-000000000010000XXXXX

cloud/terraform/aws/main.tf

@@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
     volume_size           = 128
     delete_on_termination = true
   }
-  user_data              = "${file("../cloud-init.yaml")}    content: ${base64encode(file("../tpot.conf"))}"
+  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
   vpc_security_group_ids = [aws_security_group.tpot.id]
   associate_public_ip_address = true
 }

cloud/terraform/aws/variables.tf

@@ -32,23 +32,49 @@ variable "ec2_instance_type" {
 variable "ec2_ami" {
   type = map(string)
   default = {
-    "ap-east-1"      = "ami-b7d0abc6"
-    "ap-northeast-1" = "ami-01f4f0c9374675b99"
-    "ap-northeast-2" = "ami-0855cb0c55370c38c"
-    "ap-south-1"     = "ami-00d7d1cbdcb087cf3"
-    "ap-southeast-1" = "ami-03779b1b2fbb3a9d4"
-    "ap-southeast-2" = "ami-0ce3a7c68c6b1678d"
-    "ca-central-1"   = "ami-037099906a22f210f"
-    "eu-central-1"   = "ami-0845c3902a6f2af32"
-    "eu-north-1"     = "ami-e634bf98"
-    "eu-west-1"      = "ami-06a53bf81914447b5"
-    "eu-west-2"      = "ami-053d9f0770cd2e34c"
-    "eu-west-3"      = "ami-060bf1f444f742af9"
-    "me-south-1"     = "ami-04a9a536105c72d30"
-    "sa-east-1"      = "ami-0a5fd18ed0b9c7f35"
-    "us-east-1"      = "ami-01db78123b2b99496"
-    "us-east-2"      = "ami-010ffea14ff17ebf5"
-    "us-west-1"      = "ami-0ed1af421f2a3cf40"
-    "us-west-2"      = "ami-030a304a76b181155"
+    "ap-east-1"      = "ami-f9c58188"
+    "ap-northeast-1" = "ami-0fae5501ae428f9d7"
+    "ap-northeast-2" = "ami-0522874b039290246"
+    "ap-south-1"     = "ami-03b4e18f70aca8973"
+    "ap-southeast-1" = "ami-0852293c17f5240b3"
+    "ap-southeast-2" = "ami-03ea2db714f1f6acf"
+    "ca-central-1"   = "ami-094511e5020cdea18"
+    "eu-central-1"   = "ami-0394acab8c5063f6f"
+    "eu-north-1"     = "ami-0c82d9a7f5674320a"
+    "eu-west-1"      = "ami-006d280940ad4a96c"
+    "eu-west-2"      = "ami-08fe9ea08db6f1258"
+    "eu-west-3"      = "ami-04563f5eab11f2b87"
+    "me-south-1"     = "ami-0492a01b319d1f052"
+    "sa-east-1"      = "ami-05e16feea94258a69"
+    "us-east-1"      = "ami-04d70e069399af2e9"
+    "us-east-2"      = "ami-04100f1cdba76b497"
+    "us-west-1"      = "ami-014c78f266c5b7163"
+    "us-west-2"      = "ami-023b7a69b9328e1f9"
   }
 }
+
+# cloud-init configuration
+variable "timezone" {
+  default = "UTC"
+}
+
+variable "linux_password" {
+  #default = "LiNuXuSeRPaSs#"
+  description = "Set a password for the default user"
+}
+
+# These will go in the generated tpot.conf file
+variable "tpot_flavor" {
+  default = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+}
+
+variable "web_user" {
+  default = "webuser"
+  description = "Set a username for the web user"
+}
+
+variable "web_password" {
+  #default = "w3b$ecret"
+  description = "Set a password for the web user"
+}

cloud/terraform/cloud-init.yaml

@@ -1,9 +1,5 @@
 #cloud-config
-timezone: UTC
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: true
+timezone: ${timezone}
 
 packages:
   - git
@@ -12,14 +8,18 @@ runcmd:
   - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
   - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
   - rm /root/tpot.conf
-  - /sbin/shutdown -r +5
+  - /sbin/shutdown -r now
+
+password: ${password}
+chpasswd:
+  expire: false
 
-# The contents of tpot.conf will be base64 encoded and appended to this file
-# via the terraform configuration in main.tf
-#
-# Make sure there are no trailing new lines after "permissions" below
 write_files:
-  - encoding: b64
+  - content: |
+      # tpot configuration file
+      myCONF_TPOT_FLAVOR='${tpot_flavor}'
+      myCONF_WEB_USER='${web_user}'
+      myCONF_WEB_PW='${web_password}'
     owner: root:root
     path: /root/tpot.conf
     permissions: '0600'

cloud/terraform/tpot.conf

@@ -1,5 +0,0 @@
-# tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
-myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_WEB_USER='webuser'
-myCONF_WEB_PW='w3b$ecret'