Merge pull request #397 from prateepb/terraform

Add Terraform Support
2025-04-29 03:38:51 +00:00 · 2019-06-27 07:51:26 +02:00 · 2019-06-27 07:51:26 +02:00 · 93417ddefd
commit 93417ddefd
parent fc752b10c2 9db5c92f4d
9 changed files with 306 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -54,6 +54,7 @@ Furthermore we use the following tools
  - [Post Install Auto](#postinstallauto)
  - [Cloud Deployments](#cloud)
    - [Ansible Deployment on Open Telekom Cloud](#ansible-otc)
    - [Terraform](#terraform)
  - [First Run](#firstrun)
  - [System Placement](#placement)
 - [Updates](#updates)
@ -339,6 +340,15 @@ The [`deploy_ansible_otc_t-pot.sh`](cloud/open-telekom-cloud/deploy_ansible_otc_
 It first creates a new Elastic Cloud Server via the Open Telekom Cloud API and then invokes the Ansible Playbooks to install and configure T-Pot.  
 You can have a look at the script and easily adapt it for other cloud providers.
 <a name="terraform"></a>
 ### Terraform Configuration
 You can find [Terraform](https://www.terraform.io/) configuration in the [`cloud/terraform`](cloud/terraform) folder.
 This can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.
 Configuration for Amazon Web Services (AWS) is currently included and this can easily be extended to support other [Terraform providers](https://www.terraform.io/docs/providers/index.html).
 <a name="firstrun"></a>
 ## First Run
 The installation requires very little interaction, only a locale and keyboard setting have to be answered for the basic linux installation. The system will reboot and please maintain the active internet connection. The T-Pot installer will start and ask you for an installation type, password for the **tsec** user and credentials for a **web user**. Everything else will be configured automatically. All docker images and other componenents will be downloaded. Depending on your network connection and the chosen installation type, the installation may take some time. During our tests (250Mbit down, 40Mbit up), the installation was usually finished within a 15-30 minute timeframe.
--- a/cloud/terraform/.gitignore
+++ b/cloud/terraform/.gitignore
@ -0,0 +1,2 @@
 **/.terraform
 **/terraform.*
--- a/cloud/terraform/README.md
+++ b/cloud/terraform/README.md
@ -0,0 +1,131 @@
 # T-Pot Terraform
 This [Terraform](https://www.terraform.io/) configuration can be used to provision a T-Pot instance in AWS in addition to all of the necessary pre-requisites. Specifically, the following resources will be created:
 * EC2 instance:
  * t3.large (2 vCPU, 8 GiB RAM)
  * 128GB disk
  * [Debian Stretch](https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch) (The T-Pot installation script will then upgrade this to Debian Sid)
 * AWS Security Group:
  * TCP/UDP ports <= 64000 open to the Internet
  * TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
 [Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup. Additional provisioning using Ansible etc. is not required.
 The following resources are NOT automatically created and need to be specified in the configuration below:
 * VPC
 * Subnet
 ## Pre-Requisites
 * [Terraform](https://www.terraform.io/) 0.12
 * AWS Account
  * Existing VPC. VPC ID should be specified in configuration below
  * Existing subnet. Subnet ID should be specified in configuration below
 * AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
 ## Required Configuration Changes
 ### Terraform Variables
 In `aws/variables.tf`, change the following variables to correspond to your existing EC2 infrastructure:
 * `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
 * `ec2_vpc_id`
 * `ec2_subnet_id`
 * `ec2_region`
 ### Admin Credentials
 In `tpot.conf`, change the following variables:
 ```
 myCONF_WEB_USER='webuser'
 myCONF_WEB_PW='w3b$ecret'
 ```
 This will be used to configure credentials for the T-Pot Kibana interface. Refer to [Options](https://github.com/dtag-dev-sec/tpotce#options) for more information.
 ## Initialising
 The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
 ```
 $ cd aws
 $ terraform init
 Initializing the backend...
 Initializing provider plugins...
 - Checking for available provider plugins...
 - Downloading plugin for provider "aws" (terraform-providers/aws) 2.16.0...
 The following providers do not have any version constraints in configuration,
 so the latest version was installed.
 To prevent automatic upgrades to new major versions that may contain breaking
 changes, it is recommended to add version = "..." constraints to the
 corresponding provider blocks in configuration, with the constraint strings
 suggested below.
 * provider.aws: version = "~> 2.16"
 Terraform has been successfully initialized!
 You may now begin working with Terraform. Try running "terraform plan" to see
 any changes that are required for your infrastructure. All Terraform commands
 should now work.
 If you ever set or change modules or backend configuration for Terraform,
 rerun this command to reinitialize your working directory. If you forget, other
 commands will detect it and remind you to do so if necessary.
 ```
 ## Applying the Configuration
 The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
 ```
 $ terraform apply
 An execution plan has been generated and is shown below.
 Resource actions are indicated with the following symbols:
  + create
 Terraform will perform the following actions:
  # aws_instance.tpot will be created
  ...
  # aws_security_group.tpot will be created
  ...
 Plan: 2 to add, 0 to change, 0 to destroy.
 Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value:
 ```
 This will perform the following actions:
 1. Create EC2 security group
 2. Start a Debian EC2 instance
 3. Update all packages and reboot if necessary
 4. Install T-Pot and required dependencies
 5. Reboot
 ## Connecting to the Instance
 ### SSH
 Prior to the final reboot, you will temporarily be able to SSH to port 22 as per standard. Following the reboot, port 22 is used for the honeypot. The *real* SSH server is listening on port **64295**
 ### Browser
 https://www.example.com:64297/
 Replace with the FQDN of your EC2 instance. Refer to the [T-POT documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access) for further details.
--- a/cloud/terraform/aws/main.tf
+++ b/cloud/terraform/aws/main.tf
@ -0,0 +1,65 @@
 provider "aws" {
  region = var.ec2_region
 }
 resource "aws_security_group" "tpot" {
  name        = "T-Pot"
  description = "T-Pot Honeypot"
  vpc_id      = var.ec2_vpc_id
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 64294
    to_port     = 64294
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64295
    to_port     = 64295
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64297
    to_port     = 64297
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "T-Pot"
  }
 }
 resource "aws_instance" "tpot" {
  ami           = var.ec2_ami[var.ec2_region]
  instance_type = var.ec2_instance_type
  key_name      = var.ec2_ssh_key_name
  subnet_id     = var.ec2_subnet_id
  tags = {
    Name = "T-Pot Honeypot"
  }
  root_block_device {
    volume_type           = "gp2"
    volume_size           = 128
    delete_on_termination = true
  }
  user_data              = "${file("../cloud-init.yaml")}    content: ${base64encode(file("../tpot.conf"))}"
  vpc_security_group_ids = [aws_security_group.tpot.id]
 }
--- a/cloud/terraform/aws/outputs.tf
+++ b/cloud/terraform/aws/outputs.tf
@ -0,0 +1,12 @@
 output "Admin_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64294/"
 }
 output "SSH_Access" {
  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
 }
 output "Web_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64297/"
 }
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
@ -0,0 +1,53 @@
 variable "admin_ip" {
  default     = ["127.0.0.1/32"]
  description = "admin IP addresses in CIDR format"
 }
 variable "ec2_vpc_id" {
  description = "ID of AWS VPC"
  default     = "vpc-XXX"
 }
 variable "ec2_subnet_id" {
  description = "ID of AWS VPC subnet"
  default     = "subnet-YYY"
 }
 variable "ec2_region" {
  description = "AWS region to launch servers"
  default     = "eu-west-1"
 }
 variable "ec2_ssh_key_name" {
  default = "default"
 }
 # https://aws.amazon.com/ec2/instance-types/
 # t3.large = 2 vCPU, 8 GiB RAM
 variable "ec2_instance_type" {
  default = "t3.large"
 }
 # Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
 variable "ec2_ami" {
  type = map(string)
  default = {
    "ap-northeast-1" = "ami-09fbcd30452841cb9"
    "ap-northeast-2" = "ami-08363ccce96df1fff"
    "ap-south-1"     = "ami-0dc98cbb0d0e49162"
    "ap-southeast-1" = "ami-0555b1a5444087dd4"
    "ap-southeast-2" = "ami-029c54f988446691a"
    "ca-central-1"   = "ami-04413a263a7d94982"
    "eu-central-1"   = "ami-01fb3b7bab31acac5"
    "eu-north-1"     = "ami-050f04ca573daa1fb"
    "eu-west-1"      = "ami-0968f6a31fc6cffc0"
    "eu-west-2"      = "ami-0faa9c9b5399088fd"
    "eu-west-3"      = "ami-0cd23820af84edc85"
    "sa-east-1"      = "ami-030580e61468e54bd"
    "us-east-1"      = "ami-0357081a1383dc76b"
    "us-east-2"      = "ami-09c10a66337c79669"
    "us-west-1"      = "ami-0adbaf2e0ce044437"
    "us-west-2"      = "ami-05a3ef6744aa96514"
  }
 }
--- a/cloud/terraform/aws/versions.tf
+++ b/cloud/terraform/aws/versions.tf
@ -0,0 +1,3 @@
 terraform {
  required_version = ">= 0.12"
 }
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@ -0,0 +1,25 @@
 #cloud-config
 timezone: UTC
 package_update: true
 package_upgrade: true
 package_reboot_if_required: true
 packages:
  - git
 runcmd:
  - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
  - rm /root/tpot.conf
  - /sbin/shutdown -r +5
 # The contents of tpot.conf will be base64 encoded and appended to this file
 # via the terraform configuration in main.tf
 #
 # Make sure there are no trailing new lines after "permissions" below
 write_files:
  - encoding: b64
    owner: root:root
    path: /root/tpot.conf
    permissions: '0600'
--- a/cloud/terraform/tpot.conf
+++ b/cloud/terraform/tpot.conf
@ -0,0 +1,5 @@
 # tpot configuration file
 # myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
 myCONF_TPOT_FLAVOR='STANDARD'
 myCONF_WEB_USER='webuser'
 myCONF_WEB_PW='w3b$ecret'