trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial terraform configuration

Browse Source
This commit is contained in:
Chris Long
2019-01-06 21:07:49 -08:00
parent 162f5ce552
commit 409ba689ec
13 changed files with 399 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -34,8 +34,8 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
## Requirements
* 55GB+ of free disk space
* 16GB+ of RAM
* Packer 1.0.0 or newer
* Vagrant 1.9.2 or newer
* Packer 1.3.2 or newer
* Vagrant 2.2.2 or newer
* Virtualbox or VMWare Fusion/Workstation

45
Terraform/Method1/Method1.md Normal file
View File

@@ -0,0 +1,45 @@
# Method 1 - Build Locally and Import to AWS
This method involves using Terraform to bring DetectionLab infrastructure online by first building it locally using Virtualbox/VMware and then [importing the resulting virtual machines](https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#import-vm-image) as AMIs on AWS.
The supplied Terraform configuration can then be used to create EC2 instances and all requisite networking components.
## Prerequisites
* A machine to build DetectionLab with
* An AWS account
* An AWS user and access keys to use with the AWS CLI
* Optional but recommended: a separate user for Terraform
## Step by step guide
1. Build the lab by following the [README](https://github.com/clong/DetectionLab/blob/master/README.md)
2. [Configure the AWS command line utility](https://docs.aws.amazon.com/polly/latest/dg/setup-aws-cli.html)
3. [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html). You will upload the DetectionLab VMs to this bucket later.
4. For the VM importation to work, you must create a role named `vmimport` with a trust relationship policy document that allows VM Import to assume the role, and you must attach an IAM policy to the role:
```aws iam create-role --role-name vmimport --assume-role-policy-document file:///path/to/DetectionLab/Terraform/Method1/vm_import/trust-policy.json```
5. Edit `/path/to/DetectionLab/Terraform/Method1/vm_import/role-policy.json` and insert the name of the bucket you created in step 3 on lines 12-13, replacing `YOUR_BUCKET_GOES_HERE` with the name of your bucket.
6. Use the create-role command to create a role named vmimport and give VM Import/Export access to it:
```aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///path/to/DetectionLab/Terraform/Method1/vm_import/role-policy.json```
7. Export the DetectionLab VMs as single file OVA files if they are not already in that format
8. [Upload the OVAs to the S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/upload-objects.html) you created in step three
9. Edit the `logger.json`, `dc.json`, `wef.json` and `win10.json` files and modify the S3Bucket and S3Key headers to match the location of the OVA files in your S3 bucket.
10. Import the VMs from S3 as AMIs by running the following commands:
```
aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/dc.json
aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/wef.json
aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/win10.json
aws ec2 import-image --description "logger" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/logger.json
```
11. Check on the status of the importation with the following command:
```aws ec2 describe-import-image-tasks --import-task-ids <import-ami-xxxxxxxxxxxxxxxxx>```
12. Fill out the variables in `/path/to/DetectionLab/Terraform/Method1/terraform.tfvars`
13. Run `terraform init` to setup the initial Terraform configuration
14. `cd /path/to/DetectionLab/Terraform/Method1 && terraform apply`

222
Terraform/Method1/main.tf Normal file
View File

@@ -0,0 +1,222 @@
# Terraform configuration to be used with DetectionLab Method1
# Before using this, you must fill out the variables in terraform.tfvars
# Please follow the instructions in https://github.com/clong/DetectionLab/blob/master/Terraform/Method1/Method1.md
variable "region" {
default = "us-west-1"
}
variable "shared_credentials_file" {
type = "string"
}
variable "key_name" {
default = "id_terraform"
}
variable "public_key_path" {
type = string
}
variable "ip_whitelist" {
type = "list"
}
variable "logger_ami" {}
variable "dc_ami" {}
variable "wef_ami" {}
variable "win10_ami" {}
# Specify the provider and access details
provider "aws" {
shared_credentials_file = "${var.shared_credentials_file}"
region = "${var.region}"
profile = "terraform"
}
# Create a VPC to launch our instances into
resource "aws_vpc" "default" {
cidr_block = "192.168.0.0/16"
}
# Create an internet gateway to give our subnet access to the outside world
resource "aws_internet_gateway" "default" {
vpc_id = "${aws_vpc.default.id}"
}
# Grant the VPC internet access on its main route table
resource "aws_route" "internet_access" {
route_table_id = "${aws_vpc.default.main_route_table_id}"
destination_cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.default.id}"
}
# Create a subnet to launch our instances into
resource "aws_subnet" "default" {
vpc_id = "${aws_vpc.default.id}"
cidr_block = "192.168.38.0/24"
map_public_ip_on_launch = true
}
# Our default security group for the logger host
resource "aws_security_group" "logger" {
name = "logger_security_group"
description = "DetectionLab: Security Group for the logger host"
vpc_id = "${aws_vpc.default.id}"
# SSH access
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Splunk access
ingress {
from_port = 8000
to_port = 8000
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Fleet access
ingress {
from_port = 8412
to_port = 8412
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Caldera access
ingress {
from_port = 8888
to_port = 8888
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Allow all traffic from the private subnet
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["192.168.38.0/24"]
}
# outbound internet access
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "windows" {
name = "windows_security_group"
description = "DetectionLab: Security group for the Windows hosts"
vpc_id = "${aws_vpc.default.id}"
# RDP
ingress {
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# WinRM
ingress {
from_port = 5985
to_port = 5986
protocol = "tcp"
cidr_blocks = "${var.ip_whitelist}"
}
# Allow all traffic from the private subnet
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["192.168.38.0/24"]
}
# outbound internet access
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_key_pair" "auth" {
key_name = "${var.key_name}"
public_key = "${file(var.public_key_path)}"
}
resource "aws_instance" "logger" {
instance_type = "t3.medium"
ami = "${var.logger_ami}"
tags {
Name = "logger"
}
subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.logger.id}"]
key_name = "${aws_key_pair.auth.id}"
private_ip = "192.168.38.105"
# Run the following commands to restart Fleet
provisioner "remote-exec" {
inline = [
"cd /home/vagrant/kolide-quickstart && sudo docker-compose stop",
"sudo service docker restart",
"cd /home/vagrant/kolide-quickstart && sudo docker-compose start"
]
connection {
type = "ssh"
user = "vagrant"
password = "vagrant"
}
}
root_block_device {
delete_on_termination = true
}
}
resource "aws_instance" "dc" {
instance_type = "t2.small"
ami = "${var.dc_ami}"
tags {
Name = "dc.windomain.local"
}
subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
private_ip = "192.168.38.102"
root_block_device {
delete_on_termination = true
}
}
resource "aws_instance" "wef" {
instance_type = "t2.small"
ami = "${var.wef_ami}"
tags {
Name = "wef.windomain.local"
}
subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
private_ip = "192.168.38.103"
root_block_device {
delete_on_termination = true
}
}
resource "aws_instance" "win10" {
instance_type = "t2.small"
ami = "${var.win10_ami}"
tags {
Name = "win10.windomain.local"
}
subnet_id = "${aws_subnet.default.id}"
vpc_security_group_ids = ["${aws_security_group.windows.id}"]
private_ip = "192.168.38.104"
root_block_device {
delete_on_termination = true
}
}

17
Terraform/Method1/terraform.tfvars Normal file
View File

@@ -0,0 +1,17 @@
# The region you would like EC2 instances in
# Defaults to us-west-1
region = ""
# Path to the credentials file for AWS (usually /Users/username/.aws/credentials)
shared_credentials_file = ""
# Path to the SSH public key to be added to the logger host
# Example: /Users/username/.ssh/id_terrraform.pub
public_key_path = ""
# AMI ID for each host
# Example: "ami-xxxxxxxxxxxxxxxxx"
logger_ami = ""
dc_ami = ""
wef_ami = ""
win10_ami = ""
# IP Whitelist - Subnets listed here can access the lab over the internet
# Sample: ["1.1.1.1/32", "2.2.2.2/24"]
ip_whitelist = [""]

10
Terraform/Method1/vm_import/dc.json Normal file
View File

@@ -0,0 +1,10 @@
[
{
"Description": "dc",
"DeviceName": "dc",
"Format": "ova",
"UserBucket": {
"S3Bucket": "YOUR_BUCKET_GOES_HERE",
"S3Key": "dc.ova"
}
}]

10
Terraform/Method1/vm_import/logger.json Normal file
View File

@@ -0,0 +1,10 @@
[
{
"Description": "logger",
"DeviceName": "logger",
"Format": "ova",
"UserBucket": {
"S3Bucket": "YOUR_BUCKET_GOES_HERE",
"S3Key": "logger.ova"
}
}]

27
Terraform/Method1/vm_import/role-policy.json Normal file
View File

@@ -0,0 +1,27 @@
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource":[
"arn:aws:s3:::BUCKET_NAME_GOES_HERE",
"arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"
]
},
{
"Effect":"Allow",
"Action":[
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource":"*"
}
]
}

15
Terraform/Method1/vm_import/trust-policy.json Normal file
View File

@@ -0,0 +1,15 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externalid": "vmimport"
}
}
}
]
}

10
Terraform/Method1/vm_import/wef.json Normal file
View File

@@ -0,0 +1,10 @@
[
{
"Description": "wef",
"DeviceName": "wef",
"Format": "ova",
"UserBucket": {
"S3Bucket": "YOUR_BUCKET_GOES_HERE",
"S3Key": "wef.ova"
}
}]

10
Terraform/Method1/vm_import/win10.json Normal file
View File

@@ -0,0 +1,10 @@
[
{
"Description": "win10",
"DeviceName": "win10",
"Format": "ova",
"UserBucket": {
"S3Bucket": "YOUR_BUCKET_GOES_HERE",
"S3Key": "win10.ova"
}
}]

21
Terraform/Terraform.md Normal file
View File

@@ -0,0 +1,21 @@
# DetectionLab Terraform
When I considered the possible ways of building DetectionLab using Terraform, two possibilities came to mind:
### Method 1 - Building locally and exporting VMs
The general concept behind this method is to use Virtualbox or VMware to build DetectionLab. You can then use AWS's VM import capabilities to create AMIs based off of the virtual machines. Once that process is complete, the infrastructure can easily be spun up using a Terraform configuration file.
This method has the benefit of allowing users to customize the VMs before importing them to AWS.
The obvious downside is that it still requires local infrastructure to build the lab, and uploading large OVA files to S3 can be extremely time consuming on slower connections.
### Method 2 - Building and deploying in AWS
The alternative to building locally would be to build the lab entirely in AWS. This would mean the Packer builds would need to be modified to generate EBS volumes and the Vagrant provisioning would need to be modified to support cloud infrastructure. Virtualbox and VMware-based builds benefit from things like virtual machine guest tools for file sharing, which are obviously unavailable on AWS instances.
This method has the benefit of not requiring any local infrastructure for builds but requires a lot of work, cost, and time to convert the build process to be cloud-based.
### Progress Updates
The instructions for deploying DetectionLab to AWS via Method 1 are available here: [Method 1 README](./Method1/Method1.md)
Progress on Method 2 will be tracked using a GitHub project that is viewable here: https://github.com/clong/DetectionLab/projects/1

6
build.ps1
View File

@@ -97,12 +97,12 @@ function check_vagrant {
break
}
# Check Vagrant version >= 2.0.0
# Check Vagrant version >= 2.2.2
[System.Version]$vagrant_version = $(vagrant --version).Split(' ')[1]
[System.Version]$version_comparison = 2.0.0
[System.Version]$version_comparison = 2.2.2
if ($vagrant_version -lt $version_comparison) {
Write-Warning 'It is highly recommended to use Vagrant 2.0.0 or above before continuing'
Write-Warning 'It is highly recommended to use Vagrant 2.2.2 or above before continuing'
}
}

10
build.sh
View File

@@ -29,9 +29,13 @@ check_vagrant_path() {
(echo >&2 "Please correct this before continuing. Quitting.")
exit 1
fi
# Ensure Vagrant >= 2.0.0
if [ "$(vagrant --version | grep -o "[0-9]" | head -1)" -lt 2 ]; then
(echo >&2 "WARNING: It is highly recommended to use Vagrant 2.0.0 or above before continuing")
# Ensure Vagrant >= 2.2.2
# https://unix.stackexchange.com/a/285928
VAGRANT_VERSION="$(vagrant --version | cut -d ' ' -f 2)"
REQUIRED_VERSION="2.2.2"
# If the version of Vagrant is not greater than the required version
if ! [ "$(printf '%s\n' "$REQUIRED_VERSION" "$VAGRANT_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
(echo >&2 "WARNING: It is highly recommended to use Vagrant $REQUIRED_VERSION or above before continuing")
fi
}