Initial terraform configuration

Terraform/Method1/Method1.md

@@ -0,0 +1,45 @@
+# Method 1 - Build Locally and Import to AWS
+
+This method involves using Terraform to bring DetectionLab infrastructure online by first building it locally using Virtualbox/VMware and then [importing the resulting virtual machines](https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#import-vm-image) as AMIs on AWS.
+
+The supplied Terraform configuration can then be used to create EC2 instances and all requisite networking components.
+
+## Prerequisites
+* A machine to build DetectionLab with
+* An AWS account
+* An AWS user and access keys to use with the AWS CLI
+* Optional but recommended: a separate user for Terraform
+
+## Step by step guide
+
+1. Build the lab by following the [README](https://github.com/clong/DetectionLab/blob/master/README.md)
+2. [Configure the AWS command line utility](https://docs.aws.amazon.com/polly/latest/dg/setup-aws-cli.html)
+3. [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html). You will upload the DetectionLab VMs to this bucket later.
+
+4. For the VM importation to work, you must create a role named `vmimport` with a trust relationship policy document that allows VM Import to assume the role, and you must attach an IAM policy to the role:
+
+  ```aws iam create-role --role-name vmimport --assume-role-policy-document file:///path/to/DetectionLab/Terraform/Method1/vm_import/trust-policy.json```
+
+5. Edit `/path/to/DetectionLab/Terraform/Method1/vm_import/role-policy.json` and insert the name of the bucket you created in step 3 on lines 12-13, replacing `YOUR_BUCKET_GOES_HERE` with the name of your bucket.
+
+6. Use the create-role command to create a role named vmimport and give VM Import/Export access to it:
+
+ ```aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///path/to/DetectionLab/Terraform/Method1/vm_import/role-policy.json```
+
+7. Export the DetectionLab VMs as single file OVA files if they are not already in that format
+8. [Upload the OVAs to the S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/upload-objects.html) you created in step three
+9. Edit the `logger.json`, `dc.json`, `wef.json` and `win10.json` files and modify the S3Bucket and S3Key headers to match the location of the OVA files in your S3 bucket.
+10. Import the VMs from S3 as AMIs by running the following commands:
+```
+aws ec2 import-image --description "dc" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/dc.json
+aws ec2 import-image --description "wef" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/wef.json
+aws ec2 import-image --description "win10" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/win10.json
+aws ec2 import-image --description "logger" --license-type byol --disk-containers file:///path/to/DetectionLab/Terraform/Method1/vm_import/logger.json
+```
+11. Check on the status of the importation with the following command:
+
+  ```aws ec2 describe-import-image-tasks --import-task-ids <import-ami-xxxxxxxxxxxxxxxxx>```
+
+12. Fill out the variables in `/path/to/DetectionLab/Terraform/Method1/terraform.tfvars`
+13. Run `terraform init` to setup the initial Terraform configuration
+14. `cd /path/to/DetectionLab/Terraform/Method1 && terraform apply`

Terraform/Method1/main.tf

@@ -0,0 +1,222 @@
+# Terraform configuration to be used with DetectionLab Method1
+# Before using this, you must fill out the variables in terraform.tfvars
+# Please follow the instructions in https://github.com/clong/DetectionLab/blob/master/Terraform/Method1/Method1.md
+
+variable "region" {
+  default = "us-west-1"
+}
+variable "shared_credentials_file" {
+  type = "string"
+}
+variable "key_name" {
+  default = "id_terraform"
+}
+variable "public_key_path" {
+  type = string
+}
+variable "ip_whitelist" {
+  type = "list"
+}
+variable "logger_ami" {}
+variable "dc_ami" {}
+variable "wef_ami" {}
+variable "win10_ami" {}
+
+# Specify the provider and access details
+provider "aws" {
+  shared_credentials_file = "${var.shared_credentials_file}"
+  region = "${var.region}"
+  profile = "terraform"
+}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "default" {
+  cidr_block = "192.168.0.0/16"
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "default" {
+  vpc_id = "${aws_vpc.default.id}"
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "internet_access" {
+  route_table_id         = "${aws_vpc.default.main_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.default.id}"
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "default" {
+  vpc_id                  = "${aws_vpc.default.id}"
+  cidr_block              = "192.168.38.0/24"
+  map_public_ip_on_launch = true
+}
+
+# Our default security group for the logger host
+resource "aws_security_group" "logger" {
+  name        = "logger_security_group"
+  description = "DetectionLab: Security Group for the logger host"
+  vpc_id      = "${aws_vpc.default.id}"
+
+  # SSH access
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # Splunk access
+  ingress {
+    from_port   = 8000
+    to_port     = 8000
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # Fleet access
+  ingress {
+    from_port   = 8412
+    to_port     = 8412
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # Caldera access
+  ingress {
+    from_port   = 8888
+    to_port     = 8888
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # Allow all traffic from the private subnet
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["192.168.38.0/24"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "windows" {
+  name        = "windows_security_group"
+  description = "DetectionLab: Security group for the Windows hosts"
+  vpc_id      = "${aws_vpc.default.id}"
+
+  # RDP
+  ingress {
+    from_port   = 3389
+    to_port     = 3389
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # WinRM
+  ingress {
+    from_port   = 5985
+    to_port     = 5986
+    protocol    = "tcp"
+    cidr_blocks = "${var.ip_whitelist}"
+  }
+
+  # Allow all traffic from the private subnet
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["192.168.38.0/24"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_key_pair" "auth" {
+  key_name   = "${var.key_name}"
+  public_key = "${file(var.public_key_path)}"
+}
+
+resource "aws_instance" "logger" {
+  instance_type = "t3.medium"
+  ami = "${var.logger_ami}"
+  tags {
+    Name = "logger"
+  }
+  subnet_id = "${aws_subnet.default.id}"
+  vpc_security_group_ids = ["${aws_security_group.logger.id}"]
+  key_name = "${aws_key_pair.auth.id}"
+  private_ip = "192.168.38.105"
+  # Run the following commands to restart Fleet
+  provisioner "remote-exec" {
+    inline = [
+      "cd /home/vagrant/kolide-quickstart && sudo docker-compose stop",
+      "sudo service docker restart",
+      "cd /home/vagrant/kolide-quickstart && sudo docker-compose start"
+    ]
+    connection {
+      type = "ssh"
+      user = "vagrant"
+      password = "vagrant"
+    }
+  }
+  root_block_device {
+    delete_on_termination = true
+  }
+}
+
+resource "aws_instance" "dc" {
+  instance_type = "t2.small"
+  ami = "${var.dc_ami}"
+  tags {
+    Name = "dc.windomain.local"
+  }
+  subnet_id = "${aws_subnet.default.id}"
+  vpc_security_group_ids = ["${aws_security_group.windows.id}"]
+  private_ip = "192.168.38.102"
+  root_block_device {
+    delete_on_termination = true
+  }
+}
+
+resource "aws_instance" "wef" {
+  instance_type = "t2.small"
+  ami = "${var.wef_ami}"
+  tags {
+    Name = "wef.windomain.local"
+  }
+  subnet_id = "${aws_subnet.default.id}"
+  vpc_security_group_ids = ["${aws_security_group.windows.id}"]
+  private_ip = "192.168.38.103"
+  root_block_device {
+    delete_on_termination = true
+  }
+}
+
+resource "aws_instance" "win10" {
+  instance_type = "t2.small"
+  ami = "${var.win10_ami}"
+  tags {
+    Name = "win10.windomain.local"
+  }
+  subnet_id = "${aws_subnet.default.id}"
+  vpc_security_group_ids = ["${aws_security_group.windows.id}"]
+  private_ip = "192.168.38.104"
+  root_block_device {
+    delete_on_termination = true
+  }
+}

Terraform/Method1/terraform.tfvars

@@ -0,0 +1,17 @@
+# The region you would like EC2 instances in
+# Defaults to us-west-1
+region = ""
+# Path to the credentials file for AWS (usually /Users/username/.aws/credentials)
+shared_credentials_file = ""
+# Path to the SSH public key to be added to the logger host
+# Example: /Users/username/.ssh/id_terrraform.pub
+public_key_path = ""
+# AMI ID for each host
+# Example: "ami-xxxxxxxxxxxxxxxxx"
+logger_ami = ""
+dc_ami =  ""
+wef_ami = ""
+win10_ami = ""
+# IP Whitelist - Subnets listed here can access the lab over the internet
+# Sample: ["1.1.1.1/32", "2.2.2.2/24"]
+ip_whitelist = [""]

Terraform/Method1/vm_import/dc.json

@@ -0,0 +1,10 @@
+[
+  {
+    "Description": "dc",
+    "DeviceName": "dc",
+    "Format": "ova",
+    "UserBucket": {
+        "S3Bucket": "YOUR_BUCKET_GOES_HERE",
+        "S3Key": "dc.ova"
+    }
+}]

Terraform/Method1/vm_import/logger.json

@@ -0,0 +1,10 @@
+[
+  {
+    "Description": "logger",
+    "DeviceName": "logger",
+    "Format": "ova",
+    "UserBucket": {
+        "S3Bucket": "YOUR_BUCKET_GOES_HERE",
+        "S3Key": "logger.ova"
+    }
+}]

Terraform/Method1/vm_import/role-policy.json

@@ -0,0 +1,27 @@
+{
+   "Version":"2012-10-17",
+   "Statement":[
+      {
+         "Effect":"Allow",
+         "Action":[
+            "s3:GetBucketLocation",
+            "s3:GetObject",
+            "s3:ListBucket"
+         ],
+         "Resource":[
+            "arn:aws:s3:::BUCKET_NAME_GOES_HERE",
+            "arn:aws:s3:::BUCKET_NAME_GOES_HERE/*"
+         ]
+      },
+      {
+         "Effect":"Allow",
+         "Action":[
+            "ec2:ModifySnapshotAttribute",
+            "ec2:CopySnapshot",
+            "ec2:RegisterImage",
+            "ec2:Describe*"
+         ],
+         "Resource":"*"
+      }
+   ]
+}

Terraform/Method1/vm_import/trust-policy.json

@@ -0,0 +1,15 @@
+{
+   "Version": "2012-10-17",
+   "Statement": [
+      {
+         "Effect": "Allow",
+         "Principal": { "Service": "vmie.amazonaws.com" },
+         "Action": "sts:AssumeRole",
+         "Condition": {
+            "StringEquals":{
+               "sts:Externalid": "vmimport"
+            }
+         }
+      }
+   ]
+}

Terraform/Method1/vm_import/wef.json

@@ -0,0 +1,10 @@
+[
+  {
+    "Description": "wef",
+    "DeviceName": "wef",
+    "Format": "ova",
+    "UserBucket": {
+        "S3Bucket": "YOUR_BUCKET_GOES_HERE",
+        "S3Key": "wef.ova"
+    }
+}]

Terraform/Method1/vm_import/win10.json

@@ -0,0 +1,10 @@
+[
+  {
+    "Description": "win10",
+    "DeviceName": "win10",
+    "Format": "ova",
+    "UserBucket": {
+        "S3Bucket": "YOUR_BUCKET_GOES_HERE",
+        "S3Key": "win10.ova"
+    }
+}]