Merge pull request #12 from newcontext-oss/cgoettel-expand-aws
expand aws
Showing
16 changed files
with
243 additions
and
148 deletions.
@@ -1,16 +1,13 @@ | ||
# opencti-terraform | ||
## Before you deploy | ||
Before you get going, there are a few things you will need to do: | ||
- Edit `main.tf`: | ||
- (optional) Edit the AWS region (default is `us-east-1`). | ||
- Make sure your AWS credentials are in place and edit the path to them. | ||
- Edit the login e-mail (`opencti_install_email`). | ||
- Edit the `vpc_id`. | ||
- Edit the `subnet_id` | ||
- In `security_group.tf`: | ||
- Add your public-facing IP address to the ingress rules (this can be a comma-separated list). | ||
- (optional) In `ec2.tf`: | ||
- Edit the instance's tag `Name` (the default is "opencti"). | ||
Before you get going, there are a some variables you will probably want to set. All of these can be found in `aws/terraform.tfvars`: | ||
- `allowed_ips_application`: Array containing each of the IPs that are allowed to access the web application. Default `0.0.0.0/0` all IPs. | ||
- `availability_zone`: The AWS availability zone. Default `us-east-1a`. | ||
- `login_email`: The e-mail address used to login to the application. Default `[email protected]`. | ||
- `region`: The AWS region used. Default `us-east`. | ||
- `root_volume_size`: The root volume size for the EC2 instance. Without this, the volume is 7.7GB and fills up in a day. Default `32` (GB). Note that this will incur costs. | ||
- `subnet_id`: The AWS subnet to use. No default specified. | ||
- `vpc_id`: The VPC to use. No default specified. | ||
|
||
## Deployment | ||
To deploy, navigate to the repository and run `terraform init`. Then, create a plan (`terraform plan`) and check it over. Once you're good to go, apply it (`terraform apply`). | ||
|
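--- /dev/null
+++ b/<PATH NOT SHOWN: iam>
@@ -0,0 +1,42 @@
+# IAM initial config
+resource "aws_iam_role" "opencti_role" {
+name = "opencti_role"
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Sid = ""
+Principal = {
+Service = "ec2.amazonaws.com"
+}
+},
+]
+})
+}
+
+resource "aws_iam_instance_profile" "opencti_profile" {
+name = "opencti_profile"
+role = aws_iam_role.opencti_role.name
+}
+
+# AWS Systems Manager (SSM)
+data "aws_iam_policy" "ssm" {
+arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy_attachment" "opencti_ssm_attach" {
+role = aws_iam_role.opencti_role.name
+policy_arn = data.aws_iam_policy.ssm.arn
+}
+
+# S3
+data "aws_iam_policy" "s3readonly" {
+arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "opencti_readonly_attach" {
+role = aws_iam_role.opencti_role.name
+policy_arn = data.aws_iam_policy.s3readonly.arn
+}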
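Review bot: The `opencti_readonly_attach` attachment at the end of the hunk gives the instance role `AmazonS3ReadOnlyAccess`, which is read/list access to every bucket in the account, while the role appears to need only the two scripts in `opencti-storage`; the bucket-scoped `opencti_s3` policy attached in the S3 file of this same commit already covers that bucket, so this managed policy looks redundant as well as over-broad. Dropping the `s3readonly` data source and `opencti_readonly_attach` (or replacing them with a statement scoped to the one bucket) keeps the role at least privilege, which matters because whatever runs on the host inherits this role through the instance profile. `opencti_profile` is not referenced by any resource in the hunks visible here; presumably the EC2 file consumes it, worth confirming. A comment such as `# Read access to the scripts bucket is granted by aws_iam_policy.opencti_s3` above the attachment would record the intent either way.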
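--- /dev/null
+++ b/<PATH NOT SHOWN: provider/locals>
@@ -0,0 +1,15 @@
+provider "aws" {
+region = var.region
+shared_credentials_file = "~/.aws/credentials"
+profile = "default"
+}
+
+# These variables aren't meant to be changed by the end user.
+locals {
+ami_id = "ami-0074ee617a234808d" # Ubuntu 20.04 LTS
+instance_type = "t3.2xlarge" # 8x32 with EBS-backed storage
+opencti_bucket_name = "opencti-storage"
+opencti_dir = "/opt/opencti"
+opencti_install_script_name = "opencti-installer.sh"
+opencti_connectors_script_name = "opencti-connectors.sh"
+}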
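Review bot: `ami_id = "ami-0074ee617a234808d"` in the `locals` block is a region-specific identifier, but `provider "aws"` takes its region from `var.region`, so deploying anywhere other than the region that AMI belongs to fails with an unknown-AMI error even though the README presents `region` as a supported knob. Either extend the trailing comment to `# Ubuntu 20.04 LTS -- valid only in the default region (us-east-1)` or replace the constant with an `aws_ami` data source filtered on the Ubuntu 20.04 image name and owner so the lookup follows `var.region`. Separately, `opencti_bucket_name = "opencti-storage"` is a fixed name in S3's global namespace, so a second account deploying this module gets a BucketAlreadyExists error; suffixing it with `data.aws_caller_identity.current.account_id` avoids that collision.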
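--- /dev/null
+++ b/<PATH NOT SHOWN: vpc>
@@ -0,0 +1,28 @@
+# This code creates a VPC and Subnet. The code applies just fine. But Systems Manager (SSM) is unusable. Says something isn't right. Been tracking it down for far too long and it's outside the scope of this change anyway so commenting and moving along. This VPC/Subnet issue is tracked in #9.
+# resource "aws_vpc" "opencti_vpc" {
+# cidr_block = "10.1.0.0/16"
+
+# tags = {
+# Name = "OpenCTI VPC"
+# }
+# }
+
+# resource "aws_subnet" "opencti_subnet" {
+# vpc_id = aws_vpc.opencti_vpc.id
+# cidr_block = "10.1.10.0/24"
+# availability_zone = var.availability_zone
+
+# tags = {
+# Name = "OpenCTI subnet"
+# }
+# }
+
+# resource "aws_network_interface" "opencti_nic" {
+# subnet_id = aws_subnet.opencti_subnet.id
+# # private_ips = ["10.1.10.100"]
+# security_groups = [ aws_security_group.opencti_sg.id ]
+
+# tags = {
+# Name = "primary_network_interface"
+# }
+# }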
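Review bot: The commented `aws_network_interface` block references `aws_security_group.opencti_sg.id`, but in the security-group file of this commit `opencti_sg` is created in `var.vpc_id`, not in the commented `aws_vpc.opencti_vpc`; whoever re-enables this file for #9 will also have to switch the security group's `vpc_id`, since AWS rejects a NIC whose security group belongs to a different VPC. That dependency is not mentioned in the header comment and is easy to miss, so a line such as `# NOTE: when re-enabling, point aws_security_group.opencti_sg.vpc_id at aws_vpc.opencti_vpc.id` would save the next person the same hunt. The header comment itself would also read better split into a short "why disabled" line plus the issue reference rather than one long sentence run.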
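--- /dev/null
+++ b/<PATH NOT SHOWN: security_group>
@@ -0,0 +1,25 @@
+# Security group
+resource "aws_security_group" "opencti_sg" {
+name = "opencti_sg"
+vpc_id = var.vpc_id
+
+ingress {
+description = "Allow access to application on port 4000"
+from_port = 4000
+to_port = 4000
+protocol = "tcp"
+cidr_blocks = var.allowed_ips_application
+}
+
+egress {
+description = "Application can send outbound traffic to these IPs"
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+tags = {
+Name = "opencti security group"
+}
+}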
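Review bot: The port-4000 ingress rule takes `cidr_blocks = var.allowed_ips_application`, whose default in this commit's variables file is `["0.0.0.0/0"]` and whose line in `aws/terraform.tfvars` is commented out, so a plain `terraform apply` now exposes the OpenCTI web UI to the entire internet; the README text this commit removes required the operator to add their own IP, so the default exposure has regressed. Consider dropping the default so Terraform prompts for the list, or adding a `validation` block on the variable that rejects the wildcard, e.g. `condition = !contains(var.allowed_ips_application, "0.0.0.0/0")` with an error_message explaining that a real allow-list is required. The egress rule is all-protocol to `0.0.0.0/0`; that is defensible for an installer that pulls packages, but the description "to these IPs" is misleading when the list is the whole internet, so `description = "Unrestricted outbound (package and image downloads)"` would be more honest. The same wildcard default appears in the variables and tfvars hunks later in this commit.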
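--- /dev/null
+++ b/<PATH NOT SHOWN: s3>
@@ -0,0 +1,43 @@
+# S3 bucket to store install and connectors scripts.
+resource "aws_s3_bucket" "opencti_bucket" {
+bucket = local.opencti_bucket_name
+acl = "private"
+}
+
+# S3 IAM (I don't think any of these permissions are being used)
+data "aws_iam_policy_document" "opencti_s3" {
+statement {
+actions = [
+"s3:*",
+]
+
+resources = [
+"arn:aws:s3:::${local.opencti_bucket_name}",
+"arn:aws:s3:::${local.opencti_bucket_name}/*",
+]
+}
+}
+
+resource "aws_iam_policy" "opencti_s3" {
+name = "opencti_s3"
+policy = data.aws_iam_policy_document.opencti_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "opencti_s3_attach" {
+role = aws_iam_role.opencti_role.name
+policy_arn = aws_iam_policy.opencti_s3.arn
+}
+
+# OpenCTI installer script
+resource "aws_s3_bucket_object" "opencti-install-script" {
+bucket = aws_s3_bucket.opencti_bucket.id
+key = "opencti-installer.sh"
+source = "../opencti_scripts/installer.sh"
+}
+
+# OpenCTI connectors script
+resource "aws_s3_bucket_object" "opencti-connectors-script" {
+bucket = aws_s3_bucket.opencti_bucket.id
+key = "opencti-connectors.sh"
+source = "../opencti_scripts/connectors.sh"
+}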
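Review bot: The `opencti_s3` policy document grants `s3:*` on the bucket and every object in it to the instance role, and the comment above it says the permissions are probably unused; `s3:*` includes bucket-policy, ACL and delete actions, so anything running with the instance role could make the scripts bucket public, replace the installer scripts, or remove the bucket. If the instance only needs to fetch the two scripts at boot (the user-data is outside this hunk), narrow it to `actions = ["s3:GetObject"]` and `resources = ["arn:aws:s3:::${local.opencti_bucket_name}/*"]`, or delete the policy and `opencti_s3_attach` outright if nothing reads from S3. The two `aws_s3_bucket_object` resources hard-code `key = "opencti-installer.sh"` and `key = "opencti-connectors.sh"` although the locals file defines `local.opencti_install_script_name` and `local.opencti_connectors_script_name` for exactly these values; referencing the locals keeps the object keys and whatever downloads them from drifting apart. `acl = "private"` alone does not prevent a later public grant, so an `aws_s3_bucket_public_access_block` for this bucket with all four settings set to true is cheap insurance.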
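--- /dev/null
+++ b/aws/terraform.tfvars
@@ -0,0 +1,7 @@
+# allowed_ips_application = ["0.0.0.0/0"]
+# availability_zone = "us-east-1a"
+# login_email = "[email protected]"
+# region = "us-east-1"
+# root_volume_size = 32
+subnet_id = ""
+vpc_id = ""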
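Review bot: `subnet_id = ""` and `vpc_id = ""` satisfy the two required variables with empty strings, so Terraform never prompts for them and the failure only surfaces when the provider tries to create the security group in VPC `""`, with an error that does not point back to this file. Leaving these two lines commented like the others (`# subnet_id = "<your subnet id>"`, `# vpc_id = "<your vpc id>"`) makes `terraform plan` ask for real values instead. If the blank placeholders are intentional, a `validation` block on each variable (`condition = length(var.vpc_id) > 0`) turns the blank into an immediate, readable error.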
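--- /dev/null
+++ b/<PATH NOT SHOWN: variables>
@@ -0,0 +1,39 @@
+variable "allowed_ips_application" {
+description = "List of IP addresses allowed to access application on port 4000 of public IP. Default is all IPs."
+type = list(string)
+default = ["0.0.0.0/0"]
+}
+
+variable "availability_zone" {
+description = "The availability zone to use."
+type = string
+default = "us-east-1a"
+}
+
+variable "login_email" {
+description = "The e-mail address to use for logging into the OpenCTI instance."
+type = string
+default = "[email protected]"
+}
+
+variable "region" {
+description = "The region to deploy in."
+type = string
+default = "us-east-1"
+}
+
+variable "root_volume_size" {
+description = "The size of the root volume."
+type = number
+default = 32
+}
+
+variable "subnet_id" {
+description = "The subnet ID to use."
+type = string
+}
+
+variable "vpc_id" {
+description = "The VPC ID to use."
+type = string
+}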
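Review bot: The descriptions on `root_volume_size`, `subnet_id` and `vpc_id` say nothing about unit or expected format, so the `terraform plan` prompt for the two required variables gives the operator no hint what to type; `description = "The size of the root volume, in GiB."` and `description = "ID of an existing VPC (vpc-...) to deploy into; must contain subnet_id."` would fix that, and the README entry in this commit already documents the GB unit, so the two should agree. The README hunk lists the `region` default as `us-east` while this file sets `us-east-1`; the README should be corrected to match. `allowed_ips_application` defaulting to `["0.0.0.0/0"]` is raised at the security-group hunk, since that is where it takes effect.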