From 7b7ca39450591638d14054ea1c9aec73b7c09549 Mon Sep 17 00:00:00 2001
From: Colby Goettel
Date: Fri, 12 Feb 2021 15:40:51 -0600
Subject: [PATCH 1/3] skeleton code
---
 ec2.tf => aws/ec2.tf | 2 +-
 iam.tf => aws/iam.tf | 0
 main.tf => aws/main.tf | 3 ++-
 security_group.tf => aws/security_group.tf | 0
 s3.tf => aws/storage.tf | 13 +++++++++++++
 aws/variables.tf | 5 +++++
 opencti_scripts/installer.sh | 15 +++++++++++++++
 userdata/installation-wrapper-script.sh | 1 +
 8 files changed, 37 insertions(+), 2 deletions(-)
 rename ec2.tf => aws/ec2.tf (94%)
 rename iam.tf => aws/iam.tf (100%)
 rename main.tf => aws/main.tf (83%)
 rename security_group.tf => aws/security_group.tf (100%)
 rename s3.tf => aws/storage.tf (55%)
 create mode 100644 aws/variables.tf
diff --git a/ec2.tf b/aws/ec2.tf
similarity index 94%
rename from ec2.tf
rename to aws/ec2.tf
index 535a32d..7f3bd4a 100644
--- a/ec2.tf
+++ b/aws/ec2.tf
@@ -1,5 +1,5 @@
 # EC2 Instance
-resource "aws_instance" "test" {
+resource "aws_instance" "opencti_instance" {
 ami = local.ami_id
 instance_type = local.instance_type
diff --git a/iam.tf b/aws/iam.tf
similarity index 100%
rename from iam.tf
rename to aws/iam.tf
diff --git a/main.tf b/aws/main.tf
similarity index 83%
rename from main.tf
rename to aws/main.tf
index 273e415..cfe8a3f 100644
--- a/main.tf
+++ b/aws/main.tf
@@ -14,5 +14,6 @@ locals {
 opencti_connectors_script_name = "opencti-connectors.sh"
 vpc_id = "vpc-FILLTHISIN"
 subnet_id = "subnet-FILLTHISIN"
- instance_type = "t3.medium"
+ # This instance type is an 8x16 node with EBS-backed storage.
+ instance_type = "a1.2xlarge"
 }
diff --git a/security_group.tf b/aws/security_group.tf
similarity index 100%
rename from security_group.tf
rename to aws/security_group.tf
diff --git a/s3.tf b/aws/storage.tf
similarity index 55%
rename from s3.tf
rename to aws/storage.tf
index acf0f3f..4dd6762 100644
--- a/s3.tf
+++ b/aws/storage.tf
@@ -1,3 +1,16 @@
+# The system disk is 7.7GB which is sufficient for the application and components, but we will need more space for storing everything that OpenCTI wants to consume. The instance type we're using only allows for AWS EBS (Elastic Block Store) for disks so that's what we're going to attach. The recommendation is a minimum of 32GB disk space.
+resource "aws_ebs_volume" "opencti_ebs_volume" {
+ availability_zone = "us-east-1a"
+ size = var.ebs_volume_size
+}
+
+# AWS recommends that EBS instances be named `/dev/sd[f-p]`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names
+resource "aws_volume_attachment" "attach_ebs" {
+ device_name = "/dev/sdf"
+ volume_id = aws_ebs_volume.opencti_ebs_volume.id
+ instance_id = aws_instance.opencti_instance.id
+}
+
 # S3 resources
 resource "aws_s3_bucket" "opencti" {
 bucket = local.opencti_bucket_name
diff --git a/aws/variables.tf b/aws/variables.tf
new file mode 100644
index 0000000..86d2efc
--- /dev/null
+++ b/aws/variables.tf
@@ -0,0 +1,5 @@
+variable "ebs_volume_size" {
+ description = "Size of volume to attach to EC2 instance."
+ type = number
+ default = 32
+}
diff --git a/opencti_scripts/installer.sh b/opencti_scripts/installer.sh
index 76fac58..4773427 100644
--- a/opencti_scripts/installer.sh
+++ b/opencti_scripts/installer.sh
@@ -329,6 +329,21 @@ enable_service 'grakn'
 ## Elasticsearch
 log_section_heading "Elasticsearch"
+echo "Setting up logrotate for Elasticsearch"
+# rotate 20 logs at 50M means a maximum of 1GB Elasticsearch logs.
+cat < /etc/logrotate.d/elasticsearch
+/var/log/elasticsearch/*.log {
+ daily
+ rotate 20
+ size 50M
+ copytruncate
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 644 elasticsearch elasticsearch
+}
+EOT
 wget -qO - 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' | apt-key add -
 add-apt-repository "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
 update_apt_pkg
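Review bot: The line `cat < /etc/logrotate.d/elasticsearch` in the new logrotate block has no heredoc delimiter, so as printed it would read the file as stdin and the stanza lines up to `EOT` would be parsed as commands rather than written to the file; this is probably an extraction artifact of `cat <<EOT > /etc/logrotate.d/elasticsearch`, but it is worth confirming against the real file. Within the stanza, `copytruncate` and `create 644 elasticsearch elasticsearch` conflict: with copytruncate the existing log is truncated in place and the `create` option has no effect, so one of the two should go. The stanza is also written before the Elasticsearch package is installed on the following lines; if the package ships its own file under the same name it may overwrite this one, which deserves a comment such as `# written before apt install; verify the package does not replace /etc/logrotate.d/elasticsearch`.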
diff --git a/userdata/installation-wrapper-script.sh b/userdata/installation-wrapper-script.sh
index fa95bc3..919522b 100644
--- a/userdata/installation-wrapper-script.sh
+++ b/userdata/installation-wrapper-script.sh
@@ -5,6 +5,7 @@ exec > >(tee /var/log/opencti-install.log|logger -t opencti-install -s 2>/dev/console) 2>&1
 echo "Update base OS"
+exit
 apt-get update
 apt-get upgrade -y
From 6e8a9a14128a30924756141e919bc4b1961dbd28 Mon Sep 17 00:00:00 2001
From: Colby Goettel
Date: Fri, 19 Feb 2021 10:22:59 -0600
Subject: [PATCH 2/3] anonymized repo; deploying but can't access with SSM
---
 README.md | 17 +++----
 aws/ec2.tf | 15 ++++--
 aws/iam.tf | 39 +++++++++---------
 aws/main.tf | 16 +++---
 aws/security_group.tf | 13 +++---
 aws/storage.tf | 55 -------------------------
 aws/variables.tf | 28 ++++++++++++-
 opencti_scripts/connectors.sh | 6 +-
 opencti_scripts/installer.sh | 9 +++-
 userdata/installation-wrapper-script.sh | 3 +-
 10 files changed, 85 insertions(+), 116 deletions(-)
 delete mode 100644 aws/storage.tf
diff --git a/README.md b/README.md
index 1c8c28b..352806e 100644
--- a/README.md
+++ b/README.md
@@ -1,16 +1,11 @@
 # opencti-terraform
 ## Before you deploy
-Before you get going, there are a few things you will need to do:
-- Edit `main.tf`:
- - (optional) Edit the AWS region (default is `us-east-1`).
- - Make sure your AWS credentials are in place and edit the path to them.
- - Edit the login e-mail (`opencti_install_email`).
- - Edit the `vpc_id`.
- - Edit the `subnet_id`
-- In `security_group.tf`:
- - Add your public-facing IP address to the ingress rules (this can be a comma-separated list).
-- (optional) In `ec2.tf`:
- - Edit the instance's tag `Name` (the default is "opencti").
+Before you get going, there are a some variables you will probably want to set. All of these can be found in `aws/variables.tf`:
+- `allowed_ips_application`: Array containing each of the IPs that are allowed to access the web application. Default `0.0.0.0/0` all IPs.
+- `availability_zone`: The AWS availability zone. Default `us-east-1a`.
+- `login_email`: The e-mail address used to login to the application. Default `login.email@example.com`.
+- `region`: The AWS region used. Default `us-east`.
+- `root_volume_size`: The root volume size for the EC2 instance. Without this, the volume is 7.7GB and fills up in a day. Default `32` (GB). Note that this will incur costs.
 ## Deployment
 To deploy, navigate to the repository and run `terraform init`. Then, create a plan (`terraform plan`) and check it over. Once you're good to go, apply it (`terraform apply`).
diff --git a/aws/ec2.tf b/aws/ec2.tf
index 7f3bd4a..ef137d1 100644
--- a/aws/ec2.tf
+++ b/aws/ec2.tf
@@ -3,19 +3,22 @@ resource "aws_instance" "opencti_instance" {
 ami = local.ami_id
 instance_type = local.instance_type
- # Default VPC subnet for NC Sandbox
- subnet_id = local.subnet_id
 associate_public_ip_address = true
- iam_instance_profile = aws_iam_instance_profile.opencti-profile.name
+ iam_instance_profile = aws_iam_instance_profile.opencti_profile.name
+ root_block_device {
+ volume_size = var.root_volume_size
+ }
+ subnet_id = aws_subnet.opencti_subnet.id
- user_data = templatefile("./userdata/installation-wrapper-script.sh", {
+ user_data = templatefile("../userdata/installation-wrapper-script.sh", {
+ login_email = var.login_email,
 opencti_bucket_name = local.opencti_bucket_name,
- opencti_install_email = local.opencti_install_email,
+ opencti_dir = local.opencti_dir,
 opencti_install_script_name = local.opencti_install_script_name,
 opencti_connectors_script_name = local.opencti_connectors_script_name
 })
- vpc_security_group_ids = [aws_security_group.opencti.id]
+ vpc_security_group_ids = [aws_security_group.opencti_sg.id]
 tags = {
 Name = "opencti"
diff --git a/aws/iam.tf b/aws/iam.tf
index bbd0d18..1249a84 100644
--- a/aws/iam.tf
+++ b/aws/iam.tf
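Review bot: The new `root_block_device` block sets only `volume_size`, so the root volume is created unencrypted unless the account has EBS default encryption turned on; adding `encrypted = true` inside the block costs nothing and keeps the OpenCTI data at rest encrypted. The same instance keeps `associate_public_ip_address = true`, carries an instance profile with SSM and S3 permissions, and serves a web application on port 4000, so requiring IMDSv2 with `metadata_options { http_tokens = "required" }` limits what a server-side request forgery in the application could read from the metadata service. The `aws_instance` resource starts before this hunk and continues after it.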
@@ -1,23 +1,23 @@
 # IAM initial config
-data "aws_iam_policy_document" "opencti-assume-role" {
- statement {
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["ec2.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "opencti" {
+resource "aws_iam_role" "opencti_role" {
 name = "opencti_role"
- assume_role_policy = data.aws_iam_policy_document.opencti-assume-role.json
+ assume_role_policy = jsonencode({
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ })
 }
-resource "aws_iam_instance_profile" "opencti-profile" {
+resource "aws_iam_instance_profile" "opencti_profile" {
 name = "opencti_profile"
- role = aws_iam_role.opencti.name
+ role = aws_iam_role.opencti_role.name
 }
 # AWS Systems Manager (SSM)
@@ -25,16 +25,17 @@ data "aws_iam_policy" "ssm" {
 arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
-resource "aws_iam_role_policy_attachment" "opencti-ssm-attach" {
- role = aws_iam_role.opencti.name
+resource "aws_iam_role_policy_attachment" "opencti_ssm_attach" {
+ role = aws_iam_role.opencti_role.name
 policy_arn = data.aws_iam_policy.ssm.arn
 }
+# S3
 data "aws_iam_policy" "s3readonly" {
 arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 }
-resource "aws_iam_role_policy_attachment" "opencti-readonly-attach" {
- role = aws_iam_role.opencti.name
+resource "aws_iam_role_policy_attachment" "opencti_readonly_attach" {
+ role = aws_iam_role.opencti_role.name
 policy_arn = data.aws_iam_policy.s3readonly.arn
 }
diff --git a/aws/main.tf b/aws/main.tf
index cfe8a3f..d05c26f 100644
--- a/aws/main.tf
+++ b/aws/main.tf
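Review bot: `opencti_readonly_attach` in the second hunk attaches the AWS-managed `AmazonS3ReadOnlyAccess` policy, which grants read of every bucket in the account, while the wrapper script only needs to fetch two scripts from `local.opencti_bucket_name`; an inline policy limited to `s3:GetObject` on that bucket's objects (plus `s3:ListBucket` on the bucket if listing is needed) is the least-privilege form and avoids handing an internet-facing instance account-wide read access. If the managed policy is kept on purpose, a comment on the attachment saying why the broad grant is needed would help the next reviewer, e.g. `# account-wide S3 read: needed for <reason>`.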
@@ -1,19 +1,15 @@
 provider "aws" {
- region = "us-east-1"
- shared_credentials_file = "/path/to/your/.aws/credentials"
+ region = var.region
+ shared_credentials_file = "~/.aws/credentials"
 profile = "default"
 }
+# These variables aren't meant to be changed by the end user.
 locals {
- # Ubuntu 20.04 LTS
- ami_id = "ami-0074ee617a234808d"
-
+ ami_id = "ami-0074ee617a234808d" # Ubuntu 20.04 LTS
+ instance_type = "t3.2xlarge" # 8x32 with EBS-backed storage
 opencti_bucket_name = "opencti-storage"
- opencti_install_email = "login.email@example.com"
+ opencti_dir = "/opt/opencti"
 opencti_install_script_name = "opencti-installer.sh"
 opencti_connectors_script_name = "opencti-connectors.sh"
- vpc_id = "vpc-FILLTHISIN"
- subnet_id = "subnet-FILLTHISIN"
- # This instance type is an 8x16 node with EBS-backed storage.
- instance_type = "a1.2xlarge"
 }
diff --git a/aws/security_group.tf b/aws/security_group.tf
index 2e69754..c907015 100644
--- a/aws/security_group.tf
+++ b/aws/security_group.tf
@@ -1,17 +1,18 @@
 # Security group
-resource "aws_security_group" "opencti" {
- name = "opencti"
- vpc_id = local.vpc_id
+resource "aws_security_group" "opencti_sg" {
+ name = "opencti_sg"
+ vpc_id = aws_vpc.opencti_vpc.id
 ingress {
- description = "Allow access from these IPs"
+ description = "Allow access to application on port 4000"
 from_port = 4000
 to_port = 4000
 protocol = "tcp"
- cidr_blocks = ["put.your.ip.here/32", "another.ip.address.here/32"]
+ cidr_blocks = var.allowed_ips_application
 }
 egress {
+ description = "Application can send outbound traffic to these IPs"
 from_port = 0
 to_port = 0
 protocol = "-1"
@@ -19,6 +20,6 @@ resource "aws_security_group" "opencti" {
 }
 tags = {
- Name = "opencti"
+ Name = "opencti security group"
 }
 }
diff --git a/aws/storage.tf b/aws/storage.tf
deleted file mode 100644
index 4dd6762..0000000
--- a/aws/storage.tf
+++ /dev/null
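Review bot: `region` becomes `var.region` but `ami_id` stays the hard-coded `ami-0074ee617a234808d`; AMI IDs are region-specific, so any region other than the one this ID belongs to fails at apply with an unknown-AMI error, and the trailing comment `# Ubuntu 20.04 LTS` cannot be checked against the bare ID. A `data "aws_ami"` lookup filtered by Canonical's owner account and the Focal image name resolves the correct image in whatever region the operator picks; if reproducible builds matter, narrow the name pattern to a dated build rather than relying on `most_recent`.
```hcl
data "aws_ami" "ubuntu_focal" {
  most_recent = true
  owners      = ["099720109477"] # Canonical
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

locals {
  ami_id = data.aws_ami.ubuntu_focal.id # Ubuntu 20.04 LTS, resolved per region
  # … unchanged: instance_type, opencti_bucket_name, opencti_dir, script names …
}
```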
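Review bot: The ingress rule now takes `cidr_blocks = var.allowed_ips_application`, whose default in `aws/variables.tf` (hunk `@@ -1,5 +1,29 @@` of this commit) is `["0.0.0.0/0"]`, so a deploy with no tfvars exposes port 4000 of a public-IP instance to the whole internet, where the previous version forced the operator to list their own addresses. Dropping the default keeps the explicit opt-in and makes `terraform plan` ask for the list: `variable "allowed_ips_application" { type = list(string) }` with no `default` line. The new egress description `Application can send outbound traffic to these IPs` sits above an allow-all rule (`protocol = "-1"` to `0.0.0.0/0`), so the wording is misleading; `description = "Unrestricted outbound"` states what the rule does.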
@@ -1,55 +0,0 @@
-# The system disk is 7.7GB which is sufficient for the application and components, but we will need more space for storing everything that OpenCTI wants to consume. The instance type we're using only allows for AWS EBS (Elastic Block Store) for disks so that's what we're going to attach. The recommendation is a minimum of 32GB disk space.
-resource "aws_ebs_volume" "opencti_ebs_volume" {
- availability_zone = "us-east-1a"
- size = var.ebs_volume_size
-}
-
-# AWS recommends that EBS instances be named `/dev/sd[f-p]`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names
-resource "aws_volume_attachment" "attach_ebs" {
- device_name = "/dev/sdf"
- volume_id = aws_ebs_volume.opencti_ebs_volume.id
- instance_id = aws_instance.opencti_instance.id
-}
-
-# S3 resources
-resource "aws_s3_bucket" "opencti" {
- bucket = local.opencti_bucket_name
- acl = "private"
-}
-
-data "aws_iam_policy_document" "opencti-s3" {
- statement {
- actions = [
- "s3:*",
- ]
-
- resources = [
- "arn:aws:s3:::${local.opencti_bucket_name}",
- "arn:aws:s3:::${local.opencti_bucket_name}/*",
- ]
- }
-}
-
-resource "aws_iam_policy" "opencti-s3" {
- name = "opencti_s3"
- policy = data.aws_iam_policy_document.opencti-s3.json
-}
-
-resource "aws_iam_role_policy_attachment" "opencti-s3-attach" {
- role = aws_iam_role.opencti.name
- policy_arn = aws_iam_policy.opencti-s3.arn
-}
-
-# OpenCTI installer script
-resource "aws_s3_bucket_object" "opencti-install-script" {
- bucket = aws_s3_bucket.opencti.id
- key = "opencti-installer.sh"
- source = "opencti_scripts/installer.sh"
-}
-
-# OpenCTI connectors script
-resource "aws_s3_bucket_object" "opencti-connectors-script" {
- bucket = aws_s3_bucket.opencti.id
- key = "opencti-connectors.sh"
- source = "opencti_scripts/connectors.sh"
-}
diff --git a/aws/variables.tf b/aws/variables.tf
index 86d2efc..725a838 100644
--- a/aws/variables.tf
+++ b/aws/variables.tf
@@ -1,5 +1,29 @@
-variable "ebs_volume_size" {
- description = "Size of volume to attach to EC2 instance."
+variable "allowed_ips_application" {
+ description = "List of IP addresses allowed to access application on port 4000 of public IP. Default is all IPs."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "availability_zone" {
+ description = "The availability zone to use."
+ type = string
+ default = "us-east-1a"
+}
+
+variable "login_email" {
+ description = "The e-mail address to use for logging into the OpenCTI instance."
+ type = string
+ default = "login.email@example.com"
+}
+
+variable "region" {
+ description = "The region to deploy in."
+ type = string
+ default = "us-east-1"
+}
+
+variable "root_volume_size" {
+ description = "The size of the root volume."
 type = number
 default = 32
 }
diff --git a/opencti_scripts/connectors.sh b/opencti_scripts/connectors.sh
index a9fea60..130004c 100644
--- a/opencti_scripts/connectors.sh
+++ b/opencti_scripts/connectors.sh
@@ -140,8 +140,8 @@ warn_user
 # This will only set up your instance for the connectors enabled. You must supply an API token (e.g., alienvault token) and enable the service.
 # It should be safe to run this after changing configs or enabling services.
 declare -A CONNECTORS;
-CONNECTORS['alienvault']=0 # this
-CONNECTORS['amitt']=0 # this
+CONNECTORS['alienvault']=0
+CONNECTORS['amitt']=0
 CONNECTORS['crowdstrike']=0
 CONNECTORS['cryptolaemus']=0
 CONNECTORS['cve']=1
@@ -173,7 +173,7 @@ done
 if [[ ! $show_user_prompt ]]
 then
 echo
- read -p "Are you sure you want to continue with the list above? " -n 1 -r
+ read -p "Are you sure you want to continue with the list above? [y/N] " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]
 then
diff --git a/opencti_scripts/installer.sh b/opencti_scripts/installer.sh
index 4773427..bbe8b6b 100644
--- a/opencti_scripts/installer.sh
+++ b/opencti_scripts/installer.sh
@@ -58,10 +58,12 @@ function print_banner {
 # Parameters:
 # - $1: section heading
 function log_section_heading {
+ echo
 echo "###^^^###^^^###^^^###^^^###"
 date --iso-8601=seconds
 echo $1
 echo "###^^^###^^^###^^^###^^^###"
+ echo
 }
 # Function: check_root
@@ -114,11 +116,11 @@ function check_apt_pkg {
 if [[ $(dpkg -l | grep $1) ]]
 then
 echo >&2 "$1 found, attempting upgrade: executing apt-get -y install --only-upgrade '$1''$2'";
- DEBIAN_FRONTEND=noninteractive apt -qq install --only-upgrade "$1""$2" > /dev/null 2>&1;
+ DEBIAN_FRONTEND=noninteractive apt -qq install --only-upgrade "$1""$2"
 quit_on_error "Upgrading $1$2"
 else
 echo >&2 "$1 missing, attempting install: executing apt-get -y install '$1''$2'";
- DEBIAN_FRONTEND=noninteractive apt -qq -y install "$1""$2" > /dev/null 2>&1;
+ DEBIAN_FRONTEND=noninteractive apt -qq -y install "$1""$2"
 quit_on_error "Installing $1$2"
 fi
 }
@@ -306,6 +308,7 @@ sudo add-apt-repository 'deb [ arch=all ] https://repo.grakn.ai/repository/apt/
 update_apt_pkg
 # apt-get install -y grakn-console=2.0.0-alpha-3 # Required dependency
 # apt-get install -y grakn-core-all
+check_apt_pkg 'grakn-bin' '=2.0.0-alpha-6'
 check_apt_pkg 'grakn-core-server' "=${grakn_version}"
 check_apt_pkg 'grakn-console' "=${grakn_version}"
 check_apt_pkg 'grakn-core-all' "=${grakn_version}"
@@ -478,6 +481,7 @@ update_apt_pkg
 check_apt_pkg 'rabbitmq-server' "=${rabbitmq_ver}"
 enable_service 'rabbitmq-server'
+# Set RabbitMQ environment variables
 RRMQUNAME="rabbitadmin" # rabbitmq doesn't like '/'
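Review bot: `check_apt_pkg 'grakn-bin' '=2.0.0-alpha-6'` in the third hunk pins a literal version while the three lines below it use `"=${grakn_version}"`; if `grakn_version` (set outside this hunk) is ever bumped, the helper will install a grakn-bin that does not match the server and console packages and apt may refuse the dependency set. Using `"=${grakn_version}"` here as well, or a comment such as `# grakn-bin is versioned separately from grakn-core; keep in step with grakn_version` if the pin is deliberate, keeps the versions from drifting apart. Removing the `> /dev/null 2>&1` redirects in `check_apt_pkg` is welcome, since apt errors now reach the install log that the wrapper script tees to `/var/log/opencti-install.log`.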
@@ -518,6 +522,7 @@ log_section_heading "OpenCTI package installation"
 echo "OpenCTI: download tarball"
 wget --quiet -O opencti-release-${opencti_ver}.tar.gz "https://github.com/OpenCTI-Platform/opencti/releases/download/${opencti_ver}/opencti-release-${opencti_ver}.tar.gz"
 tar -xzf "opencti-release-${opencti_ver}.tar.gz" --directory "/opt/"
+rm "opencti-release-${opencti_ver}.tar.gz"
 echo "Changing owner of ${opencti_dir} to:" $(whoami)":"$(id -gn)
 chown -R $(whoami):$(id -gn) "${opencti_dir}"
diff --git a/userdata/installation-wrapper-script.sh b/userdata/installation-wrapper-script.sh
index 919522b..cd4fe2b 100644
--- a/userdata/installation-wrapper-script.sh
+++ b/userdata/installation-wrapper-script.sh
@@ -5,7 +5,6 @@ exec > >(tee /var/log/opencti-install.log|logger -t opencti-install -s 2>/dev/console) 2>&1
 echo "Update base OS"
-exit
 apt-get update
 apt-get upgrade -y
@@ -17,7 +16,7 @@ aws s3 cp s3://${opencti_bucket_name}/${opencti_install_script_name} /opt/${open
 chmod +x /opt/${opencti_install_script_name}
 echo "Starting OpenCTI installation script"
 # Run the install script with the provided e-mail address (from main.tf)
-/opt/${opencti_install_script_name} -e "${opencti_install_email}"
+/opt/${opencti_install_script_name} -e "${login_email}"
 echo "OpenCTI installation script complete."
From 8d24a32bcc9b7715041ccea8be6856066e67e631 Mon Sep 17 00:00:00 2001
From: Colby Goettel
Date: Mon, 22 Feb 2021 14:31:05 -0600
Subject: [PATCH 3/3] major objectives complete
---
 README.md | 4 +++-
 aws/ec2.tf | 2 +-
 aws/iam.tf | 1 +
 aws/network.tf | 28 ++++++++++++++++++++++++++++
 aws/security_group.tf | 2 +-
 aws/storage.tf | 43 +++++++++++++++++++++++++++++++++++++++++++
 aws/terraform.tfvars | 7 +++++++
 aws/variables.tf | 10 ++++++++++
 8 files changed, 94 insertions(+), 3 deletions(-)
 create mode 100644 aws/network.tf
 create mode 100644 aws/storage.tf
 create mode 100644 aws/terraform.tfvars
diff --git a/README.md b/README.md
index 352806e..6523fda 100644
--- a/README.md
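Review bot: The new `rm "opencti-release-${opencti_ver}.tar.gz"` runs unconditionally, so a failed `wget --quiet` (which suppresses its own error output) or a failed `tar` is followed by deleting whatever was downloaded and the script carries on to `chown` an empty `${opencti_dir}`; the file's own `quit_on_error` helper fits here, e.g. `quit_on_error "Extracting OpenCTI ${opencti_ver}"` between the `tar` and the `rm`. Since the archive is fetched from GitHub releases and extracted under `/opt/` as root with no integrity check, comparing it against a pinned checksum before `tar`, while the file still exists, would also be worth a line in this block.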
+++ b/README.md
@@ -1,11 +1,13 @@
 # opencti-terraform
 ## Before you deploy
-Before you get going, there are a some variables you will probably want to set. All of these can be found in `aws/variables.tf`:
+Before you get going, there are a some variables you will probably want to set. All of these can be found in `aws/terraform.tfvars`:
 - `allowed_ips_application`: Array containing each of the IPs that are allowed to access the web application. Default `0.0.0.0/0` all IPs.
 - `availability_zone`: The AWS availability zone. Default `us-east-1a`.
 - `login_email`: The e-mail address used to login to the application. Default `login.email@example.com`.
 - `region`: The AWS region used. Default `us-east`.
 - `root_volume_size`: The root volume size for the EC2 instance. Without this, the volume is 7.7GB and fills up in a day. Default `32` (GB). Note that this will incur costs.
+- `subnet_id`: The AWS subnet to use. No default specified.
+- `vpc_id`: The VPC to use. No default specified.
 ## Deployment
 To deploy, navigate to the repository and run `terraform init`. Then, create a plan (`terraform plan`) and check it over. Once you're good to go, apply it (`terraform apply`).
diff --git a/aws/ec2.tf b/aws/ec2.tf
index ef137d1..dd249a8 100644
--- a/aws/ec2.tf
+++ b/aws/ec2.tf
@@ -8,7 +8,7 @@ resource "aws_instance" "opencti_instance" {
 root_block_device {
 volume_size = var.root_volume_size
 }
- subnet_id = aws_subnet.opencti_subnet.id
+ subnet_id = var.subnet_id
 user_data = templatefile("../userdata/installation-wrapper-script.sh", {
 login_email = var.login_email,
diff --git a/aws/iam.tf b/aws/iam.tf
index 1249a84..9fc83f5 100644
--- a/aws/iam.tf
+++ b/aws/iam.tf
@@ -2,6 +2,7 @@ resource "aws_iam_role" "opencti_role" {
 name = "opencti_role"
 assume_role_policy = jsonencode({
+ Version = "2012-10-17"
 Statement = [
 {
 Action = "sts:AssumeRole"
diff --git a/aws/network.tf b/aws/network.tf
new file mode 100644
index 0000000..8c020bd
--- /dev/null
+++ b/aws/network.tf
@@ -0,0 +1,28 @@
+# This code creates a VPC and Subnet. The code applies just fine. But Systems Manager (SSM) is unusable. Says something isn't right. Been tracking it down for far too long and it's outside the scope of this change anyway so commenting and moving along. This VPC/Subnet issue is tracked in #9.
+# resource "aws_vpc" "opencti_vpc" {
+# cidr_block = "10.1.0.0/16"
+
+# tags = {
+# Name = "OpenCTI VPC"
+# }
+# }
+
+# resource "aws_subnet" "opencti_subnet" {
+# vpc_id = aws_vpc.opencti_vpc.id
+# cidr_block = "10.1.10.0/24"
+# availability_zone = var.availability_zone
+
+# tags = {
+# Name = "OpenCTI subnet"
+# }
+# }
+
+# resource "aws_network_interface" "opencti_nic" {
+# subnet_id = aws_subnet.opencti_subnet.id
+# # private_ips = ["10.1.10.100"]
+# security_groups = [ aws_security_group.opencti_sg.id ]
+
+# tags = {
+# Name = "primary_network_interface"
+# }
+# }
diff --git a/aws/security_group.tf b/aws/security_group.tf
index c907015..5941222 100644
--- a/aws/security_group.tf
+++ b/aws/security_group.tf
@@ -1,7 +1,7 @@
 # Security group
 resource "aws_security_group" "opencti_sg" {
 name = "opencti_sg"
- vpc_id = aws_vpc.opencti_vpc.id
+ vpc_id = var.vpc_id
 ingress {
 description = "Allow access to application on port 4000"
diff --git a/aws/storage.tf b/aws/storage.tf
new file mode 100644
index 0000000..c0155cf
--- /dev/null
+++ b/aws/storage.tf
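Review bot: The whole of `aws/network.tf` is commented-out HCL plus a note that SSM does not work with it, which leaves dead code in the module; since the problem is tracked in #9, the file could be cut down to that one-line pointer until the VPC work resumes. On the symptom itself, the commented `aws_vpc`/`aws_subnet` pair has no internet gateway, route table or SSM interface endpoints (`com.amazonaws.<region>.ssm`, `.ssmmessages`, `.ec2messages`), so an instance in that subnet would have no path to the SSM service and would never register as a managed instance; that matches the "something isn't right" observation but is inferred from what is absent, not shown here. A comment such as `# SSM agent needs outbound reach to the ssm/ssmmessages/ec2messages endpoints: add an IGW+route or VPC endpoints (see #9)` would save the next person the same hunt.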
@@ -0,0 +1,43 @@
+# S3 bucket to store install and connectors scripts.
+resource "aws_s3_bucket" "opencti_bucket" {
+ bucket = local.opencti_bucket_name
+ acl = "private"
+}
+
+# S3 IAM (I don't think any of these permissions are being used)
+data "aws_iam_policy_document" "opencti_s3" {
+ statement {
+ actions = [
+ "s3:*",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${local.opencti_bucket_name}",
+ "arn:aws:s3:::${local.opencti_bucket_name}/*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "opencti_s3" {
+ name = "opencti_s3"
+ policy = data.aws_iam_policy_document.opencti_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "opencti_s3_attach" {
+ role = aws_iam_role.opencti_role.name
+ policy_arn = aws_iam_policy.opencti_s3.arn
+}
+
+# OpenCTI installer script
+resource "aws_s3_bucket_object" "opencti-install-script" {
+ bucket = aws_s3_bucket.opencti_bucket.id
+ key = "opencti-installer.sh"
+ source = "../opencti_scripts/installer.sh"
+}
+
+# OpenCTI connectors script
+resource "aws_s3_bucket_object" "opencti-connectors-script" {
+ bucket = aws_s3_bucket.opencti_bucket.id
+ key = "opencti-connectors.sh"
+ source = "../opencti_scripts/connectors.sh"
+}
diff --git a/aws/terraform.tfvars b/aws/terraform.tfvars
new file mode 100644
index 0000000..90f2a92
--- /dev/null
+++ b/aws/terraform.tfvars
@@ -0,0 +1,7 @@
+# allowed_ips_application = ["0.0.0.0/0"]
+# availability_zone = "us-east-1a"
+# login_email = "login.email@example.com"
+# region = "us-east-1"
+# root_volume_size = 32
+subnet_id = ""
+vpc_id = ""
diff --git a/aws/variables.tf b/aws/variables.tf
index 725a838..351c847 100644
--- a/aws/variables.tf
+++ b/aws/variables.tf
@@ -27,3 +27,13 @@ variable "root_volume_size" {
 type = number
 default = 32
 }
+
+variable "subnet_id" {
+ description = "The subnet ID to use."
+ type = string
+}
+
+variable "vpc_id" {
+ description = "The VPC ID to use."
+ type = string
+}
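Review bot: The `opencti_s3` policy document grants `s3:*` on the bucket and every object in it to the instance role, and the comment above it already doubts the permissions are used; the wrapper script only runs `aws s3 cp` for two objects, so `s3:GetObject` on the bucket's objects (plus `s3:ListBucket` on the bucket if listing is needed) is the least-privilege grant, and `s3:*` additionally lets a compromised instance rewrite the very install scripts it later executes. The two `aws_s3_bucket_object` resources carry no `etag`, so editing `installer.sh` or `connectors.sh` locally produces no plan diff and the stale scripts stay in the bucket; `etag = filemd5(...)` makes content changes visible. The bucket is `acl = "private"` but has no `aws_s3_bucket_public_access_block`, which is the usual guard against a later ACL or bucket-policy change re-exposing the scripts.
```hcl
data "aws_iam_policy_document" "opencti_s3" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.opencti_bucket_name}"]
  }
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.opencti_bucket_name}/*"]
  }
}

# … unchanged: aws_iam_policy, aws_iam_role_policy_attachment …

resource "aws_s3_bucket_object" "opencti-install-script" {
  bucket = aws_s3_bucket.opencti_bucket.id
  key    = "opencti-installer.sh"
  source = "../opencti_scripts/installer.sh"
  etag   = filemd5("../opencti_scripts/installer.sh")
}
# … same etag line added to opencti-connectors-script …
```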
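Review bot: `subnet_id` and `vpc_id` in the last hunk are bare `string` variables with no default, but the new `aws/terraform.tfvars` in the same commit sets both to `""`, which satisfies the type check and only fails later inside the provider with an invalid-ID error; a `validation` block (Terraform 0.13 or later; the version pin is not visible here) rejects the empty placeholder at plan time with a message that names the variable. Committing a tfvars file that operators are expected to fill in also invites them to commit their real VPC and subnet IDs; a `terraform.tfvars.example` plus a `.gitignore` entry for `*.tfvars` is the usual pattern.
```hcl
variable "subnet_id" {
  description = "The subnet ID to use."
  type        = string
  validation {
    condition     = can(regex("^subnet-", var.subnet_id))
    error_message = "subnet_id must be set to an existing subnet ID (subnet-...)."
  }
}

variable "vpc_id" {
  description = "The VPC ID to use."
  type        = string
  validation {
    condition     = can(regex("^vpc-", var.vpc_id))
    error_message = "vpc_id must be set to an existing VPC ID (vpc-...)."
  }
}
```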