Merge branch 'release/2.2.0'

ordinaryexperts · Jun 20, 2022 · c19e09b · c19e09b
2 parents bb2659a + d50f7de
commit c19e09b
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 Unreleased
 ==========
 
+2.2.0
+=====
+
+* Security hardening with Ansible role `geerlingguy.security`
+
 2.1.0
 =====
 

diff --git a/main.tf b/main.tf
@@ -31,6 +31,7 @@ data "template_file" "user_data" {
     aws_region        = local.region
     bucket_name       = aws_s3_bucket.this.bucket
     sync_users_script = data.template_file.sync_users.rendered
+    sudoers           = jsonencode(var.sudoers)
   }
 }
 
@@ -242,6 +243,11 @@ resource "aws_autoscaling_group" "this" {
   termination_policies = ["OldestLaunchConfiguration"]
   force_delete         = true
 
+  instance_refresh {
+    strategy = "Rolling"
+    triggers = ["tag"]
+  }
+
   tag {
     key                 = "Name"
     value               = aws_launch_configuration.this.name
@@ -277,11 +283,5 @@ resource "aws_launch_configuration" "this" {
 
   lifecycle {
     create_before_destroy = true
-
-    # If we do not ignore changes, user_data will be updated on every apply,
-    # even if nothing has changed.
-    ignore_changes = [user_data]
   }
 }
-
-# TODO: harden the instances, add route 53 entries
diff --git a/user_data.sh.tmpl b/user_data.sh.tmpl
@@ -1,7 +1,9 @@
 #!/bin/bash -x
-yum -y update --security
 
-# initiate hardening here
+
+#-------------------------------------------------------------------------------
+# Sync Users
+#-------------------------------------------------------------------------------
 
 mkdir -p /usr/bin/bastion/
 cat > /usr/bin/bastion/sync_users << 'EOF'
@@ -63,3 +65,26 @@ crontab ~/mycron
 rm ~/mycron
 
 /usr/bin/bastion/sync_users
+
+
+#-------------------------------------------------------------------------------
+# Hardening
+#-------------------------------------------------------------------------------
+
+yum -y update --security
+amazon-linux-extras install epel -y   # Required for Ansible role geerlingguy.security
+pip3 install ansible
+ansible-galaxy install geerlingguy.security
+
+cat > ~/playbook.yaml << EOF
+- hosts: localhost
+  gather_facts: true
+  vars:
+    security_sudoers_passwordless: ${sudoers}
+  roles:
+    - geerlingguy.security
+EOF
+
+ansible-playbook ~/playbook.yaml
+
+
diff --git a/variables.tf b/variables.tf
@@ -49,7 +49,7 @@ variable "min_count" {
 
 variable "instance_type" {
   description = "Instance type for the bastion host. Default = t2.nano"
-  default     = "t2.nano"
+  default     = "t3a.micro" # nano is too weak to run ansible role geerlingguy.security
 }
 
 variable "associate_public_ip_address" {
@@ -83,4 +83,10 @@ variable "tags" {
 variable "vpc_name" {
   type        = string
   description = "Name of the VPC this bastion serves"
+}
+
+variable "sudoers" {
+  type        = list(string)
+  description = "Usernames that will be granted passwordless sudo privilege"
+  default     = []
 }