From 2c1f83a2f7130fa3e8c50629ec4a1348cf02a263 Mon Sep 17 00:00:00 2001 From: Jason McVetta Date: Fri, 17 Jun 2022 19:26:48 -0400 Subject: [PATCH 1/2] Security hardening (#11) https://github.com/ordinaryexperts/terraform-aws-hardened-bastion/pull/11 --- CHANGELOG.md | 2 ++ main.tf | 12 ++++++------ user_data.sh.tmpl | 29 +++++++++++++++++++++++++++-- variables.tf | 8 +++++++- 4 files changed, 42 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d21e621..ea6ac4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased ========== +* Security hardening with Ansible role `geerlingguy.security` + 2.1.0 ===== diff --git a/main.tf b/main.tf index dab286f..708f211 100644 --- a/main.tf +++ b/main.tf @@ -31,6 +31,7 @@ data "template_file" "user_data" { aws_region = local.region bucket_name = aws_s3_bucket.this.bucket sync_users_script = data.template_file.sync_users.rendered + sudoers = jsonencode(var.sudoers) } } @@ -242,6 +243,11 @@ resource "aws_autoscaling_group" "this" { termination_policies = ["OldestLaunchConfiguration"] force_delete = true + instance_refresh { + strategy = "Rolling" + triggers = ["tag"] + } + tag { key = "Name" value = aws_launch_configuration.this.name @@ -277,11 +283,5 @@ resource "aws_launch_configuration" "this" { lifecycle { create_before_destroy = true - - # If we do not ignore changes, user_data will be updated on every apply, - # even if nothing has changed. - ignore_changes = [user_data] } } - -# TODO: harden the instances, add route 53 entries diff --git a/user_data.sh.tmpl b/user_data.sh.tmpl index fb1acea..d25318a 100644 --- a/user_data.sh.tmpl +++ b/user_data.sh.tmpl @@ -1,7 +1,9 @@ #!/bin/bash -x -yum -y update --security -# initiate hardening here + +#------------------------------------------------------------------------------- +# Sync Users +#------------------------------------------------------------------------------- mkdir -p /usr/bin/bastion/ cat > /usr/bin/bastion/sync_users << 'EOF' 
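Review bot: Dropping `ignore_changes = [user_data]` in the last main.tf hunk, combined with the new `instance_refresh` block in the hunk before it, means any change in the rendered user_data now replaces the launch configuration and rolls every bastion instance, dropping active SSH sessions; the removed comment says user_data used to change on every apply, and if that is still true the fleet will be refreshed on each apply. That consequence is stated nowhere in the change; it belongs in the CHANGELOG entry and in the description of `var.sudoers`, whose value now flows into user_data. The `instance_refresh` block sets no `preferences`, so the rolling replacement runs with AWS defaults, which is worth stating explicitly for groups with a min_count of 1. The enclosing `aws_launch_configuration` and `aws_autoscaling_group` resources start outside their hunks.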
@@ -63,3 +65,26 @@ crontab ~/mycron rm ~/mycron /usr/bin/bastion/sync_users + + +#------------------------------------------------------------------------------- +# Hardening +#------------------------------------------------------------------------------- + +yum -y update --security +amazon-linux-extras install epel -y # Required for Ansible role geerlingguy.security +pip3 install ansible +ansible-galaxy install geerlingguy.security + +cat > ~/playbook.yaml << EOF +- hosts: localhost + gather_facts: true + vars: + security_sudoers_passwordless: ${sudoers} + roles: + - geerlingguy.security +EOF + +ansible-playbook ~/playbook.yaml + + diff --git a/variables.tf b/variables.tf index f82fbe8..57e2126 100644 --- a/variables.tf +++ b/variables.tf @@ -49,7 +49,7 @@ variable "min_count" { variable "instance_type" { description = "Instance type for the bastion host. Default = t2.nano" - default = "t2.nano" + default = "t3a.micro" # nano is too weak to run ansible role geerlingguy.security } variable "associate_public_ip_address" { @@ -83,4 +83,10 @@ variable "tags" { variable "vpc_name" { type = string description = "Name of the VPC this bastion serves" +} + +variable "sudoers" { + type = list(string) + description = "Usernames that will be granted passwordless sudo privilege" + default = [] } \ No newline at end of file From d50f7de63150e458652ddf9ae2ba2eb632bb29cf Mon Sep 17 00:00:00 2001 From: Jason McVetta Date: Mon, 20 Jun 2022 11:55:33 -0400 Subject: [PATCH 2/2] release 2.2.0 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea6ac4c..4866839 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ Unreleased ========== +2.2.0 +===== + * Security hardening with Ansible role `geerlingguy.security` 2.1.0
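Review bot: The playbook heredoc in the new Hardening section uses an unquoted delimiter (`cat > ~/playbook.yaml << EOF`), so bash performs `$`, backtick and backslash expansion on the Terraform-rendered `${sudoers}` value before it is written to the playbook; the Sync Users section already uses the quoted form, and `cat > ~/playbook.yaml << 'EOF'` here keeps the rendered JSON list literal. `pip3 install ansible` and `ansible-galaxy install geerlingguy.security` fetch whatever is current at each boot and each instance refresh, so the hardening baseline can differ between instances and change without a commit; pinning both (`pip3 install 'ansible==<PINNED_VERSION>'` and `ansible-galaxy install geerlingguy.security,<PINNED_VERSION>`) keeps it reproducible and reviewable. Nothing in this section makes a failed install or play fatal, since the script runs under `bash -x` only, so an instance whose hardening did not complete still enters service; at minimum `set -eo pipefail` at the start of this section records the failure as a cloud-init error, and a fail-closed step that takes the instance out of the group would be better. Note also that `yum -y update --security` moved from the top of the script to here, so the sync_users setup now runs before security updates are applied.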
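Review bot: In the `instance_type` hunk the description still says `Default = t2.nano` while the default directly below it is now `t3a.micro`, so generated module docs will contradict the actual default; change it to `description = "Instance type for the bastion host. Default = t3a.micro"` or drop the default from the description, since Terraform already reports it. The reason given in the trailing comment (nano is too weak for the role) is useful to module users and could move into the description rather than staying in a code comment they will not see.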
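Review bot: `var.sudoers` in the last variables.tf hunk accepts any `list(string)` and, through `jsonencode` in main.tf, lands in user_data as `security_sudoers_passwordless`, where it becomes a passwordless sudo rule and is written through a shell heredoc; it has no validation, so a malformed or non-username entry fails late, at instance boot, instead of at plan time. A `validation` block restricting entries to plain Linux usernames (if the module's minimum Terraform version allows one) gives a plan-time error and narrows what reaches the shell and sudoers. The description should also say that changing this list re-renders user_data and therefore triggers an instance refresh.
```hcl
variable "sudoers" {
  # … unchanged: type, description, default …

  validation {
    # Plain Linux usernames only: the values are written into a shell heredoc and a sudoers rule.
    condition     = length([for u in var.sudoers : u if can(regex("^[a-z_][a-z0-9_-]*$", u))]) == length(var.sudoers)
    error_message = "Each sudoers entry must be a plain Linux username (lowercase letters, digits, '_' and '-')."
  }
}
```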