From b20d8fff1bf354b768a769be3432dd8cf5ea6faa Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Wed, 15 Mar 2023 14:47:49 +0000 Subject: [PATCH 01/34] First completed draft of splunk terraform file. --- terraform/splunk.tf | 88 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 terraform/splunk.tf diff --git a/terraform/splunk.tf b/terraform/splunk.tf new file mode 100644 index 00000000..b13a11a4 --- /dev/null +++ b/terraform/splunk.tf 
@@ -0,0 +1,88 @@ +# Just putting everything in on file for now, will move around afterwards + +# variables +variable "splunk_project_name" { + type = string + description = "Splunk Project Name" + default = "answerking-splunk-instance" +} + +variable "splunk_project_owner" { + type = string + description = "Splunk Resource Owner" + default = "answerking" +} + +module "splunk_vpc_subnet" { + source = "github.com/answerdigital/terraform-modules/modules/aws/vpc?ref=v1.1.1" + owner = var.splunk_project_owner + project_name = var.splunk_project_name + enable_vpc_flow_logs = true +} + +data "aws_ami" "amazon_linux_2" { + most_recent = true + owners = ["amazon"] + + filter { + name = "name" + values = ["amzn2-ami-hvm-*-x86_64-ebs"] + } +} + +resource "aws_security_group" "ec2_sg" { + name = "${var.splunk_project_name}-ec2_sg" + description = "Security group for ec2_sg" + vpc_id = module.splunk_vpc_subnet.vpc_id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.splunk_project_name}-ec2-sg" + Owner = var.splunk_project_owner + } +} + +module "ec2_instance_setup" { + source = "github.com/answerdigital/terraform-modules//modules/aws/ec2?ref=v1.1.1" + project_name = "answerking-splunk-instance" + owner = "answerking" + ami_id = data.aws_ami.amazon_linux_2.id + availability_zone = "eu-west-1" + subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] + vpc_security_group_ids = [aws_security_group.ec2_sg.id] + needs_elastic_ip = true + user_data = < >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +sudo yum update -y +sudo yum upgrade -y +sudo yum install docker -y +sudo systemctl enable docker.service +sudo systemctl start docker.service + +sudo docker pull splunk/splunk:latest 
+sudo docker run -d -p 80:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={secret password here}" --name splunk splunk/splunk:latest +EOF +} \ No newline at end of file From afe2d74c88d396c70c0d2a896e696c5a00d26dc5 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 16 Mar 2023 09:23:08 +0000 Subject: [PATCH 02/34] Fixed source urls for modules --- terraform/splunk.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/splunk.tf b/terraform/splunk.tf index b13a11a4..396032cd 100644 --- a/terraform/splunk.tf +++ b/terraform/splunk.tf @@ -14,7 +14,7 @@ variable "splunk_project_owner" { } module "splunk_vpc_subnet" { - source = "github.com/answerdigital/terraform-modules/modules/aws/vpc?ref=v1.1.1" + source = "git::https://github.com/answerdigital/terraform-modules//Terraform_modules/vpc_subnets?ref=v1.0.0" owner = var.splunk_project_owner project_name = var.splunk_project_name enable_vpc_flow_logs = true @@ -63,7 +63,7 @@ resource "aws_security_group" "ec2_sg" { } module "ec2_instance_setup" { - source = "github.com/answerdigital/terraform-modules//modules/aws/ec2?ref=v1.1.1" + source = "git::https://github.com/AnswerConsulting/AnswerKing-Infrastructure.git//Terraform_modules/ec2_instance?ref=v1.0.0" project_name = "answerking-splunk-instance" owner = "answerking" ami_id = data.aws_ami.amazon_linux_2.id From 46356d135d1e5f29856355de2d4f3051c5bb27c2 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 16 Mar 2023 14:49:19 +0000 Subject: [PATCH 03/34] splunk config now successfully runs a splunk instance --- terraform/{ => splunk}/splunk.tf | 7 ++++--- terraform/versions.tf | 7 +++++++ 2 files changed, 11 insertions(+), 3 deletions(-) rename terraform/{ => splunk}/splunk.tf (93%) diff --git a/terraform/splunk.tf b/terraform/splunk/splunk.tf similarity index 93% rename from terraform/splunk.tf rename to terraform/splunk/splunk.tf index 396032cd..a7444aab 100644 --- a/terraform/splunk.tf 
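Review bot: The Splunk admin password is passed on the `docker run` line inside `user_data`, which is stored in plain text in the instance metadata, the Terraform state and the console, so the `{secret password here}` placeholder must never be replaced by a literal; fetch it at boot from SSM Parameter Store or Secrets Manager, or at minimum route it through a `variable` declared with `sensitive = true`. The security group opens 80 and 443 to `0.0.0.0/0` but the container is published only as `-p 80:8000`, so the Splunk login form is served over plain HTTP to the internet and the 443 rule admits nothing; either terminate TLS in front of the instance or publish the web port with Splunk's SSL enabled. `docker pull splunk/splunk:latest` is unpinned, so every rebuild can pull a different image; pin a version tag or a digest. The heredoc marker on the `user_data =` line appears to have been lost in extraction, so the exact boundaries of the script cannot be confirmed from this hunk.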
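Review bot: Both corrected module sources pin to a git tag (`?ref=v1.0.0`), and a tag can be moved or re-pushed by anyone with write access to that repository; for a module pulled from an external repository at apply time, a full commit SHA in `ref=` is the only immutable pin. The same applies to the `ec2_instance_setup` source in the second hunk. It is also worth confirming in review that the second URL's repository (`AnswerConsulting/AnswerKing-Infrastructure`) is the intended one, since it is in a different organisation from the first module's `answerdigital/terraform-modules`.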
+++ b/terraform/splunk/splunk.tf @@ -17,7 +17,8 @@ module "splunk_vpc_subnet" { source = "git::https://github.com/answerdigital/terraform-modules//Terraform_modules/vpc_subnets?ref=v1.0.0" owner = var.splunk_project_owner project_name = var.splunk_project_name - enable_vpc_flow_logs = true + azs = ["eu-west-2a"] + #enable_vpc_flow_logs = true } data "aws_ami" "amazon_linux_2" { @@ -67,7 +68,7 @@ module "ec2_instance_setup" { project_name = "answerking-splunk-instance" owner = "answerking" ami_id = data.aws_ami.amazon_linux_2.id - availability_zone = "eu-west-1" + availability_zone = "eu-west-2a" subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] vpc_security_group_ids = [aws_security_group.ec2_sg.id] needs_elastic_ip = true @@ -83,6 +84,6 @@ sudo systemctl enable docker.service sudo systemctl start docker.service sudo docker pull splunk/splunk:latest -sudo docker run -d -p 80:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={secret password here}" --name splunk splunk/splunk:latest +sudo docker run -d -p 80:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest EOF } \ No newline at end of file diff --git a/terraform/versions.tf b/terraform/versions.tf index 65e1be29..1771d2ab 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -3,6 +3,8 @@ provider "aws" { skip_credentials_validation = true } +provider "docker" {} + terraform { required_version = "~> 1.3" @@ -16,5 +18,10 @@ terraform { source = "hashicorp/random" version = ">= 3.4.3" } + + docker = { + source = "kreuzwerker/docker" + version = "~> 2.13.0" + } } } From b9e07db74956cce3d55747e0651899a8ee6da46c Mon Sep 17 00:00:00 2001 
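Review bot: Commenting out `enable_vpc_flow_logs = true` in the `splunk_vpc_subnet` module call silently drops VPC flow logging for the Splunk VPC with no reason recorded, and flow logs are the main network audit source for a host whose purpose is log collection. If the `vpc_subnets` module at `v1.0.0` does not accept the argument, say so instead of leaving a bare commented line, e.g. `# enable_vpc_flow_logs is not an input of vpc_subnets v1.0.0 — TODO: enable flow logs another way`, and track restoring it. The password edit in the third hunk still places `SPLUNK_PASSWORD=` on the command line inside `user_data`, which is readable from the instance metadata service and stored in state; it should be read at boot from a secrets store rather than templated in. The `versions.tf` hunk adds a `docker` provider, but no resource in this commit's hunks uses it, so it looks like leftover configuration.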
From: Calvin St Louis Date: Fri, 17 Mar 2023 16:52:23 +0000 Subject: [PATCH 04/34] code style ammendments --- terraform/splunk/splunk.tf | 32 ++++++++------------------------ terraform/variables.tf | 12 ++++++++++++ terraform/versions.tf | 2 -- 3 files changed, 20 insertions(+), 26 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index a7444aab..c11b76b0 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -1,24 +1,8 @@ -# Just putting everything in on file for now, will move around afterwards - -# variables -variable "splunk_project_name" { - type = string - description = "Splunk Project Name" - default = "answerking-splunk-instance" -} - -variable "splunk_project_owner" { - type = string - description = "Splunk Resource Owner" - default = "answerking" -} - module "splunk_vpc_subnet" { - source = "git::https://github.com/answerdigital/terraform-modules//Terraform_modules/vpc_subnets?ref=v1.0.0" - owner = var.splunk_project_owner - project_name = var.splunk_project_name - azs = ["eu-west-2a"] - #enable_vpc_flow_logs = true + source = "git::https://github.com/answerdigital/terraform-modules//Terraform_modules/vpc_subnets?ref=v1.0.0" + owner = var.splunk_project_owner + project_name = var.splunk_project_name + azs = ["eu-west-2a"] } data "aws_ami" "amazon_linux_2" { @@ -34,7 +18,7 @@ data "aws_ami" "amazon_linux_2" { resource "aws_security_group" "ec2_sg" { name = "${var.splunk_project_name}-ec2_sg" description = "Security group for ec2_sg" - vpc_id = module.splunk_vpc_subnet.vpc_id + vpc_id = module.splunk_vpc_subnet.vpc_id ingress { from_port = 80 @@ -46,7 +30,7 @@ resource "aws_security_group" "ec2_sg" { ingress { from_port = 443 to_port = 443 - protocol = "tcp" + protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } 
@@ -65,8 +49,8 @@ resource "aws_security_group" "ec2_sg" { module "ec2_instance_setup" { source = "git::https://github.com/AnswerConsulting/AnswerKing-Infrastructure.git//Terraform_modules/ec2_instance?ref=v1.0.0" - project_name = "answerking-splunk-instance" - owner = "answerking" + project_name = var.splunk_project_name + owner = var.splunk_project_owner ami_id = data.aws_ami.amazon_linux_2.id availability_zone = "eu-west-2a" subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] diff --git a/terraform/variables.tf b/terraform/variables.tf index 6b2ef9e5..957eeb9d 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -68,4 +68,16 @@ variable "efs_port" { type = number description = "EFS Access Port" default = 2049 +} + +variable "splunk_project_name" { + type = string + description = "Splunk Project Name" + default = "answerking-splunk-instance" +} + +variable "splunk_project_owner" { + type = string + description = "Splunk Resource Owner" + default = "answerking" } \ No newline at end of file diff --git a/terraform/versions.tf b/terraform/versions.tf index 1771d2ab..67d306f7 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -3,8 +3,6 @@ provider "aws" { skip_credentials_validation = true } -provider "docker" {} - terraform { required_version = "~> 1.3" From 7fb54f59cdfdaf558c2506cce7c18638af72f8a3 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Fri, 17 Mar 2023 16:57:50 +0000 Subject: [PATCH 05/34] moved splunk variables to local folder for the splunk terraform code, in order to be visible --- terraform/splunk/.terraform.tfstate.lock.info | 1 + terraform/splunk/splunk-variables.tf | 11 +++++++++++ terraform/variables.tf | 12 ------------ 3 files changed, 12 insertions(+), 12 deletions(-) create mode 100644 terraform/splunk/.terraform.tfstate.lock.info create mode 100644 terraform/splunk/splunk-variables.tf 
diff --git a/terraform/splunk/.terraform.tfstate.lock.info b/terraform/splunk/.terraform.tfstate.lock.info new file mode 100644 index 00000000..0597618c --- /dev/null +++ b/terraform/splunk/.terraform.tfstate.lock.info @@ -0,0 +1 @@ +{"ID":"c013723a-b354-0812-330c-384ee436fbf8","Operation":"OperationTypeApply","Info":"","Who":"cstlouis@ANS-A855","Version":"1.3.9","Created":"2023-03-17T16:56:56.343131519Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/terraform/splunk/splunk-variables.tf b/terraform/splunk/splunk-variables.tf new file mode 100644 index 00000000..33754932 --- /dev/null +++ b/terraform/splunk/splunk-variables.tf @@ -0,0 +1,11 @@ +variable "splunk_project_name" { + type = string + description = "Splunk Project Name" + default = "answerking-splunk-instance" +} + +variable "splunk_project_owner" { + type = string + description = "Splunk Resource Owner" + default = "answerking" +} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 957eeb9d..6b2ef9e5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -68,16 +68,4 @@ variable "efs_port" { type = number description = "EFS Access Port" default = 2049 -} - -variable "splunk_project_name" { - type = string - description = "Splunk Project Name" - default = "answerking-splunk-instance" -} - -variable "splunk_project_owner" { - type = string - description = "Splunk Resource Owner" - default = "answerking" } \ No newline at end of file From 05b9eb8b90afdbf25e2755824f9b27aa1a75fcda Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Mon, 20 Mar 2023 13:51:00 +0000 Subject: [PATCH 06/34] Added checkov skip comments to avoid the unneeded analysis errors --- terraform/splunk/.terraform.tfstate.lock.info | 1 - terraform/splunk/splunk.tf | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) delete mode 100644 terraform/splunk/.terraform.tfstate.lock.info 
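Review bot: `terraform/splunk/.terraform.tfstate.lock.info` is Terraform's transient state-lock file and should never be committed; its presence also shows this stack is being applied against a local state file, and the JSON records the operator's user and host in `Who`. Deleting the file later (as a subsequent commit in this series does) does not remove that value from git history. Add `.terraform*` and `*.tfstate*` to `.gitignore` so the file cannot come back, and move the stack to a remote backend with locking before more people apply it.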
diff --git a/terraform/splunk/.terraform.tfstate.lock.info b/terraform/splunk/.terraform.tfstate.lock.info deleted file mode 100644 index 0597618c..00000000 --- a/terraform/splunk/.terraform.tfstate.lock.info +++ /dev/null @@ -1 +0,0 @@ -{"ID":"c013723a-b354-0812-330c-384ee436fbf8","Operation":"OperationTypeApply","Info":"","Who":"cstlouis@ANS-A855","Version":"1.3.9","Created":"2023-03-17T16:56:56.343131519Z","Path":"terraform.tfstate"} \ No newline at end of file diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index c11b76b0..b2f7443a 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -16,6 +16,8 @@ data "aws_ami" "amazon_linux_2" { } resource "aws_security_group" "ec2_sg" { + #checkov:skip=CKV_AWS_260:Allowing ingress from 0.0.0.0 for public HTTP(S) access + #checkov:skip=CKV2_AWS_5 name = "${var.splunk_project_name}-ec2_sg" description = "Security group for ec2_sg" vpc_id = module.splunk_vpc_subnet.vpc_id From 5d3154df205c61988a1e01021b02ed45fe18bacb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 Mar 2023 10:11:37 +0000 Subject: [PATCH 07/34] Bump Microsoft.AspNetCore.Mvc.Testing from 7.0.3 to 7.0.4 (#125) * Bump Microsoft.AspNetCore.Mvc.Testing from 7.0.3 to 7.0.4 Bumps [Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/aspnetcore) from 7.0.3 to 7.0.4. - [Release notes](https://github.com/dotnet/aspnetcore/releases) - [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md) - [Commits](https://github.com/dotnet/aspnetcore/compare/v7.0.3...v7.0.4) --- updated-dependencies: - dependency-name: Microsoft.AspNetCore.Mvc.Testing dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * chore(deps): update packages.lock.json --------- 
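Review bot: The second suppression, `#checkov:skip=CKV2_AWS_5`, carries no justification text, unlike the `CKV_AWS_260` skip above it; a checkov skip should always state why so the next reader can tell an accepted risk from a forgotten one, e.g. `#checkov:skip=CKV2_AWS_5:Attached to the instance through module.ec2_instance_setup vpc_security_group_ids`. The first justification records that ingress from `0.0.0.0/0` on 80 and 443 is intentional for public HTTP(S); for a Splunk web UI it is worth also recording who accepted that exposure and on what conditions (TLS in front, non-default admin password), so the skip can be revisited when those conditions change.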
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../Answer.King.Api.IntegrationTests.csproj | 2 +- .../packages.lock.json | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj b/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj index fd5be44c..abcf3e4b 100644 --- a/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj +++ b/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj @@ -11,7 +11,7 @@ - + diff --git a/tests/Answer.King.Api.IntegrationTests/packages.lock.json b/tests/Answer.King.Api.IntegrationTests/packages.lock.json index db125bdc..60425ce9 100644 --- a/tests/Answer.King.Api.IntegrationTests/packages.lock.json +++ b/tests/Answer.King.Api.IntegrationTests/packages.lock.json @@ -21,11 +21,11 @@ }, "Microsoft.AspNetCore.Mvc.Testing": { "type": "Direct", - "requested": "[7.0.3, )", - "resolved": "7.0.3", - "contentHash": "uK3h+RhJHRDt+HEOty3LMDVJAWKucjpAdm2RKQR7QYQVAtRB9b3+Jl+9wGxlrqW5Den7Ut9RJlA+aO4nPceieQ==", + "requested": "[7.0.4, )", + "resolved": "7.0.4", + "contentHash": "Tb/CV2tvY8XlXZVD4SkV5++DoeHCuQwWlIQafgWeR2L1298PkNRF/DJhLdx+M2zXrKRAcMHZSrXXU0lBTaSEpg==", "dependencies": { - "Microsoft.AspNetCore.TestHost": "7.0.3", + "Microsoft.AspNetCore.TestHost": "7.0.4", "Microsoft.Extensions.DependencyModel": "7.0.0", "Microsoft.Extensions.Hosting": "7.0.1" } @@ -205,8 +205,8 @@ }, "Microsoft.AspNetCore.TestHost": { "type": "Transitive", - "resolved": "7.0.3", - "contentHash": "wS+gBqK8O6ASpGjEoRdxKR4qb/Hqt+RumM1bMfKxkjYpsBl4UMh8ClmXzU42omn3sWCpPqxZIBSIO3F4zEYPzQ==", + "resolved": "7.0.4", + "contentHash": "vL8iDF1I2EJ7PNEPcPuob+Z0FYYb0Fx/bRsxm1N/9Zy5F/UfsHnYdzI5Jurvsfzc6ceofvo5q0jbwrb4oHBLMg==", "dependencies": { "System.IO.Pipelines": "7.0.0" } 
From fe16d305d96df6a8b5cc6e51995eae05c52a7230 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 Mar 2023 10:34:47 +0000 Subject: [PATCH 08/34] Bump Alba from 7.3.0 to 7.4.0 (#126) * Bump Alba from 7.3.0 to 7.4.0 Bumps [Alba](https://github.com/JasperFx/alba) from 7.3.0 to 7.4.0. - [Release notes](https://github.com/JasperFx/alba/releases) - [Commits](https://github.com/JasperFx/alba/compare/v7.3.0...v7.4.0) --- updated-dependencies: - dependency-name: Alba dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * chore(deps): update packages.lock.json --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../Answer.King.Api.IntegrationTests.csproj | 2 +- tests/Answer.King.Api.IntegrationTests/packages.lock.json | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj b/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj index abcf3e4b..2612c298 100644 --- a/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj +++ b/tests/Answer.King.Api.IntegrationTests/Answer.King.Api.IntegrationTests.csproj @@ -10,7 +10,7 @@ - + diff --git a/tests/Answer.King.Api.IntegrationTests/packages.lock.json b/tests/Answer.King.Api.IntegrationTests/packages.lock.json index 60425ce9..07ec1c1c 100644 --- a/tests/Answer.King.Api.IntegrationTests/packages.lock.json +++ b/tests/Answer.King.Api.IntegrationTests/packages.lock.json 
@@ -4,9 +4,9 @@ "net7.0": { "Alba": { "type": "Direct", - "requested": "[7.3.0, )", - "resolved": "7.3.0", - "contentHash": "eO3xOfP9kzF+ZENdy+GZ3Xi7T+aqQkyNmm9fCNxFIFvXeAyPOheSVcGeUG3IpUZjVls9H1rzRfO6KZ0YjgUghQ==", + "requested": "[7.4.0, )", + "resolved": "7.4.0", + "contentHash": "t4xWNcAKTSgiF/6DqNMX5htqwyvAkFDIkm14v2mWnyPBjYgM3n66roQNv5kn2bN442NvRWvXO4iAg0trEqIX2g==", "dependencies": { "IdentityModel": "6.0.0", "Microsoft.AspNetCore.Authentication.JwtBearer": "7.0.0", From 0559494e11f3024383d8cbac3bc9e19fc3ae0f8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 Mar 2023 10:41:27 +0000 Subject: [PATCH 09/34] Bump AWSSDK.CloudWatchLogs from 3.7.104.33 to 3.7.104.40 (#128) * Bump AWSSDK.CloudWatchLogs from 3.7.104.33 to 3.7.104.40 Bumps [AWSSDK.CloudWatchLogs](https://github.com/aws/aws-sdk-net) from 3.7.104.33 to 3.7.104.40. - [Release notes](https://github.com/aws/aws-sdk-net/releases) - [Commits](https://github.com/aws/aws-sdk-net/commits) --- updated-dependencies: - dependency-name: AWSSDK.CloudWatchLogs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * chore(deps): update packages.lock.json --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/Answer.King.Api/Answer.King.Api.csproj | 2 +- src/Answer.King.Api/packages.lock.json | 12 ++++++------ .../packages.lock.json | 12 ++++++------ tests/Answer.King.Api.UnitTests/packages.lock.json | 12 ++++++------ 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/Answer.King.Api/Answer.King.Api.csproj b/src/Answer.King.Api/Answer.King.Api.csproj index 47eab26e..eaf9a5ef 100644 --- a/src/Answer.King.Api/Answer.King.Api.csproj +++ b/src/Answer.King.Api/Answer.King.Api.csproj @@ -18,7 +18,7 @@ - + 
diff --git a/src/Answer.King.Api/packages.lock.json b/src/Answer.King.Api/packages.lock.json index 24663581..9a7143f6 100644 --- a/src/Answer.King.Api/packages.lock.json +++ b/src/Answer.King.Api/packages.lock.json @@ -27,11 +27,11 @@ }, "AWSSDK.CloudWatchLogs": { "type": "Direct", - "requested": "[3.7.104.33, )", - "resolved": "3.7.104.33", - "contentHash": "IkG8APzfnH54VfIC8qUwDuuotsOd8kJ4FlXuUspzr9JA6V1QkXTiNHvEfooNnMP5UlFMKLMea1lZbDs8zBDDTw==", + "requested": "[3.7.104.40, )", + "resolved": "3.7.104.40", + "contentHash": "KDl4kHFiTkjGwtU31dgUbhS/ouYRHk/qftZZs+SR3rnR4lQFduvRYN/zWUUppti6MC1XT6uA7JTbE7UzEqjrkQ==", "dependencies": { - "AWSSDK.Core": "[3.7.105.19, 4.0.0)" + "AWSSDK.Core": "[3.7.106.4, 4.0.0)" } }, "AWSSDK.Extensions.NETCore.Setup": { @@ -211,8 +211,8 @@ }, "AWSSDK.Core": { "type": "Transitive", - "resolved": "3.7.105.19", - "contentHash": "RHSJu4gmQMvqGdxcNVNWglueXGFma+d6n3MUvWsMieosLbWvFq3TzCkeNF0Zmf69iUxNTHTWv+zoYNsFygZk+g==" + "resolved": "3.7.106.4", + "contentHash": "U+U7j0k5NxXXjjD9yxsVN5MjRpYlTSMyaDjLqwJaaeoFhycdkJ81t3Baret6VBwIGMmYpjAerk79vLAhvwU5Wg==" }, "FluentValidation": { "type": "Transitive", diff --git a/tests/Answer.King.Api.IntegrationTests/packages.lock.json b/tests/Answer.King.Api.IntegrationTests/packages.lock.json index 07ec1c1c..159eee91 100644 --- a/tests/Answer.King.Api.IntegrationTests/packages.lock.json +++ b/tests/Answer.King.Api.IntegrationTests/packages.lock.json 
@@ -126,16 +126,16 @@ }, "AWSSDK.CloudWatchLogs": { "type": "Transitive", - "resolved": "3.7.104.33", - "contentHash": "IkG8APzfnH54VfIC8qUwDuuotsOd8kJ4FlXuUspzr9JA6V1QkXTiNHvEfooNnMP5UlFMKLMea1lZbDs8zBDDTw==", + "resolved": "3.7.104.40", + "contentHash": "KDl4kHFiTkjGwtU31dgUbhS/ouYRHk/qftZZs+SR3rnR4lQFduvRYN/zWUUppti6MC1XT6uA7JTbE7UzEqjrkQ==", "dependencies": { - "AWSSDK.Core": "[3.7.105.19, 4.0.0)" + "AWSSDK.Core": "[3.7.106.4, 4.0.0)" } }, "AWSSDK.Core": { "type": "Transitive", - "resolved": "3.7.105.19", - "contentHash": "RHSJu4gmQMvqGdxcNVNWglueXGFma+d6n3MUvWsMieosLbWvFq3TzCkeNF0Zmf69iUxNTHTWv+zoYNsFygZk+g==" + "resolved": "3.7.106.4", + "contentHash": "U+U7j0k5NxXXjjD9yxsVN5MjRpYlTSMyaDjLqwJaaeoFhycdkJ81t3Baret6VBwIGMmYpjAerk79vLAhvwU5Wg==" }, "AWSSDK.Extensions.NETCore.Setup": { "type": "Transitive", @@ -1760,7 +1760,7 @@ "dependencies": { "AWS.Logger.AspNetCore": "[3.3.0, )", "AWS.Logger.SeriLog": "[3.2.0, )", - "AWSSDK.CloudWatchLogs": "[3.7.104.33, )", + "AWSSDK.CloudWatchLogs": "[3.7.104.40, )", "AWSSDK.Extensions.NETCore.Setup": "[3.7.5, )", "Answer.King.Domain": "[1.0.0, )", "Answer.King.Infrastructure": "[1.0.0, )", diff --git a/tests/Answer.King.Api.UnitTests/packages.lock.json b/tests/Answer.King.Api.UnitTests/packages.lock.json index af7a3273..f28810ba 100644 --- a/tests/Answer.King.Api.UnitTests/packages.lock.json +++ b/tests/Answer.King.Api.UnitTests/packages.lock.json 
@@ -84,16 +84,16 @@ }, "AWSSDK.CloudWatchLogs": { "type": "Transitive", - "resolved": "3.7.104.33", - "contentHash": "IkG8APzfnH54VfIC8qUwDuuotsOd8kJ4FlXuUspzr9JA6V1QkXTiNHvEfooNnMP5UlFMKLMea1lZbDs8zBDDTw==", + "resolved": "3.7.104.40", + "contentHash": "KDl4kHFiTkjGwtU31dgUbhS/ouYRHk/qftZZs+SR3rnR4lQFduvRYN/zWUUppti6MC1XT6uA7JTbE7UzEqjrkQ==", "dependencies": { - "AWSSDK.Core": "[3.7.105.19, 4.0.0)" + "AWSSDK.Core": "[3.7.106.4, 4.0.0)" } }, "AWSSDK.Core": { "type": "Transitive", - "resolved": "3.7.105.19", - "contentHash": "RHSJu4gmQMvqGdxcNVNWglueXGFma+d6n3MUvWsMieosLbWvFq3TzCkeNF0Zmf69iUxNTHTWv+zoYNsFygZk+g==" + "resolved": "3.7.106.4", + "contentHash": "U+U7j0k5NxXXjjD9yxsVN5MjRpYlTSMyaDjLqwJaaeoFhycdkJ81t3Baret6VBwIGMmYpjAerk79vLAhvwU5Wg==" }, "AWSSDK.Extensions.NETCore.Setup": { "type": "Transitive", @@ -1449,7 +1449,7 @@ "dependencies": { "AWS.Logger.AspNetCore": "[3.3.0, )", "AWS.Logger.SeriLog": "[3.2.0, )", - "AWSSDK.CloudWatchLogs": "[3.7.104.33, )", + "AWSSDK.CloudWatchLogs": "[3.7.104.40, )", "AWSSDK.Extensions.NETCore.Setup": "[3.7.5, )", "Answer.King.Domain": "[1.0.0, )", "Answer.King.Infrastructure": "[1.0.0, )", From 43919997e4efe91920c503baa95d6967d6bdad36 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Fri, 24 Mar 2023 13:56:15 +0000 Subject: [PATCH 10/34] successfully applied however, broke current splunk instance --- terraform/splunk/splunk-providers.tf | 5 + terraform/splunk/splunk-variables.tf | 6 + terraform/splunk/splunk.tf | 159 ++++++++++++++++++++++++--- 3 files changed, 155 insertions(+), 15 deletions(-) create mode 100644 terraform/splunk/splunk-providers.tf diff --git a/terraform/splunk/splunk-providers.tf b/terraform/splunk/splunk-providers.tf new file mode 100644 index 00000000..f38e2d2d --- /dev/null +++ b/terraform/splunk/splunk-providers.tf @@ -0,0 +1,5 @@ +#aws provider here +provider "aws" { + region = "eu-west-2" + skip_credentials_validation = true +} \ No newline at end of file 
diff --git a/terraform/splunk/splunk-variables.tf b/terraform/splunk/splunk-variables.tf index 33754932..0cef5459 100644 --- a/terraform/splunk/splunk-variables.tf +++ b/terraform/splunk/splunk-variables.tf @@ -8,4 +8,10 @@ variable "splunk_project_owner" { type = string description = "Splunk Resource Owner" default = "answerking" +} + +variable "splunk_domain_name" { + type = string + description = "Splunk Domain Name" + default = "splunk.answerking.co.uk" } \ No newline at end of file diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index b2f7443a..cf2ae1e2 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -18,29 +18,24 @@ data "aws_ami" "amazon_linux_2" { resource "aws_security_group" "ec2_sg" { #checkov:skip=CKV_AWS_260:Allowing ingress from 0.0.0.0 for public HTTP(S) access #checkov:skip=CKV2_AWS_5 - name = "${var.splunk_project_name}-ec2_sg" + name = "${var.splunk_project_name}-ec2-sg" description = "Security group for ec2_sg" vpc_id = module.splunk_vpc_subnet.vpc_id ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + security_groups = [aws_security_group.lb_sg.id] + description = "Application Load Balancer" } - egress { + egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] + description = "All traffic" } tags = { @@ -57,7 +52,7 @@ module "ec2_instance_setup" { availability_zone = "eu-west-2a" subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] vpc_security_group_ids = [aws_security_group.ec2_sg.id] - needs_elastic_ip = true + needs_elastic_ip = false #true user_data = < Date: Mon, 27 Mar 2023 10:13:19 +0100 Subject: [PATCH 11/34] updated route 53 record code --- terraform/splunk/splunk.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
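Review bot: The two `#checkov:skip` comments at the top of `ec2_sg` are now stale: the `CKV_AWS_260` justification says ingress from `0.0.0.0/0` is allowed for public HTTP(S), but this hunk removes both public ingress rules and replaces them with a single all-protocol rule sourced from `aws_security_group.lb_sg`. Drop that skip (or rewrite its text) so the suppression does not outlive the risk it documented, and consider narrowing the load-balancer rule from `protocol = "-1"` to the TCP port the Splunk container actually publishes. `lb_sg` is defined outside this hunk, so how wide its own ingress is cannot be checked here.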
diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index cf2ae1e2..3b1f2c54 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -72,16 +72,16 @@ EOF # route 53 resource "aws_route53_record" "splunk" { - zone_id = aws_route53_zone.hosted_zone.zone_id - name = var.splunk_domain_name + zone_id = "Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id + name = var.splunk_domain_name #"answerking.co.uk" type = "A" ttl = 300 records = [module.ec2_instance_setup.instance_public_ip_address] #[aws_lb.lb.dns_name] } -resource "aws_route53_zone" "hosted_zone" { - name = var.splunk_domain_name -} +#resource "aws_route53_zone" "hosted_zone" { +# name = var.splunk_domain_name +#} # Elastic IP From 1b0f2bffa86dd51bf4ea782c609e249241e8f951 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Tue, 28 Mar 2023 11:41:17 +0100 Subject: [PATCH 12/34] subnet mapping now configured for one subnet --- terraform/splunk/splunk.tf | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 3b1f2c54..50078b4e 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -88,10 +88,9 @@ resource "aws_route53_record" "splunk" { resource "aws_eip" "lb_eip" { #checkov:skip=CKV2_AWS_19:IP is being used for load balancer vpc = true - count = "2" tags = { - Name = "${var.splunk_project_name}-eip-${count.index}" + Name = "${var.splunk_project_name}-eip" Owner = var.splunk_project_owner } } 
@@ -142,14 +141,22 @@ resource "aws_lb" "lb" { load_balancer_type = "network" ip_address_type = "ipv4" - dynamic "subnet_mapping" { - for_each = module.splunk_vpc_subnet.public_subnet_ids - content { - subnet_id = "${subnet_mapping.value}" - allocation_id = "${aws_eip.lb_eip[subnet_mapping.key].id}" - } + subnet_mapping { + subnet_id = "${module.splunk_vpc_subnet.public_subnet_ids[0]}" + allocation_id = "${aws_eip.lb_eip.id}" } + #subnet_id = module.splunk_vpc_subnet.value + #allocation_id = aws_eip.lb_eip[module.splunk_vpc_subnet.key].id + + #dynamic "subnet_mapping" { + # for_each = module.splunk_vpc_subnet.public_subnet_ids + # content { + # subnet_id = "${subnet_mapping.value}" + # allocation_id = "${aws_eip.lb_eip[subnet_mapping.key].id}" + # } + #} + tags = { Name = "${var.splunk_project_name}-lb" } From 5f423d66bd30d7ad691853eee5f3d5808ee7ed99 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Tue, 28 Mar 2023 11:41:41 +0100 Subject: [PATCH 13/34] Added S3 bucket for splunk --- terraform/splunk/backend.tf | 49 +++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 terraform/splunk/backend.tf diff --git a/terraform/splunk/backend.tf b/terraform/splunk/backend.tf new file mode 100644 index 00000000..4515c201 --- /dev/null +++ b/terraform/splunk/backend.tf 
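Review bot: The replaced `dynamic "subnet_mapping"` block is kept as a commented-out copy after the new block, together with two stray `#subnet_id`/`#allocation_id` lines; commented-out code inside a resource is noise that git history already preserves, so delete it. The new block also uses interpolation-only strings, which Terraform has flagged as deprecated since 0.12 and which `terraform fmt` will keep rewriting; write `subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0]` and `allocation_id = aws_eip.lb_eip.id`. Since the mapping now covers a single subnet, a one-line comment saying the NLB is deliberately single-AZ would save the next reader from re-asking why the dynamic block went away.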
@@ -0,0 +1,49 @@ +#terraform { +# backend "s3" { +# bucket = "answerking-splunk-terraform" +# key = "answerking-splunk-terraform.tfstate" +# region = "eu-west-2" +# dynamodb_table = "answerking-splunk-terraform-state" +# } +#} + +resource "aws_s3_bucket" "terraform_backend_bucket" { + bucket = "answerking-splunk-terraform" + + tags = { + Name = "answerking-splunk-terraform" + } +} + +resource "aws_s3_bucket_acl" "terraform_backend_bucket_acl" { + bucket = aws_s3_bucket.terraform_backend_bucket.id + acl = "private" +} + +resource "aws_s3_bucket_public_access_block" "terraform_backend_bucket_public_access_block" { + bucket = aws_s3_bucket.terraform_backend_bucket.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +resource "aws_s3_bucket_versioning" "terraform_backend_bucket_versioning" { + bucket = aws_s3_bucket.terraform_backend_bucket.id + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_dynamodb_table" "terraform_backend_state" { + name = "answerking-splunk-terraform-state" + read_capacity = 20 + write_capacity = 20 + hash_key = "LockID" + + attribute { + name = "LockID" + type = "S" + } +} \ No newline at end of file From 1cf066e5492eaa7f72a02ac0a6485550173ba524 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Tue, 28 Mar 2023 17:06:38 +0100 Subject: [PATCH 14/34] Added back certificate and reference. Ammended properties pointed out in PR review --- terraform/splunk/splunk.tf | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 50078b4e..77f57589 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -3,6 +3,8 @@ module "splunk_vpc_subnet" { owner = var.splunk_project_owner project_name = var.splunk_project_name azs = ["eu-west-2a"] + num_public_subnets = 1 + num_private_subnets = 0 } data "aws_ami" "amazon_linux_2" { 
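Review bot: The bucket intended to hold Terraform state has no server-side encryption configuration, yet state contains every attribute Terraform knows about, including whatever ends up in `user_data`; add a default SSE rule (SSE-KMS with a dedicated key, or at least AES256) before the backend is pointed at it. The `backend "s3"` block is commented out, so this commit still applies with local state and the bucket and table would have to be created by a first apply and then wired in; record that bootstrap order in the comment. The lock table is provisioned at 20/20 capacity, far above what a lock table uses, so `billing_mode = "PAY_PER_REQUEST"` is the usual choice, and enabling `point_in_time_recovery` on it is cheap insurance.
```hcl
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_backend_bucket_sse" {
  bucket = aws_s3_bucket.terraform_backend_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # or "aws:kms" with a dedicated kms_master_key_id
    }
  }
}

# … unchanged: aws_s3_bucket, aws_s3_bucket_acl, aws_s3_bucket_public_access_block, aws_s3_bucket_versioning …

resource "aws_dynamodb_table" "terraform_backend_state" {
  name         = "answerking-splunk-terraform-state"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }
}
```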
@@ -166,7 +168,7 @@ resource "aws_lb_target_group" "target_group" { name = "${var.splunk_project_name}-lb-tg" port = 443 protocol = "TCP" - target_type = "alb" + target_type = "ip" vpc_id = module.splunk_vpc_subnet.vpc_id tags = { @@ -179,14 +181,14 @@ resource "aws_lb_target_group" "target_group" { } } -#resource "aws_acm_certificate" "cert" { -# domain_name = var.splunk_domain_name -# validation_method = "DNS" -# -# lifecycle { -# create_before_destroy = true -# } -#} +resource "aws_acm_certificate" "cert" { + domain_name = var.splunk_domain_name + validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } +} resource "aws_lb_listener" "lb_listener" { load_balancer_arn = aws_lb.lb.id @@ -201,8 +203,10 @@ resource "aws_lb_listener" "lb_listener" { resource "aws_lb_listener" "lb_listener_443" { load_balancer_arn = aws_lb.lb.id + certificate_arn = aws_acm_certificate.cert.arn port = "443" - protocol = "TCP" + protocol = "TLS" + alpn_policy = "HTTP2Preferred" default_action { type = "forward" From da1b1047a774cc63ca60dc559bf2f8dfe3a542be Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Fri, 31 Mar 2023 14:55:27 +0100 Subject: [PATCH 15/34] Added 8000 to ec2 sg. Added certificate validation --- .../splunk/{backend.tf => splunk-backend.tf} | 23 ++++--- terraform/splunk/splunk.tf | 64 ++++++++++++++----- 2 files changed, 62 insertions(+), 25 deletions(-) rename terraform/splunk/{backend.tf => splunk-backend.tf} (79%) diff --git a/terraform/splunk/backend.tf b/terraform/splunk/splunk-backend.tf similarity index 79% rename from terraform/splunk/backend.tf rename to terraform/splunk/splunk-backend.tf index 4515c201..be83146c 100644 --- a/terraform/splunk/backend.tf +++ b/terraform/splunk/splunk-backend.tf 
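Review bot: `aws_lb_listener.lb_listener_443` now references `aws_acm_certificate.cert.arn` directly, but a DNS-validated certificate is only issued once its validation CNAME exists, and nothing in this hunk creates that record or waits on it, so the listener will be applied against a pending certificate and fail. Create the validation record from `aws_acm_certificate.cert.domain_validation_options`, add an `aws_acm_certificate_validation` that lists its fqdn, and point the listener at the validation resource's `certificate_arn` so Terraform orders the three steps. Changing `target_type` to `"ip"` also changes which source address the instance sees from the NLB — on a TLS listener this is likely the NLB's private address rather than the client's, which should be confirmed against the target group settings — and that matters for the instance security group's ingress rule outside this hunk.
```hcl
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = "<hosted-zone-id>" # same zone as aws_route53_record.splunk
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

resource "aws_lb_listener" "lb_listener_443" {
  load_balancer_arn = aws_lb.lb.id
  certificate_arn   = aws_acm_certificate_validation.cert.certificate_arn
  # … unchanged: port, protocol, alpn_policy, default_action …
```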
@@ -1,12 +1,14 @@ -#terraform { -# backend "s3" { -# bucket = "answerking-splunk-terraform" -# key = "answerking-splunk-terraform.tfstate" -# region = "eu-west-2" -# dynamodb_table = "answerking-splunk-terraform-state" -# } -#} - +/* +terraform { + backend "s3" { + bucket = "answerking-splunk-terraform" + key = "answerking-splunk-terraform.tfstate" + region = "eu-west-2" + dynamodb_table = "answerking-splunk-terraform-state" + } +} +*/ +/* resource "aws_s3_bucket" "terraform_backend_bucket" { bucket = "answerking-splunk-terraform" @@ -46,4 +48,5 @@ resource "aws_dynamodb_table" "terraform_backend_state" { name = "LockID" type = "S" } -} \ No newline at end of file +} +*/ \ No newline at end of file diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 77f57589..c1d35234 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -40,6 +40,14 @@ resource "aws_security_group" "ec2_sg" { description = "All traffic" } + ingress { + from_port = 8000 + to_port = 8000 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + description = "HTTPS" + } + tags = { Name = "${var.splunk_project_name}-ec2-sg" Owner = var.splunk_project_owner 
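Review bot: Commenting out `aws_s3_bucket.terraform_backend_bucket`, its ACL/public-access-block/versioning and `aws_dynamodb_table.terraform_backend_state` in the same commit that enables the `backend "s3"` block will, if those resources were applied from the previous local state, make the next plan try to destroy the very bucket and lock table the backend now depends on (the versioned bucket will refuse to delete; the table will not). The usual pattern is to keep the bootstrap resources in their own root module or `terraform state rm` them before switching; either way the intent should be recorded above the `/*` block, e.g. `# bootstrap resources: created once from local state, now managed out of band`. Whether they had been applied is not visible in the diff.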
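Review bot: The new `ingress` rule in `ec2_sg` opens port 8000 to `0.0.0.0/0` on the instance itself, and its `description = "HTTPS"` is misleading: 8000 is Splunk Web served over plain HTTP by the container, so this rule exposes the login page unencrypted and lets clients bypass the TLS listener on the load balancer entirely. Restrict the rule to the load balancer by replacing `cidr_blocks` with `security_groups = [aws_security_group.lb_sg.id]` and describe it as `"Splunk Web from load balancer"`. The enclosing `ec2_sg` resource starts before the hunk.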
@@ -67,24 +75,55 @@ sudo systemctl enable docker.service sudo systemctl start docker.service sudo docker pull splunk/splunk:latest -sudo docker run -d -p 80:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest +sudo docker run -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest EOF } # route 53 resource "aws_route53_record" "splunk" { - zone_id = "Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id + zone_id = "Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id #"Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id name = var.splunk_domain_name #"answerking.co.uk" type = "A" ttl = 300 - records = [module.ec2_instance_setup.instance_public_ip_address] #[aws_lb.lb.dns_name] + records = [aws_eip.lb_eip.public_ip]#[module.ec2_instance_setup.instance_public_ip_address] #[aws_lb.lb.dns_name] } +#resource "aws_route53_record" "splunk" { +# for_each = { +# for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { +# name = dvo.resource_record_name +# record = dvo.resource_record_value +# type = dvo.resource_record_type +# } +# } + +# allow_overwrite = true +# name = each.value.name +# records = [each.value.record] +# ttl = 60 +# type = each.value.type +# zone_id = "Z0072706JT6B6N2J7Z9H" +#} + #resource "aws_route53_zone" "hosted_zone" { -# name = var.splunk_domain_name +# name = "answerking.co.uk" #var.splunk_domain_name #} +resource "aws_acm_certificate" "cert" { + domain_name = var.splunk_domain_name + validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_acm_certificate_validation" "validate" { + certificate_arn = aws_acm_certificate.cert.arn + #validation_record_fqdns = [for record in aws_route53_record.splunk : record.fqdn] #[aws_route53_record.splunk.fqdn] +} + # Elastic IP resource "aws_eip" "lb_eip" { 
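Review bot: `aws_acm_certificate_validation.validate` is added with `validation_record_fqdns` commented out, and the `for_each` record block that would publish the ACM CNAMEs is commented out too, so nothing creates the DNS validation records and the validation resource will poll until its timeout while the certificate stays PENDING_VALIDATION. Uncomment the validation `aws_route53_record` under a distinct name (`splunk` is already taken by the A record), for example `cert_validation`, and reference it: `validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]`. The hosted zone ID is hard-coded in both record blocks; the `data.aws_route53_zone.hosted_zone` lookup named in the trailing comments would remove the literal. `SPLUNK_PASSWORD={password}` in the `docker run` line is still a placeholder, and what substitutes it is not visible here.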
@@ -166,7 +205,7 @@ resource "aws_lb" "lb" { resource "aws_lb_target_group" "target_group" { name = "${var.splunk_project_name}-lb-tg" - port = 443 + port = 8000 #443 protocol = "TCP" target_type = "ip" vpc_id = module.splunk_vpc_subnet.vpc_id @@ -181,15 +220,6 @@ resource "aws_lb_target_group" "target_group" { } } -resource "aws_acm_certificate" "cert" { - domain_name = var.splunk_domain_name - validation_method = "DNS" - - lifecycle { - create_before_destroy = true - } -} - resource "aws_lb_listener" "lb_listener" { load_balancer_arn = aws_lb.lb.id port = "80" @@ -203,7 +233,7 @@ resource "aws_lb_listener" "lb_listener" { resource "aws_lb_listener" "lb_listener_443" { load_balancer_arn = aws_lb.lb.id - certificate_arn = aws_acm_certificate.cert.arn + certificate_arn = aws_acm_certificate_validation.validate.certificate_arn #aws_acm_certificate.cert.arn port = "443" protocol = "TLS" alpn_policy = "HTTP2Preferred" @@ -212,4 +242,8 @@ resource "aws_lb_listener" "lb_listener_443" { type = "forward" target_group_arn = aws_lb_target_group.target_group.id } + + #depends_on = [ + # aws_acm_certificate.cert + #] } From 326b58b41aeb91c0538cd28e9b270a9694e0666c Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Fri, 31 Mar 2023 17:01:08 +0100 Subject: [PATCH 16/34] added eip sg to ec2 setup --- terraform/splunk/splunk.tf | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index c1d35234..07e503ab 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf 
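Review bot: With `port = 8000` on `target_group` the TLS listener now terminates TLS at the NLB and forwards to Splunk Web in the clear; that is acceptable only if 8000 on the instance is reachable solely from the load balancer, which the `0.0.0.0/0` rule added to `ec2_sg` in this same commit does not guarantee. A comment on the target group should make the assumption explicit, e.g. `# TLS terminates at the NLB; port 8000 must stay LB-only in ec2_sg`. Taking `certificate_arn` from `aws_acm_certificate_validation.validate` is the right dependency, so the commented-out `depends_on` block can simply be deleted rather than left as dead config.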
@@ -61,7 +61,8 @@ module "ec2_instance_setup" { ami_id = data.aws_ami.amazon_linux_2.id availability_zone = "eu-west-2a" subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] - vpc_security_group_ids = [aws_security_group.ec2_sg.id] + #vpc_security_group_ids = [aws_security_group.ec2_sg.id] + vpc_security_group_ids = [aws_security_group.lb_sg.id] needs_elastic_ip = false #true user_data = < Date: Sun, 2 Apr 2023 13:10:35 +0100 Subject: [PATCH 17/34] Fixed s3 backend --- terraform/splunk/splunk-backend.tf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/terraform/splunk/splunk-backend.tf b/terraform/splunk/splunk-backend.tf index be83146c..f1112a21 100644 --- a/terraform/splunk/splunk-backend.tf +++ b/terraform/splunk/splunk-backend.tf @@ -1,4 +1,3 @@ -/* terraform { backend "s3" { bucket = "answerking-splunk-terraform" @@ -7,8 +6,7 @@ terraform { dynamodb_table = "answerking-splunk-terraform-state" } } -*/ -/* + resource "aws_s3_bucket" "terraform_backend_bucket" { bucket = "answerking-splunk-terraform" @@ -48,5 +46,4 @@ resource "aws_dynamodb_table" "terraform_backend_state" { name = "LockID" type = "S" } -} -*/ \ No newline at end of file +} \ No newline at end of file From 06ff32e003a8d0c53f1bbd3051079d262ed98e18 Mon Sep 17 00:00:00 2001 From: Beth Cryer Date: Mon, 3 Apr 2023 01:14:17 +0100 Subject: [PATCH 18/34] switched to ALB, still not workin :( --- terraform/splunk/ec2/main.tf | 92 ++++++++++++ terraform/splunk/ec2/output.tf | 9 ++ terraform/splunk/ec2/variables.tf | 65 +++++++++ terraform/splunk/splunk-backend.tf | 4 +- terraform/splunk/splunk-variables.tf | 26 ++-- terraform/splunk/splunk.tf | 203 +++++++++++---------------- 6 files changed, 265 insertions(+), 134 deletions(-) create mode 100644 terraform/splunk/ec2/main.tf create mode 100644 terraform/splunk/ec2/output.tf create mode 100644 terraform/splunk/ec2/variables.tf 
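Review bot: Uncommenting the bucket and lock-table resources next to the enabled `backend "s3"` block in splunk-backend.tf leaves a bootstrap ordering problem: `terraform init` must reach `answerking-splunk-terraform` and `answerking-splunk-terraform-state` before any resource in this root can be applied, so a fresh checkout cannot create them. Either keep these resources in a separate bootstrap root with local state, or document the manual first step above the `terraform {` block, e.g. `# Backend bucket/table must exist before init; see bootstrap instructions`.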
diff --git a/terraform/splunk/ec2/main.tf b/terraform/splunk/ec2/main.tf new file mode 100644 index 00000000..8789ef78 --- /dev/null +++ b/terraform/splunk/ec2/main.tf 
@@ -0,0 +1,92 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + tls = { + source = "hashicorp/tls" + version = ">= 4.0.4" + } + } +} + +resource "aws_iam_instance_profile" "instance_profile" { + name = "${var.project_name}-ec2-monitoring-and-setup" + role = aws_iam_role.instance_role.name +} + +resource "aws_iam_role" "instance_role" { + name = "${var.project_name}-ec2-monitoring-and-setup" + assume_role_policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": ["sts:AssumeRole"], + "Effect": "Allow", + "Principal": { + "Service": ["ec2.amazonaws.com"] + } + } + ] + } + EOF +} + +resource "aws_iam_role_policy_attachment" "instance_role" { + for_each = toset([ + "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM", + "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy" + ]) + role = aws_iam_role.instance_role.name + policy_arn = each.value +} + +resource "tls_private_key" "private_key" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "aws_key_pair" "key_pair" { + key_name = "${var.project_name}-key-pair" + public_key = tls_private_key.private_key.public_key_openssh +} + +resource "aws_instance" "ec2" { + instance_type = var.ec2_instance_type + key_name = aws_key_pair.key_pair.key_name + ami = var.ami_id + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + root_block_device { + encrypted = true + } + + availability_zone = var.availability_zone + subnet_id = var.subnet_id + vpc_security_group_ids = var.vpc_security_group_ids + associate_public_ip_address = var.associate_public_ip_address + + iam_instance_profile = aws_iam_instance_profile.instance_profile.name + + user_data = var.user_data + user_data_replace_on_change = var.user_data_replace_on_change + + tags = { + Name = "${var.project_name}-ec2" + Owner = var.owner + } +} + +resource "aws_eip" "public_elastic_ip" { + count = var.needs_elastic_ip == true ? 
1 : 0 + + instance = aws_instance.ec2.id + vpc = true + + tags = { + Name = "${var.project_name}-public-elastic-ip" + Owner = var.owner + } +} \ No newline at end of file diff --git a/terraform/splunk/ec2/output.tf b/terraform/splunk/ec2/output.tf new file mode 100644 index 00000000..2e3f0082 --- /dev/null +++ b/terraform/splunk/ec2/output.tf @@ -0,0 +1,9 @@ +output "instance_public_ip_address" { + value = aws_instance.ec2.public_ip + description = "This outputs the public IP associated with the EC2 instance. Note that this ouput will be the same as the elastic IP if `needs_elastic_ip` is set to `true`. This output is of type `string`." +} + +output "ec2_id" { + value = aws_instance.ec2.id + description = "This outputs the ID of the EC2 instance." +} \ No newline at end of file diff --git a/terraform/splunk/ec2/variables.tf b/terraform/splunk/ec2/variables.tf new file mode 100644 index 00000000..100dea0f --- /dev/null +++ b/terraform/splunk/ec2/variables.tf 
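Review bot: `tls_private_key.private_key` generates the instance's RSA key inside Terraform, which means the private key is written in plaintext to the state file, and since no output exposes it the key pair is unusable except by reading state. With `AmazonEC2RoleforSSM` attached to `aws_iam_role.instance_role`, Session Manager already provides shell access, so the `tls_private_key`/`aws_key_pair` pair can be dropped (or the key generated out of band with only its public half passed in). `AmazonEC2RoleforSSM` is the legacy policy; `AmazonSSMManagedInstanceCore` is the one AWS now recommends for this purpose. The `metadata_options` with `http_tokens = "required"` and `root_block_device { encrypted = true }` are the right defaults and worth carrying over if this module is later replaced.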
@@ -0,0 +1,65 @@ +/* + MANDATORY VARIABLES +*/ +variable "project_name" { + type = string + description = "This is used to label the resources of the module." +} + +variable "owner" { + type = string + description = "This is used to specify the owner of the resources in this module." +} + +variable "ami_id" { + type = string + description = "This is the id of the ami image used for the ec2 instance." +} + +variable "availability_zone" { + type = string + description = "This is the availability zone you want the ec2 instance to be created in." +} + +variable "subnet_id" { + type = string + description = "This is the id of the subnet you want the ec2 instance to be created in." +} + +variable "vpc_security_group_ids" { + type = list(string) + description = "This is a list of ids that specifies the security groups you want your EC2 to be in. If you do not wish to specify a security group for your module then please set this value to an empty list" +} + +/* + OPTIONAL VARIABLES +*/ +variable "ec2_instance_type" { + type = string + default = "t2.micro" + description = "This is the type of EC2 instance you want." +} + +variable "associate_public_ip_address" { + type = bool + default = true + description = "This is a boolean value indicating if a public IP address should be associated with the EC2 instance." +} + +variable "user_data" { + type = string + default = "" + description = "This allows bash scripts and command line commands to be specified and run in the EC2 instance when launched. Do not pass gzip-compressed data via this argument." +} + +variable "needs_elastic_ip" { + type = bool + default = false + description = "This is a boolean value indicating whether an elastic IP should be generated and associated with the EC2 instance." +} + +variable "user_data_replace_on_change" { + type = bool + default = true + description = "This value indicates whether changes to the `user_data` value triggers a rebuild of the EC2 instance." +} \ No newline at end of file 
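Review bot: `associate_public_ip_address` defaults to `true`, so every caller that does not opt out gets an instance with a public address; for a module whose consumer sits behind a load balancer a safe-by-default value is `false`, with the description saying callers must opt in. The description for `vpc_security_group_ids` implies that an empty list leaves the instance without a security group, but an `aws_instance` created with none specified gets the VPC's default security group attached by AWS, so the sentence should say that instead.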
diff --git a/terraform/splunk/splunk-backend.tf b/terraform/splunk/splunk-backend.tf index f1112a21..4bafe80a 100644 --- a/terraform/splunk/splunk-backend.tf +++ b/terraform/splunk/splunk-backend.tf @@ -7,6 +7,7 @@ terraform { } } +/* resource "aws_s3_bucket" "terraform_backend_bucket" { bucket = "answerking-splunk-terraform" @@ -46,4 +47,5 @@ resource "aws_dynamodb_table" "terraform_backend_state" { name = "LockID" type = "S" } -} \ No newline at end of file +} +*/ \ No newline at end of file diff --git a/terraform/splunk/splunk-variables.tf b/terraform/splunk/splunk-variables.tf index 0cef5459..ff01be8d 100644 --- a/terraform/splunk/splunk-variables.tf +++ b/terraform/splunk/splunk-variables.tf @@ -1,17 +1,23 @@ variable "splunk_project_name" { - type = string - description = "Splunk Project Name" - default = "answerking-splunk-instance" + type = string + description = "Splunk Project Name" + default = "answerking-splunk-instance" } variable "splunk_project_owner" { - type = string - description = "Splunk Resource Owner" - default = "answerking" + type = string + description = "Splunk Resource Owner" + default = "answerking" } -variable "splunk_domain_name" { - type = string - description = "Splunk Domain Name" - default = "splunk.answerking.co.uk" +variable "dns_base_domain_name" { + type = string + description = "DNS Base Domain Name" + default = "answerking.co.uk" +} + +variable "dns_splunk_domain_name" { + type = string + description = "Splunk Domain Name" + default = "splunk.answerking.co.uk" } \ No newline at end of file diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 07e503ab..04b71000 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf 
@@ -2,8 +2,7 @@ module "splunk_vpc_subnet" { source = "git::https://github.com/answerdigital/terraform-modules//Terraform_modules/vpc_subnets?ref=v1.0.0" owner = var.splunk_project_owner project_name = var.splunk_project_name - azs = ["eu-west-2a"] - num_public_subnets = 1 + num_public_subnets = 2 num_private_subnets = 0 } @@ -40,14 +39,6 @@ resource "aws_security_group" "ec2_sg" { description = "All traffic" } - ingress { - from_port = 8000 - to_port = 8000 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - description = "HTTPS" - } - tags = { Name = "${var.splunk_project_name}-ec2-sg" Owner = var.splunk_project_owner 
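Review bot: `num_private_subnets = 0` with `num_public_subnets = 2` means the VPC module creates only public subnets, so the Splunk instance (placed in `public_subnet_ids[0]` elsewhere in this file) can only live in a public subnet even though it now sits behind a load balancer. A private subnet for the instance, with a NAT gateway or VPC endpoints for the `yum`/`docker pull` egress in user_data, would keep it unreachable except through the ALB; if cost rules that out, a comment should say so, e.g. `# instance is in a public subnet by design; ec2_sg limits ingress to the LB`. Removing the `0.0.0.0/0` port-8000 rule in the second hunk is the right direction.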
@@ -55,78 +46,40 @@ resource "aws_security_group" "ec2_sg" { } module "ec2_instance_setup" { - source = "git::https://github.com/AnswerConsulting/AnswerKing-Infrastructure.git//Terraform_modules/ec2_instance?ref=v1.0.0" + #source = "git::https://github.com/AnswerConsulting/AnswerKing-Infrastructure.git//Terraform_modules/ec2_instance?ref=v1.0.0" + source = "./ec2" project_name = var.splunk_project_name owner = var.splunk_project_owner ami_id = data.aws_ami.amazon_linux_2.id - availability_zone = "eu-west-2a" + availability_zone = module.splunk_vpc_subnet.az_zones[0] subnet_id = module.splunk_vpc_subnet.public_subnet_ids[0] - #vpc_security_group_ids = [aws_security_group.ec2_sg.id] - vpc_security_group_ids = [aws_security_group.lb_sg.id] - needs_elastic_ip = false #true + vpc_security_group_ids = [aws_security_group.ec2_sg.id] + needs_elastic_ip = false + user_data_replace_on_change = true user_data = < >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - -sudo yum update -y -sudo yum upgrade -y -sudo yum install docker -y -sudo systemctl enable docker.service -sudo systemctl start docker.service - -sudo docker pull splunk/splunk:latest -sudo docker run -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest -EOF + #!/bin/bash -xe + #logs all user_data commands into a user-data.log file + exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + + sudo yum update -y + sudo yum upgrade -y + sudo yum install docker -y + sudo systemctl enable docker.service + sudo systemctl start docker.service + + sudo docker pull splunk/splunk:latest + sudo docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest + EOF } -# route 53 +# Route53 -/* -resource "aws_route53_record" "splunk" { - zone_id = "Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id 
#"Z0072706JT6B6N2J7Z9H" #data.aws_route53_zone.hosted_zone.zone_id - name = var.splunk_domain_name #"answerking.co.uk" - type = "A" - ttl = 300 - records = [aws_eip.lb_eip.public_ip]#[module.ec2_instance_setup.instance_public_ip_address] #[aws_lb.lb.dns_name] +data "aws_route53_zone" "hosted_zone" { + name = var.dns_base_domain_name } -*/ - -resource "aws_route53_record" "splunk" { - zone_id = "Z0072706JT6B6N2J7Z9H" - name = var.splunk_domain_name - type = "CNAME" - set_identifier = "public_ip" - ttl = "60" - records = [aws_lb.lb.dns_name] - geolocation_routing_policy { - country = "GB" - } -} - -#resource "aws_route53_record" "splunk" { -# for_each = { -# for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { -# name = dvo.resource_record_name -# record = dvo.resource_record_value -# type = dvo.resource_record_type -# } -# } - -# allow_overwrite = true -# name = each.value.name -# records = [each.value.record] -# ttl = 60 -# type = each.value.type -# zone_id = "Z0072706JT6B6N2J7Z9H" -#} - -#resource "aws_route53_zone" "hosted_zone" { -# name = "answerking.co.uk" #var.splunk_domain_name -#} resource "aws_acm_certificate" "cert" { - domain_name = var.splunk_domain_name + domain_name = var.dns_splunk_domain_name validation_method = "DNS" lifecycle { 
@@ -134,24 +87,19 @@ resource "aws_acm_certificate" "cert" { } } -resource "aws_acm_certificate_validation" "validate" { - certificate_arn = aws_acm_certificate.cert.arn - #validation_record_fqdns = [for record in aws_route53_record.splunk : record.fqdn] #[aws_route53_record.splunk.fqdn] -} - -# Elastic IP - -resource "aws_eip" "lb_eip" { - #checkov:skip=CKV2_AWS_19:IP is being used for load balancer - vpc = true +resource "aws_route53_record" "splunk" { + zone_id = data.aws_route53_zone.hosted_zone.zone_id + name = var.dns_splunk_domain_name + type = "CNAME" + set_identifier = "public_ip" + ttl = "60" + records = [aws_lb.lb.dns_name] - tags = { - Name = "${var.splunk_project_name}-eip" - Owner = var.splunk_project_owner + geolocation_routing_policy { + country = "GB" } } - # Load balancer resource "aws_security_group" "lb_sg" { @@ -192,26 +140,12 @@ resource "aws_security_group" "lb_sg" { } resource "aws_lb" "lb" { - name = "${var.splunk_project_name}-lb" - internal = false - load_balancer_type = "network" - ip_address_type = "ipv4" - - subnet_mapping { - subnet_id = "${module.splunk_vpc_subnet.public_subnet_ids[0]}" - allocation_id = "${aws_eip.lb_eip.id}" - } - - #subnet_id = module.splunk_vpc_subnet.value - #allocation_id = aws_eip.lb_eip[module.splunk_vpc_subnet.key].id - - #dynamic "subnet_mapping" { - # for_each = module.splunk_vpc_subnet.public_subnet_ids - # content { - # subnet_id = "${subnet_mapping.value}" - # allocation_id = "${aws_eip.lb_eip[subnet_mapping.key].id}" - # } - #} + name = "${var.splunk_project_name}-lb" + internal = false + load_balancer_type = "application" + subnets = module.splunk_vpc_subnet.public_subnet_ids + drop_invalid_header_fields = true + security_groups = [aws_security_group.lb_sg.id] tags = { Name = "${var.splunk_project_name}-lb" 
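Review bot: Removing `aws_acm_certificate_validation.validate` while the HTTPS listener later in this file still references `aws_acm_certificate.cert.arn` leaves a DNS-validated certificate with no validation records and nothing waiting for issuance; the listener cannot be created until the CNAMEs from `domain_validation_options` are published in `data.aws_route53_zone.hosted_zone` and an `aws_acm_certificate_validation` ties them together. The `geolocation_routing_policy { country = "GB" }` on `aws_route53_record.splunk`, with no default `country = "*"` record, means resolvers outside GB get no answer for the name; that is not an access control, since the ALB stays reachable from anywhere by its own DNS name, so if geo-restriction is the goal it belongs in a WAF geo-match rule on the ALB and the record needs a comment stating which effect is intended. Attaching `lb_sg` and setting `drop_invalid_header_fields = true` on the new application load balancer in the second hunk is correct.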
@@ -219,46 +153,69 @@ resource "aws_lb" "lb" { } resource "aws_lb_target_group" "target_group" { - name = "${var.splunk_project_name}-lb-tg" - port = 8000 #443 - protocol = "TCP" - target_type = "ip" + name = "${var.splunk_project_name}-tg-${substr(uuid(), 0, 2)}" + port = 8000 + protocol = "HTTP" + target_type = "instance" vpc_id = module.splunk_vpc_subnet.vpc_id + health_check { + path = "/services/server/info" + protocol = "HTTP" + port = 8089 + matcher = "200" + interval = 15 + timeout = 3 + healthy_threshold = 2 + unhealthy_threshold = 2 + } + + tags = { Name = "${var.splunk_project_name}-lb-target-group" } lifecycle { create_before_destroy = true - ignore_changes = [name] + ignore_changes = [name] } } -resource "aws_lb_listener" "lb_listener" { - load_balancer_arn = aws_lb.lb.id +resource "aws_lb_target_group_attachment" "target_group_attachment_ec2" { + target_group_arn = aws_lb_target_group.target_group.arn + target_id = module.ec2_instance_setup.ec2_id + port = 8000 +} + +resource "aws_lb_listener" "lb_listener_http" { + load_balancer_arn = aws_lb.lb.arn port = "80" - protocol = "TCP" + protocol = "HTTP" default_action { - type = "forward" - target_group_arn = aws_lb_target_group.target_group.id + type = "redirect" + + redirect { + port = "443" + protocol = "HTTPS" + status_code = "HTTP_301" + } } } -resource "aws_lb_listener" "lb_listener_443" { - load_balancer_arn = aws_lb.lb.id - certificate_arn = aws_acm_certificate_validation.validate.certificate_arn #aws_acm_certificate.cert.arn +resource "aws_lb_listener" "lb_listener_https" { + load_balancer_arn = aws_lb.lb.arn port = "443" - protocol = "TLS" - alpn_policy = "HTTP2Preferred" + protocol = "HTTPS" + certificate_arn = aws_acm_certificate.cert.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.target_group.id } - #depends_on = [ - # aws_acm_certificate.cert - #] + tags = { + Name = "${var.splunk_project_name}-lb-listener" + Owner = var.splunk_project_owner + } } 
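Review bot: The `health_check` on `target_group` sends plain HTTP to port `8089` at `/services/server/info` and expects `200`; on the splunk/splunk image splunkd serves 8089 over TLS by default and that endpoint requires authentication, so the target is likely to stay unhealthy (consistent with the commit message). Probe Splunk Web instead, which answers without credentials: `port = 8000`, `path = "/en-US/account/login"`, `matcher = "200"`, and then 8089 need not be published by the container at all. `substr(uuid(), 0, 2)` in `name` produces a new value on every plan; `ignore_changes = [name]` hides the churn, but `name_prefix` gives the same create-before-destroy uniqueness without an impure function. The ALB-to-instance leg on port 8000 is now cleartext inside the VPC, which is fine while `ec2_sg` admits only the load balancer and should be stated in a comment on the target group.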
From bbd6a45051c50cf2bc8eb2bc49324ffbaf96e7aa Mon Sep 17 00:00:00 2001 From: Beth Cryer Date: Mon, 3 Apr 2023 11:58:28 +0100 Subject: [PATCH 19/34] hi :) --- terraform/splunk/splunk.tf | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 04b71000..9da6f107 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -57,18 +57,17 @@ module "ec2_instance_setup" { needs_elastic_ip = false user_data_replace_on_change = true user_data = < >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - sudo yum update -y - sudo yum upgrade -y - sudo yum install docker -y - sudo systemctl enable docker.service - sudo systemctl start docker.service + sudo yum update -y && yum upgrade -y + sudo amazon-linux-extras install docker -y + sudo service docker start sudo docker pull splunk/splunk:latest - sudo docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD={password}" --name splunk splunk/splunk:latest + sudo docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password" --name splunk splunk/splunk:latest EOF } From 537300039eaedf779b9903b55ebf6f2e441df550 Mon Sep 17 00:00:00 2001 From: pietro convalle Date: Mon, 3 Apr 2023 13:43:47 +0100 Subject: [PATCH 20/34] reverted indentation in bash script --- terraform/splunk/splunk.tf | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 9da6f107..7cc18dcf 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -31,7 +31,7 @@ resource "aws_security_group" "ec2_sg" { description = "Application Load Balancer" } - egress { + egress { from_port = 0 to_port = 0 protocol = "-1" 
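Review bot: `SPLUNK_PASSWORD=password` hard-codes a trivially guessable admin password into a file committed to the repository and into instance user data (readable on the instance via IMDS and stored in Terraform state), for an admin UI the ALB publishes to the internet. Generate it with a `random_password` resource (hashicorp/random is already declared in versions.tf) or read it at boot from SSM Parameter Store/Secrets Manager via the instance role, and keep it out of source; the `{password}` placeholder it replaces was at least not a working credential. `sudo yum update -y && yum upgrade -y` runs the second command without `sudo`, which is harmless only because user data runs as root, in which case every `sudo` prefix here is redundant. The enclosing `module "ec2_instance_setup"` block starts before the hunk.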
@@ -57,18 +57,16 @@ module "ec2_instance_setup" { needs_elastic_ip = false user_data_replace_on_change = true user_data = < >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 - - sudo yum update -y && yum upgrade -y - sudo amazon-linux-extras install docker -y - sudo service docker start - - sudo docker pull splunk/splunk:latest - sudo docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password" --name splunk splunk/splunk:latest - EOF +#!/bin/bash +set -ex +#logs all user_data commands into a user-data.log file +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 +sudo yum update -y && yum upgrade -y +sudo amazon-linux-extras install docker -y +sudo service docker start +sudo docker pull splunk/splunk:latest +sudo docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password" --name splunk splunk/splunk:latest +EOF } # Route53 @@ -116,7 +114,7 @@ resource "aws_security_group" "lb_sg" { description = "HTTP" } - ingress { + ingress { from_port = 443 to_port = 443 protocol = "tcp" @@ -124,7 +122,7 @@ resource "aws_security_group" "lb_sg" { description = "HTTPS" } - egress { + egress { from_port = 0 to_port = 0 protocol = "-1" From 81ac819eb19c36de0f8c4d9553c5610c89317da4 Mon Sep 17 00:00:00 2001 From: pietro convalle Date: Mon, 3 Apr 2023 14:00:32 +0100 Subject: [PATCH 21/34] changed ports in security group --- terraform/splunk/splunk.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 7cc18dcf..fdf5b010 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf 
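Review bot: `set -ex` together with `exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1` traces every command into /var/log/user-data.log, syslog and the serial console, so the `docker run` line including `SPLUNK_PASSWORD=...` is written to all three (the console output is also retrievable through the EC2 API). Bracket the credential-bearing command with `set +x` / `set -x`, or pass the password through an env file or SSM rather than on the command line. The indentation revert itself restores the shebang to column 0, which is what cloud-init needs.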
@@ -24,9 +24,9 @@ resource "aws_security_group" "ec2_sg" {
 vpc_id = module.splunk_vpc_subnet.vpc_id
 
 ingress {
- from_port = 0
- to_port = 0
- protocol = "-1"
+ from_port = 8000
+ to_port = 8089
+ protocol = "tcp"
 security_groups = [aws_security_group.lb_sg.id]
 description = "Application Load Balancer"
 }
From 30015bc3c64400e876aabeb1334123ed55f25b49 Mon Sep 17 00:00:00 2001
From: Calvin St Louis
Date: Wed, 5 Apr 2023 13:35:00 +0100
Subject: [PATCH 22/34] removed docker provider

---
 terraform/versions.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/terraform/versions.tf b/terraform/versions.tf
index 67d306f7..65e1be29 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -16,10 +16,5 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.4.3"
 }
-
- docker = {
- source = "kreuzwerker/docker"
- version = "~> 2.13.0"
- }
 }
 }
From 572da9076f6da03f0d76c423132b62158553a36a Mon Sep 17 00:00:00 2001
From: Calvin St Louis
Date: Wed, 5 Apr 2023 17:34:55 +0100
Subject: [PATCH 23/34] s3 access logs and related config added

---
 terraform/splunk/splunk.tf | 92 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf
index fdf5b010..2003200f 100644
--- a/terraform/splunk/splunk.tf
+++ b/terraform/splunk/splunk.tf
@@ -144,6 +144,11 @@ resource "aws_lb" "lb" {
 drop_invalid_header_fields = true
 security_groups = [aws_security_group.lb_sg.id]
 
+ access_logs {
+ bucket = aws_s3_bucket.elb_logs.bucket
+ enabled = true
+ }
+
 tags = {
 Name = "${var.splunk_project_name}-lb"
 }
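Review bot: The new rule in `ec2_sg` allows `from_port = 8000` to `to_port = 8089`, which is ninety TCP ports rather than the two the load balancer uses (8000 for Splunk Web, 8089 for the management-API health check); express them as two single-port `ingress` blocks so the intent is explicit and nothing else that later binds in that range is exposed. Sourcing the rule from `aws_security_group.lb_sg.id` instead of a CIDR is the right change. The enclosing `ec2_sg` resource starts before the hunk.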
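Review bot: `access_logs` on `aws_lb.lb` gives Terraform an implicit dependency only on `aws_s3_bucket.elb_logs`, not on the bucket policy that grants the ELB service account write access (added further down in this commit); the ALB validates that it can write to the bucket when the attribute is applied, so the first apply can fail with an access-denied error if the load balancer is created before the policy. Add `depends_on = [aws_s3_bucket_policy.lb-bucket-policy]` to the `aws_lb` resource. The policy's heredoc body is not legible in this rendering and is not reviewed here.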
@@ -216,3 +221,90 @@ resource "aws_lb_listener" "lb_listener_https" { Owner = var.splunk_project_owner } } + +# S3 logs +resource "aws_s3_bucket" "elb_logs" { + bucket = "${var.splunk_project_name}-lb-logs" + + tags = { + Name = "${var.splunk_project_name}-lb-logs" + Owner = var.splunk_project_owner + } +} + +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} +data "aws_elb_service_account" "main" {} +resource "aws_s3_bucket_policy" "lb-bucket-policy" { + bucket = aws_s3_bucket.elb_logs.id + + policy = < Date: Wed, 12 Apr 2023 18:48:39 +0100 Subject: [PATCH 24/34] enabled deletion protection for load balancer --- terraform/splunk/splunk.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 2003200f..ea4bcbd5 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -143,6 +143,7 @@ resource "aws_lb" "lb" { subnets = module.splunk_vpc_subnet.public_subnet_ids drop_invalid_header_fields = true security_groups = [aws_security_group.lb_sg.id] + enable_deletion_protection = true access_logs { bucket = aws_s3_bucket.elb_logs.bucket From d2c53e7cd1aecd57babcd35335f79a336faffd22 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Wed, 12 Apr 2023 19:01:53 +0100 Subject: [PATCH 25/34] Added skip for aws autoscaling EC2 launch template checkov check --- terraform/launch-config.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/launch-config.tf b/terraform/launch-config.tf index 6c5b6c58..442d28ae 100644 --- a/terraform/launch-config.tf +++ b/terraform/launch-config.tf 
@@ -27,6 +27,7 @@ data "template_file" "user_data" { resource "aws_launch_configuration" "ecs_launch_config" { #checkov:skip=CKV_AWS_79:TODO: Disable the Instance Metadata Service or enable it with proper configuration (v2) #checkov:skip=CKV_AWS_8:TODO: Encrypt volume in future security ticket + #checkov:skip=CKV_AWS_315:TODO: Look into aws autoscaling if necessary image_id = data.aws_ami.ecs_ami.id iam_instance_profile = aws_iam_instance_profile.ecs_instance_profile.name security_groups = [aws_security_group.ecs_sg.id] From 7a6f5d9940b009774ec1b1863e280c4e9afab2bc Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Wed, 12 Apr 2023 19:07:48 +0100 Subject: [PATCH 26/34] Skipped checkov check for S3 bucket event notifications --- terraform/splunk/splunk.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index ea4bcbd5..1fa17018 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -225,6 +225,7 @@ resource "aws_lb_listener" "lb_listener_https" { # S3 logs resource "aws_s3_bucket" "elb_logs" { + #checkov:skip=CKV2_AWS_62:TODO: event notifications not needed bucket = "${var.splunk_project_name}-lb-logs" tags = { From a10a2edd01b3f27f07408c56a7b30e6b3b3a3aca Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 13 Apr 2023 16:13:29 +0100 Subject: [PATCH 27/34] Skipped check for EC2 lanch templates for the aws_autoscaling_group resource --- terraform/launch-config.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/launch-config.tf b/terraform/launch-config.tf index 442d28ae..b6f55fae 100644 --- a/terraform/launch-config.tf +++ b/terraform/launch-config.tf 
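Review bot: `ecs_launch_config` now carries three `checkov:skip` lines, two of which (`CKV_AWS_79`, IMDSv1 allowed; `CKV_AWS_8`, unencrypted root volume) mark real hardening gaps as TODO with no ticket reference, while the ec2 module added earlier in this series already sets `http_tokens = "required"` and `encrypted = true`; `aws_launch_configuration` accepts the same `metadata_options` and `root_block_device` blocks, so fixing is about as much work as skipping. For `CKV_AWS_315`, AWS has deprecated launch configurations in favour of launch templates, so the comment should say when the migration is planned rather than "if necessary". Each skip should cite its tracking item, e.g. `#checkov:skip=CKV_AWS_8:TODO(<ticket-id>): encrypt root volume`.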
@@ -41,6 +41,7 @@ resource "aws_launch_configuration" "ecs_launch_config" { } resource "aws_autoscaling_group" "failure_analysis_ecs_asg" { + #checkov:skip=CKV_AWS_315:TODO: Look into aws autoscaling if necessary name = "${var.project_name}-auto-scaling-group" launch_configuration = aws_launch_configuration.ecs_launch_config.name vpc_zone_identifier = [ From a91ff96add0980d70c42250412ed24c7d08a3ede Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 13 Apr 2023 16:19:39 +0100 Subject: [PATCH 28/34] Checkov check for KMS encryption on S3 buckets has been skipped. Will be implemented in a future security update --- terraform/splunk/splunk.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 1fa17018..08217522 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -226,6 +226,7 @@ resource "aws_lb_listener" "lb_listener_https" { # S3 logs resource "aws_s3_bucket" "elb_logs" { #checkov:skip=CKV2_AWS_62:TODO: event notifications not needed + #checkov:skip=CKV_AWS_145:TODO: encryption will be done in a future security update bucket = "${var.splunk_project_name}-lb-logs" tags = { From c0d6e3776dfa7d146cb490fea40c52371796e848 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 13 Apr 2023 17:13:05 +0100 Subject: [PATCH 29/34] Added checkov skips for the elb_logs resource --- terraform/splunk/splunk.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 08217522..9ba4bade 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf 
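Review bot: The `CKV_AWS_145` skip on `elb_logs` defers KMS encryption to a later update, but ALB access-log delivery only supports S3-managed keys (SSE-S3); a bucket encrypted with SSE-KMS will not receive logs at all, so the correct resolution is an `aws_s3_bucket_server_side_encryption_configuration` with `sse_algorithm = "AES256"` now, plus a permanent skip for the KMS check that states that reason. The `CKV_AWS_315` skip on `failure_analysis_ecs_asg` repeats the launch-configuration one from the previous commit; both should point at the same migration item.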
@@ -227,6 +227,9 @@ resource "aws_lb_listener" "lb_listener_https" { resource "aws_s3_bucket" "elb_logs" { #checkov:skip=CKV2_AWS_62:TODO: event notifications not needed #checkov:skip=CKV_AWS_145:TODO: encryption will be done in a future security update + #checkov:skip=CKV_AWS_144: cross-region replication not needed + #checkov:skip=CKV2_AWS_61: lifecycle configuration not needed + #checov:skip=CKV_AWS_18: access logging not neeeded for this bucket bucket = "${var.splunk_project_name}-lb-logs" tags = { From 68d7a0d228dd5a0ddfa9964dfcf349be1dc08079 Mon Sep 17 00:00:00 2001 From: Calvin St Louis Date: Thu, 13 Apr 2023 17:53:01 +0100 Subject: [PATCH 30/34] Set associate public ip address to false for the splunk ec2 instance --- terraform/splunk/splunk.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 9ba4bade..3bf5d4e5 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -56,6 +56,7 @@ module "ec2_instance_setup" { vpc_security_group_ids = [aws_security_group.ec2_sg.id] needs_elastic_ip = false user_data_replace_on_change = true + associate_public_ip_address = false user_data = < Date: Thu, 13 Apr 2023 17:59:19 +0100 Subject: [PATCH 31/34] Load balancer for splunk is not using TLS 1.2 --- terraform/splunk/splunk.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf index 3bf5d4e5..b0f359b1 100644 --- a/terraform/splunk/splunk.tf +++ b/terraform/splunk/splunk.tf @@ -211,6 +211,7 @@ resource "aws_lb_listener" "lb_listener_https" { load_balancer_arn = aws_lb.lb.arn port = "443" protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" certificate_arn = aws_acm_certificate.cert.arn default_action { 
@@ -230,7 +231,7 @@ resource "aws_s3_bucket" "elb_logs" {
 #checkov:skip=CKV_AWS_145:TODO: encryption will be done in a future security update
 #checkov:skip=CKV_AWS_144: cross-region replication not needed
 #checkov:skip=CKV2_AWS_61: lifecycle configuration not needed
- #checov:skip=CKV_AWS_18: access logging not neeeded for this bucket
+ #checkov:skip=CKV_AWS_18: access logging not neeeded for this bucket
 bucket = "${var.splunk_project_name}-lb-logs"
 tags = {
From fca116dbddd2dfe617faa5e13bc2ddc5fda3e2b4 Mon Sep 17 00:00:00 2001
From: Calvin St Louis
Date: Thu, 13 Apr 2023 18:06:04 +0100
Subject: [PATCH 32/34] Added versioning for the elb logs s3 bucket
---
 terraform/splunk/splunk.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf
index b0f359b1..d0e21422 100644
--- a/terraform/splunk/splunk.tf
+++ b/terraform/splunk/splunk.tf
@@ -233,6 +233,10 @@ resource "aws_s3_bucket" "elb_logs" {
 #checkov:skip=CKV2_AWS_61: lifecycle configuration not needed
 #checkov:skip=CKV_AWS_18: access logging not neeeded for this bucket
 bucket = "${var.splunk_project_name}-lb-logs"
+
+ versioning {
+ enabled = true
+ }
 tags = {
 Name = "${var.splunk_project_name}-lb-logs"
From 33f9c62a855ef437cff65e34f9930f1abca21ba8 Mon Sep 17 00:00:00 2001
From: Calvin St Louis
Date: Mon, 17 Apr 2023 10:57:29 +0100
Subject: [PATCH 33/34] updated ec2 instance set up to use the new version 2.1.0 for the ec2 module
---
 terraform/splunk/splunk.tf | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf
index d0e21422..f543ebaa 100644
--- a/terraform/splunk/splunk.tf
+++ b/terraform/splunk/splunk.tf
@@ -46,8 +46,7 @@ resource "aws_security_group" "ec2_sg" {
 }
 module "ec2_instance_setup" {
- #source = "git::https://github.com/AnswerConsulting/AnswerKing-Infrastructure.git//Terraform_modules/ec2_instance?ref=v1.0.0"
- source = "./ec2"
+ source = "git::https://github.com/answerdigital/terraform-modules//modules/aws/ec2?ref=v2.1.0"
 project_name = var.splunk_project_name
 owner = var.splunk_project_owner
 ami_id = data.aws_ami.amazon_linux_2.id
@@ -187,7 +186,7 @@ resource "aws_lb_target_group" "target_group" {
 resource "aws_lb_target_group_attachment" "target_group_attachment_ec2" {
 target_group_arn = aws_lb_target_group.target_group.arn
- target_id = module.ec2_instance_setup.ec2_id
+ target_id = module.ec2_instance_setup.instance_id
 port = 8000
 }
@@ -232,11 +231,7 @@ resource "aws_s3_bucket" "elb_logs" {
 #checkov:skip=CKV_AWS_144: cross-region replication not needed
 #checkov:skip=CKV2_AWS_61: lifecycle configuration not needed
 #checkov:skip=CKV_AWS_18: access logging not neeeded for this bucket
- bucket = "${var.splunk_project_name}-lb-logs"
-
- versioning {
- enabled = true
- }
+ bucket = "${var.splunk_project_name}-lb-logs"
 tags = {
 Name = "${var.splunk_project_name}-lb-logs"
@@ -244,6 +239,14 @@ resource "aws_s3_bucket" "elb_logs" {
 }
 }
+resource "aws_s3_bucket_versioning" "version" {
+ bucket = aws_s3_bucket.elb_logs.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_elb_service_account" "main" {}
From 6936d3d12da881df200e259100b0621812ae9268 Mon Sep 17 00:00:00 2001
From: Calvin St Louis
Date: Mon, 17 Apr 2023 15:41:31 +0100
Subject: [PATCH 34/34] Successfully applies with ec2 update
---
 terraform/splunk/splunk.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/splunk/splunk.tf b/terraform/splunk/splunk.tf
index f543ebaa..dfb6f991 100644
--- a/terraform/splunk/splunk.tf
+++ b/terraform/splunk/splunk.tf
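Review bot: The new `aws_s3_bucket_versioning.version` resource enables versioning on the ELB log bucket while the same bucket carries, in the preceding hunk, a `CKV2_AWS_61: lifecycle configuration not needed` skip, so every overwritten or deleted log object is now retained as a noncurrent version with no expiry and the bucket's growth and retention are unbounded. A log bucket normally wants an explicit retention period, which an `aws_s3_bucket_lifecycle_configuration` with `expiration` and `noncurrent_version_expiration` rules provides and which would also let the CKV2_AWS_61 skip be removed; the day counts below are placeholders to be set from the retention requirement. As a smaller point, naming the resource `elb_logs` rather than `version` would match the bucket it configures.
```hcl
# … unchanged: resource "aws_s3_bucket_versioning" "version" { … } …

# Bound retention: log objects and their noncurrent versions expire.
resource "aws_s3_bucket_lifecycle_configuration" "elb_logs" {
  bucket = aws_s3_bucket.elb_logs.id

  rule {
    id     = "expire-lb-logs"
    status = "Enabled"

    filter {}

    expiration {
      days = 365 # placeholder: required log retention period
    }

    noncurrent_version_expiration {
      noncurrent_days = 30 # placeholder
    }
  }
}
```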
@@ -46,7 +46,7 @@ resource "aws_security_group" "ec2_sg" {
 }
 module "ec2_instance_setup" {
- source = "git::https://github.com/answerdigital/terraform-modules//modules/aws/ec2?ref=v2.1.0"
+ source = "git::https://github.com/answerdigital/terraform-modules//modules/aws/ec2?ref=v2"
 project_name = var.splunk_project_name
 owner = var.splunk_project_owner
 ami_id = data.aws_ami.amazon_linux_2.id
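Review bot: Loosening the module ref from the tag `v2.1.0` to `v2` turns the module source into a moving target: `v2` is presumably a branch or a floating tag in answerdigital/terraform-modules, so each `terraform init` (or `init -upgrade`) can fetch different module code with no change in this repository, and `.terraform.lock.hcl` records provider versions only, not git module sources. If the reason for the change is that `v2.1.0` did not resolve, the fix is to pin to whatever immutable tag does exist, or better to a commit SHA (`?ref=<commit-sha>`), with a comment naming the version it corresponds to, e.g. `# pinned to the v2 module at commit <commit-sha>; bump deliberately`. The module block continues past the hunk.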