Add back CDM agents #91

Merged
merged 5 commits into from
Oct 13, 2023
Merged
40 changes: 39 additions & 1 deletion src/cdm.yml
Expand Up @@ -4,7 +4,24 @@
become: yes
become_method: ansible.builtin.sudo
tasks:
- name: Install CrowdStrike
- name: Install CDM Tanium client
ansible.builtin.include_role:
name: cdm_tanium
vars:
cdm_tanium_server_name: "{{ lookup('aws_ssm', '/cdm/tanium_hostname') }}"
cdm_tanium_third_party_bucket_name: "{{ build_bucket }}"
- name: Install CDM Nessus agent
ansible.builtin.include_role:
name: cdm_nessus_agent
vars:
cdm_nessus_agent_third_party_bucket_name: "{{ build_bucket }}"
# The Python code that will be run by cloud-init to link the
# Nessus Agent will require boto3
- name: Install boto3
ansible.builtin.package:
name:
- python3-boto3
- name: Install CDM CrowdStrike
ansible.builtin.include_role:
name: crowdstrike
vars:
Expand All @@ -25,3 +42,24 @@
- direction: out
port: 443
proto: tcp
# Tanium
- direction: in
port: 17472
proto: tcp
- direction: out
port: 17472
proto: tcp
# Tanium threat response
- direction: in
port: 17475
proto: tcp
- direction: out
port: 17475
proto: tcp
# Tenable
- direction: in
port: 8834
proto: tcp
- direction: out
port: 8834
proto: tcp
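Review bot: The three new `direction: in` entries (ports 17472, 17475 and 8834) open listening ports on every host built from this image, and none of them carries a source restriction, so reachability is whatever the firewall role does by default for an unqualified inbound rule. For the Nessus Agent the inbound 8834 rule looks unnecessary: the agent initiates its own connection to the manager, so the outbound rule already present at `- direction: out` / `port: 8834` should be all it needs, and the inbound entry can be dropped unless something else on the host is meant to listen there. The Tanium client does accept peer connections on 17472, so that inbound rule is expected; the inbound 17475 rule is only labelled "threat response" and is worth confirming against the deployment before it is kept. A short comment over each inbound rule naming the peer that is expected to connect (for example `# Tanium clients peer with each other on this port`) would make the intent reviewable later. The rules list these entries extend starts outside the hunk, as does the `tasks:` list that holds the renamed `Install CDM CrowdStrike` task in the first hunk.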
4 changes: 4 additions & 0 deletions src/requirements.yml
Expand Up @@ -8,6 +8,10 @@ roles:
src: https://github.com/cisagov/ansible-role-automated-security-updates
- name: banner
src: https://github.com/cisagov/ansible-role-banner
- name: cdm_nessus_agent
src: https://github.com/cisagov/ansible-role-cdm-nessus-agent
- name: cdm_tanium
src: https://github.com/cisagov/ansible-role-cdm-tanium-client
- name: chrony_aws
src: https://github.com/cisagov/ansible-role-chrony-aws
- name: clamav
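Review bot: The two new role entries, `cdm_nessus_agent` and `cdm_tanium`, reference a GitHub URL with no `version:`, so each image build pulls whatever the roles' default branch holds at that moment, and these two roles are the ones that install third-party security agents on every host built from the image. That matches the neighbouring entries, so it is a pre-existing pattern rather than something this commit introduces, but the agent roles are where an unreviewed upstream change has the most reach. Pinning each with a `version: <tag or commit SHA>` line under its `src:` would make the build reproducible and let role upgrades go through review like any other change.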
2 changes: 1 addition & 1 deletion src/version.txt
@@ -1 +1 @@
__version__ = "0.3.6"
__version__ = "0.3.7-rc.1"
61 changes: 61 additions & 0 deletions terraform-build-user/main.tf
Expand Up @@ -10,13 +10,74 @@ module "iam_user" {
}

ssm_parameters = [
"/cdm/tanium_hostname",
"/cyhy/dev/users",
"/openvpn/server/*",
"/ssh/public_keys/*",
]
user_name = "build-openvpn-packer"
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-tanium-client to the production
# EC2AMICreate role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_tanium_production" {
provider = aws.images-production-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_tanium_client.outputs.production_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_production.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-tanium-client to the staging EC2AMICreate
# role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_tanium_staging" {
provider = aws.images-staging-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_tanium_client.outputs.staging_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_staging.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-nessus-agent to the production
# EC2AMICreate role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_nessus_production" {
provider = aws.images-production-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_nessus_agent.outputs.production_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_production.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-nessus-agent to the staging EC2AMICreate
# role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_nessus_staging" {
provider = aws.images-staging-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_nessus_agent.outputs.staging_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_staging.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-certificates to the production EC2AMICreate
# role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_certificates_production" {
provider = aws.images-production-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_certificates.outputs.production_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_production.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-cdm-certificates to the staging EC2AMICreate
# role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_certificates_staging" {
provider = aws.images-staging-ami

policy_arn = data.terraform_remote_state.ansible_role_cdm_certificates.outputs.staging_bucket_policy.arn
role = module.iam_user.ec2amicreate_role_staging.name
}

# Attach 3rd party S3 bucket read-only policy from
# cisagov/ansible-role-crowdstrike to the production EC2AMICreate role
resource "aws_iam_role_policy_attachment" "thirdpartybucketread_crowdstrike_production" {
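Review bot: Two of the six new attachments, `thirdpartybucketread_certificates_production` and `thirdpartybucketread_certificates_staging`, grant the EC2AMICreate roles read access to the cisagov/ansible-role-cdm-certificates bucket, but nothing in the visible `src/cdm.yml` or `src/requirements.yml` hunks uses a certificates role. If the playbook does not include it, those two attachments (together with the matching `ansible_role_cdm_certificates` remote state added in `terraform-build-user/remote_states.tf`) extend the build roles' permissions beyond what the build needs and could be left out until the role is actually added. If it is used elsewhere in the playbook, a one-line comment such as `# Required by the cdm_certificates tasks in src/cdm.yml` above each of the two attachments would record the dependency. The `module "iam_user"` block that receives the new `/cdm/tanium_hostname` SSM parameter starts before the hunk, and the `thirdpartybucketread_crowdstrike_production` resource at the end continues past it.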
39 changes: 39 additions & 0 deletions terraform-build-user/remote_states.tf
Expand Up @@ -64,6 +64,45 @@ data "terraform_remote_state" "images_staging" {
workspace = "staging"
}

data "terraform_remote_state" "ansible_role_cdm_certificates" {
backend = "s3"

config = {
encrypt = true
bucket = "cisa-cool-terraform-state"
dynamodb_table = "terraform-state-lock"
profile = "cool-terraform-backend"
region = "us-east-1"
key = "ansible-role-cdm-certificates/terraform.tfstate"
}
}

data "terraform_remote_state" "ansible_role_cdm_nessus_agent" {
backend = "s3"

config = {
encrypt = true
bucket = "cisa-cool-terraform-state"
dynamodb_table = "terraform-state-lock"
profile = "cool-terraform-backend"
region = "us-east-1"
key = "ansible-role-cdm-nessus-agent/terraform.tfstate"
}
}

data "terraform_remote_state" "ansible_role_cdm_tanium_client" {
backend = "s3"

config = {
encrypt = true
bucket = "cisa-cool-terraform-state"
dynamodb_table = "terraform-state-lock"
profile = "cool-terraform-backend"
region = "us-east-1"
key = "ansible-role-cdm-tanium-client/terraform.tfstate"
}
}

data "terraform_remote_state" "ansible_role_crowdstrike" {
backend = "s3"

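Review bot: The three new `terraform_remote_state` data sources are identical apart from `key`, and the existing `ansible_role_crowdstrike` block that follows (its body runs past the hunk) repeats the same `config` again. A single data source with `for_each` over the role names keeps one copy of the backend settings, so a future change to the bucket, lock table or profile lands in one place instead of four. The cost is that references in `terraform-build-user/main.tf` become `data.terraform_remote_state.ansible_role["cdm-tanium-client"].outputs...`, so this is only worth doing together with that file; if the blocks stay as they are, a comment above the group such as `# Remote states of the cisagov/ansible-role-* repos whose bucket policies are attached in main.tf` would at least explain why they share one backend.
```hcl
# Remote states of the cisagov/ansible-role-* repositories whose
# third-party bucket policies this workspace attaches in main.tf.
data "terraform_remote_state" "ansible_role" {
  for_each = toset([
    "cdm-certificates",
    "cdm-nessus-agent",
    "cdm-tanium-client",
  ])

  backend = "s3"

  config = {
    encrypt        = true
    bucket         = "cisa-cool-terraform-state"
    dynamodb_table = "terraform-state-lock"
    profile        = "cool-terraform-backend"
    region         = "us-east-1"
    key            = "ansible-role-${each.key}/terraform.tfstate"
  }
}
# … unchanged: ansible_role_crowdstrike remote state …
```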