From a71e6eaeccbac0e3a08187aeda550df5ac9a62ae Mon Sep 17 00:00:00 2001 From: Manuel Weber <112621871+mm-weber@users.noreply.github.com> Date: Tue, 17 Sep 2024 17:04:51 +0200 Subject: [PATCH] Add Oracle9 , remove deprecated AMI (#73) * deprecated: oracle7_cis Signed-off-by: Manuel Weber * add oracle 9 vanilla Signed-off-by: Manuel Weber * add oracle 9 vanilla+readme Signed-off-by: Manuel Weber * add RHEL9 L2 Signed-off-by: Manuel Weber * add RHEL9 L2++ Signed-off-by: Manuel Weber --------- Signed-off-by: Manuel Weber --- aws/ec2-instances/README.md | 6 ++ aws/ec2-instances/amis.tf | 63 +++++++++++++-- aws/ec2-instances/main.tf | 144 +++++++++++++++++++++++++++------ aws/ec2-instances/outputs.tf | 40 +++++++-- aws/ec2-instances/variables.tf | 37 +++++++-- 5 files changed, 246 insertions(+), 44 deletions(-) diff --git a/aws/ec2-instances/README.md b/aws/ec2-instances/README.md index df997ec..edbc816 100644 --- a/aws/ec2-instances/README.md +++ b/aws/ec2-instances/README.md 
@@ -36,6 +36,10 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t | Oracle 8 cnspec | Latest Oracle 8 image with latest cnspec | `create_oracle8_cnspec` | | | Oracle 8 CIS | CIS Oracle Linux 8 Benchmark - Level 1 | `create_oracle8_cis` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) | | Oracle 8 CIS cnspec | CIS Oracle Linux 8 Benchmark - Level 1 with latest cnspec | `create_oracle8_cis_cnspec` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) | +| Oracle 9 | Latest Oracle 9 image | `create_oracle9` | | +| Oracle 9 cnspec | Latest Oracle 9 image with latest cnspec | `create_oracle9_cnspec` | | +| Oracle 9 CIS | CIS Oracle Linux 9 Benchmark - Level 1 | `create_oracle9_cis` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) | +| Oracle 9 CIS cnspec | CIS Oracle Linux 9 Benchmark - Level 1 with latest cnspec | `create_oracle9_cis_cnspec` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) | | RHEL 7 | Latest Red Hat Enterprise Linux 7 | `create_rhel7` | | | RHEL 7 cnspec | Latest Red Hat Enterprise Linux 7 with latest cnspec | `create_rhel7_cnspec` | | RHEL 7 mondoo pass private | Saved image of a manually hardened CIS RHEL7 image (which CIS deleted) | `create_rhel7_pass_private` | | 
@@ -45,6 +49,8 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t | RHEL 8 CIS cnspec | CIS Red Hat Enterprise Linux 8 STIG Benchmark with latest cnspec | `create_rhel8_cis_cnspec` | [CIS Red Hat Enterprise Linux 8 STIG Benchmark](https://aws.amazon.com/marketplace/pp/prodview-ia2nfuoig3jmu?sr=0-3&ref_=beagle&applicationId=AWSMPContessa) | | RHEL 9 | Latest RHEL 9 image | `create_rhel9` | | | RHEL 9 cnspec | Latest RHEL 9 with latest cnspec | `create_rhel9_cnspec` | | +| RHEL 9 CIS | CIS Red Hat Enterprise Linux 9 Level 2 | `create_rhel9_cis` | [CIS Red Hat Enterprise Linux 9 - Level 2](https://aws.amazon.com/marketplace/pp/prodview-6axx7cl7vguti?sr=0-5&ref_=beagle&applicationId=AWS-EC2-Console) | +| RHEL 9 CIS cnspec | CIS Red Hat Enterprise Linux 9 Level 2 with latest cnspec | `create_rhel9_cis_cnspec` | [CIS Red Hat Enterprise Linux 9 - Level 2](https://aws.amazon.com/marketplace/pp/prodview-6axx7cl7vguti?sr=0-5&ref_=beagle&applicationId=AWS-EC2-Console) | | NGINX on RHEL 9 CIS | Latest NGINX on RHEL 9 image CIS hardened | `create_nginx_rhel9_cis` | | | NGINX on RHEL 9 CIS cnspec | Latest NGINX on RHEL 9 image CIS hardened with latest cnspec | `create_nginx_rhel9_cis_cnspec` | | | SUSE 15 | Latest SUSE 15 image | `create_suse15` | | diff --git a/aws/ec2-instances/amis.tf b/aws/ec2-instances/amis.tf index 7e09800..23ece9d 100644 --- a/aws/ec2-instances/amis.tf +++ b/aws/ec2-instances/amis.tf @@ -98,6 +98,23 @@ data "aws_ami" "rhel8_cis" { owners = ["679593333241"] } +data "aws_ami" "rhel9_cis" { + most_recent = true + + filter { + name = "name" + values = ["CIS Red Hat Enterprise Linux 9*Level 2*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["679593333241"] +} + + data "aws_ami" "rhel7" { most_recent = true 
@@ -404,12 +421,28 @@ data "aws_ami" "oracle7" { owners = ["679593333241"] } -data "aws_ami" "oracle7_cis" { +#data "aws_ami" "oracle7_cis" { +# most_recent = true +# +# filter { +# name = "name" +# values = ["CIS Oracle Linux 7 Benchmark*"] +# } +# +# filter { +# name = "virtualization-type" +# values = ["hvm"] +# } +# +# owners = ["679593333241"] +#} + +data "aws_ami" "oracle8" { most_recent = true filter { name = "name" - values = ["CIS Oracle Linux 7 Benchmark*"] + values = ["*SupportedImages OL8.8*"] } filter { @@ -420,12 +453,12 @@ data "aws_ami" "oracle7_cis" { owners = ["679593333241"] } -data "aws_ami" "oracle8" { +data "aws_ami" "oracle8_cis" { most_recent = true filter { name = "name" - values = ["*SupportedImages OL8.8*"] + values = ["CIS Oracle Linux 8 Benchmark*"] } filter { @@ -436,12 +469,29 @@ data "aws_ami" "oracle8" { owners = ["679593333241"] } -data "aws_ami" "oracle8_cis" { +data "aws_ami" "oracle9" { most_recent = true filter { name = "name" - values = ["CIS Oracle Linux 8 Benchmark*"] + values = ["*(SupportedImages) - Oracle Linux 9 LATEST x86_64*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["679593333241"] +} + + +data "aws_ami" "oracle9_cis" { + most_recent = true + + filter { + name = "name" + values = ["CIS Oracle Linux 9 Benchmark*"] } filter { @@ -451,6 +501,7 @@ data "aws_ami" "oracle8_cis" { owners = ["679593333241"] } + data "aws_ami" "rocky9" { most_recent = true diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf index 7cf2ea3..b19f6cd 100644 --- a/aws/ec2-instances/main.tf +++ b/aws/ec2-instances/main.tf 
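Review bot: `data "aws_ami" "rhel9_cis"` combines `most_recent = true` with the glob `CIS Red Hat Enterprise Linux 9*Level 2*`, so the image behind every plan moves silently whenever the vendor publishes a new build, and any other listing from owner `679593333241` that happens to match the glob would be selected too; the new `oracle9` lookup (`*(SupportedImages) - Oracle Linux 9 LATEST x86_64*`) in the later hunk has the same shape. Adding a `filter { name = "product-code" ... }` with the code of the Marketplace listing (the README row points at `prodview-6axx7cl7vguti`), or at least a comment `# selected by name glob only; re-check against the Marketplace listing when bumping`, makes the selection intentional. As far as this hunk shows the data source has no `count`, so Terraform queries it even when `var.create_rhel9_cis` and `var.create_rhel9_cis_cnspec` are both false, and a region where the lookup returns no image fails the whole plan; gating it with `count = var.create_rhel9_cis || var.create_rhel9_cis_cnspec ? 1 : 0` and referencing `ami = one(data.aws_ami.rhel9_cis[*].id)` in main.tf avoids that. The same applies to the other unconditional lookups in the file, so this may be a follow-up rather than a blocker for this patch.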
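Review bot: The `oracle7_cis` lookup is kept as a `#`-commented block instead of being deleted, and the patch does the same for the two modules in main.tf, the two outputs in outputs.tf and the two variables in variables.tf. Git history already preserves the old definitions, and commented HCL is neither validated nor formatted, so it only drifts from the surrounding code. Deleting the blocks is cleaner; if a marker is wanted, a single line such as `# oracle7_cis removed in #73: CIS Oracle Linux 7 Marketplace AMI deprecated` records the reason without retaining dead code.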
@@ -318,13 +318,45 @@ module "oracle7_cnspec" { user_data_replace_on_change = true } -module "oracle7_cis" { +#module "oracle7_cis" { +# source = "terraform-aws-modules/ec2-instance/aws" +# version = "~> 5.6.1" +# +# create = var.create_oracle7_cis +# name = "${var.prefix}-oracle7-cis-${random_id.instance_id.id}" +# ami = data.aws_ami.oracle7_cis.id +# instance_type = var.linux_instance_type +# vpc_security_group_ids = [module.linux_sg.security_group_id] +# subnet_id = module.vpc.public_subnets[0] +# key_name = var.aws_key_pair_name +# associate_public_ip_address = true +#} + +#module "oracle7_cis_cnspec" { +# source = "terraform-aws-modules/ec2-instance/aws" +# version = "~> 5.6.1" +# +# create = var.create_oracle7_cis_cnspec +# name = "${var.prefix}-oracle7-cis-cnspec-${random_id.instance_id.id}" +# ami = data.aws_ami.oracle7_cis.id +# instance_type = var.linux_instance_type +# vpc_security_group_ids = [module.linux_sg.security_group_id] +# subnet_id = module.vpc.public_subnets[0] +# key_name = var.aws_key_pair_name +# associate_public_ip_address = true +# user_data = base64encode(local.linux_user_data) +# user_data_replace_on_change = true +#} + +// Oracle 8 + +module "oracle8" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle7_cis - name = "${var.prefix}-oracle7-cis-${random_id.instance_id.id}" - ami = data.aws_ami.oracle7_cis.id + create = var.create_oracle8 + name = "${var.prefix}-oracle8-${random_id.instance_id.id}" + ami = data.aws_ami.oracle8.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] 
@@ -332,13 +364,13 @@ module "oracle7_cis" { associate_public_ip_address = true } -module "oracle7_cis_cnspec" { +module "oracle8_cnspec" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle7_cis_cnspec - name = "${var.prefix}-oracle7-cis-cnspec-${random_id.instance_id.id}" - ami = data.aws_ami.oracle7_cis.id + create = var.create_oracle8_cnspec + name = "${var.prefix}-oracle8-cnspec-${random_id.instance_id.id}" + ami = data.aws_ami.oracle8.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] 
@@ -348,29 +380,58 @@ module "oracle7_cis_cnspec" { user_data_replace_on_change = true } -// Oracle 8 +module "oracle8_cis" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 5.6.1" -module "oracle8" { + create = var.create_oracle8_cis + name = "${var.prefix}-oracle8-cis-${random_id.instance_id.id}" + ami = data.aws_ami.oracle8_cis.id + instance_type = var.linux_instance_type + vpc_security_group_ids = [module.linux_sg.security_group_id] + subnet_id = module.vpc.public_subnets[0] + key_name = var.aws_key_pair_name + associate_public_ip_address = true +} + +module "oracle8_cis_cnspec" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle8 - name = "${var.prefix}-oracle8-${random_id.instance_id.id}" - ami = data.aws_ami.oracle8.id + create = var.create_oracle8_cis_cnspec + name = "${var.prefix}-oracle8-cis-cnspec-${random_id.instance_id.id}" + ami = data.aws_ami.oracle8_cis.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] key_name = var.aws_key_pair_name associate_public_ip_address = true + user_data = base64encode(local.linux_user_data) + user_data_replace_on_change = true } -module "oracle8_cnspec" { +// Oracle 9 +module "oracle9" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle8_cnspec - name = "${var.prefix}-oracle8-cnspec-${random_id.instance_id.id}" - ami = data.aws_ami.oracle8.id + create = var.create_oracle9 + name = "${var.prefix}-oracle9-${random_id.instance_id.id}" + ami = data.aws_ami.oracle9.id + instance_type = var.linux_instance_type + vpc_security_group_ids = [module.linux_sg.security_group_id] + subnet_id = module.vpc.public_subnets[0] + key_name = var.aws_key_pair_name + associate_public_ip_address = true +} + +module "oracle9_cnspec" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 5.6.1" + + create = 
var.create_oracle9_cnspec + name = "${var.prefix}-oracle9-cnspec-${random_id.instance_id.id}" + ami = data.aws_ami.oracle9.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] @@ -380,13 +441,13 @@ module "oracle8_cnspec" { user_data_replace_on_change = true } -module "oracle8_cis" { +module "oracle9_cis" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle8_cis - name = "${var.prefix}-oracle8-cis-${random_id.instance_id.id}" - ami = data.aws_ami.oracle8_cis.id + create = var.create_oracle9_cis + name = "${var.prefix}-oracle9-cis-${random_id.instance_id.id}" + ami = data.aws_ami.oracle9_cis.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] @@ -394,13 +455,13 @@ module "oracle8_cis" { associate_public_ip_address = true } -module "oracle8_cis_cnspec" { +module "oracle9_cis_cnspec" { source = "terraform-aws-modules/ec2-instance/aws" version = "~> 5.6.1" - create = var.create_oracle8_cis_cnspec - name = "${var.prefix}-oracle8-cis-cnspec-${random_id.instance_id.id}" - ami = data.aws_ami.oracle8_cis.id + create = var.create_oracle9_cis_cnspec + name = "${var.prefix}-oracle9-cis-cnspec-${random_id.instance_id.id}" + ami = data.aws_ami.oracle9_cis.id instance_type = var.linux_instance_type vpc_security_group_ids = [module.linux_sg.security_group_id] subnet_id = module.vpc.public_subnets[0] @@ -410,6 +471,7 @@ module "oracle8_cis_cnspec" { user_data_replace_on_change = true } + // Red Hat Linux 9 module "rhel9" { 
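Review bot: `// Oracle 9` sits directly on top of `module "oracle9" {` with no separating blank line, while the `// Oracle 8` heading added in the earlier hunk is followed by one, and the file now mixes `//` section headings with `#` comment markers; HCL accepts both, but `#` is the idiomatic form and a uniform `# Oracle 9` heading plus blank line keeps the sections scannable. The new `oracle9_cnspec` module (and `oracle9_cis_cnspec` in the following hunk) passes `base64encode(local.linux_user_data)` to an image family the script has not targeted before; `local.linux_user_data` is defined outside this patch, so I cannot check it, but if it assumes a particular package manager or repository layout it is worth confirming it on Oracle Linux 9 before relying on the cnspec variants. The `oracle9_cnspec` module body continues past the end of this hunk.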
@@ -442,6 +504,38 @@ module "rhel9_cnspec" { user_data_replace_on_change = true } +module "rhel9_cis" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 5.6.1" + + create = var.create_rhel9_cis + name = "${var.prefix}-rhel9-cis-${random_id.instance_id.id}" + ami = data.aws_ami.rhel9_cis.id + instance_type = var.linux_instance_type + vpc_security_group_ids = [module.linux_sg.security_group_id] + subnet_id = module.vpc.public_subnets[0] + key_name = var.aws_key_pair_name + associate_public_ip_address = true +} + +module "rhel9_cis_cnspec" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 5.6.1" + + create = var.create_rhel9_cis_cnspec + name = "${var.prefix}-rhel9-cis-cnspec-${random_id.instance_id.id}" + ami = data.aws_ami.rhel9_cis.id + instance_type = var.linux_instance_type + vpc_security_group_ids = [module.linux_sg.security_group_id] + subnet_id = module.vpc.public_subnets[0] + key_name = var.aws_key_pair_name + associate_public_ip_address = true + user_data = base64encode(local.linux_user_data) + user_data_replace_on_change = true +} + + + // Red Hat Linux 8 module "rhel8" { diff --git a/aws/ec2-instances/outputs.tf b/aws/ec2-instances/outputs.tf index f2bc782..2b42f14 100644 --- a/aws/ec2-instances/outputs.tf +++ b/aws/ec2-instances/outputs.tf 
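Review bot: The hunk ends with three consecutive blank lines before `// Red Hat Linux 8` (`+}`, `+`, `+` followed by the existing blank context line), whereas the sections above are separated by a single blank line; the amis.tf hunk at `@@ -451,6 +501,7 @@` and the oracle9 outputs hunk add a stray extra blank line in the same way. Trimming these to one blank line keeps the spacing uniform across the file. The two new modules themselves mirror `rhel9`/`rhel9_cnspec` line for line, which is the right shape.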
@@ -81,6 +81,14 @@ output "rhel9_cnspec" { value = module.rhel9_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cnspec.public_ip}" } +output "rhel9_cis" { + value = module.rhel9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cis.public_ip}" +} + +output "rhel9_cis_cnspec" { + value = module.rhel9_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cis_cnspec.public_ip}" +} + # nginx on rhel9 cis output "nginx_rhel9_cis" { value = module.nginx_rhel9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.nginx_rhel9_cis.public_ip}" @@ -190,13 +198,13 @@ output "oracle7_cnspec" { value = module.oracle7_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cnspec.public_ip}" } -output "oracle7_cis" { - value = module.oracle7_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis.public_ip}" -} - -output "oracle7_cis_cnspec" { - value = module.oracle7_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis_cnspec.public_ip}" -} +#output "oracle7_cis" { +# value = module.oracle7_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis.public_ip}" +#} +# +#output "oracle7_cis_cnspec" { +# value = module.oracle7_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis_cnspec.public_ip}" +#} # oracle8 output "oracle8" { 
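Review bot: The new `rhel9_cis` and `rhel9_cis_cnspec` outputs copy the `ssh -o StrictHostKeyChecking=no` command string, and the oracle9 outputs in the next hunk do the same; that option disables host-key verification entirely, so whoever pastes the command cannot notice a host that has been replaced or is being intercepted, which sits awkwardly next to CIS-hardened images. `StrictHostKeyChecking=accept-new` stores the key on first connect and still refuses a changed one, so `"ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cis.public_ip}"` keeps the convenience with less exposure. Since every existing output uses the same pattern, this is best changed across the file in one pass rather than only on the new lines.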
@@ -215,6 +223,24 @@ output "oracle8_cis_cnspec" { value = module.oracle8_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle8_cis_cnspec.public_ip}" } +# oracle9 +output "oracle9" { + value = module.oracle9.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9.public_ip}" +} + +output "oracle9_cnspec" { + value = module.oracle9_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cnspec.public_ip}" +} + +output "oracle9_cis" { + value = module.oracle9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cis.public_ip}" +} + +output "oracle9_cis_cnspec" { + value = module.oracle9_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cis_cnspec.public_ip}" +} + + # rocky9 output "rocky9" { value = module.rocky9.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} rocky@${module.rocky9.public_ip}" diff --git a/aws/ec2-instances/variables.tf b/aws/ec2-instances/variables.tf index 3a1374f..b5e5504 100644 --- a/aws/ec2-instances/variables.tf +++ b/aws/ec2-instances/variables.tf @@ -156,6 +156,14 @@ variable "create_ubuntu1804_cnspec" { default = false } +variable "create_rhel9_cis" { + default = false +} + +variable "create_rhel9_cis_cnspec" { + default = false +} + variable "create_rhel9" { default = false } 
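Review bot: `variable "create_rhel9_cis"` and `variable "create_rhel9_cis_cnspec"` declare only `default = false`, with no `type` or `description`; the oracle8/oracle9 variables in the next hunk are declared the same way. Without `type = bool` Terraform infers the type from whatever the caller passes, so a typo such as `"flase"` in a tfvars file is reported late and confusingly instead of at validation, and without a `description` the README table is the only place the purpose is recorded. Adding `type        = bool` and `description = "Create the CIS Red Hat Enterprise Linux 9 Level 2 instance"` (with the matching text for the cnspec variant) to each new block fixes both; the existing variables follow the same minimal form, so a file-wide pass may be preferable.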
@@ -272,30 +280,47 @@ variable "create_oracle7_cnspec" { default = false } -variable "create_oracle7_cis" { +#variable "create_oracle7_cis" { +# default = false +#} +# +#variable "create_oracle7_cis_cnspec" { +# default = false +#} + +variable "create_oracle8" { default = false } -variable "create_oracle7_cis_cnspec" { +variable "create_oracle8_cnspec" { default = false } -variable "create_oracle8" { +variable "create_oracle8_cis" { default = false } -variable "create_oracle8_cnspec" { +variable "create_oracle8_cis_cnspec" { default = false } -variable "create_oracle8_cis" { +variable "create_oracle9" { default = false } -variable "create_oracle8_cis_cnspec" { +variable "create_oracle9_cnspec" { default = false } +variable "create_oracle9_cis" { + default = false +} + +variable "create_oracle9_cis_cnspec" { + default = false +} + + variable "create_rocky9" { default = false }