update
Vladyslav Yevsiukov authored and Vladyslav Yevsiukov committed Jul 21, 2023
1 parent 4dd99f6 commit 81d9d63
Showing 12 changed files with 208 additions and 72 deletions.
@@ -1,8 +1,22 @@
###### The step to be done before run infrastructure is to run command below
# sudo openssl req -x509 -nodes -days 40 -newkey rsa:2048 -keyout private.key -out certificate.crt
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_iam_server_certificate" "this" {
name = "086_certificate_green"
certificate_body = file("certificate.crt")
private_key = file("private.key")
}
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}
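Review bot: `data.local_file.private_key` at the end of the hunk reads the key that `openssl req ... -nodes` wrote unencrypted into the working directory, so the private key is copied in clear text into the Terraform state and shown in plan output; the same pattern is added in the other certificate files of this commit (086 red, 087 green/red, 264 green/red, 279 green/red), so this note covers those hunks too. Switching to `data "local_sensitive_file" "private_key"` (hashicorp/local 2.2 or later) keeps the content out of plan output, and `private.key`/`certificate.crt` should be git-ignored; the state backend still holds the key and has to be protected as such. The `null_resource` has no `triggers`, so on a checkout where the two files are absent but the state already records the resource the command is not re-run and both data sources fail to read the files; generating the pair with `tls_private_key` plus `tls_self_signed_cert` removes the shell step and that failure mode.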
@@ -1,8 +1,23 @@
###### The step to be done before run infrastructure is to run command below
# sudo openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}


resource "aws_iam_server_certificate" "this" {
name = "086_certificate_red"
certificate_body = file("certificate.crt")
private_key = file("private.key")
}
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}
@@ -1,8 +1,23 @@
###### The step to be done before run infrastructure is to run command below
# sudo openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_iam_server_certificate" "this" {
name = "087_certificate_green"
certificate_body = file("certificate.crt")
private_key = file("private.key")
}
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content

}
@@ -1,8 +1,22 @@
###### The step to be done before run infrastructure is to run command below
# sudo openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

resource "aws_iam_server_certificate" "this" {
name = "087_certificate_red"
certificate_body = file("second-certificate.crt")
private_key = file("second-private.key")
data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_iam_server_certificate" "this" {
name = "086_certificate_red"
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}
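Review bot: The new `aws_iam_server_certificate` at the bottom of the hunk is named `086_certificate_red`, while the resource it replaces (removed line `name = "087_certificate_red"`) belonged to the 087 rule, which looks like a copy from the 086 red file. IAM server certificate names are unique per account, so applying this together with the 086 red configuration fails with EntityAlreadyExists, and the certificate is attributed to the wrong rule. Restore `name = "087_certificate_red"`.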
Expand Up @@ -5,10 +5,6 @@ resource "aws_lb" "this" {
subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
}

###### The step to be done before run infrastructure is to run command below
# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt


resource "aws_lb_target_group" "this" {
name = "lb-target-group-264-green"
port = 443
Expand All @@ -31,8 +27,25 @@ resource "aws_lb_listener" "this" {

resource "aws_iam_server_certificate" "this" {
name = "264_certificate_green"
certificate_body = file("certificate.crt")
private_key = file("private.key")
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}

resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 50 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_vpc" "this" {
@@ -1,6 +1,3 @@
###### The step to be done before run infrastructure is to run command below
# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt

resource "aws_lb" "this" {
name = "nlb-264-red"
internal = false
Expand Down Expand Up @@ -31,10 +28,28 @@ resource "aws_lb_listener" "this" {

resource "aws_iam_server_certificate" "this" {
name = "264_certificate_red"
certificate_body = file("certificate.crt")
private_key = file("private.key")
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}

resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}


resource "aws_vpc" "this" {
cidr_block = "10.0.0.0/16"
instance_tenancy = "default"
@@ -1,7 +1,22 @@
###### The step to be done before run infrastructure is to run command below
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_iam_server_certificate" "this" {
name = "279_server_certificate_green"
certificate_body = file("certificate.crt")
private_key = file("private.key")
}
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}
@@ -1,7 +1,22 @@
###### The step to be done before run infrastructure is to run command below
# openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt - ### we can't create expired certificate
resource "null_resource" "this" {
provisioner "local-exec" {
command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout private.key -out certificate.crt"
interpreter = ["/bin/bash", "-c"]
}
}

data "local_file" "certificate" {
filename = "certificate.crt"
depends_on = [null_resource.this]
}

data "local_file" "private_key" {
filename = "private.key"
depends_on = [null_resource.this]
}

resource "aws_iam_server_certificate" "this" {
name = "279_server_certificate_red"
certificate_body = file("certificate.crt")
private_key = file("private.key")
}
certificate_body = data.local_file.certificate.content
private_key = data.local_file.private_key.content
}
@@ -1,20 +1,27 @@
# In order to create red infrastructure manual steps are required.
# 1. Before running 'terraform apply' create key pair using a 'ssh-keygen -f ~/key_pair -m PEM' command.
# 2. Run 'terraform apply'.
# 3. Go to https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#KeyPairs and delete '438_key_pair_red' key pair.
# 4. Run custodian policy.
resource "null_resource" "this" {
provisioner "local-exec" {
command = "aws ec2 delete-key-pair --key-name ${aws_key_pair.this.key_name}"
interpreter = ["/bin/bash", "-c"]
}

depends_on = [aws_autoscaling_group.this]
}

resource "tls_private_key" "rsa" {
algorithm = "RSA"
rsa_bits = 4096
}

resource "aws_key_pair" "this" {
key_name = "438_key_pair_red"
public_key = file("${path.module}/key_pair.pub")
public_key = tls_private_key.rsa.public_key_openssh
}

resource "aws_launch_template" "this" {
name_prefix = "438_launch_template_red"
image_id = data.aws_ami.this.id
instance_type = "t2.micro"
key_name = "438_key_pair_red"
key_name = "438_key_pair_red"
}

data "aws_ami" "this" {
Expand All @@ -40,8 +47,8 @@ resource "aws_autoscaling_group" "this" {
}

tag {
key = "CustodianRule"
value = "ecc-aws-438-autoscaling_group_has_valid_configuration"
key = "CsutodianRule"
value = "epam-aws-438-autoscaling_group_has_valid_configuration"
propagate_at_launch = true
}

Expand Down
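Review bot: In the second hunk the tag key `key = "CsutodianRule"` is misspelled; if, as the print order suggests, that pair is the new side, the tag no longer matches the `CustodianRule` key used by the removed line and the policy will not match this group. Change it to `key = "CustodianRule"`. In the first hunk the added `tls_private_key.rsa` only exposes its public half to `aws_key_pair`, but the generated 4096-bit private key is still written to state in clear text, so the state backend holds a secret; a comment above the resource saying that the private half is unused and lives only in state would help the next reader. The `aws_autoscaling_group` block the second hunk belongs to starts outside the hunk.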
@@ -1,7 +1,30 @@
# There is a bug where 'associate_public_ip_address' has a 3 states when terraform can only provide 2 states.
data "aws_ami" "this" {
most_recent = true

# Use following command to create green infrastructure.
aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ami-06eecef118bbf9259 --instance-type t2.micro --no-associate-public-ip-address
filter {
name = "name"
values = ["amzn2-ami-*-hvm-*-arm64-gp2"]
}

# Use following command to delete infrastructure.
aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green
filter {
name = "architecture"
values = ["arm64"]
}

owners = ["amazon"]
}

resource "null_resource" "this" {

provisioner "local-exec" {
command = "aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ${data.aws_ami.this.id} --instance-type t2.micro --no-associate-public-ip-address"
interpreter = ["/bin/bash", "-c"]
}

provisioner "local-exec" {
when = destroy
command = "aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green"
interpreter = ["/bin/bash", "-c"]
}
}
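Review bot: The added `data.aws_ami.this` selects an `arm64` Amazon Linux 2 image (name filter `amzn2-ami-*-hvm-*-arm64-gp2` and `architecture = arm64`), but the `create-launch-configuration` call in `null_resource.this` passes `--instance-type t2.micro`, which is an x86_64-only type, so instances launched from this configuration cannot start (or the call is rejected). Either filter on `amzn2-ami-*-hvm-*-x86_64-gp2` with `architecture = x86_64`, or use a Graviton type such as `t4g.micro`. The `null_resource` also has no `triggers`, so a newer `most_recent` AMI does not recreate the launch configuration and the object created by the CLI is never tracked in state; `triggers = { ami = data.aws_ami.this.id }` would at least tie the two together.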
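--- a/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf
+++ b/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf
@@ -5,14 +5,6 @@ resource "aws_lb" "this" {
 subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
 internal = false
 enable_deletion_protection = false
-# subnet_mapping {
-# subnet_id = aws_subnet.subnet1.id
-# allocation_id = aws_eip.this.id
-# }
-# subnet_mapping {
-# subnet_id = aws_subnet.subnet2.id
-# allocation_id = aws_eip.this1.id
-# }
 }
 
 resource "aws_vpc" "this" {
@@ -46,12 +38,4 @@ resource "aws_security_group" "this" {
 
 resource "aws_internet_gateway" "this" {
 vpc_id = aws_vpc.this.id
-}
-
-# resource "aws_eip" "this" {
-# vpc = true
-# }
-
-# resource "aws_eip" "this1" {
-# vpc = true
-# }
+}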
Expand Up @@ -2,7 +2,13 @@ resource "null_resource" "this" {

provisioner "local-exec" {
command = "aws securityhub enable-security-hub --enable-default-standards"
interpreter = ["/bin/bash", "-c"]
}

provisioner "local-exec" {
when = destroy
command = "aws securityhub disable-security-hub"
interpreter = ["/bin/bash", "-c"]
}

}
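Review bot: The added destroy-time provisioner runs `aws securityhub disable-security-hub` for the whole account, so `terraform destroy` of this rule's infrastructure switches Security Hub off even if it was enabled independently before this apply; the create-time `enable-security-hub` likewise fails with ResourceConflictException when the service is already on, so apply is not repeatable. The `aws_securityhub_account` resource models the same enablement in state and can be imported over an existing one instead of failing; if the CLI has to stay, check `aws securityhub describe-hub` first and record whether the hub pre-existed in `triggers` so destroy only disables what this configuration enabled. The enclosing `null_resource.this` starts above the hunk.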
