diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf index 6dcb11bdf..4a7056060 100644 --- a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf +++ b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf @@ -1,8 +1,22 @@ -###### The step to be done before run infrastructure is to run command below -# sudo openssl req -x509 -nodes -days 40 -newkey rsa:2048 -keyout private.key -out certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} resource "aws_iam_server_certificate" "this" { name = "086_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf index e0d1e381b..fdde11eea 100644 --- a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf +++ b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf 
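Review bot: The green fixture for the "expire in one month" rule now mints a 20-day certificate (`-days 20` in the `null_resource` command), which is exactly the non-compliant case the rule looks for — the removed comment used `-days 40`, and the red variant of this rule in the same commit also uses 20, so green and red are now indistinguishable. Restore a validity clearly outside the 30-day window, e.g. `... openssl req -x509 -nodes -days 40 -newkey rsa:2048 -keyout private.key -out certificate.crt`. Separately, the `-nodes` private key is written unencrypted into the module directory and read back through `data.local_file`, which puts it in plan output and state; treat the key as disposable and make sure `private.key`/`certificate.crt` are git-ignored. The missing trailing newline on the final `}` is cosmetic but worth fixing while here.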
@@ -1,8 +1,23 @@ -###### The step to be done before run infrastructure is to run command below -# sudo openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + resource "aws_iam_server_certificate" "this" { name = "086_certificate_red" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf index 7948899e5..e3f38d2d9 100644 --- a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf +++ b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf 
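Review bot: Shelling out to `openssl` from `local-exec` and answering the interactive prompts with `echo -e '\n\n…'` is fragile (the prompt count depends on the host's openssl.cnf, and the command blocks or fails when it differs) and leaves `private.key` on disk after `terraform destroy`. The 438 red `asg.tf` hunk in this same commit already pulls in the `tls` provider, so the certificate can be generated in-graph with `tls_private_key` + `tls_self_signed_cert`, which gives a deterministic validity period, needs no host binary and writes no files. The replacement is sketched below; `allowed_uses` is required by the provider and the subject is arbitrary for a test fixture. The key and cert still end up in state either way, so state for these fixtures should be treated as sensitive.
```hcl
resource "tls_private_key" "this" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "this" {
  private_key_pem       = tls_private_key.this.private_key_pem
  validity_period_hours = 20 * 24
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]

  subject {
    common_name = "086-red.example.com"
  }
}

resource "aws_iam_server_certificate" "this" {
  name             = "086_certificate_red"
  certificate_body = tls_self_signed_cert.this.cert_pem
  private_key      = tls_private_key.this.private_key_pem
}
```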
@@ -1,8 +1,23 @@ -###### The step to be done before run infrastructure is to run command below -# sudo openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} resource "aws_iam_server_certificate" "this" { name = "087_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content + +} \ No newline at end of file diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf index 7b67b1b5f..2bd3281d3 100644 --- a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf +++ b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf 
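Review bot: `data.local_file.private_key.content` is a plain, non-sensitive value, so the freshly generated RSA private key is printed in full in every `terraform plan`/`apply` diff for `aws_iam_server_certificate.this`. The hashicorp/local provider (2.2 and later) has a `local_sensitive_file` data source for exactly this: `data "local_sensitive_file" "private_key" { filename = "private.key" ... }` together with `private_key = data.local_sensitive_file.private_key.content` keeps it out of console output (it still lands in state, which is unavoidable for this resource). The same applies to the sibling certificate fixtures in this commit. The extra blank line before the closing `}` of `aws_iam_server_certificate` looks like an editing leftover.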
@@ -1,8 +1,22 @@ -###### The step to be done before run infrastructure is to run command below -# sudo openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} -resource "aws_iam_server_certificate" "this" { - name = "087_certificate_red" - certificate_body = file("second-certificate.crt") - private_key = file("second-private.key") +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] } + +resource "aws_iam_server_certificate" "this" { + name = "086_certificate_red" + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf index b777da4b2..f8c71812a 100644 --- a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf +++ b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf @@ -5,10 +5,6 @@ resource "aws_lb" "this" { subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] } -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt - - resource "aws_lb_target_group" "this" { name = "lb-target-group-264-green" port = 443 
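Review bot: The IAM certificate in this hunk is renamed to `086_certificate_red`, but this is the 087 (one-week) fixture — the removed line had `087_certificate_red`. IAM server certificate names are unique per account, so applying the 086 red and 087 red fixtures in the same account will fail with `EntityAlreadyExists` on the second one, and any harness that selects the fixture by name will pick up the wrong certificate. Restore `name = "087_certificate_red"`. The 264 green hunk that also ends on this line only drops a stale comment.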
@@ -31,8 +27,25 @@ resource "aws_lb_listener" "this" { resource "aws_iam_server_certificate" "this" { name = "264_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} + +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 50 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] } resource "aws_vpc" "this" { diff --git a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf index 7685a3329..5be13b66c 100644 --- a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf +++ b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf @@ -1,6 +1,3 @@ -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt - resource "aws_lb" "this" { name = "nlb-264-red" internal = false 
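Review bot: The `echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' |` prefix on the `openssl req` command hard-codes eight prompt answers, which only matches the distinguished-name prompt count of the openssl.cnf on the machine running `terraform apply`; with a different config the command blocks or fails (the `interpreter` is pinned to bash, so `echo -e` itself is fine). `openssl req` can run non-interactively instead: `command = "openssl req -x509 -nodes -batch -subj '/CN=264-green' -days 50 -newkey rsa:2048 -keyout private.key -out certificate.crt"`. The green fixture uses `-days 50` while the red variant in this commit uses 32; validity is irrelevant to the NLB security-policy rule, but a short comment saying so would stop the next reader from hunting for a reason. The `aws_vpc` resource continues past the end of the hunk.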
@@ -31,10 +28,28 @@ resource "aws_lb_listener" "this" { resource "aws_iam_server_certificate" "this" { name = "264_certificate_red" - certificate_body = file("certificate.crt") - private_key = file("private.key") + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content } +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + + resource "aws_vpc" "this" { cidr_block = "10.0.0.0/16" instance_tenancy = "default" diff --git a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf index 9903a38c2..a8366307d 100644 --- a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf +++ b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf 
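Review bot: `null_resource.this` generates the key and certificate once and never cleans up, so the unencrypted `private.key` (created with `-nodes`) stays in the module directory after `terraform destroy` and is easy to commit by accident. Add a destroy-time provisioner to the same resource — `provisioner "local-exec" { when = destroy` / `command = "rm -f private.key certificate.crt" }` — and make sure both file names are git-ignored. Because the resource has no `triggers`, the only way to regenerate the certificate later is `terraform taint null_resource.this`, which is worth stating in a comment above the resource. The `aws_vpc` block continues past the end of the hunk.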
@@ -1,7 +1,22 @@ -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + resource "aws_iam_server_certificate" "this" { name = "279_server_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf index 4c08689be..ae67732c0 100644 --- a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf +++ b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf 
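Review bot: `depends_on = [null_resource.this]` on the two `data "local_file"` blocks only defers the read while `null_resource.this` is being created; once it exists in state, Terraform reads `certificate.crt`/`private.key` at plan time, so a fresh checkout (or a `git clean`) against existing state fails with a file-not-found error instead of regenerating the certificate. Document the recovery path at the top of the resource, e.g. `# After a fresh checkout regenerate the self-signed cert with: terraform taint null_resource.this`, or give the resource a `triggers` map so it can be re-run deliberately. With `-days 365` this green fixture also stops being "not expired" after a year, at which point the green/red distinction collapses — a comment stating that expectation would help whoever inherits it.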
@@ -1,7 +1,22 @@ -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt - ### we can't create expired certificate +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + resource "aws_iam_server_certificate" "this" { name = "279_server_certificate_red" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf b/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf index a10d19d9c..6ef54ec14 100644 --- a/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf +++ b/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf 
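Review bot: The removed comment `### we can't create expired certificate` documented a real limitation that the new hunk silently drops: `openssl req -x509` cannot mint an already-expired certificate, so with `-days 1` this "red" fixture is actually compliant at apply time and only becomes non-compliant roughly 24 hours later (assuming IAM accepts the upload, which it should for a currently valid cert). Keep that caveat next to the command, e.g. `# NOTE: openssl cannot issue an already-expired cert; this fixture turns red only ~24h after apply`, so a test run immediately after apply is not mistaken for a policy bug. If the harness needs an immediately-expired certificate, the notBefore/notAfter window has to be backdated with a tool such as `faketime`, which is worth stating explicitly as out of scope.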
@@ -1,20 +1,27 @@ -# In order to create red infrastructure manual steps are required. -# 1. Before running 'terraform apply' create key pair using a 'ssh-keygen -f ~/key_pair -m PEM' command. -# 2. Run 'terraform apply'. -# 3. Go to https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#KeyPairs and delete '438_key_pair_red' key pair. -# 4. Run custodian policy. +resource "null_resource" "this" { + provisioner "local-exec" { + command = "aws ec2 delete-key-pair --key-name ${aws_key_pair.this.key_name}" + interpreter = ["/bin/bash", "-c"] + } + + depends_on = [aws_autoscaling_group.this] +} +resource "tls_private_key" "rsa" { +algorithm = "RSA" +rsa_bits = 4096 +} resource "aws_key_pair" "this" { key_name = "438_key_pair_red" - public_key = file("${path.module}/key_pair.pub") + public_key = tls_private_key.rsa.public_key_openssh } resource "aws_launch_template" "this" { name_prefix = "438_launch_template_red" image_id = data.aws_ami.this.id instance_type = "t2.micro" - key_name = "438_key_pair_red" + key_name = "438_key_pair_red" } data "aws_ami" "this" { @@ -40,8 +47,8 @@ resource "aws_autoscaling_group" "this" { } tag { - key = "CustodianRule" - value = "ecc-aws-438-autoscaling_group_has_valid_configuration" + key = "CsutodianRule" + value = "epam-aws-438-autoscaling_group_has_valid_configuration" propagate_at_launch = true } diff --git a/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf b/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf index cebd20b0d..5884d28b7 100644 --- a/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf +++ b/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf 
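Review bot: The `null_resource` that deletes the key pair has no `triggers`, so it runs exactly once; on any later `terraform apply` the refresh sees that `aws_key_pair.this` is gone and recreates it, the delete never re-runs, and the ASG silently stops being the "invalid configuration" red case. Add `triggers = { key_pair_id = aws_key_pair.this.id }` so the deletion is replayed whenever the key pair is (re)created. Separately, `aws_launch_template.this` uses the literal `key_name = "438_key_pair_red"` instead of `aws_key_pair.this.key_name`, which drops the dependency edge and lets the template be created before the key pair exists. The new `tls_private_key` block is also unindented relative to the rest of the file, and the `aws_ami` data block is cut off by the end of the hunk.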
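Review bot: The tag key changes from `CustodianRule` to `CsutodianRule` — a typo, and since the removed line shows `CustodianRule` was the established key, anything that selects test resources by that tag will now skip this ASG. The value also moves from the `ecc-aws-438-…` rule name to `epam-aws-438-…`; if that rename is intentional it should be applied across the repo, otherwise revert both lines to `key = "CustodianRule"` and `value = "ecc-aws-438-autoscaling_group_has_valid_configuration"`. The enclosing `aws_autoscaling_group` resource starts before this hunk.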
@@ -1,7 +1,30 @@ # There is a bug where 'associate_public_ip_address' has a 3 states when terraform can only provide 2 states. +data "aws_ami" "this" { + most_recent = true -# Use following command to create green infrastructure. -aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ami-06eecef118bbf9259 --instance-type t2.micro --no-associate-public-ip-address + filter { + name = "name" + values = ["amzn2-ami-*-hvm-*-arm64-gp2"] + } -# Use following command to delete infrastructure. -aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green \ No newline at end of file + filter { + name = "architecture" + values = ["arm64"] + } + + owners = ["amazon"] +} + +resource "null_resource" "this" { + + provisioner "local-exec" { + command = "aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ${data.aws_ami.this.id} --instance-type t2.micro --no-associate-public-ip-address" + interpreter = ["/bin/bash", "-c"] + } + + provisioner "local-exec" { + when = destroy + command = "aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green" + interpreter = ["/bin/bash", "-c"] + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf b/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf index 6cf8277df..1c062977a 100644 --- a/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf +++ b/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf @@ -5,14 +5,6 @@ resource "aws_lb" "this" { subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] internal = false enable_deletion_protection = false - # subnet_mapping { - # subnet_id = aws_subnet.subnet1.id - # allocation_id = aws_eip.this.id - # } - # subnet_mapping { - # subnet_id = aws_subnet.subnet2.id - # allocation_id = aws_eip.this1.id - # } } resource "aws_vpc" "this" { 
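Review bot: The `aws_ami` data source filters for `arm64` Amazon Linux 2 images, but the launch configuration created by the `local-exec` command uses `--instance-type t2.micro`, an x86_64 instance type; `create-launch-configuration` may accept it, but any instance launched from it fails on the architecture mismatch, making this "green" fixture unusable in an ASG. Either change the filters to `values = ["amzn2-ami-*-hvm-*-x86_64-gp2"]` / `values = ["x86_64"]` or use `t4g.micro`. Because the data source has `most_recent = true` and the `null_resource` has no `triggers`, a newer AMI will also never propagate to the launch configuration; a `triggers = { ami = data.aws_ami.this.id }` map would make the provisioner re-run (and the destroy-time delete run first). The 809 red hunk that shares this line is a pure deletion of commented-out code.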
@@ -46,12 +38,4 @@ resource "aws_security_group" "this" { resource "aws_internet_gateway" "this" { vpc_id = aws_vpc.this.id -} - -# resource "aws_eip" "this" { -# vpc = true -# } - -# resource "aws_eip" "this1" { -# vpc = true -# } \ No newline at end of file +} \ No newline at end of file diff --git a/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf b/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf index 5bd083775..498cdd2b2 100644 --- a/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf +++ b/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf @@ -2,7 +2,13 @@ resource "null_resource" "this" { provisioner "local-exec" { command = "aws securityhub enable-security-hub --enable-default-standards" + interpreter = ["/bin/bash", "-c"] + } + provisioner "local-exec" { + when = destroy + command = "aws securityhub disable-security-hub" interpreter = ["/bin/bash", "-c"] } + } \ No newline at end of file
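Review bot: `aws securityhub enable-security-hub` fails with `ResourceConflictException` when Security Hub is already enabled in the target account/region, and the new destroy-time `aws securityhub disable-security-hub` disables Security Hub account-wide — including standards and findings that existed before this fixture — so in a shared account the resource is both non-idempotent and destructive. The AWS provider has a native `aws_securityhub_account` resource that models this as state: `resource "aws_securityhub_account" "this" { enable_default_standards = true }` (the argument exists in provider 4.x and later). If the `local-exec` path has to stay, guard the enable with `aws securityhub describe-hub >/dev/null 2>&1 ||` and drop the unconditional disable, or at least comment that destroy turns Security Hub off for the whole account. The 809 red hunk earlier on this line is a pure deletion.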