Collection of Terraform modules to manually deploy Vulnerability Scanning and IDS appliances into an existing customer managed subnet in AWS.
This template is intended to be used by the customer when manual deployment mode is selected as the Deployment Mode.
The template included here creates the whole infrastructure required for a working IDS appliance and vulnerability scanning appliance. However, further steps are required to have fully functional appliances.
In this use case, the customer provides the existing subnet that the appliances are deployed into.
NOTE: It is the customer's responsibility to properly configure network access to the chosen subnet. This includes management of IGW, Routes, NACLs and NAT associated with the existing subnet. Scan and IDS appliances must be able to communicate with our Datacenters via IGW or NAT Gateway/NAT instance.
Before deploying the appliances, the following requirements must be met:
- A manual mode AWS deployment exists in the Alert Logic console (manual mode deployments need to have their scope set to at least one VPC)
- The AWS VPC ID and CIDR where the appliances will be deployed
- The subnet ID and type (public or private) where the appliances will be deployed
```hcl
#aws_assumed_role_arn = "arn:aws:iam::<aws_account>:role/<assumed_role>" // This field is only necessary when an assumed role is required. Commented out by default.
aws_profile = "aws_profile" // The AWS profile configured for credentials OR matching AWS_PROFILE environment variable
aws_cred_file = "~/.aws/credentials" // An AWS credentials file to specify your credentials
aws_region = "xx-xxxx-x" // The AWS region to deploy the appliance in
vpc_id = "vpc-xxxxxxxx" // Specify the VPC ID where the appliance will be deployed in
vpc_cidr = "10.10.0.0/16" // Specify the VPC CIDR block
ci_subnet_id = "subnet-xxxxxxxx" // Specify the existing subnet ID where the scanning appliance will be deployed in
ci_subnet_type = "Public" // Select if the subnet is a public or private subnet. Enter Public or Private
ci_instance_type = "c5.large" // AlertLogic Security Appliance EC2 instance type. Enter m4.large, m4.xlarge, m4.2xlarge, m5.large, m5.xlarge, m5.2xlarge, c4.large, c4.xlarge, c4.2xlarge, c5.large, c5.xlarge or c5.2xlarge
ids_subnet_id = "subnet-xxxxxxxx" // Specify the existing subnet ID where the appliance will be deployed in
ids_subnet_type = "Public" // Select if the subnet is a public or private subnet. Enter Public or Private
ids_instance_type = "c5.xlarge" // AlertLogic IDS Appliance EC2 instance type. Enter m4.large, m4.xlarge, m4.2xlarge, m5.large, m5.xlarge, m5.2xlarge, c4.large, c4.xlarge, c4.2xlarge, c5.large, c5.xlarge or c5.2xlarge
ids_appliance_number = "1" // Number of IDS appliances to be deployed set by the Autoscaling group
```
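The subnet type entered above has to match what the subnet's route table actually does, and the NOTE on network access is otherwise only checked when the appliance fails to phone home. The following Terraform fragment is an added example (not part of this repository) that fails the plan early instead: it rejects any `ci_subnet_type` other than the two accepted spellings, confirms the subnet belongs to `vpc_id`, and verifies that the subnet's route table has a default route through an Internet Gateway (public) or a NAT gateway/NAT instance (private). It assumes the variable names from `vars.tfvars`, Terraform 1.4 or later (`terraform_data`, `startswith`), and an explicit route table association for the subnet, because the `aws_route_table` data source matches on `association.subnet-id` and will not find a subnet that only uses the VPC main route table implicitly. The IDS subnet check is the same with the `ids_*` variables.

```hcl
# Added example, not the repository's own code. Assumes the vars.tfvars
# variable names from this README; only the scanning subnet is shown.

variable "vpc_id"       { type = string }
variable "ci_subnet_id" { type = string }

variable "ci_subnet_type" {
  type = string
  # Reject anything other than the two spellings the modules expect.
  validation {
    condition     = contains(["Public", "Private"], var.ci_subnet_type)
    error_message = "ci_subnet_type must be exactly \"Public\" or \"Private\"."
  }
}

data "aws_subnet" "ci" {
  id = var.ci_subnet_id
}

# Requires an explicit route table association for the subnet.
data "aws_route_table" "ci" {
  subnet_id = var.ci_subnet_id
}

locals {
  # Only the default route decides whether the appliance can reach the
  # Alert Logic backend: via an Internet Gateway (public subnet) or via a
  # NAT gateway / NAT instance (private subnet).
  ci_default_routes = [
    for r in data.aws_route_table.ci.routes : r if r.cidr_block == "0.0.0.0/0"
  ]
  ci_has_igw = anytrue([for r in local.ci_default_routes : startswith(r.gateway_id, "igw-")])
  ci_has_nat = anytrue([for r in local.ci_default_routes : r.nat_gateway_id != "" || r.instance_id != ""])
  ci_observed_type = local.ci_has_igw ? "Public" : (local.ci_has_nat ? "Private" : "NoEgress")
}

# terraform_data manages no real resource; its preconditions stop the plan
# before the security groups and ASGs are created if the subnet is unusable.
resource "terraform_data" "ci_subnet_guard" {
  lifecycle {
    precondition {
      condition     = data.aws_subnet.ci.vpc_id == var.vpc_id
      error_message = "ci_subnet_id ${var.ci_subnet_id} is not in vpc_id ${var.vpc_id}."
    }
    precondition {
      condition     = local.ci_observed_type == var.ci_subnet_type
      error_message = "ci_subnet_type is ${var.ci_subnet_type} but the route table shows ${local.ci_observed_type}; the appliance needs a default route via an IGW or NAT gateway/instance to reach Alert Logic."
    }
  }
}
```

Because `terraform_data` has no side effects, the guard can be kept in `deploy.tf` permanently: `terraform plan` reports the mismatch as an error in the plan phase, so a wrong subnet type or a subnet with no egress never gets as far as launching instances that cannot register.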
The template will create the following resources in each Subnet provided (see Appendix A for details on each resource):
- A security group for the Scanning appliance
- A security launch template for the Scanning appliance
- A security auto scaling group with a single instance (default) for the Scanning appliance
- A security group for the IDS appliance (if create_ids is set to 1)
- A security launch template for the IDS appliance (if create_ids is set to 1)
- A security auto scaling group with a single instance (default) for the IDS appliance (if create_ids is set to 1)
- Clone or download the entire repository to your working directory, e.g. ~/aws-manual-deployment:

```
.
├── deploy.tf
├── module
│   ├── ci_scan
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── ids
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
├── README.md
└── vars.tfvars

3 directories, 9 files
```

- Add all the required variable values in a separate file under the same directory, e.g. vars.tfvars
- Run Terraform initialization and apply to create the security resources in AWS:

```
terraform init
terraform apply -var-file=vars.tfvars
```
Provider configuration: This Terraform configuration authenticates with the shared_credentials_file method. Credentials can be provided from a separate file (the default file name is credentials.tf). Variables can be loaded from a separate file or passed as parameters. See https://www.terraform.io/docs/providers/aws/#authentication for more options.
If you need to assume a role with your user account, replace the existing "aws" provider section with the following:

```hcl
provider "aws" {
  assume_role {
    role_arn = var.aws_assumed_role_arn
  }
  shared_credentials_file = var.aws_cred_file
  profile                 = var.aws_profile
  region                  = var.aws_region
}
```

Make sure to add the following variable to the variables section below:

```hcl
variable "aws_assumed_role_arn" {}
```

Make sure that you also uncomment the aws_assumed_role_arn line in the vars.tfvars file.
This section provides details about each resource created by the template.
Every security group is configured to have the following attributes:
Attribute Name | Attribute Value |
---|---|
name | AlertLogic IDS/Scan Security Group |
description | AlertLogic IDS/Scan Security Group |
As the appliances need to connect to the Alert Logic back-end as well as to customer infrastructure inside the VPC, the following rules are configured:
For Scanning:
direction | protocol | ports | CIDR | Notes |
---|---|---|---|---|
out | tcp | 53 | 0.0.0.0/0 | DNS operations |
out | tcp | 443 | 0.0.0.0/0 | Appliance updates to backend over HTTPS |
out | udp | 53 | 0.0.0.0/0 | DNS operations |
out | all | all | <VpcCidrBlock> | Internal scan functionality |
For IDS:
direction | protocol | ports | CIDR | Notes |
---|---|---|---|---|
in | tcp | 443 | <VpcCidrBlock> | Agent updates (single point of egress only) |
in | tcp | 7777 | <VpcCidrBlock> | Agent network data transport |
out | tcp | 53 | <GoogleDNS> | DNS operations |
out | tcp | 443 | <AlertLogicDC> | Appliance updates to backend |
out | tcp | 4138 | <AlertLogicDC> | Event transport to backend |
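The two rule tables above, written out as Terraform security groups so the tables can be compared against what actually lands in the account. This is an added example, not the module's own `main.tf` (which may differ in naming or structure). It assumes `vpc_id` and `vpc_cidr` from `vars.tfvars` and introduces two hypothetical list variables, `google_dns_cidrs` and `alertlogic_dc_cidrs`, standing in for the `<GoogleDNS>` and `<AlertLogicDC>` placeholders in the IDS table; their values are not on this page and must come from your deployment's documentation.

```hcl
# Added example, not the repository's own code. The rule lists mirror the
# Scanning and IDS tables in this README one row per entry.

variable "vpc_id"   { type = string }
variable "vpc_cidr" { type = string }

# Hypothetical inputs for the <GoogleDNS> and <AlertLogicDC> placeholders.
variable "google_dns_cidrs" {
  type        = list(string)
  description = "Resolver CIDRs the IDS appliance may query (placeholder for <GoogleDNS>)"
}
variable "alertlogic_dc_cidrs" {
  type        = list(string)
  description = "Alert Logic data-center CIDRs (placeholder for <AlertLogicDC>)"
}

locals {
  scan_egress = [
    { desc = "DNS operations",                          proto = "tcp", from = 53,  to = 53,  cidrs = ["0.0.0.0/0"] },
    { desc = "Appliance updates to backend over HTTPS", proto = "tcp", from = 443, to = 443, cidrs = ["0.0.0.0/0"] },
    { desc = "DNS operations",                          proto = "udp", from = 53,  to = 53,  cidrs = ["0.0.0.0/0"] },
    # protocol "-1" with ports 0-0 is how the AWS provider expresses "all".
    { desc = "Internal scan functionality",             proto = "-1",  from = 0,   to = 0,   cidrs = [var.vpc_cidr] },
  ]
  ids_ingress = [
    { desc = "Agent updates (single point of egress only)", proto = "tcp", from = 443,  to = 443,  cidrs = [var.vpc_cidr] },
    { desc = "Agent network data transport",               proto = "tcp", from = 7777, to = 7777, cidrs = [var.vpc_cidr] },
  ]
  ids_egress = [
    { desc = "DNS operations",               proto = "tcp", from = 53,   to = 53,   cidrs = var.google_dns_cidrs },
    { desc = "Appliance updates to backend", proto = "tcp", from = 443,  to = 443,  cidrs = var.alertlogic_dc_cidrs },
    { desc = "Event transport to backend",   proto = "tcp", from = 4138, to = 4138, cidrs = var.alertlogic_dc_cidrs },
  ]
}

resource "aws_security_group" "scan" {
  name        = "AlertLogic Scan Security Group"
  description = "AlertLogic Scan Security Group"
  vpc_id      = var.vpc_id

  # No ingress block: the scanner only initiates connections. Declaring any
  # egress block replaces the provider's default allow-all egress rule.
  dynamic "egress" {
    for_each = local.scan_egress
    content {
      description = egress.value.desc
      protocol    = egress.value.proto
      from_port   = egress.value.from
      to_port     = egress.value.to
      cidr_blocks = egress.value.cidrs
    }
  }
}

resource "aws_security_group" "ids" {
  name        = "AlertLogic IDS Security Group"
  description = "AlertLogic IDS Security Group"
  vpc_id      = var.vpc_id

  # Agents inside the VPC push traffic to the appliance on 443 and 7777.
  dynamic "ingress" {
    for_each = local.ids_ingress
    content {
      description = ingress.value.desc
      protocol    = ingress.value.proto
      from_port   = ingress.value.from
      to_port     = ingress.value.to
      cidr_blocks = ingress.value.cidrs
    }
  }

  # Outbound is pinned to the resolver and Alert Logic ranges only.
  dynamic "egress" {
    for_each = local.ids_egress
    content {
      description = egress.value.desc
      protocol    = egress.value.proto
      from_port   = egress.value.from
      to_port     = egress.value.to
      cidr_blocks = egress.value.cidrs
    }
  }
}
```

Keeping the rules in a local list makes a review diff against the tables trivial, and it keeps the IDS group from inheriting the unrestricted egress the AWS provider adds when no `egress` block is present at all; the scanning group's 0.0.0.0/0 entries are deliberate because the table defines them that way.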
Every launch template is configured to have the following attributes:
Attribute Name | Attribute Value |
---|---|
name | AlertLogic-IDS/Scan-Template--idsappliance |
image_id | AMI ID depends on the region and is preconfigured in the template to have the latest version |
instance_type | This is the instance type set as input parameter |
NOTE: The AMI IDs used are shared automatically with the AWS account by Alert Logic when the deployment is created in the UI.
Every auto scaling group is configured to have the following attributes:
Attribute Name | Attribute Value |
---|---|
name | AlertLogic IDS/Scan ASG |
DesiredCapacity | Provided appliance number or 1 if not provided |