From f2dbca91c346820262cd93a84ae35fe91368cea5 Mon Sep 17 00:00:00 2001
From: Manuel Weber
Date: Wed, 24 Jul 2024 13:33:14 +0200
Subject: [PATCH 1/5] deprecated: oracle7_cis
Signed-off-by: Manuel Weber
---
 aws/ec2-instances/amis.tf | 30 +++++++++---------
 aws/ec2-instances/main.tf | 58 +++++++++++++++++-----------------
 aws/ec2-instances/outputs.tf | 14 ++++----
 aws/ec2-instances/variables.tf | 14 ++++----
 4 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/aws/ec2-instances/amis.tf b/aws/ec2-instances/amis.tf
index 7e09800..d8166cb 100644
--- a/aws/ec2-instances/amis.tf
+++ b/aws/ec2-instances/amis.tf
@@ -404,21 +404,21 @@ data "aws_ami" "oracle7" {
 owners = ["679593333241"]
 }
-data "aws_ami" "oracle7_cis" {
- most_recent = true
-
- filter {
- name = "name"
- values = ["CIS Oracle Linux 7 Benchmark*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-
- owners = ["679593333241"]
-}
+#data "aws_ami" "oracle7_cis" {
+# most_recent = true
+#
+# filter {
+# name = "name"
+# values = ["CIS Oracle Linux 7 Benchmark*"]
+# }
+#
+# filter {
+# name = "virtualization-type"
+# values = ["hvm"]
+# }
+#
+# owners = ["679593333241"]
+#}
 data "aws_ami" "oracle8" {
 most_recent = true
diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf
index 7cf2ea3..b745e74 100644
--- a/aws/ec2-instances/main.tf
+++ b/aws/ec2-instances/main.tf
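Review bot: The `oracle7_cis` data source is commented out line by line rather than deleted, and the main.tf and outputs.tf hunks of this patch do the same with the two module blocks and the two output blocks. Git history already holds the removed definitions, so the commented copies are dead HCL that `terraform fmt` and validation skip and that will silently drift from the live blocks around them. Deleting the blocks and leaving one marker such as `# oracle7_cis removed: CIS Oracle Linux 7 Benchmark AMI is no longer provisioned` where the data source stood keeps the signal without the dead code. If the README table still lists Oracle 7 CIS rows (they would sit above the Oracle 8 rows visible in patch 3's hunk), this series does not touch them.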
@@ -318,35 +318,35 @@ module "oracle7_cnspec" {
 user_data_replace_on_change = true
 }
-module "oracle7_cis" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_oracle7_cis
- name = "${var.prefix}-oracle7-cis-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle7_cis.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
-}
-
-module "oracle7_cis_cnspec" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_oracle7_cis_cnspec
- name = "${var.prefix}-oracle7-cis-cnspec-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle7_cis.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
- user_data = base64encode(local.linux_user_data)
- user_data_replace_on_change = true
-}
+#module "oracle7_cis" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle7_cis
+# name = "${var.prefix}-oracle7-cis-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle7_cis.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+#}
+
+#module "oracle7_cis_cnspec" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle7_cis_cnspec
+# name = "${var.prefix}-oracle7-cis-cnspec-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle7_cis.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+# user_data = base64encode(local.linux_user_data)
+# user_data_replace_on_change = true
+#}
 // Oracle 8
diff --git a/aws/ec2-instances/outputs.tf b/aws/ec2-instances/outputs.tf
index f2bc782..87ea1e8 100644
--- a/aws/ec2-instances/outputs.tf
+++ b/aws/ec2-instances/outputs.tf
@@ -190,13 +190,13 @@ output "oracle7_cnspec" {
 value = module.oracle7_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cnspec.public_ip}"
 }
-output "oracle7_cis" {
- value = module.oracle7_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis.public_ip}"
-}
-
-output "oracle7_cis_cnspec" {
- value = module.oracle7_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis_cnspec.public_ip}"
-}
+#output "oracle7_cis" {
+# value = module.oracle7_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis.public_ip}"
+#}
+#
+#output "oracle7_cis_cnspec" {
+# value = module.oracle7_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis_cnspec.public_ip}"
+#}
 # oracle8
 output "oracle8" {
diff --git a/aws/ec2-instances/variables.tf b/aws/ec2-instances/variables.tf
index 3a1374f..6d14524 100644
--- a/aws/ec2-instances/variables.tf
+++ b/aws/ec2-instances/variables.tf
@@ -272,13 +272,13 @@ variable "create_oracle7_cnspec" {
 default = false
 }
-variable "create_oracle7_cis" {
- default = false
-}
-
-variable "create_oracle7_cis_cnspec" {
- default = false
-}
+#variable "create_oracle7_cis" {
+# default = false
+#}
+#
+#variable "create_oracle7_cis_cnspec" {
+# default = false
+#}
 variable "create_oracle8" {
 default = false
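Review bot: Dropping `variable "create_oracle7_cis"` and `variable "create_oracle7_cis_cnspec"` turns any tfvars file or `-var` setting that still names them into Terraform's undeclared-variable path (a warning for tfvars, an error for a command-line `-var`), which is a harder break than the subject line's "deprecated" implies. Keeping the two declarations with `default = false` and a `description = "DEPRECATED: the CIS Oracle Linux 7 AMI is no longer provisioned; this flag is ignored."`, then removing them in a later release, gives callers a migration window. A `validation` block that rejects `true` would make the ignored flag fail loudly instead of silently doing nothing.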
From 34f7f7d54018a886c9b8436b7a75555245aa5184 Mon Sep 17 00:00:00 2001
From: Manuel Weber
Date: Fri, 26 Jul 2024 11:19:05 +0200
Subject: [PATCH 2/5] add oracle 9 vanilla
Signed-off-by: Manuel Weber
---
 aws/ec2-instances/amis.tf | 34 +++++++++++++++++++
 aws/ec2-instances/main.tf | 62 ++++++++++++++++++++++++++++++++++
 aws/ec2-instances/outputs.tf | 18 ++++++++++
 aws/ec2-instances/variables.tf | 17 ++++++++++
 4 files changed, 131 insertions(+)
diff --git a/aws/ec2-instances/amis.tf b/aws/ec2-instances/amis.tf
index d8166cb..b529a46 100644
--- a/aws/ec2-instances/amis.tf
+++ b/aws/ec2-instances/amis.tf
@@ -451,6 +451,40 @@ data "aws_ami" "oracle8_cis" {
 owners = ["679593333241"]
 }
+
+data "aws_ami" "oracle9" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["*(SupportedImages) - Oracle Linux 9 LATEST x86_64*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["679593333241"]
+}
+
+
+data "aws_ami" "oracle9_cis" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["CIS Oracle Linux 9 Benchmark*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["679593333241"]
+}
+
 data "aws_ami" "rocky9" {
 most_recent = true
diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf
index b745e74..8c7291a 100644
--- a/aws/ec2-instances/main.tf
+++ b/aws/ec2-instances/main.tf
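Review bot: Both new data sources resolve the newest image whose name matches a wildcard under owner `679593333241`, which is the shared AWS Marketplace publisher account rather than a vendor account, so the `name` filter is the only thing tying the lookup to the Oracle or CIS listing; the `rhel9_cis` data source in patch 4 (`CIS Red Hat Enterprise Linux 9*Level 2*`) has the same shape. With `most_recent = true`, any later marketplace listing whose name happens to match `*(SupportedImages) - Oracle Linux 9 LATEST x86_64*` or `CIS Oracle Linux 9 Benchmark*` is selected silently and the next plan proposes replacing the instance on it. Adding a second filter, `filter { name = "product-code" values = ["<product code of the README-linked listing>"] }`, pins each lookup to one listing; failing that, surfacing `data.aws_ami.oracle9_cis.id` and `.name` in an output lets whoever reviews a plan see which image was chosen.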
@@ -410,6 +410,68 @@ module "oracle8_cis_cnspec" {
 user_data_replace_on_change = true
 }
+// Oracle 9
+module "oracle9" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_oracle9
+ name = "${var.prefix}-oracle9-${random_id.instance_id.id}"
+ ami = data.aws_ami.oracle9.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+}
+
+module "oracle8_cnspec" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_oracle9_cnspec
+ name = "${var.prefix}-oracle9-cnspec-${random_id.instance_id.id}"
+ ami = data.aws_ami.oracle9.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+ user_data = base64encode(local.linux_user_data)
+ user_data_replace_on_change = true
+}
+
+module "oracle8_cis" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_oracle9_cis
+ name = "${var.prefix}-oracle9-cis-${random_id.instance_id.id}"
+ ami = data.aws_ami.oracle9_cis.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+}
+
+module "oracle8_cis_cnspec" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_oracle9_cis_cnspec
+ name = "${var.prefix}-oracle9-cis-cnspec-${random_id.instance_id.id}"
+ ami = data.aws_ami.oracle9_cis.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+ user_data = base64encode(local.linux_user_data)
+ user_data_replace_on_change = true
+}
+
+
 // Red Hat Linux 9
 module "rhel9" {
diff --git a/aws/ec2-instances/outputs.tf b/aws/ec2-instances/outputs.tf
index 87ea1e8..623dc6f 100644
--- a/aws/ec2-instances/outputs.tf
+++ b/aws/ec2-instances/outputs.tf
@@ -215,6 +215,24 @@ output "oracle8_cis_cnspec" {
 value = module.oracle8_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle8_cis_cnspec.public_ip}"
 }
+# oracle9
+output "oracle9" {
+ value = module.oracle9.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9.public_ip}"
+}
+
+output "oracle9_cnspec" {
+ value = module.oracle9_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cnspec.public_ip}"
+}
+
+output "oracle9_cis" {
+ value = module.oracle9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cis.public_ip}"
+}
+
+output "oracle9_cis_cnspec" {
+ value = module.oracle9_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle9_cis_cnspec.public_ip}"
+}
+
+
 # rocky9
 output "rocky9" {
 value = module.rocky9.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} rocky@${module.rocky9.public_ip}"
diff --git a/aws/ec2-instances/variables.tf b/aws/ec2-instances/variables.tf
index 6d14524..40e9c24 100644
--- a/aws/ec2-instances/variables.tf
+++ b/aws/ec2-instances/variables.tf
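Review bot: The three module blocks added after `module "oracle9"` are labelled `oracle8_cnspec`, `oracle8_cis` and `oracle8_cis_cnspec`, names that already exist in this file (the hunk's own header context `module "oracle8_cis_cnspec"` is one of them), so `terraform validate` fails at this commit with duplicate module calls; their `create`, `name` and `ami` arguments are already the oracle9 values, only the labels are wrong. The outputs.tf hunk of the same patch reads `module.oracle9_cnspec`, `module.oracle9_cis` and `module.oracle9_cis_cnspec`, which do not exist until patch 5 renames the blocks. Patch 5 corrects the labels, so fixing them here or squashing patch 5 into this commit keeps every commit in the series plannable, which matters for bisecting and for anyone cherry-picking the Oracle 9 addition on its own.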
@@ -296,6 +296,23 @@ variable "create_oracle8_cis_cnspec" {
 default = false
 }
+variable "create_oracle9" {
+ default = false
+}
+
+variable "create_oracle9_cnspec" {
+ default = false
+}
+
+variable "create_oracle9_cis" {
+ default = false
+}
+
+variable "create_oracle9_cis_cnspec" {
+ default = false
+}
+
+
 variable "create_rocky9" {
 default = false
 }
From 1ec37e753e6a6fc9f793aa8b6ab6616bb9849dcf Mon Sep 17 00:00:00 2001
From: Manuel Weber
Date: Fri, 26 Jul 2024 11:21:26 +0200
Subject: [PATCH 3/5] add oracle 9 vanilla+readme
Signed-off-by: Manuel Weber
---
 aws/ec2-instances/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/aws/ec2-instances/README.md b/aws/ec2-instances/README.md
index df997ec..f9e178d 100644
--- a/aws/ec2-instances/README.md
+++ b/aws/ec2-instances/README.md
@@ -36,6 +36,10 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t
 | Oracle 8 cnspec | Latest Oracle 8 image with latest cnspec | `create_oracle8_cnspec` | |
 | Oracle 8 CIS | CIS Oracle Linux 8 Benchmark - Level 1 | `create_oracle8_cis` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) |
 | Oracle 8 CIS cnspec | CIS Oracle Linux 8 Benchmark - Level 1 with latest cnspec | `create_oracle8_cis_cnspec` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) |
+| Oracle 9 | Latest Oracle 9 image | `create_oracle9` | |
+| Oracle 9 cnspec | Latest Oracle 9 image with latest cnspec | `create_oracle9_cnspec` | |
+| Oracle 9 CIS | CIS Oracle Linux 9 Benchmark - Level 1 | `create_oracle9_cis` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) |
+| Oracle 9 CIS cnspec | CIS Oracle Linux 9 Benchmark - Level 1 with latest cnspec | `create_oracle9_cis_cnspec` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) |
 | RHEL 7 | Latest Red Hat Enterprise Linux 7 | `create_rhel7` | |
 | RHEL 7 cnspec | Latest Red Hat Enterprise Linux 7 with latest cnspec | `create_rhel7_cnspec` | | RHEL 7 mondoo pass private | Saved image of a manually hardened CIS RHEL7 image (which CIS deleted) | `create_rhel7_pass_private` | |
From 71f950676ed0a24f6e883c48dd984b2a68846a97 Mon Sep 17 00:00:00 2001
From: Manuel Weber
Date: Fri, 26 Jul 2024 11:51:51 +0200
Subject: [PATCH 4/5] add RHEL9 L2
Signed-off-by: Manuel Weber
---
 aws/ec2-instances/README.md | 2 ++
 aws/ec2-instances/amis.tf | 17 +++++++++++++++++
 aws/ec2-instances/main.tf | 32 ++++++++++++++++++++++++++++++++
 aws/ec2-instances/outputs.tf | 8 ++++++++
 aws/ec2-instances/variables.tf | 8 ++++++++
 5 files changed, 67 insertions(+)
diff --git a/aws/ec2-instances/README.md b/aws/ec2-instances/README.md
index f9e178d..edbc816 100644
--- a/aws/ec2-instances/README.md
+++ b/aws/ec2-instances/README.md
@@ -49,6 +49,8 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t
 | RHEL 8 CIS cnspec | CIS Red Hat Enterprise Linux 8 STIG Benchmark with latest cnspec | `create_rhel8_cis_cnspec` | [CIS Red Hat Enterprise Linux 8 STIG Benchmark](https://aws.amazon.com/marketplace/pp/prodview-ia2nfuoig3jmu?sr=0-3&ref_=beagle&applicationId=AWSMPContessa) |
 | RHEL 9 | Latest RHEL 9 image | `create_rhel9` | |
 | RHEL 9 cnspec | Latest RHEL 9 with latest cnspec | `create_rhel9_cnspec` | |
+| RHEL 9 CIS | CIS Red Hat Enterprise Linux 9 Level 2 | `create_rhel9_cis` | [CIS Red Hat Enterprise Linux 9 - Level 2](https://aws.amazon.com/marketplace/pp/prodview-6axx7cl7vguti?sr=0-5&ref_=beagle&applicationId=AWS-EC2-Console) |
+| RHEL 9 CIS cnspec | CIS Red Hat Enterprise Linux 9 Level 2 with latest cnspec | `create_rhel9_cis_cnspec` | [CIS Red Hat Enterprise Linux 9 - Level 2](https://aws.amazon.com/marketplace/pp/prodview-6axx7cl7vguti?sr=0-5&ref_=beagle&applicationId=AWS-EC2-Console) |
 | NGINX on RHEL 9 CIS | Latest NGINX on RHEL 9 image CIS hardened | `create_nginx_rhel9_cis` | |
 | NGINX on RHEL 9 CIS cnspec | Latest NGINX on RHEL 9 image CIS hardened with latest cnspec | `create_nginx_rhel9_cis_cnspec` | |
 | SUSE 15 | Latest SUSE 15 image | `create_suse15` | |
diff --git a/aws/ec2-instances/amis.tf b/aws/ec2-instances/amis.tf
index b529a46..23ece9d 100644
--- a/aws/ec2-instances/amis.tf
+++ b/aws/ec2-instances/amis.tf
@@ -98,6 +98,23 @@ data "aws_ami" "rhel8_cis" {
 owners = ["679593333241"]
 }
+data "aws_ami" "rhel9_cis" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["CIS Red Hat Enterprise Linux 9*Level 2*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["679593333241"]
+}
+
+
 data "aws_ami" "rhel7" {
 most_recent = true
diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf
index 8c7291a..79a0e9b 100644
--- a/aws/ec2-instances/main.tf
+++ b/aws/ec2-instances/main.tf
@@ -504,6 +504,38 @@ module "rhel9_cnspec" {
 user_data_replace_on_change = true
 }
+module "rhel9_cis" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_rhel9_cis
+ name = "${var.prefix}-rhel9-cis-${random_id.instance_id.id}"
+ ami = data.aws_ami.rhel9_cis.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+}
+
+module "rhel9_cis_cnspec" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.6.1"
+
+ create = var.create_rhel9_cis_cnspec
+ name = "${var.prefix}-rhel9-cis-cnspec-${random_id.instance_id.id}"
+ ami = data.aws_ami.rhel9_cis.id
+ instance_type = var.linux_instance_type
+ vpc_security_group_ids = [module.linux_sg.security_group_id]
+ subnet_id = module.vpc.public_subnets[0]
+ key_name = var.aws_key_pair_name
+ associate_public_ip_address = true
+ user_data = base64encode(local.linux_user_data)
+ user_data_replace_on_change = true
+}
+
+
+
 // Red Hat Linux 8
 module "rhel8" {
diff --git a/aws/ec2-instances/outputs.tf b/aws/ec2-instances/outputs.tf
index 623dc6f..2b42f14 100644
--- a/aws/ec2-instances/outputs.tf
+++ b/aws/ec2-instances/outputs.tf
@@ -81,6 +81,14 @@ output "rhel9_cnspec" {
 value = module.rhel9_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cnspec.public_ip}"
 }
+output "rhel9_cis" {
+ value = module.rhel9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cis.public_ip}"
+}
+
+output "rhel9_cis_cnspec" {
+ value = module.rhel9_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel9_cis_cnspec.public_ip}"
+}
+
 # nginx on rhel9 cis
 output "nginx_rhel9_cis" {
 value = module.nginx_rhel9_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.nginx_rhel9_cis.public_ip}"
diff --git a/aws/ec2-instances/variables.tf b/aws/ec2-instances/variables.tf
index 40e9c24..b5e5504 100644
--- a/aws/ec2-instances/variables.tf
+++ b/aws/ec2-instances/variables.tf
@@ -156,6 +156,14 @@ variable "create_ubuntu1804_cnspec" {
 default = false
 }
+variable "create_rhel9_cis" {
+ default = false
+}
+
+variable "create_rhel9_cis_cnspec" {
+ default = false
+}
+
 variable "create_rhel9" {
 default = false
 }
From 7fa3c4823be42d7d94724e66c717ea490316bda3 Mon Sep 17 00:00:00 2001
From: Manuel Weber
Date: Fri, 26 Jul 2024 11:57:22 +0200
Subject: [PATCH 5/5] add RHEL9 L2++
Signed-off-by: Manuel Weber
---
 aws/ec2-instances/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf
index 79a0e9b..b19f6cd 100644
--- a/aws/ec2-instances/main.tf
+++ b/aws/ec2-instances/main.tf
@@ -425,7 +425,7 @@ module "oracle9" {
 associate_public_ip_address = true
 }
-module "oracle8_cnspec" {
+module "oracle9_cnspec" {
 source = "terraform-aws-modules/ec2-instance/aws"
 version = "~> 5.6.1"
@@ -441,7 +441,7 @@ module "oracle8_cnspec" {
 user_data_replace_on_change = true
 }
-module "oracle8_cis" {
+module "oracle9_cis" {
 source = "terraform-aws-modules/ec2-instance/aws"
 version = "~> 5.6.1"
@@ -455,7 +455,7 @@ module "oracle8_cis" {
 associate_public_ip_address = true
 }
-module "oracle8_cis_cnspec" {
+module "oracle9_cis_cnspec" {
 source = "terraform-aws-modules/ec2-instance/aws"
 version = "~> 5.6.1"