
Refactored the "qualys_vpc" module

qualys_vpc is now just the EC2 instances for the qualys
scanners.  In -live, the qualys vpc becomes the "scanners"
vpc using a standard vpc module.
Duane Waddle 4 роки тому
батько
коміт
0b08337bda

+ 0 - 3
base/qualys_scanners/README.md

@@ -1,3 +0,0 @@
-# Qualys Scanners
-
-Sets up a VPC for Qualys scanners and two scanners, as well as the (basic)

+ 45 - 8
base/qualys_scanners/ec2.tf

@@ -28,15 +28,20 @@ data aws_ami "standard" {
   }
 }
 
+# Use the default EBS key
+data "aws_kms_key" "ebs-key" {
+  key_id = "alias/ebs_root_encrypt_decrypt"
+}
 
 resource aws_instance "qualys_scanner_preauthorized" {
 
   count                       = var.create_preauthorized_scanner == true ? 1 : 0
   ami                         = data.aws_ami.preauthorized.id
   instance_type               = "t3.medium"
-  subnet_id                   = element(module.vpc.private_subnets,0)
+  subnet_id                   = var.subnets[0]
 
-  user_data                   = base64encode("PERSCODE=${var.personalization_codes["preauthorized"]}")
+  user_data                   = base64encode("PERSCODE=${var.personalization_codes["preauthorized"]}%{ if var.proxy!="" }\nPROXY_URL=${var.proxy}:80%{ endif }")
+  key_name                    = "msoc-build"
 
   ebs_optimized               = true
   vpc_security_group_ids      = [
@@ -47,12 +52,13 @@ resource aws_instance "qualys_scanner_preauthorized" {
     cpu_credits            = "unlimited"
   }
 
-  tags                        = merge(var.tags,{"Name": "qualys-scanner-preauthorized"})
-  volume_tags                 = merge(var.tags,{"Name": "qualys-scanner-preauthorized"})
+  tags                        = merge(var.standard_tags,var.tags,{"Name": "qualys-scanner-preauthorized"})
+  volume_tags                 = merge(var.standard_tags,var.tags,{"Name": "qualys-scanner-preauthorized"})
   root_block_device {
     volume_size = 100
     volume_type = "gp2"
     encrypted   = true
+    kms_key_id  = data.aws_kms_key.ebs-key.arn
   }
   lifecycle {
     ignore_changes = [ ami ]
@@ -64,9 +70,10 @@ resource aws_instance "qualys_scanner_standard" {
   count                       = var.create_standard_scanner == true ? 1 : 0
   ami                         = data.aws_ami.standard.id
   instance_type               = "t3.medium"
-  subnet_id                   = element(module.vpc.private_subnets,0)
+  subnet_id                   = var.subnets[0]
+  key_name                    = "msoc-build"
 
-  user_data                   = base64encode("PERSCODE=${var.personalization_codes["standard"]}")
+  user_data                   = base64encode("PERSCODE=${var.personalization_codes["standard"]}%{ if var.proxy!="" }\nPROXY_URL=${var.proxy}:80%{ endif }")
 
   ebs_optimized               = true
   vpc_security_group_ids      = [
@@ -77,15 +84,45 @@ resource aws_instance "qualys_scanner_standard" {
     cpu_credits            = "unlimited"
   }
 
-  tags                        = merge(var.tags,{"Name": "qualys-scanner-standard"})
-  volume_tags                 = merge(var.tags,{"Name": "qualys-scanner-standard"})
+  tags                        = merge(var.standard_tags,var.tags,{"Name": "qualys-scanner-standard"})
+  volume_tags                 = merge(var.standard_tags,var.tags,{"Name": "qualys-scanner-standard"})
   root_block_device {
     volume_size = 100
     volume_type = "gp2"
     encrypted   = true
+    kms_key_id  = data.aws_kms_key.ebs-key.arn
   }
 
   lifecycle {
     ignore_changes = [ ami ]
   }
 }
+
+module "private_dns_record_preauthorized" {
+  source = "../../submodules/dns/private_A_record"
+  count  = var.create_preauthorized_scanner == true ? 1 : 0
+
+  name = "qualys-preauthorized"
+  ip_addresses = [ aws_instance.qualys_scanner_preauthorized[count.index].private_ip ]
+  dns_info = var.dns_info
+  reverse_enabled = var.reverse_enabled
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}
+
+module "private_dns_record_standard" {
+  source = "../../submodules/dns/private_A_record"
+
+  count = var.create_standard_scanner == true ? 1 : 0
+
+  name = "qualys-standard"
+  ip_addresses = [ aws_instance.qualys_scanner_standard[count.index].private_ip ]
+  dns_info = var.dns_info
+  reverse_enabled = var.reverse_enabled
+
+  providers = {
+    aws.c2 = aws.c2
+  }
+}

+ 0 - 65
base/qualys_scanners/main.tf

@@ -1,65 +0,0 @@
-data "aws_availability_zones" "available" {
-  state = "available"
-}
-
-module "vpc" {
-  source = "terraform-aws-modules/vpc/aws"
-  version = "~> v2.70"
-  name = var.name
-  cidr = var.cidr
-
-  azs = slice(data.aws_availability_zones.available.names,0,3)
-
-  private_subnets = [
-      cidrsubnet(var.cidr,3,0),
-      cidrsubnet(var.cidr,3,1),
-      cidrsubnet(var.cidr,3,2),
-  ]
-
-  # Potentially, we could route all accounts through the transit gateway to
-  # save costs and provide one point of exit to the Internet. But at this time,
-  # I'm keeping it consistent with our legacy accounts.
-  #
-  # If we decide to do that, we should consider either dropping to a /23 per customer,
-  # or a /24 for each subnet (seems wasteful).
-  #public_subnets = [ ]
-  public_subnets = [
-      cidrsubnet(var.cidr,3,4),
-      cidrsubnet(var.cidr,3,5),
-      cidrsubnet(var.cidr,3,6),
-  ]
-
-  enable_nat_gateway = true
-  enable_dns_hostnames = true
-
-  enable_ec2_endpoint              = true
-  ec2_endpoint_private_dns_enabled = true
-  ec2_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.security_group_id ]
-
-  dhcp_options_domain_name = var.dns_info["private"]["zone"]
-
-  tags = merge(var.standard_tags, var.tags)
-
-  nat_eip_tags = {
-    "eip_type" = "natgw"
-    Name = var.name
-  }
-}
-
-resource "aws_flow_log" "flowlogs" {
-  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
-  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
-
-  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
-  vpc_id          = module.vpc.vpc_id
-  tags            = merge(var.standard_tags, var.tags)
-}
-
-# CIS 4.3 - Default security group should restrict all traffic
-#
-# This resource is special, and clears out existing rules. See:
-# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
-resource "aws_default_security_group" "default" {
-  vpc_id = module.vpc.vpc_id
-  tags = merge(var.standard_tags, var.tags)
-}

+ 0 - 31
base/qualys_scanners/outputs.tf

@@ -1,31 +0,0 @@
-output vpc_id {
-  value = module.vpc.vpc_id
-}
-
-output public_subnets {
-  value = module.vpc.public_subnets
-}
-
-output private_subnets {
-  value = module.vpc.private_subnets
-}
-
-output allow_all_sg_id {
-  value = module.allow_all_sg.security_group_id
-}
-
-output allow_all_outbound_sg_id {
-  value = module.allow_all_outbound_sg.security_group_id
-}
-
-output private_route_tables {
-  value = module.vpc.private_route_table_ids
-}
-
-output public_route_tables {
-  value = module.vpc.public_route_table_ids
-}
-
-output azs {
-  value = module.vpc.azs
-}

+ 8 - 56
base/qualys_scanners/security-groups.tf

@@ -12,76 +12,28 @@ locals {
 
 }
 
-module "aws_endpoints_sg" {
-  use_name_prefix = false
-  source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
-  name        = "aws_endpoints"
-  tags        = merge(var.standard_tags, var.tags)
-  vpc_id      = module.vpc.vpc_id
-
-  ingress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
-  egress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
-  egress_ipv6_cidr_blocks = [ ]
-
-  egress_rules = [ "all-all" ]
-  ingress_rules = [ "all-all" ]
-}
-
-module "allow_all_sg" {
-  use_name_prefix = false
-  source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
-  name        = "allow-all"
-  tags        = merge(var.standard_tags, var.tags)
-  vpc_id      = module.vpc.vpc_id
-
-  ingress_cidr_blocks = [ "0.0.0.0/0" ]
-  egress_cidr_blocks = [ "0.0.0.0/0" ]
-  ingress_rules = [ "all-all" ]
-  egress_rules = [ "all-all" ]
-}
-
-module "allow_all_outbound_sg" {
-  use_name_prefix = false
-  source = "terraform-aws-modules/security-group/aws"
-  version = "~> 3"
-  name        = "allow-all-outbound"
-  tags        = merge(var.standard_tags, var.tags)
-  vpc_id      = module.vpc.vpc_id
-
-  egress_rules = [ "all-all" ]
-}
-
 module "qualys_scanner_sg" {
   use_name_prefix = false
   source = "terraform-aws-modules/security-group/aws"
   version = "~> 3"
   name        = "qualys-scanner"
   tags        = merge(var.standard_tags, var.tags)
-  vpc_id      = module.vpc.vpc_id
+  vpc_id      = var.vpc_id
 
   egress_with_cidr_blocks = [
-    {
-      from_port   = 443
-      to_port     = 443
-      protocol    = "TCP"
-      description = "Qualys Management Plane"
-      cidr_blocks = join(",",local.qualys_mgmt_cidrs)
-    },
+    #{
+    #  from_port   = 443
+    #  to_port     = 443
+    #  protocol    = "TCP"
+    #  description = "Qualys Management Plane"
+    #  cidr_blocks = join(",",local.qualys_mgmt_cidrs)
+    #},
     {
       from_port   = -1
       to_port     = -1
       protocol    = "ALL"
       description = "Outbound for scanning things"
       cidr_blocks = "10.0.0.0/8"
-    },
-    {
-      from_port   = 443
-      to_port     = 443
-      protocol    = "TCP"
-      description = "Temp allow all outbound ; remove when proxy in place"
-      cidr_blocks = "0.0.0.0/0"
     }
   ]
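Review bot: The Qualys management-plane egress rule (TCP/443 to `local.qualys_mgmt_cidrs`) is commented out rather than removed while the temporary `0.0.0.0/0` 443 rule is deleted, so the only egress left is ALL to `10.0.0.0/8`; dead commented config should go, or be replaced by a comment stating the intent, e.g. `# Management-plane traffic (tcp/443 to Qualys) now leaves via the HTTP proxy set in user_data; no direct egress rule needed.` If `local.qualys_mgmt_cidrs` has no other reference it is now unused and should be dropped from the locals block, which is cut off at the start of this hunk. This also means the proxy host from `var.proxy` must sit inside 10.0.0.0/8 and accept tcp/80 from the scanner subnet, otherwise the appliance can no longer register; a comment on the remaining rule making that dependency explicit would help the next maintainer. The `qualys_scanner_sg` module block continues past the end of the hunk.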
 

+ 29 - 21
base/qualys_scanners/vars.tf

@@ -1,19 +1,3 @@
-variable "cidr" {
-  description = "The CIDR Block for the VPC"
-  type        = string
-}
-
-variable "name" {
-  description = "The name for the VPC"
-  type        = string
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map
-  default     = { }
-}
-
 variable "create_preauthorized_scanner" {
   description = "Flag for creating pre-authed scanner instance"
   type        = bool
@@ -32,11 +16,35 @@ variable "personalization_codes" {
   default     = { }
 }
 
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map }
+variable "subnets" {
+  type = list(string)
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "proxy" {
+  type = string
+  default = ""
+}
+
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map
+  default     = { }
+}
+
+variable "reverse_enabled" {
+  description = "Whether to create the reverse DNS entry."
+  type = bool
+  default = true
+}
+
+
 variable "dns_info" { type = map }
+
+variable "standard_tags" { type = map }
+variable "environment" { type = string }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
-variable "aws_account_id" { type = string }
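Review bot: The new `subnets`, `vpc_id` and `proxy` variables carry no description and `subnets` has no validation, even though ec2.tf indexes `var.subnets[0]` and appends `:80` to `var.proxy`; nothing in this file tells a caller that the proxy value is a bare hostname/IP (no scheme or port) or that the list must be non-empty. Below are the three variables with descriptions and a non-empty check on `subnets`; `validation` blocks need Terraform 0.13+, which this commit's deletion of version.tf's `required_version` no longer pins, so consider keeping that constraint. `environment` is declared here but not referenced in any hunk shown; if nothing else in the module uses it, it is an unused input.

```hcl
variable "subnets" {
  description = "Subnet IDs in var.vpc_id eligible for the scanner instances; only the first entry is used today."
  type        = list(string)

  validation {
    condition     = length(var.subnets) > 0
    error_message = "At least one subnet ID is required."
  }
}

variable "vpc_id" {
  description = "VPC that hosts the scanners; used for the qualys-scanner security group."
  type        = string
}

variable "proxy" {
  description = "Hostname or IP of the HTTP proxy the scanners use to reach Qualys (no scheme or port; ec2.tf appends :80). Empty disables proxy configuration."
  type        = string
  default     = ""
}

# … unchanged: tags, reverse_enabled, dns_info, standard_tags, environment, aws_region, aws_partition …
```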

+ 0 - 3
base/qualys_scanners/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}