
Merge pull request #23 from mdr-engineering/feature/dw_MSOCI-1334_qualys

[MSOCI-1334] Qualys Scanners Module
Duane Waddle 5 年之前
父節點
當前提交
692d75c172

+ 3 - 0
base/qualys_scanners/README.md

@@ -0,0 +1,3 @@
+# Qualys Scanners
+
+Sets up a VPC for Qualys scanners and two scanners, as well as the (basic)

+ 91 - 0
base/qualys_scanners/ec2.tf

@@ -0,0 +1,91 @@
+data aws_ami "preauthorized" {
+
+  most_recent      = true
+  owners           = ["aws-marketplace"]
+
+  filter {
+    name   = "product-code"
+    values = [ "1mp9h4zd2ze4biqif5schqeyu" ]
+  }
+  filter {
+      name = "name"
+      values = [ "qVSA*" ]
+  }
+}
+
+data aws_ami "standard" {
+
+  most_recent      = true
+  owners           = ["aws-marketplace"]
+
+  filter {
+    name   = "product-code"
+    values = [ "9hnn1m0a6jb7k2r1n9itk3jxu" ]
+  }
+  filter {
+      name = "name"
+      values = [ "qVSA*" ]
+  }
+}
+
+
+resource aws_instance "qualys_scanner_preauthorized" {
+
+  count                       = var.create_preauthorized_scanner == true ? 1 : 0
+  ami                         = data.aws_ami.preauthorized.id
+  instance_type               = "t3.medium"
+  subnet_id                   = element(module.vpc.private_subnets,0)
+
+  user_data                   = base64encode("PERSCODE=${var.personalization_codes["preauthorized"]}")
+
+  ebs_optimized               = true
+  vpc_security_group_ids      = [
+    "${module.qualys_scanner_sg.this_security_group_id}"
+  ]
+
+  credit_specification {
+    cpu_credits            = "unlimited"
+  }
+
+  tags                        = merge(var.tags,{"Name": "qualys-scanner-preauthorized"})
+  volume_tags                 = merge(var.tags,{"Name": "qualys-scanner-preauthorized"})
+  root_block_device {
+    volume_size = 100
+    volume_type = "gp2"
+    encrypted   = true
+  }
+  lifecycle {
+    ignore_changes = [ ami ]
+  }
+}
+
+resource aws_instance "qualys_scanner_standard" {
+
+  count                       = var.create_standard_scanner == true ? 1 : 0
+  ami                         = data.aws_ami.standard.id
+  instance_type               = "t3.medium"
+  subnet_id                   = element(module.vpc.private_subnets,0)
+
+  user_data                   = base64encode("PERSCODE=${var.personalization_codes["standard"]}")
+
+  ebs_optimized               = true
+  vpc_security_group_ids      = [
+    "${module.qualys_scanner_sg.this_security_group_id}"
+  ]
+
+  credit_specification {
+    cpu_credits            = "unlimited"
+  }
+
+  tags                        = merge(var.tags,{"Name": "qualys-scanner-standard"})
+  volume_tags                 = merge(var.tags,{"Name": "qualys-scanner-standard"})
+  root_block_device {
+    volume_size = 100
+    volume_type = "gp2"
+    encrypted   = true
+  }
+
+  lifecycle {
+    ignore_changes = [ ami ]
+  }
+}
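Review bot: The scanner personalization code is passed in plaintext through `user_data` on lines 61 and 91, and EC2 user data is readable by any principal with ec2:DescribeInstanceAttribute and is also persisted in the Terraform state; since the `~> 0.12` constraint in version.tf gives no `sensitive` flag, the least that should happen is a comment above each `user_data` line such as `# PERSCODE is a Qualys activation secret: visible via DescribeInstanceAttribute and in state, so restrict read access to both`. The two `aws_instance` blocks differ only in the AMI, the tag name and the personalization key, so one resource keyed by scanner kind would remove the duplication, but resource `for_each` needs Terraform ≥ 0.12.6, which `~> 0.12` does not guarantee. The `"${module.qualys_scanner_sg.this_security_group_id}"` wrapping on lines 65 and 95 is an interpolation-only expression that 0.12 reports as deprecated; the bare reference is enough. The unquoted block labels (`data aws_ami "preauthorized"`, `resource aws_instance "..."`, and `output vpc_id` and siblings in outputs.tf) are accepted by 0.12 but, as far as I recall, rejected by later Terraform releases, so quoting them now avoids a future breakage.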

+ 47 - 0
base/qualys_scanners/main.tf

@@ -0,0 +1,47 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+  version = "~> v2.0"
+  name = "${var.name}"
+  cidr = "${var.cidr}"
+
+  azs = slice(data.aws_availability_zones.available.names,0,3)
+
+  private_subnets = [
+      "${cidrsubnet(var.cidr,3,0)}",
+      "${cidrsubnet(var.cidr,3,1)}",
+      "${cidrsubnet(var.cidr,3,2)}",
+  ]
+
+  # Potentially, we could route all accounts through the transit gateway to
+  # save costs and provide one point of exit to the Internet. But at this time,
+  # I'm keeping it consistent with our legacy accounts.
+  #
+  # If we decide to do that, we should consider either dropping to a /23 per customer,
+  # or a /24 for each subnet (seems wasteful).
+  #public_subnets = [ ]
+  public_subnets = [
+      "${cidrsubnet(var.cidr,3,4)}",
+      "${cidrsubnet(var.cidr,3,5)}",
+      "${cidrsubnet(var.cidr,3,6)}",
+  ]
+
+  enable_nat_gateway = true
+  enable_dns_hostnames = true
+
+  enable_ec2_endpoint              = true
+  ec2_endpoint_private_dns_enabled = true
+  ec2_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+
+  dhcp_options_domain_name = var.inside_domain
+
+  tags = merge(var.standard_tags, var.tags)
+
+  nat_eip_tags = {
+    "eip_type" = "natgw"
+    Name = var.name
+  }
+}
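Review bot: `slice(data.aws_availability_zones.available.names, 0, 3)` on line 129 fails at plan time in any region that reports fewer than three available AZs, and nothing records that the three-entry subnet lists on lines 131–135 and 144–148 are sized to match; either document the assumption, e.g. `# Requires a region with at least three AZs; the private/public lists below are sized to match`, or derive both the AZ count and the subnet lists from the same length. The address layout deserves a comment too: `cidrsubnet(var.cidr, 3, n)` carves the VPC into eight equal blocks, indices 0–2 are private, 4–6 public, and 3 and 7 are deliberately unused. The `"${var.name}"`, `"${var.cidr}"` and `"${cidrsubnet(...)}"` wrappers are interpolation-only expressions that 0.12 flags as deprecated; the bare expressions are sufficient.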

+ 31 - 0
base/qualys_scanners/outputs.tf

@@ -0,0 +1,31 @@
+output vpc_id {
+  value = module.vpc.vpc_id
+}
+
+output public_subnets {
+  value = module.vpc.public_subnets
+}
+
+output private_subnets {
+  value = module.vpc.private_subnets
+}
+
+output allow_all_sg_id {
+  value = module.allow_all_sg.this_security_group_id
+}
+
+output allow_all_outbound_sg_id {
+  value = module.allow_all_outbound_sg.this_security_group_id
+}
+
+output private_route_tables {
+  value = module.vpc.private_route_table_ids
+}
+
+output public_route_tables {
+  value = module.vpc.public_route_table_ids
+}
+
+output azs {
+  value = module.vpc.azs
+}
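Review bot: `allow_all_sg_id` on line 183 exports the id of a security group that, per security-groups.tf, permits all-protocol ingress from 0.0.0.0/0, so any consumer of this module can attach it to an instance in the public subnets without seeing what it allows; the output should at least carry a `description` stating that, e.g. `description = "SG permitting any/any ingress and egress from 0.0.0.0/0; not intended for instances in public subnets"`. None of the outputs has a `description`, although vars.tf documents its inputs, so the same convention should apply here.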

+ 90 - 0
base/qualys_scanners/security-groups.tf

@@ -0,0 +1,90 @@
+# Several of these security groups will have customer IPs listed in them to allow
+# POP systems to access our services.
+#
+
+locals {
+
+  # Qualys known CIDRs for scanners to call back to home
+  # (in lieu of using the proxy at least for now)
+  qualys_mgmt_cidrs = [
+    "64.39.96.0/24" 
+  ]
+
+}
+
+module "aws_endpoints_sg" {
+  use_name_prefix = false
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3"
+  name        = "aws_endpoints"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
+  egress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
+  egress_ipv6_cidr_blocks = [ ]
+
+  egress_rules = [ "all-all" ]
+  ingress_rules = [ "all-all" ]
+}
+
+module "allow_all_sg" {
+  use_name_prefix = false
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3"
+  name        = "allow-all"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_cidr_blocks = [ "0.0.0.0/0" ]
+  egress_cidr_blocks = [ "0.0.0.0/0" ]
+  ingress_rules = [ "all-all" ]
+  egress_rules = [ "all-all" ]
+}
+
+module "allow_all_outbound_sg" {
+  use_name_prefix = false
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3"
+  name        = "allow-all-outbound"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = module.vpc.vpc_id
+
+  egress_rules = [ "all-all" ]
+}
+
+module "qualys_scanner_sg" {
+  use_name_prefix = false
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3"
+  name        = "qualys-scanner"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = module.vpc.vpc_id
+
+  egress_with_cidr_blocks = [
+    {
+      from_port   = 443
+      to_port     = 443
+      protocol    = "TCP"
+      description = "Qualys Management Plane"
+      cidr_blocks = join(",",local.qualys_mgmt_cidrs)
+    },
+    {
+      from_port   = -1
+      to_port     = -1
+      protocol    = "ALL"
+      description = "Outbound for scanning things"
+      cidr_blocks = "10.0.0.0/8"
+    }
+  ]
+
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = -1
+      to_port     = -1
+      protocol    = "ICMP"
+      description = "Permit all ICMP"
+      cidr_blocks = "10.0.0.0/8"
+    }
+  ]
+}
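Review bot: `allow_all_sg` on lines 237–249 creates a security group with any/any ingress from 0.0.0.0/0, unconditionally, in a VPC that main.tf gives public subnets and a NAT/IGW path; nothing in this module attaches it, but its id is exported from outputs.tf, so either gate it behind a variable (e.g. `create_allow_all_sg`, default `false`) or add a comment explaining why it has to exist in every deployment. The header comment on lines 207–208 talks about customer IPs for POP systems, yet no group in this file carries customer CIDRs, so it reads as copied from another module and should be reworded or dropped. `local.qualys_mgmt_cidrs` is a hard-coded callback range that depends on which Qualys platform the subscription lives on; a comment naming the source would let the next person verify it, e.g. `# Source: <Qualys platform documentation URL> (placeholder); platform-specific, re-check if the subscription moves`. The trailing whitespace on line 216 is cosmetic.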

+ 69 - 0
base/qualys_scanners/vars.tf

@@ -0,0 +1,69 @@
+variable "cidr" {
+  description = "The CIDR Block for the VPC"
+  type        = string
+}
+
+variable "name" {
+  description = "The name for the VPC"
+  type        = string
+}
+
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map
+  default     = { }
+}
+
+variable "create_preauthorized_scanner" {
+  description = "Flag for creating pre-authed scanner instance"
+  type        = bool
+  default     = true
+}
+
+variable "create_standard_scanner" {
+  description = "Flag for creating standard scanner instance"
+  type        = bool
+  default     = true
+}
+
+variable "personalization_codes" {
+  description = "Magic values from qualys authorizing the scanners"
+  type        = map
+  default     = { }
+}
+
+# ----------------------------------
+# Below this line are variables inherited from higher levels, so they
+# do not need to be explicitly passed to this module.
+variable "standard_tags" {
+  type        = map
+}
+
+variable "inside_domain" {
+  type        = string
+}
+
+variable "aws_region" {
+  type        = string
+}
+
+#variable "environment_vars" {
+#  description = "Environment Vars"
+#  type        = map
+#}
+#
+#variable "partition_vars" {
+#  description = "Partition Vars"
+#  type        = map
+#}
+#
+#variable "region_vars" {
+#  description = "Region Vars"
+#  type        = map
+#}
+#
+#variable "account_vars" {
+#  description = "Account Vars"
+#  type        = map
+#}
+
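Review bot: The defaults are inconsistent: `create_preauthorized_scanner` and `create_standard_scanner` default to `true` while `personalization_codes` defaults to `{ }`, so applying the module without overriding the map fails on `var.personalization_codes["preauthorized"]` in ec2.tf with an invalid-index error instead of a clear message; removing the default makes the map required, and `type = map(string)` tightens what callers can pass. The description should also say the values are secrets, because with Terraform `~> 0.12` there is no `sensitive` attribute and the description is the only place to warn callers, e.g. `description = "Qualys personalization codes keyed by scanner kind (preauthorized, standard). Secret: ends up in instance user_data and in state."`. `aws_region` is declared on line 347 but not referenced by any file in this PR; if a provider block elsewhere consumes it, a comment saying so would help, otherwise it can go along with the commented-out variable blocks on lines 351–369.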

+ 3 - 0
base/qualys_scanners/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 0.12"
+}
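Review bot: Only the Terraform core version is constrained here; there is no `required_providers` entry for the AWS provider, so `terraform init` pulls whichever provider release is newest, and the `terraform-aws-modules` pins (`~> v2.0`, `~> 3`) in main.tf and security-groups.tf do not cover the provider itself. If the provider is configured and pinned in a parent module, a one-line comment saying so is enough; otherwise add `required_providers { aws = "~> <tested major version>" }` (placeholder, 0.12 syntax) inside this block and record the version the module was tested against.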