
Merge pull request #262 from mdr-engineering/feature/ftd_MSOCI-1274_VMRay_SecretsForUA

VMRay Deployments now use Secrets Manager to get UA information
Frederick Damstra 3 år sedan
förälder
incheckning
f80ca5b28c

+ 7 - 0
base/account_standards_c2/secrets.tf

@@ -0,0 +1,7 @@
+# Set up some basic secret configuration. We don't want the secrets themselves in here. They'll have to be hand-entered. But this will set up the scaffolding.
+resource "aws_secretsmanager_secret" "ubuntu" {
+  name = "Ubuntu"
+  description = "Secrets required for provisioning Ubuntu systems."
+  recovery_window_in_days = 30
+  tags = merge(var.standard_tags, var.tags)
+}
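Review bot: The secret name `"Ubuntu"` is hard-coded here and again in the `data "aws_secretsmanager_secret" "ubuntu"` lookup in base/vmray_instances/server.tf, so the two can drift silently; exposing the name (or ARN) as an output of this module, or a shared local, would tie the consumer to the resource. Because the value is hand-entered rather than managed by Terraform, the expected payload shape is invisible to the operator; a resource-level comment such as `# Expected SecretString: JSON object with a "ua_key" field (consumed by vmray_instances/server.tf)` would prevent a failed `jsondecode(...)["ua_key"]` lookup at plan time. No `kms_key_id` is set, so the secret is encrypted with the AWS-managed default key; if a customer-managed key is the standard elsewhere in this repository, it should be applied here as well.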

+ 22 - 5
base/vmray_instances/cloud-init/cloud-init.tpl

@@ -4,6 +4,16 @@ hostname: ${hostname}
 salt-master: ${salt_master}
 fqdn: ${fqdn}
 
+# Ubuntu Advantage - broken? Using cmd.run
+#ubuntu_advantage:
+#  token: ${ua_key}
+#  enable:
+#  - fips
+#  - cis
+#  - esm-infra
+#  - fips-updates
+#  - livepatch # no livepatch with fips!
+
 # Write files happens early
 write_files:
 - content: |
@@ -58,6 +68,12 @@ growpart:
   ignore_growroot_disabled: false
 
 runcmd:
+ - find /usr/local/lib -type f -exec chmod o+r {} \;
+ - ua attach ${ua_key}
+ - ua enable --assume-yes cis fips fips-updates
+ - /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
+ - apt update 
+ - apt upgrade -y
  - /bin/systemctl restart salt-minion
  - /bin/systemctl enable salt-minion
  - /bin/systemctl start amazon-ssm-agent
@@ -66,10 +82,11 @@ runcmd:
  - /bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
 
 # Either final message or power state, but probably not both
-final_message: "The system is up after $UPTIME seconds"
-#power_state:
-#  delay: "+30"
-#  mode: reboot
-#  message: "System configured after $UPTIME seconds"
+#final_message: "The system is up after $UPTIME seconds"
+power_state:
+  # delay is in minutes
+  delay: "+1"
+  mode: reboot
+  message: "System configured after $UPTIME seconds"
 #  timeout: 300
 #  condition: true
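Review bot: `ua attach ${ua_key}` in the second hunk (`@@ -58,6 +68,12 @@`) renders the Ubuntu Advantage token fetched from Secrets Manager into the instance's user-data, which any local process can read back from the instance metadata service and which cloud-init keeps on disk under `/var/lib/cloud/instance/`, so the move to Secrets Manager does not actually keep the token off the host. A safer pattern is to pass only the secret's name into the template and have the instance retrieve the token itself through its instance role (an `aws secretsmanager get-secret-value` step in `runcmd`, as the SSM agent started below already implies a role exists), which also keeps the token out of the rendered template and Terraform state. Enabling `fips` and `fips-updates` together in one `ua enable` call is, as far as I recall, rejected by the client as mutually exclusive — worth confirming on a test instance before relying on the `power_state` reboot in the third hunk to bring up the FIPS kernel. The trailing space on `apt update ` is harmless in YAML but worth trimming.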

+ 19 - 0
base/vmray_instances/server.tf

@@ -80,6 +80,24 @@ resource "aws_instance" "vmray-server-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "vmray-server" })
 }
 
+# Secrets example:
+#  1. Find the secret
+#  2. Get the secret
+#  3. Decode the json
+data "aws_secretsmanager_secret" "ubuntu" {
+  name = "Ubuntu"
+  provider = aws.c2
+}
+
+data "aws_secretsmanager_secret_version" "ubuntu" {
+  secret_id = data.aws_secretsmanager_secret.ubuntu.id
+  provider = aws.c2
+}
+
+locals {
+  secret_ubuntu = jsondecode(data.aws_secretsmanager_secret_version.ubuntu.secret_string)
+}
+
 data "template_file" "cloud-init-vmray-server" {
   # Should these be in a common directory? I suspect they'd be reusable
   template = file("${path.module}/cloud-init/cloud-init.tpl")
@@ -93,6 +111,7 @@ data "template_file" "cloud-init-vmray-server" {
     aws_partition = var.aws_partition
     aws_partition_alias = var.aws_partition_alias
     aws_region = var.aws_region
+    ua_key = local.secret_ubuntu["ua_key"]
   }
 }
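Review bot: `secret_ubuntu = jsondecode(data.aws_secretsmanager_secret_version.ubuntu.secret_string)` together with the `ua_key` template variable means the decoded token lands in Terraform state twice — as the data source's `secret_string` and inside the `template_file` data source's `rendered` attribute — and the same applies to the `ua_key` line added in base/vmray_instances/worker.tf; the backend holding this state therefore needs encryption at rest and read access limited to the people allowed to see the secret itself. Neither data source carries any sensitivity marking, so the token may also be echoed in plan/apply output when the template changes; the `templatefile()` function plus `sensitive = true` on any value that surfaces it would narrow that. The `# Secrets example:` header reads like scratch notes rather than documentation of this module; something like `# Read the hand-entered "Ubuntu" secret (JSON with a "ua_key" field) from the c2 account; also consumed by worker.tf` states what the three blocks do and why the local lives in this file.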
 

+ 1 - 0
base/vmray_instances/vars.tf

@@ -28,3 +28,4 @@ variable "azs" { type = list(string) }
 variable "public_subnets" { type = list(string) }
 variable "private_subnets" { type = list(string) }
 variable "common_services_account" { type = string }
+variable "c2_accounts" { type = map }
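Review bot: `variable "c2_accounts" { type = map }` uses the bare `map` constraint, which Terraform keeps only for backward compatibility as shorthand for `map(any)`; `type = map(string)` (or `map(any)` if the values are mixed) states the intent and matches the `list(string)` style of the surrounding variables. A `description` would also help, since the variable is not referenced in any hunk of this commit and its purpose — presumably provider-alias configuration for the c2 account — cannot be read from the diff.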

+ 1 - 0
base/vmray_instances/worker.tf

@@ -54,6 +54,7 @@ data "template_file" "cloud-init-vmray-worker" {
     aws_partition = var.aws_partition
     aws_partition_alias = var.aws_partition_alias
     aws_region = var.aws_region
+    ua_key = local.secret_ubuntu["ua_key"] # This is gathered in server.tf
   }
 }