
Initial commit.

Fred Damstra %!s(int64=7) %!d(string=hai) anos
achega
7c48f871f6
Modificáronse 15 ficheiros con 878 adicións e 0 borrados
  1. 8 0
      .gitignore
  2. 46 0
      AWS_AMI_MAPS.j
  3. 29 0
      Makefile
  4. 25 0
      README.md
  5. 8 0
      banner.txt
  6. 91 0
      bin/jj2.py
  7. 107 0
      honeypot.j
  8. 90 0
      network_acl.j
  9. 10 0
      provider.j
  10. 147 0
      security.j
  11. 100 0
      splunk_server.j
  12. 32 0
      variables.include
  13. 109 0
      variables.j
  14. 70 0
      vpcs_and_subnets.j
  15. 6 0
      z_nextsteps.j

+ 8 - 0
.gitignore

@@ -0,0 +1,8 @@
+terraform.tfstate*
+*.tf
+*.key
+*.crt
+*.csr
+*.tmp
+*.pem
+*.swp

+ 46 - 0
AWS_AMI_MAPS.j

@@ -0,0 +1,46 @@
+{% import 'variables.include' as var %}
+
+#############
+# Search for AMIs for your OS Preference
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  filter {
+    name = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
+  }
+  filter {
+    name = "virtualization-type"
+    values = ["hvm"]
+  }
+  owners = ["099720109477"] # Canonical
+}
+# Use via: ami = "${data.aws_ami.ubuntu.id}"
+
+data "aws_ami" "centos6" {
+  most_recent = true
+  owners = ["679593333241"]
+  filter {
+    name = "name"
+    values = ["CentOS Linux 6 x86_64 HVM EBS *"]
+  }
+}
+data "aws_ami" "centos7" {
+  most_recent = true
+  owners = ["679593333241"]
+  filter {
+    name = "name"
+    values = ["CentOS Linux 7 x86_64 HVM EBS *"]
+  }
+}
+
+#############
+# Old fashioned method, manual mapping:
+variable "ubuntu_amis" {
+  type = "map"
+  default = {
+    us-east-1 = "ami-40d28157"
+    us-east-2 = "ami-153e6470"
+  }
+}
+# Use with: ami = "${lookup(var.ubuntu_amis, var.region)}"
+
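Review bot: The `ubuntu_amis` map at the end of the hunk hard-codes two AMI IDs that will go stale, and nothing in the visible templates references it (`honeypot.j` and `splunk_server.j` both use `data.aws_ami.ubuntu.id`), so it reads as dead configuration sitting next to the data source that supersedes it. Either drop the map or label it so nobody wires it in by mistake: `# Example only, not referenced; prefer the data.aws_ami.* sources above`. Separately, `most_recent = true` with a wildcard `name` means each apply may resolve to a different image; the `owners` filter is what keeps that from matching a look-alike AMI published by another account, so it should stay mandatory on every data source here.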

+ 29 - 0
Makefile

@@ -0,0 +1,29 @@
+######
+# Jinja Compiler
+#   Should specify a filename, and output processed text
+#J2=j2
+J2=python bin/jj2.py
+
+# Additional j2 flags
+J2FLAGS=
+
+# Targets
+TFTARGETS=AWS_AMI_MAPS.tf honeypot.tf network_acl.tf provider.tf security.tf splunk_server.tf variables.tf vpcs_and_subnets.tf z_nextsteps.tf
+SHTARGETS=
+SOURCES=$(TFTARGETS:.tf=.j)
+
+all: $(TFTARGETS) $(SHTARGETS)
+
+%.tf: %.j banner.txt variables.include
+	$(J2) $(J2FLAGS) $< -o $@.tmp
+	cat banner.txt $@.tmp > $@
+	rm $@.tmp
+
+%.sh: %.j variables.include
+	$(J2) $(J2FLAGS) $< -o $@
+	chmod 755 $@
+
+clean:
+	-terraform destroy
+	-rm $(TFTARGETS)  $(SHTARGETS)
+	-rm *.tmp
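Review bot: `clean` runs `terraform destroy`, so the target users reach for to remove generated files also tears down live infrastructure, and the leading `-` means a failed or declined destroy is ignored before the `.tf` files it needs are deleted on the next line. Keep `clean` file-only and move the teardown to its own target that users must invoke by name (it has to run before `clean`, since destroy needs the rendered `.tf` files). `all` and `clean` are also undeclared phony targets, and `.DELETE_ON_ERROR:` would stop a failed `$(J2)` run from leaving a half-written `.tf` that then looks up to date.
```make
.PHONY: all clean destroy
.DELETE_ON_ERROR:

# … unchanged: J2, J2FLAGS, TFTARGETS, SHTARGETS, SOURCES, all, %.tf and %.sh rules …

## Tear down the deployed infrastructure (interactive; run this BEFORE clean)
destroy:
	terraform destroy

## Remove generated files only; never touches AWS
clean:
	$(RM) $(TFTARGETS) $(SHTARGETS) *.tmp
```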

+ 25 - 0
README.md

@@ -0,0 +1,25 @@
+# Splunk HoneyPot
+Creates a public AWS instance with a public facing interface that listens on all ports. It
+logs any incoming data on those ports (using https://github.com/fdamstra/python_multithreaded_socket_logger).
+
+Creates a second AWS instance with Splunk on it to share the data that was ingested.
+
+# !!! These should not be considered secure. !!! 
+
+A server with open ports is an attractive target to a lot of things. While I've taken precautions
+to try to minimize the risk, I suggest you keep any personal information off these servers. And 
+while you should never reuse passwords, I suggest it's especially important here.
+
+# Design
+There are two VPCs. The "untrusted" VPC contains the honeypot itself with two interfaces.
+
+The first interface on the honeypot is a management interface. It has a public IP opened 
+to the IPs specified in your configuration that allows only SSH.
+
+The second interface is open to all IP addresses and protocols, but runs no real services. The 
+only services on this interface are from the daemon.
+
+Lastly, there is second instance for splunk itself. This instance resides in a separate VPC
+and allows SSH, HTTP, and HTTPS traffic.
+
+

+ 8 - 0
banner.txt

@@ -0,0 +1,8 @@
+###############################################
+# DO NOT EDIT THIS FILE
+#
+# This file is generated through 'make all'. 
+# If you need to make changes, make your changes
+# to the corresponding .j file and then rerun
+# make all
+###############################################

+ 91 - 0
bin/jj2.py

@@ -0,0 +1,91 @@
+#!/usr/bin/env python
+#
+# Copyright (c) 2008-2014 Miki Tebeka <miki@mikitebeka.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# * Neither the name of the "PythonWise" blog nor the names of its contributors
+#   may be used to endorse or promote products derived from this software without
+#   specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+'''Command line for expanding Jinja2 templates.
+Template variables can be passed either via the command line (using -vX=Y) or
+via a JSON/YAML configuration file (using -i /path/to/vars.json)
+Example:
+    $ echo 'Hello {{name}}' > template.txt
+    $ jj2.py -v name=Bugs template.txt
+    Hello Bugs
+    $
+'''
+
+import jinja2
+import json
+
+
+def load_vars(filename):
+    with open(filename) as fo:
+        if filename.lower().endswith('.json'):
+            return json.load(fo)
+        elif filename.lower().endswith('.yaml'):
+            import yaml  # Lazy import
+            return yaml.load(fo)
+        else:
+            raise ValueError('unknown file type: {}'.format(filename))
+
+
+def parse_cmdline_vars(cmdline_vars):
+    return dict(var.split('=', 1) for var in cmdline_vars)
+
+
+def main(argv=None):
+    import sys
+    from argparse import ArgumentParser, FileType
+
+    argv = argv or sys.argv
+
+    parser = ArgumentParser(description='Expand Jinja2 template')
+    parser.add_argument('template', help='template file to expand',
+                        type=FileType('r'), nargs='?', default=sys.stdin)
+    parser.add_argument('--var', '-v', action='append',
+                        help='template variables (in X=Y format)')
+    parser.add_argument('--output', '-o', help='output file',
+                        type=FileType('w'), nargs='?', default=sys.stdout)
+    parser.add_argument('--vars-file', '-i', help='vars files (YAML or JSON)',
+                        nargs='?')
+
+    args = parser.parse_args(argv[1:])
+
+    tvars = {}
+    if args.vars_file:
+        tvars.update(load_vars(args.vars_file))
+
+    tvars.update(parse_cmdline_vars(args.var or []))
+
+    # Fail on undefined
+    env = jinja2.Environment(undefined=jinja2.StrictUndefined, loader=jinja2.FileSystemLoader('.'))
+
+    template = env.from_string(args.template.read())
+
+    args.output.write(template.render(tvars))
+
+
+if __name__ == '__main__':
+    main()
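Review bot: `load_vars` calls `yaml.load(fo)` with no `Loader`, which in PyYAML selects the full loader and will instantiate arbitrary Python objects from tags in the vars file, so a `-i` vars file is effectively executable input; nothing here needs that, so use `return yaml.safe_load(fo)`. Recent PyYAML releases also refuse the loader-less call with a `TypeError`, so this is a correctness fix as well as a hardening one. Minor: the suffix check only recognises `.yaml` even though the help text promises YAML, so `endswith(('.yaml', '.yml'))` would match what users actually name these files.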

+ 107 - 0
honeypot.j

@@ -0,0 +1,107 @@
+{% import 'variables.include' as var %}
+
+###################
+# HoneyPot Instance
+resource "aws_instance" "honeypot" {
+  ami = "${data.aws_ami.ubuntu.id}"
+#  ami = "${data.aws_ami.centos7.id}"
+  instance_type = "${var.Instance-Type}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+  subnet_id = "${aws_subnet.subnet_Honeypot.id}"
+  ebs_optimized = "${var.EBS-Optimized}"
+  disable_api_termination = false
+  associate_public_ip_address = true
+  instance_initiated_shutdown_behavior = "terminate"
+  key_name = "${var.AWS-Key-Pair-Name}"
+  vpc_security_group_ids = ["${aws_security_group.sg_honeypot_secured_access.id}"]
+  depends_on    = ["aws_internet_gateway.gw_primary"]
+
+  tags {
+    Name = "honeypot"
+  }
+
+  root_block_device {
+    volume_type = "${ var.Default-Volume-Type }"
+    volume_size = "${ var.Honeypot-Volume-Size }" # Gigabytes
+    delete_on_termination = true
+  }
+
+  ebs_block_device {
+    device_name = "/dev/sdd"
+    volume_size = "${var.Swap-Volume-Size}"
+    volume_type = "${var.Swap-Volume-Type}"
+    delete_on_termination = true
+  }
+
+  user_data = <<EOF
+#cloud-config
+package_update: true
+package_upgrade: true
+packages:
+  - git
+  - vim
+  - wget
+  - curl
+  - tcpdump
+  - python
+runcmd:
+  - mkswap /dev/xvdd
+  - swapon -a
+  - git clone https://github.com/fdamstra/python_multithreaded_socket_logger.git /opt/multithreaded_socket_logger
+  - bash /opt/multithreaded_socket_logger/honeypot_init.sh
+mounts:
+  - [ xvdd, none, swap, sw, 0, 0 ]
+growpart:
+  mode: auto
+  devices: ['/']
+  ignore_growroot_disabled: false
+EOF
+#  - ifconfig eth0 | grep "inet addr" | cut -d: -f2 | awk '{ print "ListenAddress", $1 }' >> /etc/ssh/sshd_config
+# To reboot, add the following above the EOF line:
+# power_state:
+#   delay: "+0"
+#   mode: "reboot"
+#   message: "Rebooting after first init."
+#   condition: True
+
+  # Fix issues with cached keys. Arguably less secure, but also way less annoying
+  provisioner "local-exec" {
+    command = "ssh-keygen -f ~/.ssh/known_hosts -R honeypot.lab.${var.Domain-Name}"
+  }
+}
+
+# Create the "bad" network interface
+resource "aws_network_interface" "honeypot_if" {
+  subnet_id = "${aws_subnet.subnet_Honeypot.id}"
+  security_groups = ["${aws_security_group.sg_all_open.id}"]
+ 
+  attachment { 
+    instance = "${aws_instance.honeypot.id}"
+    device_index = 1
+  }
+}
+
+# Give me the IP Addresses
+output "honeypot_ip" {
+    value = "${aws_instance.honeypot.public_ip}"
+}
+
+# Give me DNS entries
+resource "aws_route53_record" "honeypot" {
+  zone_id = "${var.Domain-Zone-ID}"
+  name = "honeypot.lab.${var.Domain-Name}"
+  type = "A"
+  ttl = "300"
+  records = ["${aws_instance.honeypot.public_ip}"]
+}
+resource "aws_route53_record" "honeypot_pvt" {
+  zone_id = "${var.Domain-Zone-ID}"
+  name = "honeypot_pvt.lab.${var.Domain-Name}"
+  type = "A"
+  ttl = "300"
+  records = ["${aws_instance.honeypot.private_ip}"]
+}
+output "honeypot_dns" {
+  value = "${aws_route53_record.honeypot.name}"
+}
+
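Review bot: The second interface (`honeypot_if` with `sg_all_open`) exposes every port of the instance, including the real `sshd`, which listens on all addresses unless told otherwise; the commented-out `ListenAddress` line after `EOF` shows this was anticipated but not done (and placed outside the heredoc it is an HCL comment, not cloud-config), so unless `honeypot_init.sh` restricts it the management SSH daemon is reachable from the open interface. Move that line into `runcmd` (or write `sshd_config` via `write_files`) so `sshd` binds only to the management address, and confirm the logger rather than `sshd` answers on port 22 of the second interface. Separately, `runcmd` clones the logger repo at its default-branch HEAD and runs `honeypot_init.sh` as root, so whatever is on that branch at boot time runs on the instance; pin it (`git clone --branch <TAG_PLACEHOLDER> …` or a `git -C /opt/multithreaded_socket_logger checkout <COMMIT_PLACEHOLDER>` step) so an upstream change cannot silently alter the deployment — `splunk_server.j` has the same pattern.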

+ 90 - 0
network_acl.j

@@ -0,0 +1,90 @@
+{% import 'variables.include' as var %}
+##########
+# Network ACLs enforce the basic rules of the topology, and are
+# further refined by security groups on instances.
+#
+# Topology has two "public" subnets (in different AZs) for 
+# servers such as searchheads and HECs that are accessible publicly.
+#
+# It was two "private" subnets (in different AZs) for
+# servers such as indexers that aren't publicly available.
+#
+# The two AZ's can talk to each other.
+# The public subnets can be accessed by any service/source
+#   allowed by the security group.
+# The private subnets are only accessible by the public
+#   subnets, and port 22 from anywhere.
+#
+# Network ACLs allow all outbound. This should be restricted
+# via security groups to only those ports needed.
+resource "aws_network_acl" "acl_public" {
+    vpc_id = "${aws_vpc.vpc_primary.id}"
+    subnet_ids = ["${aws_subnet.subnet_Splunk.id}", "${aws_subnet.subnet_Honeypot.id}"]
+    egress {
+        protocol = "-1"
+        rule_no = 10
+        action = "allow"
+        cidr_block =  "0.0.0.0/0"
+        from_port = 0
+        to_port = 0
+    }
+
+    ingress {
+        protocol = "-1"
+        rule_no = 10
+        action = "allow"
+        cidr_block =  "0.0.0.0/0"
+        from_port = 0
+        to_port = 0
+    }
+
+    tags {
+        Name = "Public Subnets"
+    }
+}
+
+#resource "aws_network_acl" "acl_private" {
+#    vpc_id = "${aws_vpc.vpc_primary.id}"
+#    subnet_ids = ["${aws_subnet.subnet_private_a.id}", "${aws_subnet.subnet_private_b.id}"]
+#    egress {
+#        protocol = "-1"
+#        rule_no = 10
+#        action = "allow"
+#        cidr_block =  "0.0.0.0/0"
+#        from_port = 0
+#        to_port = 0
+#    }
+#
+#    ingress {
+#        protocol = "-1"
+#        rule_no = 10
+#        action = "allow"
+#        cidr_block =  "${var.VPC-Subnet}"
+#        from_port = 0
+#        to_port = 0
+#    }
+#
+#    ingress {
+#        protocol = "icmp"
+#        rule_no = 20
+#        action = "allow"
+#        cidr_block =  "0.0.0.0/0"
+#        icmp_type = 8
+#        from_port = 0
+#        to_port = 0
+#    }
+#
+#    ingress {
+#        protocol = "tcp"
+#        rule_no = 30
+#        action = "allow"
+#        cidr_block =  "0.0.0.0/0"
+#        from_port = 22
+#        to_port = 22
+#    }
+#
+#    tags {
+#        Name = "Private Subnets"
+#    }
+#}
+#

+ 10 - 0
provider.j

@@ -0,0 +1,10 @@
+{% import 'variables.include' as var %}
+
+# Set a provider for the region
+provider "aws" {
+# Specify keys if not provided by shared crednentials file
+#  access_key = "${var.access_key}"
+#  secret_key = "${var.secret_key}"
+  region     = "${var.region}"
+}
+

+ 147 - 0
security.j

@@ -0,0 +1,147 @@
+{% import 'variables.include' as var %}
+
+##########################
+# Honeypot Secured Access
+resource "aws_security_group" "sg_honeypot_secured_access" {
+  name        = "sg_honeypot_secured_access"
+  description = "Allows ssh from me. Allows select outbound for updates and such."
+  vpc_id      = "${aws_vpc.vpc_primary.id}"
+
+  # SSH for management from me
+  ingress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["${var.Trusted-CIDR}"]
+  }
+
+  # Outbound Access
+  egress {
+    from_port = 20
+    to_port = 21
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 53
+    to_port = 53
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 53
+    to_port = 53
+    protocol = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+##########################
+# Splunk Secured Access
+resource "aws_security_group" "sg_splunk_secured_access" {
+  name        = "sg_splunk_secured_access"
+  description = "Allows ssh, http, and https from me. Allows select outbound for updates and such."
+  vpc_id      = "${aws_vpc.vpc_primary.id}"
+
+  # SSH for management from me
+  ingress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["${var.Trusted-CIDR}"]
+  }
+  ingress {
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+    cidr_blocks = ["${var.Trusted-CIDR}"]
+  }
+  ingress {
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+    cidr_blocks = ["${var.Trusted-CIDR}"]
+  }
+
+  # Outbound Access
+  egress {
+    from_port = 20
+    to_port = 21
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 53
+    to_port = 53
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 53
+    to_port = 53
+    protocol = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+##########################
+# All Open
+resource "aws_security_group" "sg_all_open" {
+  name        = "sg_all_open"
+  description = "Allows everything."
+  vpc_id      = "${aws_vpc.vpc_primary.id}"
+
+  # SSH for management from me
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Outbound Access
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+
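Review bot: In `sg_all_open` the comments `# SSH for management from me` and `# Outbound Access` are copied from the secured groups and now sit above an allow-everything rule; replace the first with `# Honeypot capture interface: accept every port and protocol from anywhere (by design)`. The same block writes `protocol = -1` unquoted while every other rule quotes `"-1"`/`"tcp"`/`"udp"` — pick one form. In the two secured groups, egress on 20-21 and 22 to `0.0.0.0/0` is broader than the visible provisioning needs (cloud-init fetches over https); on the honeypot it is moot because the all-open interface bypasses it, but on the Splunk server it is the only outbound control, so drop the FTP and SSH egress rules unless an init script not shown here requires them.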

+ 100 - 0
splunk_server.j

@@ -0,0 +1,100 @@
+{% import 'variables.include' as var %}
+
+###################
+# Splunk_Server Instance
+resource "aws_instance" "splunk-hp" {
+  ami = "${data.aws_ami.ubuntu.id}"
+#  ami = "${data.aws_ami.centos7.id}"
+  instance_type = "${var.Instance-Type}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+  subnet_id = "${aws_subnet.subnet_Splunk.id}"
+  ebs_optimized = "${var.EBS-Optimized}"
+  disable_api_termination = false
+  associate_public_ip_address = true
+  instance_initiated_shutdown_behavior = "terminate"
+  key_name = "${var.AWS-Key-Pair-Name}"
+  vpc_security_group_ids = ["${aws_security_group.sg_splunk_secured_access.id}"]
+  depends_on    = ["aws_internet_gateway.gw_primary"]
+
+  tags {
+    Name = "splunk-hp"
+  }
+
+  root_block_device {
+    volume_type = "${ var.Default-Volume-Type }"
+    volume_size = "${ var.Splunk-Volume-Size }" # Gigabytes
+    delete_on_termination = true
+  }
+
+  ebs_block_device {
+    device_name = "/dev/sdd"
+    volume_size = "${var.Swap-Volume-Size}"
+    volume_type = "${var.Swap-Volume-Type}"
+    delete_on_termination = true
+  }
+
+  user_data = <<EOF
+#cloud-config
+package_update: true
+package_upgrade: true
+packages:
+  - git
+  - vim
+  - wget
+  - curl
+  - tcpdump
+  - python
+runcmd:
+  - mkswap /dev/xvdd
+  - swapon -a
+  - git clone https://github.com/fdamstra/python_multithreaded_socket_logger.git /opt/multithreaded_socket_logger
+  - bash /opt/multithreaded_socket_logger/splunkserver_init.sh
+mounts:
+  - [ xvdd, none, swap, sw, 0, 0 ]
+growpart:
+  mode: auto
+  devices: ['/']
+  ignore_growroot_disabled: false
+power_state:
+  delay: "+0"
+  mode: "reboot"
+  message: "Rebooting after first init."
+  condition: True
+EOF
+# To reboot, add the following above the EOF line:
+# power_state:
+#   delay: "+10"
+#   mode: "reboot"
+#   message: "Rebooting after first init."
+#   condition: True
+
+  # Fix issues with cached keys. Arguably less secure, but also way less annoying
+  provisioner "local-exec" {
+    command = "ssh-keygen -f ~/.ssh/known_hosts -R splunk-hp.lab.${var.Domain-Name}"
+  }
+}
+
+# Give me the IP Addresses
+output "splunk-hp_ip" {
+    value = "${aws_instance.splunk-hp.public_ip}"
+}
+
+# Give me DNS entries
+resource "aws_route53_record" "splunk-hp" {
+  zone_id = "${var.Domain-Zone-ID}"
+  name = "splunk-hp.lab.${var.Domain-Name}"
+  type = "A"
+  ttl = "300"
+  records = ["${aws_instance.splunk-hp.public_ip}"]
+}
+resource "aws_route53_record" "splunk-hp_pvt" {
+  zone_id = "${var.Domain-Zone-ID}"
+  name = "splunk-hp_pvt.lab.${var.Domain-Name}"
+  type = "A"
+  ttl = "300"
+  records = ["${aws_instance.splunk-hp.private_ip}"]
+}
+output "splunk-hp_dns" {
+  value = "${aws_route53_record.splunk-hp.name}"
+}
+
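Review bot: The `power_state` block is already inside the heredoc (with `delay: "+0"`), yet the comment after `EOF` still says `# To reboot, add the following above the EOF line:` with a different `delay: "+10"`, so the comment contradicts the configuration; delete it or replace it with `# power_state above reboots immediately once cloud-init finishes; raise delay if the init script needs more time`. The cloud-config is otherwise a verbatim copy of the honeypot's, including `tcpdump` and the swap wiring, which is fine but worth a one-line comment saying so, so the two stay in sync deliberately. If `splunkserver_init.sh` serves Splunk Web on its default port rather than 80/443, `sg_splunk_secured_access` will not admit it — confirm which ports the init script actually exposes before relying on the README's "SSH, HTTP, and HTTPS" description.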

+ 32 - 0
variables.include

@@ -0,0 +1,32 @@
+{###################################################}
+{# Required Jinja Variables                        #}
+{# Most users will need to customize these values. #}
+{###################################################}
+{# AWS Key Pair Name #
+{# The name of the AWS Key Pair as identified in AWS IAM #}
+{% set AWS_Key_Pair_Name = "Fred-IO" %}
+
+{# Private Key File #
+{# The private key paired with the above IAM keyname #}
+{% set Private_Key_File = "~/.ssh/id_rsa" %}
+
+{# Domain Name #}
+{# The domain name. Must be hosted in Route53. #}
+{% set Domain_Name = "monkeybox.org" %}
+
+{# Domain Zone ID (Route53) #}
+{# The Route53 Zone ID #}
+{% set Domain_Zone_ID = "Z49JKEQC08KW8" %}
+
+{# Trust Source IPs in CIDR #}
+{# These IPs will have direct access to instances. Should include  #}
+{# the terraform master's IP address, as well as your workstation  #}
+{# or home IP. Can contain multiple entries.                       #}
+{% set Trusted_CIDR = '["99.56.213.129/32"]'  %}
+
+{###########################################}
+{# Optional Variables                      #}
+{# Default values are fine for most users. #}
+{###########################################}
+{# AWS Region #}
+{% set AWS_Region = "us-east-2" %}
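Review bot: The `{# AWS Key Pair Name #` and `{# Private Key File #` lines open a Jinja comment without the closing `}`, so each comment actually runs to the `#}` on the following line and swallows that line's text; it renders by accident today and breaks as soon as someone adds another `{#` in between. Fix both to `{# AWS Key Pair Name #}` and `{# Private Key File #}`. The defaults committed here are the author's own environment — a key pair name, a Route53 zone ID, a domain and a single /32 trusted address — which every user must overwrite and which is copied verbatim into the rendered `variables.tf`; consider shipping obvious placeholders and keeping real values in a git-ignored local include, or at least state in the README that these must be changed before `make all`.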

+ 109 - 0
variables.j

@@ -0,0 +1,109 @@
+{% import 'variables.include' as var %}
+# User Settings
+# -------------
+# These MUST be configured
+variable "AWS-Key-Pair-Name" {
+  description = "Name of the keypair in AWS"
+  type = "string"
+  default = "{{ var.AWS_Key_Pair_Name }}"
+}
+
+variable "Private-Key-File" {
+  description = "The name of the file containing your private key"
+  type = "string"
+  default = "{{ var.Private_Key_File }}"
+}
+
+variable "Domain-Name" {
+  description = "Your domain name (hosted in Route53)"
+  type = "string"
+  default = "{{ var.Domain_Name }}"
+}
+
+variable "Domain-Zone-ID" {
+  description = "The Zone ID of the Domain-Name in Route53"
+  type = "string"
+  default = "{{ var.Domain_Zone_ID }}"
+}
+
+variable "Trusted-CIDR" {
+  description = "Trusted source addresses in CIDR notation."
+  type = "list"
+  default =  {{ var.Trusted_CIDR }}
+}
+
+# Common Settings
+# ---------------
+# You may wish to customize these, but defaults
+# will usually work.
+variable "region" {
+  description = "Which AWS region do you wish to deploy to?"
+  type = "string"
+  default = "{{ var.AWS_Region }}"
+}
+
+variable "VPC-Subnet" {
+  description = "The full subnet for your VPC (to be split into 2 subnets)"
+  type = "string"
+  default = "10.66.0.0/16"
+}
+
+variable "Honeypot-Subnet" {
+  description = "The CIDR for the Honeypot subnet. Must be a subnet of VPC-Subnet"
+  type = "string"
+  default = "10.66.0.0/24"
+}
+
+variable "Splunk-Subnet" {
+  description = "The CIDR for the Splunk subnet. Must be a subnet of VPC-Subnet"
+  type = "string"
+  default = "10.66.1.0/24"
+}
+
+# Performance Settings
+# --------------------
+# Defaults are probably fine, but if you want to change
+# your performance, here's where you can tune.
+variable "Instance-Type" {
+  description = "What size instances do you want to deploy?"
+  type = "string"
+  default = "t2.micro"
+}
+
+variable "EBS-Optimized" {
+  description = "Should instances be deployed as EBS optimized?"
+  type = "string"
+  default = false
+}
+
+variable "Honeypot-Volume-Size" {
+  description = "How much swap do you need?"
+  type = "string"
+  default = 10
+}
+
+variable "Splunk-Volume-Size" {
+  description = "How much swap do you need?"
+  type = "string"
+  default = 10
+}
+
+variable "Swap-Volume-Size" {
+  description = "How much swap do you need?"
+  type = "string"
+  default = 2
+}
+
+variable "Swap-Volume-Type" {
+  description = "Type of storage for the swap volume."
+  type = "string"
+  default = "gp2"
+}
+
+variable "Default-Volume-Type" {
+  description = "Type of storage for the default volumes."
+  type = "string"
+  default = "gp2"
+}
+
+
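Review bot: `Honeypot-Volume-Size` and `Splunk-Volume-Size` both carry `description = "How much swap do you need?"`, copied from `Swap-Volume-Size`; they size the root volumes (gigabytes, per the `# Gigabytes` comment in `honeypot.j`), so use `description = "Root volume size for the honeypot instance, in GB"` and the Splunk equivalent. `EBS-Optimized` and the size variables are declared `type = "string"` with boolean and numeric defaults, which this HCL dialect tolerates but looks like a mismatch — a short comment or `"false"`/`"10"` literals would remove the doubt. `Private-Key-File` defaults to `~/.ssh/id_rsa` and is not referenced by any visible template; either use it or drop it so readers do not assume their private key path is being consumed somewhere.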

+ 70 - 0
vpcs_and_subnets.j

@@ -0,0 +1,70 @@
+{% import 'variables.include' as var %}
+
+###########
+# Create a VPC with an Internet gateway for everybody to play in
+resource "aws_vpc" "vpc_primary" {
+  cidr_block = "${var.VPC-Subnet}"
+  enable_dns_support = true
+  enable_dns_hostnames = true
+  tags {
+    Name = "Primary VPC"
+  }
+}
+resource "aws_internet_gateway" "gw_primary" {
+  vpc_id = "${aws_vpc.vpc_primary.id}"
+  tags {
+    Name = "Primary Gateway"
+  }
+}
+
+###########
+# Create honeypot and splunk subnets in an AZ
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "subnet_Honeypot" {
+  vpc_id = "${aws_vpc.vpc_primary.id}"
+  cidr_block = "${var.Honeypot-Subnet}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+  map_public_ip_on_launch = true
+  tags {
+    Name = "HoneyPot"
+  }
+}
+resource "aws_subnet" "subnet_Splunk" {
+  vpc_id = "${aws_vpc.vpc_primary.id}"
+  cidr_block = "${var.Splunk-Subnet}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+  map_public_ip_on_launch = true
+  tags {
+    Name = "Splunk Subnet"
+  }
+}
+
+##########
+# Routing
+resource "aws_route_table" "r" {
+    vpc_id = "${aws_vpc.vpc_primary.id}"
+    route {
+        cidr_block = "0.0.0.0/0"
+        gateway_id = "${aws_internet_gateway.gw_primary.id}"
+    }
+  tags {
+    Name = "Primary Route Table"
+  }
+}
+resource "aws_route_table_association" "rt_public_a" {
+  subnet_id = "${aws_subnet.subnet_Honeypot.id}"
+  route_table_id = "${aws_route_table.r.id}"
+}
+resource "aws_route_table_association" "rt_public_b" {
+  subnet_id = "${aws_subnet.subnet_Splunk.id}"
+  route_table_id = "${aws_route_table.r.id}"
+}
+#resource "aws_route_table_association" "rt_private_a" {
+#  subnet_id = "${aws_subnet.subnet_private_a.id}"
+#  route_table_id = "${aws_route_table.r.id}"
+#}
+#resource "aws_route_table_association" "rt_private_b" {
+#  subnet_id = "${aws_subnet.subnet_private_b.id}"
+#  route_table_id = "${aws_route_table.r.id}"
+#}
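Review bot: The README says the honeypot lives in an "untrusted" VPC and Splunk in a separate one, but this file creates a single `vpc_primary` with both subnets in the same AZ, one internet gateway and one shared route table, so the two instances are separated only by the security groups in `security.j`. Either build the second VPC or correct the README and add an explicit rule denying `Honeypot-Subnet` into `Splunk-Subnet`; as written, a compromise of the honeypot's open interface places an attacker inside the same VPC as the Splunk host with only an SG between them. The commented-out `rt_private_*` associations reference `subnet_private_a/b`, which do not exist in this commit, and should be removed as dead configuration; `aws_route_table.r` would also benefit from a descriptive name such as `rt_public`.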

+ 6 - 0
z_nextsteps.j

@@ -0,0 +1,6 @@
+{% import "variables.include" as var %}
+output "NEXT-STEPS" {
+  value = <<EOF
+Enjoy!
+EOF
+}