diff --git a/aws/ec2-instances/README.md b/aws/ec2-instances/README.md
index 93c8a2e..91abc32 100644
--- a/aws/ec2-instances/README.md
+++ b/aws/ec2-instances/README.md
@@ -28,20 +28,16 @@ This repository contains Terraform code for provisioning AWS EC2 instances for t
 | Debian 11 cnspec | Latest Debian 11 image with cnspec | `create_debian11_cnspec` | N/A |
 | Debian 11 CIS | CIS Debian Linux 11 Benchmark - Level 1 | `create_debian11_cis` | [CIS Debian Linux 11 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp?sku=7158qffnkd38liu1mrksgz53n) |
 | Debian 11 CIS cnspec | CIS Debian Linux 11 Benchmark - Level 1 with latest cnspec | `create_debian11_cis_cnspec` | [CIS Debian Linux 11 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp?sku=7158qffnkd38liu1mrksgz53n) |
-| Oracle 7 | Latest Oracle 7 image | `create_oracle7` | |
-| Oracle 7 cnspec | Latest Oracle 7 image with latest cnspec | `create_oracle7_cnspec` | |
+| Debian 12 CIS | CIS Debian Linux 12 Benchmark - Level 1 | `create_debian12_cis` | [CIS Debian Linux 12 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qx5nmpdvckqgc?applicationId=AWSMPContessa&ref_=beagle&sr=0-3) |
+| Debian 12 CIS cnspec | CIS Debian Linux 12 Benchmark - Level 1 with latest cnspec | `create_debian12_cis_cnspec` | [CIS Debian Linux 12 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qx5nmpdvckqgc?applicationId=AWSMPContessa&ref_=beagle&sr=0-3) |
 | Oracle 7 CIS | CIS Oracle Linux 7 Benchmark - Level 1 | `create_oracle7_cis` | [CIS Oracle Linux 7 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-pshwm5x5a7wmg?sr=0-24&ref_=beagle&applicationId=AWSMPContessa) |
 | Oracle 7 CIS cnspec | CIS Oracle Linux 7 Benchmark - Level 1 with latest cnspec | `create_oracle7_cis_cnspec` | [CIS Oracle Linux 7 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-pshwm5x5a7wmg?sr=0-24&ref_=beagle&applicationId=AWSMPContessa) |
-| Oracle 8 | Latest Oracle 8 image | `create_oracle8` | |
-| Oracle 8 cnspec | Latest Oracle 8 image with latest cnspec | `create_oracle8_cnspec` | |
 | Oracle 8 CIS | CIS Oracle Linux 8 Benchmark - Level 1 | `create_oracle8_cis` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) |
 | Oracle 8 CIS cnspec | CIS Oracle Linux 8 Benchmark - Level 1 with latest cnspec | `create_oracle8_cis_cnspec` | [CIS Oracle Linux 8 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-qohiqfju7iecs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) |
 | Oracle 9 | Latest Oracle 9 image | `create_oracle9` | |
 | Oracle 9 cnspec | Latest Oracle 9 image with latest cnspec | `create_oracle9_cnspec` | |
 | Oracle 9 CIS | CIS Oracle Linux 9 Benchmark - Level 1 | `create_oracle9_cis` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) |
 | Oracle 9 CIS cnspec | CIS Oracle Linux 9 Benchmark - Level 1 with latest cnspec | `create_oracle9_cis_cnspec` | [CIS Oracle Linux 9 Benchmark - Level 1](https://aws.amazon.com/marketplace/pp/prodview-uvycouobpppp4?sr=0-1&ref_=beagle&applicationId=AWS-EC2-Console) |
-| RHEL 7 | Latest Red Hat Enterprise Linux 7 | `create_rhel7` | |
-| RHEL 7 cnspec | Latest Red Hat Enterprise Linux 7 with latest cnspec | `create_rhel7_cnspec` |
 | RHEL 7 mondoo pass private | Saved image of a manually hardened CIS RHEL7 image (which CIS deleted) | `create_rhel7_pass_private` | |
 | RHEL 8 | Latest Red Hat Enterprise Linux 8 | `create_rhel8` | |
 | RHEL 8 cnspec | Latest Red Hat Enterprise Linux 8 with latest cnspec | `create_rhel8_cnspec` | |
diff --git a/aws/ec2-instances/amis.tf b/aws/ec2-instances/amis.tf
index 5c1653c..0015bf4 100644
--- a/aws/ec2-instances/amis.tf
+++ b/aws/ec2-instances/amis.tf
@@ -115,22 +115,6 @@ data "aws_ami" "rhel9_cis" {
 }
-data "aws_ami" "rhel7" {
- most_recent = true
-
- filter {
- name = "name"
- values = ["RHEL_HA-7*_HVM-*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
-
- owners = ["309956199498"]
-}
-
 data "aws_ami" "rhel7-cis-pass-private" {
 most_recent = true
@@ -411,17 +395,12 @@ data "aws_ami" "debian12" {
 owners = ["136693071363"]
 }
-data "aws_ami" "suse15" {
+data "aws_ami" "debian12_cis" {
 most_recent = true
 filter {
 name = "name"
- values = ["suse-sles-15-sp5*"]
- }
-
- filter {
- name = "architecture"
- values = ["x86_64"]
+ values = ["CIS Debian Linux 12*"]
 }
 filter {
@@ -429,31 +408,20 @@ data "aws_ami" "suse15" {
 values = ["hvm"]
 }
- owners = ["013907871322"]
+ owners = ["679593333241"]
 }
-data "aws_ami" "suse15_cis" {
+data "aws_ami" "suse15" {
 most_recent = true
 filter {
 name = "name"
- values = ["CIS SUSE Linux Enterprise 15 Benchmark*Level*"]
- }
-
- filter {
- name = "virtualization-type"
- values = ["hvm"]
+ values = ["suse-sles-15-sp5*"]
 }
- owners = ["679593333241"]
-}
-
-data "aws_ami" "oracle7" {
- most_recent = true
-
 filter {
- name = "name"
- values = ["*SupportedImages OL7.9*"]
+ name = "architecture"
+ values = ["x86_64"]
 }
 filter {
@@ -461,31 +429,15 @@ data "aws_ami" "oracle7" {
 values = ["hvm"]
 }
- owners = ["679593333241"]
+ owners = ["013907871322"]
 }
-#data "aws_ami" "oracle7_cis" {
-# most_recent = true
-#
-# filter {
-# name = "name"
-# values = ["CIS Oracle Linux 7 Benchmark*"]
-# }
-#
-# filter {
-# name = "virtualization-type"
-# values = ["hvm"]
-# }
-#
-# owners = ["679593333241"]
-#}
-
-data "aws_ami" "oracle8" {
+data "aws_ami" "suse15_cis" {
 most_recent = true
 filter {
 name = "name"
- values = ["*SupportedImages OL8.8*"]
+ values = ["CIS SUSE Linux Enterprise 15 Benchmark*Level*"]
 }
 filter {
diff --git a/aws/ec2-instances/main.tf b/aws/ec2-instances/main.tf
index cec393c..8ea8e89 100644
--- a/aws/ec2-instances/main.tf
+++ b/aws/ec2-instances/main.tf
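Review bot: In amis.tf, the new `debian12_cis` data source resolves the image with `most_recent = true`, the wildcard `CIS Debian Linux 12*` and `owners = ["679593333241"]`; that owner id is the same one this file used for the non-CIS `*SupportedImages OL7.9*` image, so it identifies the Marketplace rather than CIS as publisher, and the name pattern accepts any listing whose name starts with that prefix, including a Level 2 build, while the README row promises Level 1. Because `most_recent` picks whichever matching AMI was published last, a new listing with the same prefix would silently change the image this lab runs. Pin the lookup to the intended listing, either by putting the level into the name, `values = ["CIS Debian Linux 12 Benchmark*Level 1*"]`, or by adding a `product-code` filter with the listing's product code (the `prodview-…` id in the README link is a page id, not the product code). Whether the Marketplace name contains the words "Level 1" is inferred from the neighbouring `suse15_cis` pattern and should be checked against the listing before relying on it.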
@@ -286,15 +286,14 @@ module "debian12_cnspec" {
 user_data_replace_on_change = true
 }
-// Oracle 7
-module "oracle7" {
+module "debian12_cis" {
 source = "terraform-aws-modules/ec2-instance/aws"
 version = "~> 5.6.1"
- create = var.create_oracle7
- name = "${var.prefix}-oracle7-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle7.id
+ create = var.create_debian12_cis
+ name = "${var.prefix}-debian12-cis-${random_id.instance_id.id}"
+ ami = data.aws_ami.debian12_cis.id
 instance_type = var.linux_instance_type
 vpc_security_group_ids = [module.linux_sg.security_group_id]
 subnet_id = module.vpc.public_subnets[0]
@@ -302,13 +301,13 @@ module "oracle7" {
 associate_public_ip_address = true
 }
-module "oracle7_cnspec" {
+module "debian12_cis_cnspec" {
 source = "terraform-aws-modules/ec2-instance/aws"
 version = "~> 5.6.1"
- create = var.create_oracle7_cnspec
- name = "${var.prefix}-oracle7-cnspec-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle7.id
+ create = var.create_debian12_cis_cnspec
+ name = "${var.prefix}-debian12-cis-cnspec-${random_id.instance_id.id}"
+ ami = data.aws_ami.debian12_cis.id
 instance_type = var.linux_instance_type
 vpc_security_group_ids = [module.linux_sg.security_group_id]
 subnet_id = module.vpc.public_subnets[0]
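Review bot: `module "debian12_cis"` is added without the `// <distro>` section header that groups the other module pairs in this file (the hunk removes `// Oracle 7` here, and `// Oracle 8 deprecated`, `// Red Hat Linux 7` and `// Private RHEL7 Image` survive elsewhere), so the Debian 12 CIS pair is the only group a reader cannot find by its header; add `// Debian 12 CIS` above the module block. Both new modules also keep `subnet_id = module.vpc.public_subnets[0]` and, as the second hunk's context shows for `debian12_cis`, `associate_public_ip_address = true`, so the CIS image is reachable from the internet through whatever ingress `module.linux_sg` permits; that is the convention of this lab rather than something the commit introduces, but the security group's ingress is not visible here and is worth confirming to be limited to the operator's address. Both module bodies continue past the end of their hunks.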
@@ -318,6 +317,40 @@ module "oracle7_cnspec" {
 user_data_replace_on_change = true
 }
+
+
+// Oracle 7
+
+#module "oracle7" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle7
+# name = "${var.prefix}-oracle7-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle7.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+#}
+#
+#module "oracle7_cnspec" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle7_cnspec
+# name = "${var.prefix}-oracle7-cnspec-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle7.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+# user_data = base64encode(local.linux_user_data)
+# user_data_replace_on_change = true
+#}
+
 #module "oracle7_cis" {
 # source = "terraform-aws-modules/ec2-instance/aws"
 # version = "~> 5.6.1"
@@ -348,37 +381,37 @@ module "oracle7_cnspec" {
 # user_data_replace_on_change = true
 #}
-// Oracle 8
-
-module "oracle8" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_oracle8
- name = "${var.prefix}-oracle8-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle8.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
-}
+// Oracle 8 deprecated
-module "oracle8_cnspec" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_oracle8_cnspec
- name = "${var.prefix}-oracle8-cnspec-${random_id.instance_id.id}"
- ami = data.aws_ami.oracle8.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
- user_data = base64encode(local.linux_user_data)
- user_data_replace_on_change = true
-}
+#module "oracle8" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle8
+# name = "${var.prefix}-oracle8-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle8.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+#}
+#
+#module "oracle8_cnspec" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_oracle8_cnspec
+# name = "${var.prefix}-oracle8-cnspec-${random_id.instance_id.id}"
+# ami = data.aws_ami.oracle8.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+# user_data = base64encode(local.linux_user_data)
+# user_data_replace_on_change = true
+#}
 module "oracle8_cis" {
 source = "terraform-aws-modules/ec2-instance/aws"
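Review bot: The commented-out `oracle8` and `oracle8_cnspec` bodies still reference `var.create_oracle8`, `var.create_oracle8_cnspec` and `data.aws_ami.oracle8.id`, and this same commit removes all three (variables.tf drops both variables and amis.tf no longer defines an `oracle8` data source), so uncommenting the block can never work and it is dead configuration, not a deprecation; the same applies to the `oracle7` block in the previous hunk and the `# DISFUNCT` rhel7 block later in the file, whose `data.aws_ami.oracle7`, `data.aws_ami.rhel7` and `create_*` inputs are deleted too. Remove the blocks and let git history hold them, keeping at most a one-line marker such as `// Oracle 8 stock-image modules removed; see git history`. If `// Oracle 8 deprecated` stays, it should say what was deprecated, since as written it reads as a header for the `oracle8_cis` module that follows it.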
@@ -613,37 +646,37 @@ module "centos7_hardened_community" {
 associate_public_ip_address = true
 }
-
-// Red Hat Linux 7
-module "rhel7" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_rhel7
- name = "${var.prefix}-rhel7-${random_id.instance_id.id}"
- ami = data.aws_ami.rhel7.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
-}
-
-module "rhel7_cnspec" {
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 5.6.1"
-
- create = var.create_rhel7_cnspec
- name = "${var.prefix}-rhel7-cnspec-${random_id.instance_id.id}"
- ami = data.aws_ami.rhel7.id
- instance_type = var.linux_instance_type
- vpc_security_group_ids = [module.linux_sg.security_group_id]
- subnet_id = module.vpc.public_subnets[0]
- key_name = var.aws_key_pair_name
- associate_public_ip_address = true
- user_data = base64encode(local.linux_user_data)
- user_data_replace_on_change = true
-}
+# DISFUNCT
+#// Red Hat Linux 7
+#module "rhel7" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_rhel7
+# name = "${var.prefix}-rhel7-${random_id.instance_id.id}"
+# ami = data.aws_ami.rhel7.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+#}
+#
+#module "rhel7_cnspec" {
+# source = "terraform-aws-modules/ec2-instance/aws"
+# version = "~> 5.6.1"
+#
+# create = var.create_rhel7_cnspec
+# name = "${var.prefix}-rhel7-cnspec-${random_id.instance_id.id}"
+# ami = data.aws_ami.rhel7.id
+# instance_type = var.linux_instance_type
+# vpc_security_group_ids = [module.linux_sg.security_group_id]
+# subnet_id = module.vpc.public_subnets[0]
+# key_name = var.aws_key_pair_name
+# associate_public_ip_address = true
+# user_data = base64encode(local.linux_user_data)
+# user_data_replace_on_change = true
+#}
 // Private RHEL7 Image
 module "rhel7_pass_private" {
diff --git a/aws/ec2-instances/outputs.tf b/aws/ec2-instances/outputs.tf
index b8d1512..41817b9 100644
--- a/aws/ec2-instances/outputs.tf
+++ b/aws/ec2-instances/outputs.tf
@@ -41,20 +41,11 @@ output "centos7_hardened_community" {
 value = module.centos7_hardened_community.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.centos7_hardened_community.public_ip}"
 }
-# rhel 7
-output "rhel7" {
- value = module.rhel7.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel7.public_ip}"
-}
-
+# rhel 7 private mondoo image
 output "rhel7_pass_private" {
 value = module.rhel7_pass_private.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel7_pass_private.public_ip}"
 }
-
-output "rhel7_cnspec" {
- value = module.rhel7_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel7_cnspec.public_ip}"
-}
-
 # rhel8
 output "rhel8" {
 value = module.rhel8.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.rhel8.public_ip}"
@@ -177,6 +168,15 @@ output "debian12_cnspec" {
 value = module.debian12_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} admin@${module.debian12_cnspec.public_ip}"
 }
+#debian12cis
+output "debian12_cis" {
+ value = module.debian12_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} admin@${module.debian12_cis.public_ip}"
+}
+
+output "debian12_cis_cnspec" {
+ value = module.debian12_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} admin@${module.debian12_cis_cnspec.public_ip}"
+}
+
 # suse15
 output "suse15" {
 value = module.suse15.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.suse15.public_ip}"
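Review bot: The two new outputs copy `-o StrictHostKeyChecking=no` into the suggested ssh command, which disables host-key verification for a host this configuration exposes on a public IP, so a changed key on that address would go unnoticed; the existing outputs do the same, but for new entries `-o StrictHostKeyChecking=accept-new` keeps the first-connection convenience while still refusing a key that differs from the one recorded, e.g. `value = module.debian12_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/${var.aws_key_pair_name} admin@${module.debian12_cis.public_ip}"`. The login user `admin` is carried over from the stock `debian12_cnspec` output above it; whether the CIS-hardened Marketplace image keeps that account is not visible here and should be verified before the output is relied on. The header `#debian12cis` also breaks the `# <name>` spelling used by `# rhel8` and `# suse15` around it; `# debian12 cis` would match.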
@@ -194,33 +194,6 @@ output "suse15_cis_cnspec" {
 value = module.suse15_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.suse15_cis_cnspec.public_ip}"
 }
-# oracle7
-# oracle7
-output "oracle7" {
- value = module.oracle7.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7.public_ip}"
-}
-
-output "oracle7_cnspec" {
- value = module.oracle7_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cnspec.public_ip}"
-}
-
-#output "oracle7_cis" {
-# value = module.oracle7_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis.public_ip}"
-#}
-#
-#output "oracle7_cis_cnspec" {
-# value = module.oracle7_cis_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle7_cis_cnspec.public_ip}"
-#}
-
-# oracle8
-output "oracle8" {
- value = module.oracle8.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle8.public_ip}"
-}
-
-output "oracle8_cnspec" {
- value = module.oracle8_cnspec.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle8_cnspec.public_ip}"
-}
-
 output "oracle8_cis" {
 value = module.oracle8_cis.public_ip == null ? "" : "ssh -o StrictHostKeyChecking=no -i ~/.ssh/${var.aws_key_pair_name} ec2-user@${module.oracle8_cis.public_ip}"
 }
diff --git a/aws/ec2-instances/variables.tf b/aws/ec2-instances/variables.tf
index 368a3c3..25f23ba 100644
--- a/aws/ec2-instances/variables.tf
+++ b/aws/ec2-instances/variables.tf
@@ -196,18 +196,10 @@ variable "create_centos7_hardened_community" {
 default = false
 }
-variable "create_rhel7" {
- default = false
-}
-
 variable "create_rhel7_pass_private" {
 default = false
 }
-variable "create_rhel7_cnspec" {
- default = false
-}
-
 variable "create_rhel7_cis" {
 default = false
 }
@@ -260,43 +252,27 @@ variable "create_debian12_cnspec" {
 default = false
 }
-variable "create_suse15" {
+variable "create_debian12_cis" {
 default = false
 }
-variable "create_suse15_cnspec" {
+variable "create_debian12_cis_cnspec" {
 default = false
 }
-variable "create_suse15_cis" {
- default = false
-}
-
-variable "create_suse15_cis_cnspec" {
- default = false
-}
-
-variable "create_oracle7" {
+variable "create_suse15" {
 default = false
 }
-variable "create_oracle7_cnspec" {
+variable "create_suse15_cnspec" {
 default = false
 }
-#variable "create_oracle7_cis" {
-# default = false
-#}
-#
-#variable "create_oracle7_cis_cnspec" {
-# default = false
-#}
-
-variable "create_oracle8" {
+variable "create_suse15_cis" {
 default = false
 }
-variable "create_oracle8_cnspec" {
+variable "create_suse15_cis_cnspec" {
 default = false
 }
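Review bot: The new `create_debian12_cis` and `create_debian12_cis_cnspec` variables declare only `default = false`, so nothing at the variable boundary constrains the value to a boolean and the README table is the only place that says what the flag switches on. Give each new declaration a `type = bool` and a `description`, e.g. `description = "Create the CIS Debian Linux 12 Benchmark Level 1 instance"` and `description = "Create the CIS Debian Linux 12 Benchmark Level 1 instance with cnspec installed via user data"`. The surrounding variables follow the bare form, so this is a consistency choice for the file, but new declarations are the cheap place to start and `terraform-docs`-style tooling can then generate the README table instead of it being maintained by hand.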