loading...

True CI/CD Pipeline for "Golden Image" AMIs

artis3n profile image Ari Kalfus ・2 min read

From a comment on the announcement article:

For this contest, you'll only be able to submit projects that you started after this announcement post was published.

Well, I guess I am disqualified. But, leaving this post up as a resource for anyone that may like it.

My Workflow

I have a process that creates custom AMIs as a "golden image" and provisions infrastructure using Terraform for custom penetration testing resources in AWS. This workflow can be used for any type of image, however!

I leverage Packer with Ansible provisioners to build an EC2 image, then have Packer freeze that server into an AMI image. I use Molecule and Terraform Plan (using a free Terraform Cloud account and Hashicorp's Terraform GitHub Action) to test PRs. Merges to main trigger Packer builds that create a new AMI in my AWS account. Terraform then runs and creates new infrastructure based off of the new AMI.

Submission Category:

DIY Deployments

Yaml File or Link to Code

The repo where this is all contained is:

GitHub logo artis3n / cloud-hackbox

Create custom AMIs with Packer and Ansible to enable rapid provisioning of offensive infrastructure in AWS using Terraform.

cloud-hackbox

A repository to build and provision custom pentest resources in AWS.

GitHub Workflow Status GitHub Workflow Status GitHub last commit GitHub GitHub followers Twitter Follow

Supported hackboxes:

  • Kali Linux

Additional desired hackboxes:

  • ParrotOS

Setup

pip install pipenv
# Installs Terraform, Packer, and Pipenv dependencies (e.g. Ansible)
make install
# If you want to run Molecule tests
pipenv install --dev
# Set your AWS credentials
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=...
# If you have default or ephemeral credentials saved in ~/.aws/credentials you can forego these env vars

Then choose a hackbox and follow the instructions to build and provision it.

Hackboxes

Kali Linux AMI

Packer file: kali/kali-ami.json

Builds a Kali Linux AMI with the following:

  • Updates all packages on the system
  • Installs and configures a number of frequently used packages

This AMI also pre-configures UFW. The following UFW rules are pre-configured:

  • deny all incoming
  • allow all outgoing
  • enable ssh on tcp/22 with brute force mitigation (ufw limit)

Let's step through the 2 workflows I use for this smooth CI/CD process.

CI

https://github.com/artis3n/cloud-hackbox/blob/main/.github/workflows/ci.yml

The CI workflow runs molecule to ensure any changes to the Ansible playbook for the AMI work and terraform to ensure any changes to that code results in the infrastructure that you expect. PRs must pass both checks before they can be merged.

CD

https://github.com/artis3n/cloud-hackbox/blob/main/.github/workflows/build.yml

In this workflow file, I build the new AMI with Packer and deploy it to my AWS account whenever new code is merged to main. I do not run Terraform afterward in this file because my use case is on-demand infrastructure in the future, but this can be accomplished with the following addition:

- name: Packer build
  run: packer build kali/kali-ami.json
  env:
      AWS_MAX_ATTEMPTS: 90
      AWS_POLL_DELAY_SECONDS: 60
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

# New steps

- uses: hashicorp/setup-terraform@v1
  with:
      cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

- name: Init
  run: cd kali/terraform && terraform init

- name: Provision
  run: cd kali/terraform && terraform apply -auto-approve

We can be confident about the -auto-approve as we have reviewed any changes in the plan during the PR review process.

Additional Resources / Info

Posted on by:

artis3n profile

Ari Kalfus

@artis3n

Penetration tester and security engineer. @artis3n

Discussion

pic
Editor guide