From a comment on the announcement article:
For this contest, you'll only be able to submit projects that you started after this announcement post was published.
Well, I guess I am disqualified. But, leaving this post up as a resource for anyone that may like it.
My Workflow
I have a process that creates custom AMIs as a "golden image" and provisions infrastructure using Terraform for custom penetration testing resources in AWS. This workflow can be used for any type of image, however!
I leverage Packer with Ansible provisioners to build an EC2 image, then have Packer freeze that server into an AMI image. I use Molecule and Terraform Plan (using a free Terraform Cloud account and Hashicorp's Terraform GitHub Action) to test PRs. Merges to main trigger Packer builds that create a new AMI in my AWS account. Terraform then runs and creates new infrastructure based off of the new AMI.
Submission Category:
DIY Deployments
Yaml File or Link to Code
The repo where this is all contained is:
artis3n
/
cloud-hackbox
Create custom AMIs with Packer and Ansible to enable rapid provisioning of offensive infrastructure in AWS using Terraform.
cloud-hackbox
A repository to build and provision custom pentest resources in AWS.
Supported hackboxes:
- Kali Linux
Additional desired hackboxes:
- ParrotOS
Setup
pip install pipenv
# Installs Terraform, Packer, and Pipenv dependencies (e.g. Ansible)
make install
# If you want to run Molecule tests
pipenv install --dev
# Set your AWS credentials
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=...
# If you have default or ephemeral credentials saved in ~/.aws/credentials you can forego these env vars
Then choose a hackbox and follow the instructions to build and provision it.
Hackboxes
Kali Linux AMI
Packer file: kali/kali-ami.json
Builds a Kali Linux AMI with the following:
- Updates all packages on the system
- Installs and configures a number of frequently used packages
- See the full list.
This AMI also pre-configures UFW. The following UFW rules are pre-configured:
- deny all incoming
- allow all outgoing
- enable ssh on tcp/22 with brute force mitigation (
ufw limit) - …
Let's step through the 2 workflows I use for this smooth CI/CD process.
CI
https://github.com/artis3n/cloud-hackbox/blob/main/.github/workflows/ci.yml
The CI workflow runs molecule to ensure any changes to the Ansible playbook for the AMI work and terraform to ensure any changes to that code results in the infrastructure that you expect. PRs must pass both checks before they can be merged.
CD
https://github.com/artis3n/cloud-hackbox/blob/main/.github/workflows/build.yml
In this workflow file, I build the new AMI with Packer and deploy it to my AWS account whenever new code is merged to main. I do not run Terraform afterward in this file because my use case is on-demand infrastructure in the future, but this can be accomplished with the following addition:
- name: Packer build
run: packer build kali/kali-ami.json
env:
AWS_MAX_ATTEMPTS: 90
AWS_POLL_DELAY_SECONDS: 60
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# New steps
- uses: hashicorp/setup-terraform@v1
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Init
run: cd kali/terraform && terraform init
- name: Provision
run: cd kali/terraform && terraform apply -auto-approve
We can be confident about the -auto-approve as we have reviewed any changes in the plan during the PR review process.
Top comments (0)