RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/ansible/roles/mu-logstash/meta/main.yml ADDED Viewed

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+  min_ansible_version: 2.1
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

data/ansible/roles/mu-logstash/tasks/main.yml ADDED Viewed

@@ -0,0 +1,254 @@
+---
+- name: remove firewalld
+  package:
+    name: firewalld
+    state: absent
+- name: make sure iptables is available
+  package:
+    name: iptables-services
+    state: present
+- name: allow inbound for public traffic
+  iptables:
+    chain: INPUT
+    source: 0.0.0.0/0
+    destination_port: "{{ item }}"
+    protocol: tcp
+    jump: ACCEPT
+  with_items:
+  - "80"
+  - "443"
+  - "8080"
+  - "8008"
+  - "8200"
+  - "5044"
+- name: add yum repo for ElasticSearch
+  yum_repository:
+    name: elasticsearch
+    gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    baseurl: https://artifacts.elastic.co/packages/7.x/yum
+    description: Elasticsearch repository for 7.x packages
+- name: install logstash and related packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - logstash
+  - heartbeat-elastic
+  - nginx
+  - apm-server
+  - httpd-tools
+  - policycoreutils-python
+# XXX (this insecure convolution belongs in some kind of shared library)
+# We have to go through this tempfile dance because jinja doesn't actually see
+# decrypted vault data, apparently, so as soon as we try to do anything other
+# than write the whole decrypted blob to a file it fails to decrypt. That's
+# even if we try the various workarounds from:
+# https://github.com/ansible/ansible/issues/24425
+- name: create Elastic password temp file (ugh)
+  tempfile:
+    state: file
+    suffix: temp
+  register: elasticpw_tmpfile
+- name: "Write Elastic password to temp file"
+  copy:
+    dest: "{{ elasticpw_tmpfile.path }}"
+    content: "{{ mu_vaults[mu_deploy_id]['elasticpw'] }}"
+- name: "Load Elastic password from temp file"
+  slurp:
+    src: "{{ elasticpw_tmpfile.path }}"
+  register: elasticpw_yaml
+- name: From tmp YAML to dict
+  set_fact:
+    elasticpw_dict: "{{ elasticpw_yaml.content | b64decode | from_yaml }}"
+- name: decrypt elastic password
+  set_fact:
+    elasticpw: "{{ elasticpw_dict['password'] }}"
+- name: Logstash config files in /etc/logstash
+  copy:
+    dest: "/etc/logstash/{{ item }}"
+    src: "{{ item }}"
+    mode: 0644
+  become: yes
+  with_items:
+  - jvm.options
+  - logstash.yml
+  notify:
+  - Restart logstash
+- name: Logstash config files in /etc/logstash/conf.d
+  copy:
+    dest: "/etc/logstash/conf.d/{{ item }}"
+    src: "{{ item }}"
+    mode: 0644
+  become: yes
+  with_items:
+  - 02-beats-input.conf
+  - 10-rails-filter.conf
+- name: Copy Mu's CA
+  copy:
+    dest: "/etc/{{ item }}/elasticsearch-ca.pem"
+    src: /opt/mu/var/ssl/Mu_CA.pem
+    mode: 0644
+  become: yes
+  notify:
+  - Restart logstash
+  - Restart apm-server
+  with_items:
+  - logstash
+  - apm-server
+- name: Logstash Elastic integration config
+  template:
+    src: 30-elasticsearch-output.conf.j2
+    dest: /etc/logstash/conf.d/30-elasticsearch-output.conf
+    mode: 0644
+- name: Logstash CloudTrail integration config
+  template:
+    src: 20-cloudtrail.conf.j2
+    dest: /etc/logstash/conf.d/20-cloudtrail.conf
+    mode: 0644
+- name: Elastic Heartbeat config
+  template:
+    src: heartbeat.yml.j2
+    dest: /etc/heartbeat/heartbeat.yml
+    mode: 0600
+  notify:
+  - Restart heartbeat-elastic
+- name: Copy Nginx certificate into place
+  copy:
+    dest: "/etc/ssl/certs/{{ inventory_hostname }}.crt"
+    src: "/opt/mu/var/ssl/{{ inventory_hostname }}.crt"
+    mode: 0644
+  become: yes
+  notify:
+  - Restart nginx
+- name: Make sure /etc/ssl/private exists
+  file:
+    path: /etc/ssl/private
+    mode: 0077
+    state: directory
+- name: Copy Nginx key into place
+  copy:
+    dest: "/etc/ssl/private/{{ inventory_hostname }}.key"
+    src: "/opt/mu/var/ssl/{{ inventory_hostname }}.key"
+    mode: 0644
+  become: yes
+  notify:
+  - Restart nginx
+- name: Nginx configs
+  template:
+    src: "nginx/{{ item }}.j2"
+    dest: "/etc/nginx/conf.d/{{ item }}"
+    mode: 0644
+  with_items:
+  - apm.conf
+  - default.conf
+  - elastic.conf
+  notify:
+  - Restart nginx
+- name: Enable and start logstash
+  service:
+    name: logstash
+    state: started
+- name: Enable and start Elastic Heartbeat
+  service:
+    name: heartbeat-elastic
+    state: started
+- name: Enable and start Nginx
+  service:
+    name: nginx
+    state: started
+- name: set elastic password
+  command:
+    cmd: "/bin/htpasswd -b -c /etc/nginx/htpasswd.users elastic \"{{ elasticpw }}\""
+  no_log: true
+  become: yes
+- name: fix permissions on /etc/nginx/htpasswd.users
+  file:
+    path: /etc/nginx/htpasswd.users
+    owner: nginx
+    mode: 0600
+- name: Check whether logstash CloudTrail plugin is installed
+  shell: "/usr/share/logstash/bin/logstash-plugin list logstash-codec-cloudtrail"
+  ignore_errors: true
+  register: cloudtrail_present
+  no_log: true
+  become: yes
+- name: Install logstash CloudTrail plugin
+  shell: /usr/share/logstash/bin/logstash-plugin install logstash-codec-cloudtrail
+  become: yes
+  when: cloudtrail_present is failed
+  notify:
+  - Restart logstash
+- name: Fix permissions on Logstash plugins
+  shell: |
+    find /usr/share/logstash/vendor/bundle/jruby/ -type d -exec chmod go+rx {} \;
+    find /usr/share/logstash/vendor/bundle/jruby/ -type f -exec chmod go+r {} \;
+  become: yes
+- name: Check whether Kibana port is allowed
+  shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 5601"
+  ignore_errors: true
+  register: kibana_allowed
+  no_log: true
+  become: yes
+- name: Allow Nginx to connect to Kibana
+  command: "/usr/sbin/semanage port -a -t http_port_t -p tcp 5601"
+  become: yes
+  when: kibana_allowed is failed
+  notify:
+  - Restart nginx
+- name: Check whether Elastic port is allowed
+  shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 9200"
+  ignore_errors: true
+  register: elastic_allowed
+  no_log: true
+  become: yes
+- name: Allow Nginx to connect to Elastic
+  command: "/usr/sbin/semanage port -m -t http_port_t -p tcp 9200"
+  ignore_errors: true
+  become: yes
+  when: elastic_allowed is failed
+  notify:
+  - Restart nginx
+- name: APM Server config
+  template:
+    src: apm-server.yml.j2
+    dest: /etc/apm-server/apm-server.yml
+    owner: root
+    group: apm-server
+    mode: 0644
+  notify:
+  - Restart apm-server
+- name: Enable and start APM Server
+  service:
+    name: apm-server
+    state: started

data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 ADDED Viewed

@@ -0,0 +1,28 @@
+{%- if application_attributes is defined and "cloudtrail_sources" in application_attributes: %}
+{% for trail in application_attributes["cloudtrail_sources"]: %}
+input {
+  s3 {
+    bucket => "{{ trail['bucket'] }}"
+    prefix => "AWSLogs/"
+    codec => cloudtrail {}
+    ecs_compatibility => v1
+    id => "cloudtrail{{ trail['tag'] }}"
+{% if "role_arn" in trail %}
+    role_arn => "{{ trail["role_arn"] }}"
+{% endif %}
+    tags => ["AWS", "cloudtrail", "{{ trail['tag'] }}"]
+    type => "cloudtrail"
+  }
+}
+{%- endfor %}
+{%- endif %}
+filter {
+  if [type] == "cloudtrail" {
+    geoip {
+      source => "sourceIPAddress"
+      ecs_compatibility => v1
+      target => "geoip"
+    }
+  }
+}

data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 ADDED Viewed

@@ -0,0 +1,19 @@
+output {
+  elasticsearch {
+    hosts => {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %} "https://{{ v }}:9200"
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}
+    ssl => true
+    ssl_certificate_verification => false
+    user => "elastic"
+    password => "{{ elasticpw }}"
+    cacert => "/etc/logstash/elasticsearch-ca.pem"
+    manage_template => false
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
+  }
+}

data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 ADDED Viewed

@@ -0,0 +1,33 @@
+apm-server:
+  host: "0.0.0.0:8200"
+  concurrent_requests: 5
+  rum:
+    enabled: true
+  kibana:
+    enabled: true
+    username: "elastic"
+    password: "{{ elasticpw }}"
+output.elasticsearch:
+  hosts: [
+{%- for node,meta in mu_deployment['servers']['backend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %}
+"https://{{ v }}:9200"
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}]
+  username: "elastic"
+  password: "{{ elasticpw }}"
+  protocol: "https"
+  worker: 2
+  ssl:
+    enabled: true
+    verification_mode: none
+    certificate_authorities: ["/etc/apm-server/elasticsearch-ca.pem"]
+    supported_protocols: ["TLSv1.2"]
+#queue.mem.events: 4096
+max_procs: 4

data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 ADDED Viewed

@@ -0,0 +1,29 @@
+heartbeat.monitors:
+  - type: http
+    id: elk
+    name: elk
+    ports: [5601, 9200]
+    schedule: '@every 10s'
+    urls: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %} ["https://{{ v }}"]
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}
+processors:
+  - add_cloud_metadata: ~
+  - add_host_metadata: ~
+output.logstash:
+  hosts: ["localhost:5044"]
+setup:kibana:
+  host: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["public_dns_name"] %} ["{{ v }}/"]
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}

data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 ADDED Viewed

@@ -0,0 +1,25 @@
+server {
+  listen 8008 ssl;
+  listen [::]:8008 ssl;
+  server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+  ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+  ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+#  ssl_dhparam /etc/ssl/certs/dhparam.pem;
+  location / {
+     proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %} https://{{ v }}:8200;
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}
+     proxy_http_version 1.1;
+     proxy_set_header Upgrade $http_upgrade;
+     proxy_set_header Connection 'upgrade';
+     proxy_set_header Host $host;
+     proxy_cache_bypass $http_upgrade;
+  }
+}

data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 ADDED Viewed

@@ -0,0 +1,56 @@
+server {
+    listen 443 http2 ssl;
+    listen [::]:443 http2 ssl;
+    server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+    #auth_basic "Restricted Access";
+    #auth_basic_user_file /etc/nginx/htpasswd.users;
+    ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+    ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+#    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    location / {
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/htpasswd.users;
+        proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %} http://{{ v }}:5601;
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+    }
+    #location /elastic {
+    #    set $proxy_port 9200;
+    #    proxy_pass http://localhost:9200;
+    #    proxy_http_version 1.1;
+    #    proxy_set_header Upgrade $http_upgrade;
+    #    proxy_set_header Connection 'upgrade';
+    #    proxy_set_header Host $host;
+    #    proxy_cache_bypass $http_upgrade;
+    #}
+    #location /logstash {
+    #    proxy_pass http://localhost:5044;
+    #    proxy_http_version 1.1;
+    #    proxy_set_header Upgrade $http_upgrade;
+    #    proxy_set_header Connection 'upgrade';
+    #    proxy_set_header Host $host;
+    #    proxy_cache_bypass $http_upgrade;
+    #}
+    error_page 404 /404.html;
+    location = /404.html {
+    }
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+    }
+}

data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 ADDED Viewed

@@ -0,0 +1,27 @@
+server {
+  listen 8080 ssl;
+  listen [::]:8080 ssl;
+  server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+  ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+  ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+#  ssl_dhparam /etc/ssl/certs/dhparam.pem;
+  location / {
+     proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+  {%- for k,v in meta.items() %}
+    {%- if k in ["private_ip_address"] %} https://{{ v }}:9200;
+    {%- endif %}
+  {%- endfor %}
+  {%- if not loop.last %},{%- endif %}
+{%- endfor %}
+     #proxy_http_version 1.1;
+     #proxy_set_header Upgrade $http_upgrade;
+     #proxy_set_header Connection 'upgrade';
+     #proxy_set_header Host $host;
+     #proxy_cache_bypass $http_upgrade;
+     #proxy_ssl_trusted_certificate /etc/;
+     proxy_ssl_verify off;
+  }
+}

data/ansible/roles/mu-logstash/tests/inventory ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ localhost
2	+

data/ansible/roles/mu-logstash/tests/test.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - mu-logstash

data/ansible/roles/mu-logstash/vars/main.yml ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ ---
2	+ # vars file for mu-logstash

data/ansible/roles/mu-rdp/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+Role Name
+=========
+Allow local-auth interactive remote logins to Windows nodes.
+Requirements
+------------
+Windows host with internet connectivity
+License
+-------
+Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
+Licensed under the BSD-3 license (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License in the root of the project or at
+    http://egt-labs.com/mu/LICENSE.html
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+Author Information
+------------------
+Current developers: John Stange
+egt-labs-admins@egt-labs.com

data/ansible/roles/mu-rdp/meta/main.yml ADDED Viewed

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your description
+  company: your company (optional)
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+  min_ansible_version: 2.4
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

data/ansible/roles/mu-rdp/tasks/main.yml ADDED Viewed

@@ -0,0 +1,9 @@
+---
+- name: Allow traffic to port 3389
+  win_shell: Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+- name: Enable RDP
+  win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
+- name: Allow RDP to use local user authentication
+  win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0

data/ansible/roles/mu-rdp/tests/inventory ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ localhost
2	+

data/ansible/roles/mu-rdp/tests/test.yml ADDED Viewed

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - mu-rdp

data/ansible/roles/mu-windows/tasks/main.yml CHANGED Viewed

@@ -34,3 +34,6 @@
 - name: "Tell EC2Launch to run on next boot (Windows 2016+)"
   when: ((ansible_facts['distribution_major_version'] | int) >= 10 and mu_build_image is defined and mu_build_image == True)
   win_shell: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
+- name: Allow RDP to use local user authentication
+  win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0

data/bin/mu-ansible-secret CHANGED Viewed

@@ -56,7 +56,7 @@ if $opts[:string]
   else
     ARGV.shift
   end
-  MU::Groomer::Ansible.encryptString(namestr, $opts[:string])
+  puts MU::Groomer::Ansible.encryptString($opts[:string], namestr)
   exit
 end