cloud-mu 3.5.0 → 3.6.3

Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
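--- a/data/ansible/roles/mu-logstash/meta/main.yml
+++ b/data/ansible/roles/mu-logstash/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+author: your name
+description: your role description
+company: your company (optional)
+
+# If the issue tracker for your role is not on github, uncomment the
+# next line and provide a value
+# issue_tracker_url: http://example.com/issue/tracker
+
+# Choose a valid license ID from https://spdx.org - some suggested licenses:
+# - BSD-3-Clause (default)
+# - MIT
+# - GPL-2.0-or-later
+# - GPL-3.0-only
+# - Apache-2.0
+# - CC-BY-4.0
+license: license (GPL-2.0-or-later, MIT, etc)
+
+min_ansible_version: 2.1
+
+# If this a Container Enabled role, provide the minimum Ansible Container version.
+# min_ansible_container_version:
+
+#
+# Provide a list of supported platforms, and for each platform a list of versions.
+# If you don't wish to enumerate all versions for a particular platform, use 'all'.
+# To view available platforms and versions (or releases), visit:
+# https://galaxy.ansible.com/api/v1/platforms/
+#
+# platforms:
+# - name: Fedora
+# versions:
+# - all
+# - 25
+# - name: SomePlatform
+# versions:
+# - all
+# - 1.0
+# - 7
+# - 99.99
+
+galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+# Maximum 20 tags per role.
+
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.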
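--- a/data/ansible/roles/mu-logstash/tasks/main.yml
+++ b/data/ansible/roles/mu-logstash/tasks/main.yml
@@ -0,0 +1,254 @@
+---
+
+- name: remove firewalld
+package:
+name: firewalld
+state: absent
+
+- name: make sure iptables is available
+package:
+name: iptables-services
+state: present
+
+- name: allow inbound for public traffic
+iptables:
+chain: INPUT
+source: 0.0.0.0/0
+destination_port: "{{ item }}"
+protocol: tcp
+jump: ACCEPT
+with_items:
+- "80"
+- "443"
+- "8080"
+- "8008"
+- "8200"
+- "5044"
+
+- name: add yum repo for ElasticSearch
+yum_repository:
+name: elasticsearch
+gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+baseurl: https://artifacts.elastic.co/packages/7.x/yum
+description: Elasticsearch repository for 7.x packages
+
+- name: install logstash and related packages
+package:
+name: "{{ item }}"
+state: present
+with_items:
+- logstash
+- heartbeat-elastic
+- nginx
+- apm-server
+- httpd-tools
+- policycoreutils-python
+
+# XXX (this insecure convolution belongs in some kind of shared library)
+# We have to go through this tempfile dance because jinja doesn't actually see
+# decrypted vault data, apparently, so as soon as we try to do anything other
+# than write the whole decrypted blob to a file it fails to decrypt. That's
+# even if we try the various workarounds from:
+# https://github.com/ansible/ansible/issues/24425
+- name: create Elastic password temp file (ugh)
+tempfile:
+state: file
+suffix: temp
+register: elasticpw_tmpfile
+- name: "Write Elastic password to temp file"
+copy:
+dest: "{{ elasticpw_tmpfile.path }}"
+content: "{{ mu_vaults[mu_deploy_id]['elasticpw'] }}"
+- name: "Load Elastic password from temp file"
+slurp:
+src: "{{ elasticpw_tmpfile.path }}"
+register: elasticpw_yaml
+- name: From tmp YAML to dict
+set_fact:
+elasticpw_dict: "{{ elasticpw_yaml.content | b64decode | from_yaml }}"
+
+- name: decrypt elastic password
+set_fact:
+elasticpw: "{{ elasticpw_dict['password'] }}"
+
+- name: Logstash config files in /etc/logstash
+copy:
+dest: "/etc/logstash/{{ item }}"
+src: "{{ item }}"
+mode: 0644
+become: yes
+with_items:
+- jvm.options
+- logstash.yml
+notify:
+- Restart logstash
+
+- name: Logstash config files in /etc/logstash/conf.d
+copy:
+dest: "/etc/logstash/conf.d/{{ item }}"
+src: "{{ item }}"
+mode: 0644
+become: yes
+with_items:
+- 02-beats-input.conf
+- 10-rails-filter.conf
+
+- name: Copy Mu's CA
+copy:
+dest: "/etc/{{ item }}/elasticsearch-ca.pem"
+src: /opt/mu/var/ssl/Mu_CA.pem
+mode: 0644
+become: yes
+notify:
+- Restart logstash
+- Restart apm-server
+with_items:
+- logstash
+- apm-server
+
+- name: Logstash Elastic integration config
+template:
+src: 30-elasticsearch-output.conf.j2
+dest: /etc/logstash/conf.d/30-elasticsearch-output.conf
+mode: 0644
+
+- name: Logstash CloudTrail integration config
+template:
+src: 20-cloudtrail.conf.j2
+dest: /etc/logstash/conf.d/20-cloudtrail.conf
+mode: 0644
+
+- name: Elastic Heartbeat config
+template:
+src: heartbeat.yml.j2
+dest: /etc/heartbeat/heartbeat.yml
+mode: 0600
+notify:
+- Restart heartbeat-elastic
+
+- name: Copy Nginx certificate into place
+copy:
+dest: "/etc/ssl/certs/{{ inventory_hostname }}.crt"
+src: "/opt/mu/var/ssl/{{ inventory_hostname }}.crt"
+mode: 0644
+become: yes
+notify:
+- Restart nginx
+
+- name: Make sure /etc/ssl/private exists
+file:
+path: /etc/ssl/private
+mode: 0077
+state: directory
+
+- name: Copy Nginx key into place
+copy:
+dest: "/etc/ssl/private/{{ inventory_hostname }}.key"
+src: "/opt/mu/var/ssl/{{ inventory_hostname }}.key"
+mode: 0644
+become: yes
+notify:
+- Restart nginx
+
+- name: Nginx configs
+template:
+src: "nginx/{{ item }}.j2"
+dest: "/etc/nginx/conf.d/{{ item }}"
+mode: 0644
+with_items:
+- apm.conf
+- default.conf
+- elastic.conf
+notify:
+- Restart nginx
+
+- name: Enable and start logstash
+service:
+name: logstash
+state: started
+
+- name: Enable and start Elastic Heartbeat
+service:
+name: heartbeat-elastic
+state: started
+
+- name: Enable and start Nginx
+service:
+name: nginx
+state: started
+
+- name: set elastic password
+command:
+cmd: "/bin/htpasswd -b -c /etc/nginx/htpasswd.users elastic \"{{ elasticpw }}\""
+no_log: true
+become: yes
+
+- name: fix permissions on /etc/nginx/htpasswd.users
+file:
+path: /etc/nginx/htpasswd.users
+owner: nginx
+mode: 0600
+
+- name: Check whether logstash CloudTrail plugin is installed
+shell: "/usr/share/logstash/bin/logstash-plugin list logstash-codec-cloudtrail"
+ignore_errors: true
+register: cloudtrail_present
+no_log: true
+become: yes
+
+- name: Install logstash CloudTrail plugin
+shell: /usr/share/logstash/bin/logstash-plugin install logstash-codec-cloudtrail
+become: yes
+when: cloudtrail_present is failed
+notify:
+- Restart logstash
+
+- name: Fix permissions on Logstash plugins
+shell: |
+find /usr/share/logstash/vendor/bundle/jruby/ -type d -exec chmod go+rx {} \;
+find /usr/share/logstash/vendor/bundle/jruby/ -type f -exec chmod go+r {} \;
+become: yes
+
+- name: Check whether Kibana port is allowed
+shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 5601"
+ignore_errors: true
+register: kibana_allowed
+no_log: true
+become: yes
+
+- name: Allow Nginx to connect to Kibana
+command: "/usr/sbin/semanage port -a -t http_port_t -p tcp 5601"
+become: yes
+when: kibana_allowed is failed
+notify:
+- Restart nginx
+
+- name: Check whether Elastic port is allowed
+shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 9200"
+ignore_errors: true
+register: elastic_allowed
+no_log: true
+become: yes
+
+- name: Allow Nginx to connect to Elastic
+command: "/usr/sbin/semanage port -m -t http_port_t -p tcp 9200"
+ignore_errors: true
+become: yes
+when: elastic_allowed is failed
+notify:
+- Restart nginx
+
+- name: APM Server config
+template:
+src: apm-server.yml.j2
+dest: /etc/apm-server/apm-server.yml
+owner: root
+group: apm-server
+mode: 0644
+notify:
+- Restart apm-server
+
+- name: Enable and start APM Server
+service:
+name: apm-server
+state: started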
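Review bot: The Nginx private key is installed world-readable: 'Copy Nginx key into place' uses `mode: 0644`, and the 'Make sure /etc/ssl/private exists' task just before it creates the directory with `mode: 0077`, which is octal for owner-none / group-and-other-rwx — `0700` was presumably intended. Use `mode: 0700` on the directory and `mode: 0600` on the key (root-owned; the nginx master typically reads it before dropping privileges). The temp file that receives the vault-decrypted Elastic password is never removed, so the plaintext secret stays on disk after the play, and the `copy` that writes it carries no `no_log: true`, so diff/verbose runs can print it; delete the file once `elasticpw` has been set. Note also that `30-elasticsearch-output.conf` and `apm-server.yml`, both of which embed `elasticpw`, are written with `mode: 0644`; `0640` with the owning service's group would keep them from other local users.
```yaml
- name: Make sure /etc/ssl/private exists
  file:
    path: /etc/ssl/private
    mode: 0700
    state: directory
  become: yes

- name: Copy Nginx key into place
  copy:
    dest: "/etc/ssl/private/{{ inventory_hostname }}.key"
    src: "/opt/mu/var/ssl/{{ inventory_hostname }}.key"
    mode: 0600
  become: yes
  notify:
    - Restart nginx

# … unchanged: nginx configs, services, htpasswd, plugin and SELinux tasks …

- name: Remove Elastic password temp file
  file:
    path: "{{ elasticpw_tmpfile.path }}"
    state: absent
```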
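--- a/data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2
+++ b/data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2
@@ -0,0 +1,28 @@
+{%- if application_attributes is defined and "cloudtrail_sources" in application_attributes: %}
+{% for trail in application_attributes["cloudtrail_sources"]: %}
+input {
+s3 {
+bucket => "{{ trail['bucket'] }}"
+prefix => "AWSLogs/"
+codec => cloudtrail {}
+ecs_compatibility => v1
+id => "cloudtrail{{ trail['tag'] }}"
+{% if "role_arn" in trail %}
+role_arn => "{{ trail["role_arn"] }}"
+{% endif %}
+tags => ["AWS", "cloudtrail", "{{ trail['tag'] }}"]
+type => "cloudtrail"
+}
+}
+{%- endfor %}
+{%- endif %}
+
+filter {
+if [type] == "cloudtrail" {
+geoip {
+source => "sourceIPAddress"
+ecs_compatibility => v1
+target => "geoip"
+}
+}
+}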
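--- a/data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2
+++ b/data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2
@@ -0,0 +1,19 @@
+output {
+elasticsearch {
+hosts => {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %} "https://{{ v }}:9200"
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}
+
+ssl => true
+ssl_certificate_verification => false
+user => "elastic"
+password => "{{ elasticpw }}"
+cacert => "/etc/logstash/elasticsearch-ca.pem"
+manage_template => false
+index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
+}
+}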
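Review bot: `ssl_certificate_verification => false` disables checking of the Elasticsearch certificate even though `cacert` points at the Mu CA the role copies to /etc/logstash/elasticsearch-ca.pem, so the `elastic` basic-auth password below is sent to whatever answers on the backend private IPs; set `ssl_certificate_verification => true` and make sure the backend certificates carry those addresses (or names) as SANs. The rendered file also contains that password, and the task that writes it in tasks/main.yml uses `mode: 0644`; `0640`, root-owned with the `logstash` group, is the usual setting for a pipeline file holding credentials.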
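--- a/data/ansible/roles/mu-logstash/templates/apm-server.yml.j2
+++ b/data/ansible/roles/mu-logstash/templates/apm-server.yml.j2
@@ -0,0 +1,33 @@
+apm-server:
+host: "0.0.0.0:8200"
+concurrent_requests: 5
+rum:
+enabled: true
+kibana:
+enabled: true
+username: "elastic"
+password: "{{ elasticpw }}"
+
+output.elasticsearch:
+hosts: [
+{%- for node,meta in mu_deployment['servers']['backend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %}
+"https://{{ v }}:9200"
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}]
+username: "elastic"
+password: "{{ elasticpw }}"
+protocol: "https"
+worker: 2
+ssl:
+enabled: true
+verification_mode: none
+certificate_authorities: ["/etc/apm-server/elasticsearch-ca.pem"]
+supported_protocols: ["TLSv1.2"]
+
+#queue.mem.events: 4096
+
+max_procs: 4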
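Review bot: The listener binds `0.0.0.0:8200` with no `apm-server.secret_token` (or API-key auth) configured, and the role's iptables task opens 8200 to `0.0.0.0/0`, so anyone who can reach the host can inject arbitrary APM events into the cluster under the `elastic` credentials embedded in this file. Configure a secret token shared with the agents — RUM endpoints are exempt from it, so restrict those by source at the firewall — or bind to `127.0.0.1:8200` and expose the server only through the nginx `apm.conf` listener. `verification_mode: none` under `ssl` also negates the `certificate_authorities` entry; `full` (or `certificate`, if the backend certificates lack IP SANs) is presumably what the CA copy was for.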
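--- a/data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2
+++ b/data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2
@@ -0,0 +1,29 @@
+heartbeat.monitors:
+- type: http
+id: elk
+name: elk
+ports: [5601, 9200]
+schedule: '@every 10s'
+urls: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %} ["https://{{ v }}"]
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}
+
+processors:
+- add_cloud_metadata: ~
+- add_host_metadata: ~
+
+output.logstash:
+hosts: ["localhost:5044"]
+
+setup:kibana:
+host: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["public_dns_name"] %} ["{{ v }}/"]
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}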
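Review bot: `setup:kibana:` in the last block uses a colon where the Beats key is `setup.kibana`, so the section is ignored and Kibana setup falls back to the default host; `setup.kibana.host` also takes a single string, not the bracketed list this loop emits. The `urls:` loop has the same shape problem: it produces one `["https://…"]` list per frontend node joined by commas, which stops being valid YAML as soon as there are two frontends — open one bracket before the loop, emit the quoted URL per node with the comma separator, and close it after. The monitor also checks the frontends over https with no `ssl.certificate_authorities`, so whether the Mu-issued certificates validate against the system trust store is worth confirming.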
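--- a/data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2
+++ b/data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2
@@ -0,0 +1,25 @@
+server {
+listen 8008 ssl;
+listen [::]:8008 ssl;
+
+server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+# ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+location / {
+proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %} https://{{ v }}:8200;
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}
+
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection 'upgrade';
+proxy_set_header Host $host;
+proxy_cache_bypass $http_upgrade;
+}
+}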
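--- a/data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2
+++ b/data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2
@@ -0,0 +1,56 @@
+server {
+listen 443 http2 ssl;
+listen [::]:443 http2 ssl;
+
+server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+
+#auth_basic "Restricted Access";
+#auth_basic_user_file /etc/nginx/htpasswd.users;
+
+ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+# ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+location / {
+auth_basic "Restricted Access";
+auth_basic_user_file /etc/nginx/htpasswd.users;
+proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %} http://{{ v }}:5601;
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection 'upgrade';
+proxy_set_header Host $host;
+proxy_cache_bypass $http_upgrade;
+}
+
+#location /elastic {
+# set $proxy_port 9200;
+# proxy_pass http://localhost:9200;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection 'upgrade';
+# proxy_set_header Host $host;
+# proxy_cache_bypass $http_upgrade;
+#}
+
+#location /logstash {
+# proxy_pass http://localhost:5044;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection 'upgrade';
+# proxy_set_header Host $host;
+# proxy_cache_bypass $http_upgrade;
+#}
+
+error_page 404 /404.html;
+location = /404.html {
+}
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+}
+}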
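Review bot: The `proxy_pass` loop in `location /` emits `http://<ip>:5601;` per backend node separated by commas, so with two or more backends it renders `proxy_pass http://a:5601;,http://b:5601;`, which nginx rejects; `apm.conf.j2` and `elastic.conf.j2` use the same construct. Collect the backends into an `upstream` block and point `proxy_pass` at it once, as below. Kibana is also reached over plain http on the private network while the Elasticsearch listeners use https — acceptable if the VPC is trusted, but a comment saying so would help the next reader.
```nginx
upstream kibana {
{%- for node,meta in mu_deployment['servers']['backend'].items() %}
{%- for k,v in meta.items() %}
{%- if k in ["private_ip_address"] %}
    server {{ v }}:5601;
{%- endif %}
{%- endfor %}
{%- endfor %}
}

server {
    # … unchanged: listen, server_name, ssl_* …
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;
        proxy_pass http://kibana;
        # … unchanged: proxy_* headers …
    }
    # … unchanged: error_page blocks …
}
```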
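--- a/data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2
+++ b/data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2
@@ -0,0 +1,27 @@
+server {
+listen 8080 ssl;
+listen [::]:8080 ssl;
+
+server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
+ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
+ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
+# ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+location / {
+proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
+{%- for k,v in meta.items() %}
+{%- if k in ["private_ip_address"] %} https://{{ v }}:9200;
+{%- endif %}
+{%- endfor %}
+{%- if not loop.last %},{%- endif %}
+{%- endfor %}
+
+#proxy_http_version 1.1;
+#proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection 'upgrade';
+#proxy_set_header Host $host;
+#proxy_cache_bypass $http_upgrade;
+#proxy_ssl_trusted_certificate /etc/;
+proxy_ssl_verify off;
+}
+}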
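Review bot: `proxy_ssl_verify off;` (with `proxy_ssl_trusted_certificate` left commented out) makes this listener relay whatever `elastic` basic-auth credentials a client presents on port 8080 — opened to `0.0.0.0/0` by the role's iptables task — to any host that answers on the backend IPs, without checking its certificate. The role already copies the Mu CA to `/etc/logstash/elasticsearch-ca.pem`; copy it somewhere nginx can read it and set `proxy_ssl_trusted_certificate /etc/ssl/certs/elasticsearch-ca.pem;` with `proxy_ssl_verify on;` (plus `proxy_ssl_name` if the backend certificates carry names rather than IP SANs). This listener also exposes the raw Elasticsearch API with only Elasticsearch's own authentication in front of it, so the public iptables rule for 8080 deserves the same scrutiny as the Kibana one.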
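--- a/data/ansible/roles/mu-logstash/tests/inventory
+++ b/data/ansible/roles/mu-logstash/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+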
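--- a/data/ansible/roles/mu-logstash/tests/test.yml
+++ b/data/ansible/roles/mu-logstash/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+roles:
+- mu-logstash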
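--- a/data/ansible/roles/mu-logstash/vars/main.yml
+++ b/data/ansible/roles/mu-logstash/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for mu-logstash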
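--- a/data/ansible/roles/mu-rdp/README.md
+++ b/data/ansible/roles/mu-rdp/README.md
@@ -0,0 +1,33 @@
+Role Name
+=========
+
+Allow local-auth interactive remote logins to Windows nodes.
+
+Requirements
+------------
+
+Windows host with internet connectivity
+
+License
+-------
+
+Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
+
+Licensed under the BSD-3 license (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License in the root of the project or at
+
+http://egt-labs.com/mu/LICENSE.html
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Author Information
+------------------
+
+Current developers: John Stange
+
+egt-labs-admins@egt-labs.com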
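--- a/data/ansible/roles/mu-rdp/meta/main.yml
+++ b/data/ansible/roles/mu-rdp/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+author: your name
+description: your description
+company: your company (optional)
+
+# If the issue tracker for your role is not on github, uncomment the
+# next line and provide a value
+# issue_tracker_url: http://example.com/issue/tracker
+
+# Choose a valid license ID from https://spdx.org - some suggested licenses:
+# - BSD-3-Clause (default)
+# - MIT
+# - GPL-2.0-or-later
+# - GPL-3.0-only
+# - Apache-2.0
+# - CC-BY-4.0
+license: license (GPL-2.0-or-later, MIT, etc)
+
+min_ansible_version: 2.4
+
+# If this a Container Enabled role, provide the minimum Ansible Container version.
+# min_ansible_container_version:
+
+#
+# Provide a list of supported platforms, and for each platform a list of versions.
+# If you don't wish to enumerate all versions for a particular platform, use 'all'.
+# To view available platforms and versions (or releases), visit:
+# https://galaxy.ansible.com/api/v1/platforms/
+#
+# platforms:
+# - name: Fedora
+# versions:
+# - all
+# - 25
+# - name: SomePlatform
+# versions:
+# - all
+# - 1.0
+# - 7
+# - 99.99
+
+galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+# Maximum 20 tags per role.
+
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+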
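--- a/data/ansible/roles/mu-rdp/tasks/main.yml
+++ b/data/ansible/roles/mu-rdp/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Allow traffic to port 3389
+win_shell: Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+
+- name: Enable RDP
+win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
+
+- name: Allow RDP to use local user authentication
+win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0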
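Review bot: The last task sets `UserAuthentication` to 0, which turns off Network Level Authentication for RDP rather than enabling local-account logins — local accounts can normally authenticate with NLA on — so the task name is misleading and the only effect is to remove pre-authentication on the port the first task opens. Keep NLA (drop the task, or set `-Value 1`) unless a specific client cannot do CredSSP, and in that case gate it behind a role variable rather than applying it unconditionally. All three `win_shell` tasks also report changed on every run; `win_regedit` with `path`, `name`, `data` and `type: dword` would make the registry edits idempotent.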
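--- a/data/ansible/roles/mu-rdp/tests/inventory
+++ b/data/ansible/roles/mu-rdp/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+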
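--- a/data/ansible/roles/mu-rdp/tests/test.yml
+++ b/data/ansible/roles/mu-rdp/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+roles:
+- mu-rdp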
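--- a/data/ansible/roles/mu-windows/tasks/main.yml
+++ b/data/ansible/roles/mu-windows/tasks/main.yml
@@ -34,3 +34,6 @@
 - name: "Tell EC2Launch to run on next boot (Windows 2016+)"
 when: ((ansible_facts['distribution_major_version'] | int) >= 10 and mu_build_image is defined and mu_build_image == True)
 win_shell: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
+
+- name: Allow RDP to use local user authentication
+win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0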
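Review bot: The added task disables Network Level Authentication (`UserAuthentication` = 0 under `WinStations\RDP-Tcp`) in the base Windows role, so every node groomed by it — not only nodes that opt into mu-rdp, which sets the same value — loses RDP pre-authentication. Local-account logins do not require NLA to be off; if a particular client needs it, keep the setting in mu-rdp alone and guard it with a variable rather than applying it fleet-wide. The task list this hunk extends begins outside the hunk.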
@@ -56,7 +56,7 @@ if $opts[:string]
56
56
  else
57
57
  ARGV.shift
58
58
  end
59
- MU::Groomer::Ansible.encryptString(namestr, $opts[:string])
59
+ puts MU::Groomer::Ansible.encryptString($opts[:string], namestr)
60
60
  exit
61
61
  end
62
62