cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -0,0 +1,52 @@
|
|
1
|
+
galaxy_info:
|
2
|
+
author: your name
|
3
|
+
description: your role description
|
4
|
+
company: your company (optional)
|
5
|
+
|
6
|
+
# If the issue tracker for your role is not on github, uncomment the
|
7
|
+
# next line and provide a value
|
8
|
+
# issue_tracker_url: http://example.com/issue/tracker
|
9
|
+
|
10
|
+
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
11
|
+
# - BSD-3-Clause (default)
|
12
|
+
# - MIT
|
13
|
+
# - GPL-2.0-or-later
|
14
|
+
# - GPL-3.0-only
|
15
|
+
# - Apache-2.0
|
16
|
+
# - CC-BY-4.0
|
17
|
+
license: license (GPL-2.0-or-later, MIT, etc)
|
18
|
+
|
19
|
+
min_ansible_version: 2.1
|
20
|
+
|
21
|
+
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
22
|
+
# min_ansible_container_version:
|
23
|
+
|
24
|
+
#
|
25
|
+
# Provide a list of supported platforms, and for each platform a list of versions.
|
26
|
+
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
27
|
+
# To view available platforms and versions (or releases), visit:
|
28
|
+
# https://galaxy.ansible.com/api/v1/platforms/
|
29
|
+
#
|
30
|
+
# platforms:
|
31
|
+
# - name: Fedora
|
32
|
+
# versions:
|
33
|
+
# - all
|
34
|
+
# - 25
|
35
|
+
# - name: SomePlatform
|
36
|
+
# versions:
|
37
|
+
# - all
|
38
|
+
# - 1.0
|
39
|
+
# - 7
|
40
|
+
# - 99.99
|
41
|
+
|
42
|
+
galaxy_tags: []
|
43
|
+
# List tags for your role here, one per line. A tag is a keyword that describes
|
44
|
+
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
45
|
+
# remove the '[]' above, if you add tags to this list.
|
46
|
+
#
|
47
|
+
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
48
|
+
# Maximum 20 tags per role.
|
49
|
+
|
50
|
+
dependencies: []
|
51
|
+
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
52
|
+
# if you add dependencies to this list.
|
@@ -0,0 +1,254 @@
|
|
1
|
+
---
|
2
|
+
|
3
|
+
- name: remove firewalld
|
4
|
+
package:
|
5
|
+
name: firewalld
|
6
|
+
state: absent
|
7
|
+
|
8
|
+
- name: make sure iptables is available
|
9
|
+
package:
|
10
|
+
name: iptables-services
|
11
|
+
state: present
|
12
|
+
|
13
|
+
- name: allow inbound for public traffic
|
14
|
+
iptables:
|
15
|
+
chain: INPUT
|
16
|
+
source: 0.0.0.0/0
|
17
|
+
destination_port: "{{ item }}"
|
18
|
+
protocol: tcp
|
19
|
+
jump: ACCEPT
|
20
|
+
with_items:
|
21
|
+
- "80"
|
22
|
+
- "443"
|
23
|
+
- "8080"
|
24
|
+
- "8008"
|
25
|
+
- "8200"
|
26
|
+
- "5044"
|
27
|
+
|
28
|
+
- name: add yum repo for ElasticSearch
|
29
|
+
yum_repository:
|
30
|
+
name: elasticsearch
|
31
|
+
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
|
32
|
+
baseurl: https://artifacts.elastic.co/packages/7.x/yum
|
33
|
+
description: Elasticsearch repository for 7.x packages
|
34
|
+
|
35
|
+
- name: install logstash and related packages
|
36
|
+
package:
|
37
|
+
name: "{{ item }}"
|
38
|
+
state: present
|
39
|
+
with_items:
|
40
|
+
- logstash
|
41
|
+
- heartbeat-elastic
|
42
|
+
- nginx
|
43
|
+
- apm-server
|
44
|
+
- httpd-tools
|
45
|
+
- policycoreutils-python
|
46
|
+
|
47
|
+
# XXX (this insecure convolution belongs in some kind of shared library)
|
48
|
+
# We have to go through this tempfile dance because jinja doesn't actually see
|
49
|
+
# decrypted vault data, apparently, so as soon as we try to do anything other
|
50
|
+
# than write the whole decrypted blob to a file it fails to decrypt. That's
|
51
|
+
# even if we try the various workarounds from:
|
52
|
+
# https://github.com/ansible/ansible/issues/24425
|
53
|
+
- name: create Elastic password temp file (ugh)
|
54
|
+
tempfile:
|
55
|
+
state: file
|
56
|
+
suffix: temp
|
57
|
+
register: elasticpw_tmpfile
|
58
|
+
- name: "Write Elastic password to temp file"
|
59
|
+
copy:
|
60
|
+
dest: "{{ elasticpw_tmpfile.path }}"
|
61
|
+
content: "{{ mu_vaults[mu_deploy_id]['elasticpw'] }}"
|
62
|
+
- name: "Load Elastic password from temp file"
|
63
|
+
slurp:
|
64
|
+
src: "{{ elasticpw_tmpfile.path }}"
|
65
|
+
register: elasticpw_yaml
|
66
|
+
- name: From tmp YAML to dict
|
67
|
+
set_fact:
|
68
|
+
elasticpw_dict: "{{ elasticpw_yaml.content | b64decode | from_yaml }}"
|
69
|
+
|
70
|
+
- name: decrypt elastic password
|
71
|
+
set_fact:
|
72
|
+
elasticpw: "{{ elasticpw_dict['password'] }}"
|
73
|
+
|
74
|
+
- name: Logstash config files in /etc/logstash
|
75
|
+
copy:
|
76
|
+
dest: "/etc/logstash/{{ item }}"
|
77
|
+
src: "{{ item }}"
|
78
|
+
mode: 0644
|
79
|
+
become: yes
|
80
|
+
with_items:
|
81
|
+
- jvm.options
|
82
|
+
- logstash.yml
|
83
|
+
notify:
|
84
|
+
- Restart logstash
|
85
|
+
|
86
|
+
- name: Logstash config files in /etc/logstash/conf.d
|
87
|
+
copy:
|
88
|
+
dest: "/etc/logstash/conf.d/{{ item }}"
|
89
|
+
src: "{{ item }}"
|
90
|
+
mode: 0644
|
91
|
+
become: yes
|
92
|
+
with_items:
|
93
|
+
- 02-beats-input.conf
|
94
|
+
- 10-rails-filter.conf
|
95
|
+
|
96
|
+
- name: Copy Mu's CA
|
97
|
+
copy:
|
98
|
+
dest: "/etc/{{ item }}/elasticsearch-ca.pem"
|
99
|
+
src: /opt/mu/var/ssl/Mu_CA.pem
|
100
|
+
mode: 0644
|
101
|
+
become: yes
|
102
|
+
notify:
|
103
|
+
- Restart logstash
|
104
|
+
- Restart apm-server
|
105
|
+
with_items:
|
106
|
+
- logstash
|
107
|
+
- apm-server
|
108
|
+
|
109
|
+
- name: Logstash Elastic integration config
|
110
|
+
template:
|
111
|
+
src: 30-elasticsearch-output.conf.j2
|
112
|
+
dest: /etc/logstash/conf.d/30-elasticsearch-output.conf
|
113
|
+
mode: 0644
|
114
|
+
|
115
|
+
- name: Logstash CloudTrail integration config
|
116
|
+
template:
|
117
|
+
src: 20-cloudtrail.conf.j2
|
118
|
+
dest: /etc/logstash/conf.d/20-cloudtrail.conf
|
119
|
+
mode: 0644
|
120
|
+
|
121
|
+
- name: Elastic Heartbeat config
|
122
|
+
template:
|
123
|
+
src: heartbeat.yml.j2
|
124
|
+
dest: /etc/heartbeat/heartbeat.yml
|
125
|
+
mode: 0600
|
126
|
+
notify:
|
127
|
+
- Restart heartbeat-elastic
|
128
|
+
|
129
|
+
- name: Copy Nginx certificate into place
|
130
|
+
copy:
|
131
|
+
dest: "/etc/ssl/certs/{{ inventory_hostname }}.crt"
|
132
|
+
src: "/opt/mu/var/ssl/{{ inventory_hostname }}.crt"
|
133
|
+
mode: 0644
|
134
|
+
become: yes
|
135
|
+
notify:
|
136
|
+
- Restart nginx
|
137
|
+
|
138
|
+
- name: Make sure /etc/ssl/private exists
|
139
|
+
file:
|
140
|
+
path: /etc/ssl/private
|
141
|
+
mode: 0077
|
142
|
+
state: directory
|
143
|
+
|
144
|
+
- name: Copy Nginx key into place
|
145
|
+
copy:
|
146
|
+
dest: "/etc/ssl/private/{{ inventory_hostname }}.key"
|
147
|
+
src: "/opt/mu/var/ssl/{{ inventory_hostname }}.key"
|
148
|
+
mode: 0644
|
149
|
+
become: yes
|
150
|
+
notify:
|
151
|
+
- Restart nginx
|
152
|
+
|
153
|
+
- name: Nginx configs
|
154
|
+
template:
|
155
|
+
src: "nginx/{{ item }}.j2"
|
156
|
+
dest: "/etc/nginx/conf.d/{{ item }}"
|
157
|
+
mode: 0644
|
158
|
+
with_items:
|
159
|
+
- apm.conf
|
160
|
+
- default.conf
|
161
|
+
- elastic.conf
|
162
|
+
notify:
|
163
|
+
- Restart nginx
|
164
|
+
|
165
|
+
- name: Enable and start logstash
|
166
|
+
service:
|
167
|
+
name: logstash
|
168
|
+
state: started
|
169
|
+
|
170
|
+
- name: Enable and start Elastic Heartbeat
|
171
|
+
service:
|
172
|
+
name: heartbeat-elastic
|
173
|
+
state: started
|
174
|
+
|
175
|
+
- name: Enable and start Nginx
|
176
|
+
service:
|
177
|
+
name: nginx
|
178
|
+
state: started
|
179
|
+
|
180
|
+
- name: set elastic password
|
181
|
+
command:
|
182
|
+
cmd: "/bin/htpasswd -b -c /etc/nginx/htpasswd.users elastic \"{{ elasticpw }}\""
|
183
|
+
no_log: true
|
184
|
+
become: yes
|
185
|
+
|
186
|
+
- name: fix permissions on /etc/nginx/htpasswd.users
|
187
|
+
file:
|
188
|
+
path: /etc/nginx/htpasswd.users
|
189
|
+
owner: nginx
|
190
|
+
mode: 0600
|
191
|
+
|
192
|
+
- name: Check whether logstash CloudTrail plugin is installed
|
193
|
+
shell: "/usr/share/logstash/bin/logstash-plugin list logstash-codec-cloudtrail"
|
194
|
+
ignore_errors: true
|
195
|
+
register: cloudtrail_present
|
196
|
+
no_log: true
|
197
|
+
become: yes
|
198
|
+
|
199
|
+
- name: Install logstash CloudTrail plugin
|
200
|
+
shell: /usr/share/logstash/bin/logstash-plugin install logstash-codec-cloudtrail
|
201
|
+
become: yes
|
202
|
+
when: cloudtrail_present is failed
|
203
|
+
notify:
|
204
|
+
- Restart logstash
|
205
|
+
|
206
|
+
- name: Fix permissions on Logstash plugins
|
207
|
+
shell: |
|
208
|
+
find /usr/share/logstash/vendor/bundle/jruby/ -type d -exec chmod go+rx {} \;
|
209
|
+
find /usr/share/logstash/vendor/bundle/jruby/ -type f -exec chmod go+r {} \;
|
210
|
+
become: yes
|
211
|
+
|
212
|
+
- name: Check whether Kibana port is allowed
|
213
|
+
shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 5601"
|
214
|
+
ignore_errors: true
|
215
|
+
register: kibana_allowed
|
216
|
+
no_log: true
|
217
|
+
become: yes
|
218
|
+
|
219
|
+
- name: Allow Nginx to connect to Kibana
|
220
|
+
command: "/usr/sbin/semanage port -a -t http_port_t -p tcp 5601"
|
221
|
+
become: yes
|
222
|
+
when: kibana_allowed is failed
|
223
|
+
notify:
|
224
|
+
- Restart nginx
|
225
|
+
|
226
|
+
- name: Check whether Elastic port is allowed
|
227
|
+
shell: "/usr/sbin/semanage port -l | grep ^http_port_t | grep 9200"
|
228
|
+
ignore_errors: true
|
229
|
+
register: elastic_allowed
|
230
|
+
no_log: true
|
231
|
+
become: yes
|
232
|
+
|
233
|
+
- name: Allow Nginx to connect to Elastic
|
234
|
+
command: "/usr/sbin/semanage port -m -t http_port_t -p tcp 9200"
|
235
|
+
ignore_errors: true
|
236
|
+
become: yes
|
237
|
+
when: elastic_allowed is failed
|
238
|
+
notify:
|
239
|
+
- Restart nginx
|
240
|
+
|
241
|
+
- name: APM Server config
|
242
|
+
template:
|
243
|
+
src: apm-server.yml.j2
|
244
|
+
dest: /etc/apm-server/apm-server.yml
|
245
|
+
owner: root
|
246
|
+
group: apm-server
|
247
|
+
mode: 0644
|
248
|
+
notify:
|
249
|
+
- Restart apm-server
|
250
|
+
|
251
|
+
- name: Enable and start APM Server
|
252
|
+
service:
|
253
|
+
name: apm-server
|
254
|
+
state: started
|
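Review bot: The `Make sure /etc/ssl/private exists` task sets `mode: 0077`, which gives the owner no permissions and group/other full access, and the following task copies the Nginx private key with `mode: 0644`, so the key ends up world-readable; the directory should be `mode: 0700` and the key `mode: 0640` with `group: nginx` (or whichever account nginx's workers run as — verify). The `set elastic password` task passes the password as an htpasswd argument, which `no_log` hides from Ansible output but not from the process list on the node; `htpasswd -i` reads it from stdin, so `cmd: "/bin/htpasswd -i -c /etc/nginx/htpasswd.users elastic"` together with `stdin: "{{ elasticpw }}"` avoids that. The temp file holding the decrypted vault content is never removed once `elasticpw_dict` has been set; a final task with `file: path: "{{ elasticpw_tmpfile.path }}" state: absent` would close that gap.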
@@ -0,0 +1,28 @@
|
|
1
|
+
{%- if application_attributes is defined and "cloudtrail_sources" in application_attributes: %}
|
2
|
+
{% for trail in application_attributes["cloudtrail_sources"]: %}
|
3
|
+
input {
|
4
|
+
s3 {
|
5
|
+
bucket => "{{ trail['bucket'] }}"
|
6
|
+
prefix => "AWSLogs/"
|
7
|
+
codec => cloudtrail {}
|
8
|
+
ecs_compatibility => v1
|
9
|
+
id => "cloudtrail{{ trail['tag'] }}"
|
10
|
+
{% if "role_arn" in trail %}
|
11
|
+
role_arn => "{{ trail["role_arn"] }}"
|
12
|
+
{% endif %}
|
13
|
+
tags => ["AWS", "cloudtrail", "{{ trail['tag'] }}"]
|
14
|
+
type => "cloudtrail"
|
15
|
+
}
|
16
|
+
}
|
17
|
+
{%- endfor %}
|
18
|
+
{%- endif %}
|
19
|
+
|
20
|
+
filter {
|
21
|
+
if [type] == "cloudtrail" {
|
22
|
+
geoip {
|
23
|
+
source => "sourceIPAddress"
|
24
|
+
ecs_compatibility => v1
|
25
|
+
target => "geoip"
|
26
|
+
}
|
27
|
+
}
|
28
|
+
}
|
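Review bot: The `geoip` filter runs on every `sourceIPAddress` of type cloudtrail, but CloudTrail also fills that field with a service DNS name for service-initiated events, which presumably makes the lookup fail and tag those events; guarding the filter with a check that the field looks like an IP address, or setting `tag_on_failure` deliberately, would keep them clean. The s3 input's `id` is built directly from `trail['tag']`, so two entries in `cloudtrail_sources` with the same tag would collide on pipeline ids — worth stating as a requirement in the role README.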
@@ -0,0 +1,19 @@
|
|
1
|
+
output {
|
2
|
+
elasticsearch {
|
3
|
+
hosts => {%- for node,meta in mu_deployment['servers']['backend'].items() %}
|
4
|
+
{%- for k,v in meta.items() %}
|
5
|
+
{%- if k in ["private_ip_address"] %} "https://{{ v }}:9200"
|
6
|
+
{%- endif %}
|
7
|
+
{%- endfor %}
|
8
|
+
{%- if not loop.last %},{%- endif %}
|
9
|
+
{%- endfor %}
|
10
|
+
|
11
|
+
ssl => true
|
12
|
+
ssl_certificate_verification => false
|
13
|
+
user => "elastic"
|
14
|
+
password => "{{ elasticpw }}"
|
15
|
+
cacert => "/etc/logstash/elasticsearch-ca.pem"
|
16
|
+
manage_template => false
|
17
|
+
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
|
18
|
+
}
|
19
|
+
}
|
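Review bot: `ssl_certificate_verification => false` disables certificate checking even though `cacert` points at the Mu CA the role installs at `/etc/logstash/elasticsearch-ca.pem`, so the `elastic` credentials are sent over a TLS session whose peer is never authenticated; with the CA present this can be `ssl_certificate_verification => true`. The same pattern appears in `apm-server.yml.j2` (`verification_mode: none` alongside `certificate_authorities`) and in `nginx/elastic.conf.j2` (`proxy_ssl_verify off`). Separately, the `hosts =>` loop renders one quoted URL per backend node separated by commas but without enclosing brackets, unlike the apm-server template which wraps its list in `[ ... ]`; if `backend` ever holds more than one node this likely does not parse, so wrap the loop output in brackets.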
@@ -0,0 +1,33 @@
|
|
1
|
+
apm-server:
|
2
|
+
host: "0.0.0.0:8200"
|
3
|
+
concurrent_requests: 5
|
4
|
+
rum:
|
5
|
+
enabled: true
|
6
|
+
kibana:
|
7
|
+
enabled: true
|
8
|
+
username: "elastic"
|
9
|
+
password: "{{ elasticpw }}"
|
10
|
+
|
11
|
+
output.elasticsearch:
|
12
|
+
hosts: [
|
13
|
+
{%- for node,meta in mu_deployment['servers']['backend'].items() %}
|
14
|
+
{%- for k,v in meta.items() %}
|
15
|
+
{%- if k in ["private_ip_address"] %}
|
16
|
+
"https://{{ v }}:9200"
|
17
|
+
{%- endif %}
|
18
|
+
{%- endfor %}
|
19
|
+
{%- if not loop.last %},{%- endif %}
|
20
|
+
{%- endfor %}]
|
21
|
+
username: "elastic"
|
22
|
+
password: "{{ elasticpw }}"
|
23
|
+
protocol: "https"
|
24
|
+
worker: 2
|
25
|
+
ssl:
|
26
|
+
enabled: true
|
27
|
+
verification_mode: none
|
28
|
+
certificate_authorities: ["/etc/apm-server/elasticsearch-ca.pem"]
|
29
|
+
supported_protocols: ["TLSv1.2"]
|
30
|
+
|
31
|
+
#queue.mem.events: 4096
|
32
|
+
|
33
|
+
max_procs: 4
|
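Review bot: The APM listener binds `0.0.0.0:8200` and the tasks file opens 8200 to `0.0.0.0/0`, yet no `apm-server.secret_token` is configured, so any client that can reach the port can push events into the pipeline; adding `secret_token: "{{ <agent-token-variable> }}"` (placeholder name) under `apm-server:` and distributing it to the agents would close that. `rum.enabled: true` exposes the unauthenticated RUM endpoint by design, so `rum.allow_origins` should be narrowed from its default of `['*']` if RUM is actually used — confirm whether it is.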
@@ -0,0 +1,29 @@
|
|
1
|
+
heartbeat.monitors:
|
2
|
+
- type: http
|
3
|
+
id: elk
|
4
|
+
name: elk
|
5
|
+
ports: [5601, 9200]
|
6
|
+
schedule: '@every 10s'
|
7
|
+
urls: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
|
8
|
+
{%- for k,v in meta.items() %}
|
9
|
+
{%- if k in ["private_ip_address"] %} ["https://{{ v }}"]
|
10
|
+
{%- endif %}
|
11
|
+
{%- endfor %}
|
12
|
+
{%- if not loop.last %},{%- endif %}
|
13
|
+
{%- endfor %}
|
14
|
+
|
15
|
+
processors:
|
16
|
+
- add_cloud_metadata: ~
|
17
|
+
- add_host_metadata: ~
|
18
|
+
|
19
|
+
output.logstash:
|
20
|
+
hosts: ["localhost:5044"]
|
21
|
+
|
22
|
+
setup:kibana:
|
23
|
+
host: {%- for node,meta in mu_deployment['servers']['frontend'].items() %}
|
24
|
+
{%- for k,v in meta.items() %}
|
25
|
+
{%- if k in ["public_dns_name"] %} ["{{ v }}/"]
|
26
|
+
{%- endif %}
|
27
|
+
{%- endfor %}
|
28
|
+
{%- if not loop.last %},{%- endif %}
|
29
|
+
{%- endfor %}
|
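Review bot: `setup:kibana:` uses a colon where Beats expects a dot, so it is parsed as a top-level key literally named `setup:kibana` and the Kibana host is silently ignored; it should be `setup.kibana:`. The `urls:` and `host:` loops emit a bracketed list per frontend node (`["https://…"]`) separated by commas, so with more than one frontend node the result is not valid YAML — the brackets belong outside the loop. The http monitor also sets no `ssl.certificate_authorities`, so checks against the frontend's Mu-issued certificate will presumably fail verification unless the Mu CA is trusted system-wide — confirm.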
@@ -0,0 +1,25 @@
|
|
1
|
+
server {
|
2
|
+
listen 8008 ssl;
|
3
|
+
listen [::]:8008 ssl;
|
4
|
+
|
5
|
+
server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
|
6
|
+
ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
|
7
|
+
ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
|
8
|
+
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
9
|
+
|
10
|
+
location / {
|
11
|
+
proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
|
12
|
+
{%- for k,v in meta.items() %}
|
13
|
+
{%- if k in ["private_ip_address"] %} https://{{ v }}:8200;
|
14
|
+
{%- endif %}
|
15
|
+
{%- endfor %}
|
16
|
+
{%- if not loop.last %},{%- endif %}
|
17
|
+
{%- endfor %}
|
18
|
+
|
19
|
+
proxy_http_version 1.1;
|
20
|
+
proxy_set_header Upgrade $http_upgrade;
|
21
|
+
proxy_set_header Connection 'upgrade';
|
22
|
+
proxy_set_header Host $host;
|
23
|
+
proxy_cache_bypass $http_upgrade;
|
24
|
+
}
|
25
|
+
}
|
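Review bot: The `proxy_pass` loop emits `https://<ip>:8200;` for each backend node and inserts `,` between iterations, so the block is only valid nginx when `backend` contains exactly one node; for several nodes the rendered directive becomes `proxy_pass https://a:8200; ,https://b:8200;`, which nginx rejects at config load. Declaring an `upstream` from the loop and pointing `proxy_pass` at it handles both cases. The same loop shape is used in `default.conf.j2` and `elastic.conf.j2`.
```nginx
upstream apm_backend {
{%- for node,meta in mu_deployment['servers']['backend'].items() %}
{%- for k,v in meta.items() %}
{%- if k in ["private_ip_address"] %}
    server {{ v }}:8200;
{%- endif %}
{%- endfor %}
{%- endfor %}
}
# … unchanged: server { listen / server_name / ssl_certificate lines } …
    location / {
        proxy_pass https://apm_backend;
# … unchanged: proxy_http_version and proxy_set_header lines …
```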
@@ -0,0 +1,56 @@
|
|
1
|
+
server {
|
2
|
+
listen 443 http2 ssl;
|
3
|
+
listen [::]:443 http2 ssl;
|
4
|
+
|
5
|
+
server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
|
6
|
+
|
7
|
+
#auth_basic "Restricted Access";
|
8
|
+
#auth_basic_user_file /etc/nginx/htpasswd.users;
|
9
|
+
|
10
|
+
ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
|
11
|
+
ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
|
12
|
+
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
13
|
+
|
14
|
+
location / {
|
15
|
+
auth_basic "Restricted Access";
|
16
|
+
auth_basic_user_file /etc/nginx/htpasswd.users;
|
17
|
+
proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
|
18
|
+
{%- for k,v in meta.items() %}
|
19
|
+
{%- if k in ["private_ip_address"] %} http://{{ v }}:5601;
|
20
|
+
{%- endif %}
|
21
|
+
{%- endfor %}
|
22
|
+
{%- if not loop.last %},{%- endif %}
|
23
|
+
{%- endfor %}
|
24
|
+
proxy_http_version 1.1;
|
25
|
+
proxy_set_header Upgrade $http_upgrade;
|
26
|
+
proxy_set_header Connection 'upgrade';
|
27
|
+
proxy_set_header Host $host;
|
28
|
+
proxy_cache_bypass $http_upgrade;
|
29
|
+
}
|
30
|
+
|
31
|
+
#location /elastic {
|
32
|
+
# set $proxy_port 9200;
|
33
|
+
# proxy_pass http://localhost:9200;
|
34
|
+
# proxy_http_version 1.1;
|
35
|
+
# proxy_set_header Upgrade $http_upgrade;
|
36
|
+
# proxy_set_header Connection 'upgrade';
|
37
|
+
# proxy_set_header Host $host;
|
38
|
+
# proxy_cache_bypass $http_upgrade;
|
39
|
+
#}
|
40
|
+
|
41
|
+
#location /logstash {
|
42
|
+
# proxy_pass http://localhost:5044;
|
43
|
+
# proxy_http_version 1.1;
|
44
|
+
# proxy_set_header Upgrade $http_upgrade;
|
45
|
+
# proxy_set_header Connection 'upgrade';
|
46
|
+
# proxy_set_header Host $host;
|
47
|
+
# proxy_cache_bypass $http_upgrade;
|
48
|
+
#}
|
49
|
+
|
50
|
+
error_page 404 /404.html;
|
51
|
+
location = /404.html {
|
52
|
+
}
|
53
|
+
error_page 500 502 503 504 /50x.html;
|
54
|
+
location = /50x.html {
|
55
|
+
}
|
56
|
+
}
|
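Review bot: `location /` enforces `auth_basic` and then proxies to `http://<ip>:5601`, so the `elastic` credentials clients present (nginx forwards the `Authorization` header upstream by default) and every Kibana session cross the network to the backend in cleartext; the sibling `elastic.conf.j2` already speaks https to its backend, so `http://{{ v }}:5601` should become `https://{{ v }}:5601` once Kibana serves TLS — whether the `kibana.yml.j2` in this release configures a server certificate is not visible here, confirm. The `server` block also sets no `ssl_protocols`, leaving nginx's compiled-in default in effect; `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the OpenSSL build supports it) would match the `supported_protocols: ["TLSv1.2"]` choice made in `apm-server.yml.j2`.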
@@ -0,0 +1,27 @@
|
|
1
|
+
server {
|
2
|
+
listen 8080 ssl;
|
3
|
+
listen [::]:8080 ssl;
|
4
|
+
|
5
|
+
server_name {{ inventory_hostname }} {{ ec2['public_dns_name'] }} {{ ec2['private_dns_name'] }};
|
6
|
+
ssl_certificate /etc/ssl/certs/{{ inventory_hostname }}.crt;
|
7
|
+
ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
|
8
|
+
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
9
|
+
|
10
|
+
location / {
|
11
|
+
proxy_pass {%- for node,meta in mu_deployment['servers']['backend'].items() %}
|
12
|
+
{%- for k,v in meta.items() %}
|
13
|
+
{%- if k in ["private_ip_address"] %} https://{{ v }}:9200;
|
14
|
+
{%- endif %}
|
15
|
+
{%- endfor %}
|
16
|
+
{%- if not loop.last %},{%- endif %}
|
17
|
+
{%- endfor %}
|
18
|
+
|
19
|
+
#proxy_http_version 1.1;
|
20
|
+
#proxy_set_header Upgrade $http_upgrade;
|
21
|
+
#proxy_set_header Connection 'upgrade';
|
22
|
+
#proxy_set_header Host $host;
|
23
|
+
#proxy_cache_bypass $http_upgrade;
|
24
|
+
#proxy_ssl_trusted_certificate /etc/;
|
25
|
+
proxy_ssl_verify off;
|
26
|
+
}
|
27
|
+
}
|
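Review bot: This server block proxies port 8080 straight to Elasticsearch on 9200 with no `auth_basic` (the Kibana block in `default.conf.j2` has one), while the tasks file opens 8080 to `0.0.0.0/0`; unless Elasticsearch's own authentication is enforced on the backend — the `elastic` password set elsewhere in this role suggests it is, but verify — the whole cluster API is reachable unauthenticated from anywhere that reaches the host. `proxy_ssl_verify off` beside the commented `proxy_ssl_trusted_certificate /etc/;` looks unfinished: the role already installs the Mu CA at `/etc/logstash/elasticsearch-ca.pem`, so `proxy_ssl_trusted_certificate /etc/logstash/elasticsearch-ca.pem;` with `proxy_ssl_verify on;` would authenticate the backend.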
@@ -0,0 +1,33 @@
|
|
1
|
+
Role Name
|
2
|
+
=========
|
3
|
+
|
4
|
+
Allow local-auth interactive remote logins to Windows nodes.
|
5
|
+
|
6
|
+
Requirements
|
7
|
+
------------
|
8
|
+
|
9
|
+
Windows host with internet connectivity
|
10
|
+
|
11
|
+
License
|
12
|
+
-------
|
13
|
+
|
14
|
+
Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
|
15
|
+
|
16
|
+
Licensed under the BSD-3 license (the "License");
|
17
|
+
you may not use this file except in compliance with the License.
|
18
|
+
You may obtain a copy of the License in the root of the project or at
|
19
|
+
|
20
|
+
http://egt-labs.com/mu/LICENSE.html
|
21
|
+
|
22
|
+
Unless required by applicable law or agreed to in writing, software
|
23
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
24
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
25
|
+
See the License for the specific language governing permissions and
|
26
|
+
limitations under the License.
|
27
|
+
|
28
|
+
Author Information
|
29
|
+
------------------
|
30
|
+
|
31
|
+
Current developers: John Stange
|
32
|
+
|
33
|
+
egt-labs-admins@egt-labs.com
|
@@ -0,0 +1,53 @@
|
|
1
|
+
galaxy_info:
|
2
|
+
author: your name
|
3
|
+
description: your description
|
4
|
+
company: your company (optional)
|
5
|
+
|
6
|
+
# If the issue tracker for your role is not on github, uncomment the
|
7
|
+
# next line and provide a value
|
8
|
+
# issue_tracker_url: http://example.com/issue/tracker
|
9
|
+
|
10
|
+
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
11
|
+
# - BSD-3-Clause (default)
|
12
|
+
# - MIT
|
13
|
+
# - GPL-2.0-or-later
|
14
|
+
# - GPL-3.0-only
|
15
|
+
# - Apache-2.0
|
16
|
+
# - CC-BY-4.0
|
17
|
+
license: license (GPL-2.0-or-later, MIT, etc)
|
18
|
+
|
19
|
+
min_ansible_version: 2.4
|
20
|
+
|
21
|
+
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
22
|
+
# min_ansible_container_version:
|
23
|
+
|
24
|
+
#
|
25
|
+
# Provide a list of supported platforms, and for each platform a list of versions.
|
26
|
+
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
27
|
+
# To view available platforms and versions (or releases), visit:
|
28
|
+
# https://galaxy.ansible.com/api/v1/platforms/
|
29
|
+
#
|
30
|
+
# platforms:
|
31
|
+
# - name: Fedora
|
32
|
+
# versions:
|
33
|
+
# - all
|
34
|
+
# - 25
|
35
|
+
# - name: SomePlatform
|
36
|
+
# versions:
|
37
|
+
# - all
|
38
|
+
# - 1.0
|
39
|
+
# - 7
|
40
|
+
# - 99.99
|
41
|
+
|
42
|
+
galaxy_tags: []
|
43
|
+
# List tags for your role here, one per line. A tag is a keyword that describes
|
44
|
+
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
45
|
+
# remove the '[]' above, if you add tags to this list.
|
46
|
+
#
|
47
|
+
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
48
|
+
# Maximum 20 tags per role.
|
49
|
+
|
50
|
+
dependencies: []
|
51
|
+
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
52
|
+
# if you add dependencies to this list.
|
53
|
+
|
@@ -0,0 +1,9 @@
|
|
1
|
+
---
|
2
|
+
- name: Allow traffic to port 3389
|
3
|
+
win_shell: Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
|
4
|
+
|
5
|
+
- name: Enable RDP
|
6
|
+
win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
|
7
|
+
|
8
|
+
- name: Allow RDP to use local user authentication
|
9
|
+
win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
|
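Review bot: The last task sets `UserAuthentication` to 0, which disables Network Level Authentication for RDP rather than enabling local-account logins (local accounts authenticate fine under NLA), so the remote login screen and its pre-authentication surface become reachable before any credential check; if the goal is local-user RDP, the first two tasks already achieve it and this one should be dropped or its value kept at 1. All three tasks run through `win_shell`, so they are neither idempotent nor report change accurately; the two registry edits map directly onto `win_regedit` with `path`, `name`, `data` and `type: dword`. The same `UserAuthentication` task is also added, unconditionally, to `mu-windows/tasks/main.yml` later in this diff.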
@@ -34,3 +34,6 @@
|
|
34
34
|
- name: "Tell EC2Launch to run on next boot (Windows 2016+)"
|
35
35
|
when: ((ansible_facts['distribution_major_version'] | int) >= 10 and mu_build_image is defined and mu_build_image == True)
|
36
36
|
win_shell: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
|
37
|
+
|
38
|
+
- name: Allow RDP to use local user authentication
|
39
|
+
win_shell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
|
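Review bot: The added `UserAuthentication` task has no `when:` guard, unlike the EC2Launch task directly above it, so it runs on every Windows node this base role touches and turns off Network Level Authentication fleet-wide, while the new opt-in `mu-rdp` role in the same release already carries this task for the nodes that need it. If the base role must keep it, gate it on a variable in the same way the image-build task is gated on `mu_build_image` (e.g. `when: mu_rdp_local_auth is defined and mu_rdp_local_auth == True` — variable name is a placeholder) so the default stays NLA-on.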