├── terraform ├── environment │ ├── test │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── README.md │ │ └── variables.tf │ └── vpc │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf ├── .template │ ├── aws │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ ├── gcp │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ ├── github │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ └── azure │ │ ├── outputs.tf │ │ ├── main.tf │ │ ├── versions.tf │ │ └── variables.tf ├── backdoored_entities │ ├── ec2_ami │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ ├── ebs_volume │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── iam_role │ │ ├── external_privesc │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ ├── main.tf │ │ │ └── README.md │ │ └── external_administrator │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── main.tf │ │ │ ├── variables.tf │ │ │ └── README.md │ └── iam_user │ │ ├── privesc_user │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ │ └── administrative_user │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md ├── exposed_services │ ├── aws_sqs │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_ec2_ami │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_efs │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_sns_topic │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── aws_glacier │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── aws_glue │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── aws_iam_role │ │ ├── 
outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_kms_key │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── google_storage_bucket │ │ ├── .DS_Store │ │ ├── public_get │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── main.tf │ │ │ └── variables.tf │ │ ├── public_get_list │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── main.tf │ │ │ └── variables.tf │ │ └── public_object │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ ├── aws_backup_vault │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_ec2_ebs │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ └── main.tf │ ├── aws_opensearch │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── subnets.tf │ │ ├── variables.tf │ │ └── main.tf │ ├── aws_s3 │ │ ├── public_write │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ ├── main.tf │ │ │ └── README.md │ │ ├── public_get │ │ │ ├── versions.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ │ ├── public_list_get │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ │ └── public_object_acl │ │ │ ├── versions.tf │ │ │ ├── outputs.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ ├── github_repository │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf │ ├── aws_secrets_manager │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_lambda │ │ ├── layer │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ ├── main.tf │ │ │ └── README.md │ │ ├── invoke │ │ │ ├── outputs.tf │ │ │ ├── index.py │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ ├── main.tf │ │ │ └── README.md │ │ └── endpoint │ │ │ ├── outputs.tf │ │ │ ├── index.py │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ ├── main.tf │ │ │ └── README.md │ └── aws_ecr │ │ 
├── aws_ecr_public │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ │ └── aws_ecr_public_gallery │ │ ├── versions.tf │ │ ├── outputs.tf │ │ ├── main.tf │ │ └── variables.tf ├── exposed_assets │ ├── aws_ec2 │ │ ├── ssh │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ │ ├── jenkins │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ └── variables.tf │ │ └── opensearch │ │ │ ├── versions.tf │ │ │ ├── outputs.tf │ │ │ ├── subnets.tf │ │ │ └── variables.tf │ ├── aws_ec2_alb │ │ ├── jenkins │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ └── variables.tf │ │ └── opensearch │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ └── variables.tf │ ├── aws_eks │ │ └── cluster │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ ├── aws_rds │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── subnets.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ ├── aws_ec2_clb │ │ └── opensearch │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── subnets.tf │ │ │ └── variables.tf │ ├── aws_redshift │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── subnets.tf │ │ ├── variables.tf │ │ └── main.tf │ └── aws_lightsail │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf ├── misconfigurations │ ├── aws_iam_role │ │ └── oidc │ │ │ ├── outputs.tf │ │ │ ├── versions.tf │ │ │ ├── variables.tf │ │ │ └── main.tf │ └── takeovers │ │ ├── aws_s3_takeover │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ ├── main.tf │ │ └── README.md │ │ ├── aws_eip_takeover │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── variables.tf │ │ └── README.md │ │ ├── aws_second_order_takeover │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ └── main.tf │ │ ├── aws_thirdparty_takeover │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ ├── 
variables.tf │ │ └── README.md │ │ ├── aws_asg_takeover_rce │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── variables.tf │ │ └── main.tf │ │ └── aws_delegation_takeover │ │ ├── outputs.tf │ │ ├── versions.tf │ │ ├── main.tf │ │ └── variables.tf └── README.md ├── .assets ├── cli.png ├── logo.png └── commotion.png ├── main.go ├── .gitignore ├── go.mod ├── .github └── workflows │ └── release.yml └── config └── config.yml /terraform/environment/test/versions.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /terraform/environment/test/main.tf: -------------------------------------------------------------------------------- 1 | # Nothing to see here 2 | -------------------------------------------------------------------------------- /terraform/.template/aws/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | -------------------------------------------------------------------------------- /.assets/cli.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRunners/CloudCommotion/HEAD/.assets/cli.png -------------------------------------------------------------------------------- /.assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRunners/CloudCommotion/HEAD/.assets/logo.png -------------------------------------------------------------------------------- /terraform/environment/test/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "Hello, World!" 
3 | } 4 | -------------------------------------------------------------------------------- /.assets/commotion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRunners/CloudCommotion/HEAD/.assets/commotion.png -------------------------------------------------------------------------------- /terraform/environment/test/README.md: -------------------------------------------------------------------------------- 1 | # Hello World 2 | 3 | This is just a test module to help with development. 4 | -------------------------------------------------------------------------------- /terraform/.template/gcp/main.tf: -------------------------------------------------------------------------------- 1 | provider "google" { 2 | project = var.project_name 3 | region = var.region 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/github/main.tf: -------------------------------------------------------------------------------- 1 | provider "github" { 2 | organization = var.organization_name 3 | token = var.github_token 4 | } 5 | -------------------------------------------------------------------------------- /terraform/environment/vpc/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = module.vpc.vpc_id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/SecurityRunners/CloudCommotion/pkg/cmd" 5 | ) 6 | 7 | func main() { 8 | cmd.Execute() 9 | } 10 | -------------------------------------------------------------------------------- /terraform/.template/aws/outputs.tf: -------------------------------------------------------------------------------- 1 | 
output "exposed_asset" { 2 | value = aws_something_radom.name.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/azure/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = azurerm_something_radom.name.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/gcp/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = google_something_radom.name.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/ec2_ami/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_ami.xacct_ami.id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sqs/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_sqs_queue.public_queue.arn 3 | description = "Exposed SQS queue" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/github/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = github_repository.example.full_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/ssh/outputs.tf: -------------------------------------------------------------------------------- 1 | output 
"exposed_asset" { 2 | value = aws_instance.ssh.public_ip 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ami/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_ami.public_ami.id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_efs/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_efs_file_system.fs.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sns_topic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_sns_topic.topic.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_alb/jenkins/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_lb.jenkins.dns_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_eks/cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_something_radom.name.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glacier/outputs.tf: 
-------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_glacier_vault.archive.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glue/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "All Glue Assets in the Account" 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_iam_role/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_role.public_role.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_kms_key/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_kms_key.public_key.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRunners/CloudCommotion/HEAD/terraform/exposed_services/google_storage_bucket/.DS_Store -------------------------------------------------------------------------------- /terraform/misconfigurations/aws_iam_role/oidc/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_role.role.arn 3 | description = "Name of the exposed asset" 4 | } 5 | 
-------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_s3_takeover/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = var.domain_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_alb/opensearch/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_lb.opensearch.dns_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_rds/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_db_instance.rds_instance.endpoint 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_backup_vault/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_backup_vault.vault.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ebs/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_ebs_snapshot.public_snapshot.id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_eip_takeover/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = 
var.domain_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | CloudCommotion 2 | 3 | # Terraform 4 | .terraform/ 5 | *.tfstate 6 | *.tfstate.backup 7 | *.tfvars 8 | .terraform.lock.hcl 9 | *.zip 10 | .terraform.tfstate.lock.info 11 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/ebs_volume/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_ebs_snapshot.public_snapshot.id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_clb/opensearch/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_elb.opensearch.dns_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_redshift/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_redshift_cluster.cluster.endpoint 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_opensearch/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_opensearch_domain.domain.endpoint 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_write/outputs.tf: 
-------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_s3_bucket.public_bucket.id 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/github_repository/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = github_repository.repo.html_url 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_second_order_takeover/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = var.domain_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_thirdparty_takeover/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = var.domain_name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_privesc/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_role.exposed_asset.arn 3 | description = "Backdoored IAM role ARN" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_secrets_manager/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_secretsmanager_secret.secret.arn 3 | description = "Name of the exposed asset" 4 | } 5 | 
-------------------------------------------------------------------------------- /terraform/.template/azure/main.tf: -------------------------------------------------------------------------------- 1 | provider "azurerm" { 2 | features {} 3 | } 4 | 5 | resource "azurerm_resource_group" "rg" { 6 | name = var.resource_name 7 | location = var.region 8 | } 9 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/jenkins/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "http://${aws_instance.jenkins.public_ip}:8080" 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/layer/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_lambda_layer_version.lambda_layer.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_asg_takeover_rce/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_autoscaling_group.asg.arn 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_administrator/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_role.exposed_asset.arn 3 | description = "Backdoored IAM role ARN" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/privesc_user/outputs.tf: 
-------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_user.exposed_asset.arn 3 | description = "Name of the administrator IAM user" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_lambda_function.public_lambda.arn 3 | description = "Exposed Lambda invoke function ARN" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_delegation_takeover/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_route53_zone.sub_zone.name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/aws/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/administrative_user/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_iam_user.admin_user.arn 3 | description = "Name of the administrator IAM user" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_ecr_repository.public_repo.repository_url 3 | description = 
"Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_lightsail/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "http://${aws_lightsail_instance.lightsail.public_ip_address}" 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/endpoint/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = aws_lambda_function_url.lambda_function_url.function_url 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_rds/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_efs/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sqs/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- 
/terraform/exposed_services/google_storage_bucket/public_get/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = google_storage_bucket.public_all_objects.name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/ec2_ami/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/ssh/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_lightsail/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_redshift/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ami/versions.tf: -------------------------------------------------------------------------------- 1 | 
terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glacier/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glue/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_iam_role/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_kms_key/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/endpoint/index.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def lambda_handler(event, context): 4 | return { 5 | 'statusCode': 200, 6 | 'body': os.environ.get('SENSITIVE_CONTENT') 7 | } 8 
| -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/index.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def lambda_handler(event, context): 4 | return { 5 | 'statusCode': 200, 6 | 'body': os.environ.get('SENSITIVE_CONTENT') 7 | } 8 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_get_list/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = google_storage_bucket.public_all_objects.name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_object/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = google_storage_bucket.public_single_object.name 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/.template/gcp/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | google = { 5 | source = "hashicorp/google" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/environment/vpc/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- 
/terraform/exposed_assets/aws_ec2/jenkins/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/opensearch/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_alb/jenkins/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_eks/cluster/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_backup_vault/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/versions.tf: 
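--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_opensearch/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_get/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_list_get/outputs.tf:
--------------------------------------------------------------------------------
output "exposed_asset" {
  value       = aws_s3_bucket.public_bucket.arn
  # The value is the bucket ARN, not its name (matches the sibling public_get
  # and public_object_acl outputs, which also emit ARNs).
  description = "ARN of the public bucket that was created for the exercise"
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_sns_topic/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/.template/azure/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    # The local name must be "azurerm": resources of type azurerm_* resolve to
    # that local name, so a constraint registered under "google" would never
    # apply to them (and would pull the provider in a second time).
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_ec2/opensearch/outputs.tf:
--------------------------------------------------------------------------------
# Intentionally weak canary target: the instance is queried with the
# OpenSearch default admin:admin credentials, and -k skips certificate
# verification. Any request that reaches this endpoint is a detection event;
# nothing here should be reused as a real service.
output "exposed_asset" {
  value       = "curl -X GET https://${aws_instance.opensearch.public_ip}:9200 -ku admin:admin"
  description = "Ready-to-run curl command against the exposed OpenSearch endpoint"
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_ec2_alb/opensearch/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_ec2_clb/opensearch/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_ecr/aws_ecr_public/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_lambda/endpoint/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_list_get/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_write/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_secrets_manager/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/aws_iam_role/oidc/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/.template/github/versions.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    github = {
      source  = "integrations/github"
      version = ">= 5.0"
    }
  }
}
--------------------------------------------------------------------------------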
/terraform/backdoored_entities/iam_user/privesc_user/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ebs/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_object_acl/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_eip_takeover/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_s3_takeover/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/backdoored_entities/ebs_volume/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_privesc/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/administrative_user/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public_gallery/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_administrator/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_delegation_takeover/versions.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_thirdparty_takeover/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_get/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "${aws_s3_bucket.public_bucket.arn}/${aws_s3_object.object.key}" 3 | description = "ARN of the public file that was created for the exercise" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/github_repository/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | github = { 5 | source = "integrations/github" 6 | version = ">= 5.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_object_acl/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = "${aws_s3_bucket.public_bucket.arn}/${aws_s3_object.object.key}" 3 | description = "ARN of the public file that was created for the exercise" 4 | } 5 | -------------------------------------------------------------------------------- 
/terraform/exposed_services/google_storage_bucket/public_get/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | google = { 5 | source = "hashicorp/google" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_object/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | google = { 5 | source = "hashicorp/google" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public_gallery/outputs.tf: -------------------------------------------------------------------------------- 1 | output "exposed_asset" { 2 | value = replace(aws_ecrpublic_repository.ecrpublic.repository_uri, "public.ecr.aws", "https://gallery.ecr.aws") 3 | description = "Name of the exposed asset" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_get_list/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | google = { 5 | source = "hashicorp/google" 6 | version = ">= 4.0" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public_gallery/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | resource "aws_ecrpublic_repository" "ecrpublic" { 6 | repository_name = var.resource_name 7 | 8 | catalog_data { 9 | description = 
var.sensitive_content 10 | } 11 | 12 | tags = var.tags 13 | } 14 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/layer/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | 9 | null = { 10 | source = "hashicorp/null" 11 | version = ">= 3.2" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_thirdparty_takeover/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | resource "aws_route53_record" "thirdparty_alias" { 6 | zone_id = var.hosted_zone_id 7 | name = var.domain_name 8 | type = "CNAME" 9 | ttl = "300" 10 | records = [var.thirdparty_alias] 11 | } 12 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_asg_takeover_rce/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | 9 | null = { 10 | source = "hashicorp/null" 11 | version = ">= 3.2" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_second_order_takeover/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4.0" 7 | } 8 | 9 | null = { 10 | source = "hashicorp/null" 11 | version = ">= 3.2" 12 | } 13 | } 14 | } 15 | 
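--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_lightsail/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Public Lightsail web server whose index page *is* the planted content.
# Nothing here restricts inbound access, so anything that fetches the page is
# the detection signal this asset exists to produce.
resource "aws_lightsail_instance" "lightsail" {
  name              = var.resource_name
  availability_zone = "${var.region}a"
  blueprint_id      = "amazon_linux_2"
  bundle_id         = "nano_1_0"
  # The content is spliced into a single-quoted shell string. A single quote
  # inside it would terminate that string and the remainder would be executed
  # as shell, so each one is escaped as '\'' before interpolation.
  user_data = "sudo yum install -y httpd && sudo systemctl start httpd && sudo systemctl enable httpd && echo '${replace(var.sensitive_content, "'", "'\\''")}' | sudo tee /var/www/html/index.html"
}
--------------------------------------------------------------------------------
/terraform/environment/vpc/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Supporting network (presumably the VPC the exposed_assets modules deploy
# into): three public and three private /24s across the a/b/c AZs of the
# region, with a NAT gateway for the private side.
# TODO(review): the registry module is consumed with no version constraint;
# pin it so a new module release cannot change this environment on the next
# init.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = var.resource_name
  cidr = "10.0.0.0/16"

  azs             = ["${var.region}a", "${var.region}b", "${var.region}c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true

  tags = var.tags
}
--------------------------------------------------------------------------------
/terraform/exposed_services/github_repository/main.tf:
--------------------------------------------------------------------------------
# The token is an API credential; declare var.github_token with
# sensitive = true in variables.tf so it is redacted from plan/apply output.
provider "github" {
  owner = var.organization_name
  token = var.github_token
}

# A *public* repository whose only file is the planted content.
resource "github_repository" "repo" {
  name        = var.resource_name
  description = "Created through cloudcommotion terraform"
  visibility  = "public"
}

resource "github_repository_file" "flag" {
  repository = github_repository.repo.name
  file       = var.file_name
  content    = var.sensitive_content
}
--------------------------------------------------------------------------------
/terraform/README.md:
--------------------------------------------------------------------------------
# Terraform Modules

This directory contains the Terraform modules that CloudCommotion deploys, organised into the following directory structure.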
4 | 5 | - Backdoored Entities 6 | - Contains terraform modules for potential backdoors within your environment that could be created 7 | - Exposed Assets 8 | - Contains network related assets that can be exposed 9 | - Exposed Services 10 | - Contains cloud services that can be publicly exposed 11 | - Misconfigurations 12 | - Contains misconfigurations that can occur within your environment 13 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glue/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | data "aws_caller_identity" "current" {} 6 | 7 | data "aws_iam_policy_document" "policy" { 8 | statement { 9 | actions = [ 10 | "glue:*", 11 | ] 12 | resources = ["arn:aws:glue:${var.region}:${data.aws_caller_identity.current.id}:*"] 13 | principals { 14 | identifiers = ["*"] 15 | type = "AWS" 16 | } 17 | } 18 | } 19 | 20 | resource "aws_glue_resource_policy" "policy" { 21 | policy = data.aws_iam_policy_document.policy.json 22 | } 23 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/ebs_volume/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | resource "aws_ebs_volume" "volume" { 6 | availability_zone = "${var.region}a" 7 | size = 1 8 | type = "gp2" 9 | 10 | tags = var.tags 11 | } 12 | 13 | resource "aws_ebs_snapshot" "xacct_snapshot" { 14 | volume_id = aws_ebs_volume.volume.id 15 | 16 | tags = var.tags 17 | } 18 | 19 | resource "aws_snapshot_create_volume_permission" "xacct_snapshot" { 20 | snapshot_id = aws_ebs_snapshot.xacct_snapshot.id 21 | account_id = var.account_id 22 | } 23 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_rds/subnets.tf: 
-------------------------------------------------------------------------------- 1 | data "aws_subnets" "vpc_subnets" { 2 | filter { 3 | name = "vpc-id" 4 | values = [var.vpc_id] 5 | } 6 | } 7 | 8 | data "aws_route_table" "subnet_route_tables" { 9 | count = length(data.aws_subnets.vpc_subnets.ids) 10 | subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index] 11 | } 12 | 13 | locals { 14 | public_subnets = [ 15 | for rt in data.aws_route_table.subnet_route_tables : 16 | rt.subnet_id if anytrue([for r in rt.routes : startswith(r.gateway_id, "igw-") if r.gateway_id != null]) 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/jenkins/subnets.tf: -------------------------------------------------------------------------------- 1 | data "aws_subnets" "vpc_subnets" { 2 | filter { 3 | name = "vpc-id" 4 | values = [var.vpc_id] 5 | } 6 | } 7 | 8 | data "aws_route_table" "subnet_route_tables" { 9 | count = length(data.aws_subnets.vpc_subnets.ids) 10 | subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index] 11 | } 12 | 13 | locals { 14 | public_subnets = [ 15 | for rt in data.aws_route_table.subnet_route_tables : 16 | rt.subnet_id if anytrue([for r in rt.routes : startswith(r.gateway_id, "igw-") if r.gateway_id != null]) 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/ssh/subnets.tf: -------------------------------------------------------------------------------- 1 | data "aws_subnets" "vpc_subnets" { 2 | filter { 3 | name = "vpc-id" 4 | values = [var.vpc_id] 5 | } 6 | } 7 | 8 | data "aws_route_table" "subnet_route_tables" { 9 | count = length(data.aws_subnets.vpc_subnets.ids) 10 | subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index] 11 | } 12 | 13 | locals { 14 | public_subnets = [ 15 | for rt in data.aws_route_table.subnet_route_tables : 16 | rt.subnet_id if anytrue([for r in 
rt.routes : startswith(r.gateway_id, "igw-") if r.gateway_id != null]) 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_redshift/subnets.tf: -------------------------------------------------------------------------------- 1 | data "aws_subnets" "vpc_subnets" { 2 | filter { 3 | name = "vpc-id" 4 | values = [var.vpc_id] 5 | } 6 | } 7 | 8 | data "aws_route_table" "subnet_route_tables" { 9 | count = length(data.aws_subnets.vpc_subnets.ids) 10 | subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index] 11 | } 12 | 13 | locals { 14 | public_subnets = [ 15 | for rt in data.aws_route_table.subnet_route_tables : 16 | rt.subnet_id if anytrue([for r in rt.routes : startswith(r.gateway_id, "igw-") if r.gateway_id != null]) 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/opensearch/subnets.tf: -------------------------------------------------------------------------------- 1 | data "aws_subnets" "vpc_subnets" { 2 | filter { 3 | name = "vpc-id" 4 | values = [var.vpc_id] 5 | } 6 | } 7 | 8 | data "aws_route_table" "subnet_route_tables" { 9 | count = length(data.aws_subnets.vpc_subnets.ids) 10 | subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index] 11 | } 12 | 13 | locals { 14 | public_subnets = [ 15 | for rt in data.aws_route_table.subnet_route_tables : 16 | rt.subnet_id if anytrue([for r in rt.routes : startswith(r.gateway_id, "igw-") if r.gateway_id != null]) 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/administrative_user/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | resource "random_password" "user_password" { 6 | length = 16 7 | special = true 8 | } 9 | 10 | resource "aws_iam_user" "admin_user" { 
11 | name = var.resource_name 12 | tags = var.tags 13 | } 14 | 15 | resource "aws_iam_access_key" "admin_user_key" { 16 | user = aws_iam_user.admin_user.name 17 | } 18 | 19 | resource "aws_iam_user_policy_attachment" "admin_user_policy_attach" { 20 | user = aws_iam_user.admin_user.name 21 | policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" 22 | } -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_get/main.tf: -------------------------------------------------------------------------------- 1 | provider "google" { 2 | project = var.project_name 3 | region = var.region 4 | } 5 | 6 | resource "google_storage_bucket" "public_all_objects" { 7 | name = var.resource_name 8 | location = "US" 9 | 10 | cors { 11 | origin = ["*"] 12 | method = ["GET"] 13 | response_header = ["Content-Type"] 14 | max_age_seconds = 3600 15 | } 16 | 17 | labels = var.tags 18 | } 19 | 20 | resource "google_storage_default_object_access_control" "public_all_objects_acl" { 21 | bucket = google_storage_bucket.public_all_objects.name 22 | role = "READER" 23 | entity = "allUsers" 24 | } 25 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_eip_takeover/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | # Create EIP 6 | resource "aws_eip" "eip" { 7 | domain = "vpc" 8 | 9 | tags = var.tags 10 | } 11 | 12 | resource "aws_route53_record" "eip_takeover" { 13 | zone_id = var.hosted_zone_id 14 | name = var.domain_name 15 | type = "A" 16 | ttl = "300" 17 | records = [aws_eip.eip.public_ip] 18 | } 19 | 20 | resource "null_resource" "eip_deletion" { 21 | depends_on = [aws_eip.eip, aws_route53_record.eip_takeover] 22 | 23 | provisioner "local-exec" { 24 | command = "aws ec2 release-address --allocation-id ${aws_eip.eip.allocation_id}" 25 | } 26 | } 
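--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module github.com/SecurityRunners/CloudCommotion

go 1.20

require (
	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
	github.com/hashicorp/terraform-exec v0.18.1
	github.com/spf13/cobra v1.7.0
	gopkg.in/yaml.v2 v2.4.0
)

require (
	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
	github.com/hashicorp/go-version v1.6.0 // indirect
	github.com/hashicorp/terraform-json v0.15.0 // indirect
	github.com/inconshreveable/mousetrap v1.1.0 // indirect
	github.com/spf13/pflag v1.0.5 // indirect
	github.com/zclconf/go-cty v1.13.0 // indirect
	golang.org/x/text v0.6.0 // indirect
)
--------------------------------------------------------------------------------
/terraform/environment/test/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing, organization-looking name for the resource being created"
  type        = string
}

variable "sensitive_content" {
  description = "Planted content; it should tell whoever finds it how to reach the appropriate security contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Tags applied to every resource. Keep the Creator tag: it is how the deployed resources are discovered later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}
--------------------------------------------------------------------------------
/terraform/.template/azure/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing, organization-looking name for the resource being created"
  type        = string
}

variable "sensitive_content" {
  description = "Planted content; it should tell whoever finds it how to reach the appropriate security contact."
  type        = string
}

variable "region" {
  # This is the Azure template; the description was copied from the AWS one.
  description = "The Azure region (location) to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Tags applied to every resource. Keep the Creator tag: it is how the deployed resources are discovered later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}
--------------------------------------------------------------------------------
/terraform/.template/github/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing, organization-looking name for the resource being created"
  type        = string
}

variable "sensitive_content" {
  description = "Planted content; it should tell whoever finds it how to reach the appropriate security contact."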
9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Custom variables 18 | variable "github_token" { 19 | description = "GitHub API token" 20 | type = string 21 | } 22 | 23 | variable "organization_name" { 24 | description = "GitHub organization name" 25 | type = string 26 | } 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_get_list/main.tf: -------------------------------------------------------------------------------- 1 | provider "google" { 2 | project = var.project_name 3 | region = var.region 4 | } 5 | 6 | resource "google_storage_bucket" "public_all_objects" { 7 | name = var.resource_name 8 | location = "US" 9 | 10 | cors { 11 | origin = ["*"] 12 | method = ["GET"] 13 | response_header = ["Content-Type"] 14 | max_age_seconds = 3600 15 | } 16 | 17 | labels = var.tags 18 | } 19 | 20 | resource "google_storage_bucket_iam_binding" "public_all_objects_and_listable_bucket_acl" { 21 | bucket = google_storage_bucket.public_all_objects.name 22 | role = "roles/storage.legacyBucketReader" 23 | members = [ 24 | "allUsers", 25 | ] 26 | } 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sns_topic/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | resource "aws_sns_topic" "topic" { 6 | name = var.resource_name 7 | 8 | display_name = var.sensitive_content 9 | 10 | tags = var.tags 11 | } 12 | 13 | data "aws_iam_policy_document" "policy" { 14 | statement { 15 | actions = ["SNS:Publish", "SNS:Subscribe", "SNS:Receive"] 16 | effect = "Allow" 17 | resources = [aws_sns_topic.topic.arn] 18 | 19 | principals { 20 | type = "AWS" 21 | identifiers = ["*"] 22 | } 23 | } 24 | } 25 | 26 | resource "aws_sns_topic_policy" 
"public_topic_policy" { 27 | arn = aws_sns_topic.topic.arn 28 | policy = data.aws_iam_policy_document.policy.json 29 | } 30 | -------------------------------------------------------------------------------- /terraform/.template/aws/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/environment/vpc/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
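# (tail of the "tags" variable in environment/vpc/variables.tf; continued from the previous line)
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_glacier/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Only used to build the vault ARN below without referencing the vault itself.
data "aws_caller_identity" "current" {}

# Deliberately exposed Glacier vault (CloudCommotion detection-test asset).
resource "aws_glacier_vault" "archive" {
  name = var.resource_name

  access_policy = data.aws_iam_policy_document.policy.json

  tags = var.tags
}

# Vault access policy: any AWS principal may start a retrieval job (inventory
# or archive) and fetch its output, i.e. read every archive in the vault.
# No upload/delete actions are granted and no condition narrows the principal.
data "aws_iam_policy_document" "policy" {
  statement {
    actions = [
      "glacier:InitiateJob",
      "glacier:GetJobOutput"
    ]

    # The ARN is assembled by hand rather than taken from
    # aws_glacier_vault.archive.arn because the vault's access_policy already
    # depends on this document; referencing the vault here would be a cycle.
    # Partition "aws" is hard-coded (not GovCloud/China safe).
    resources = [
      "arn:aws:glacier:${var.region}:${data.aws_caller_identity.current.account_id}:vaults/${var.resource_name}"
    ]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_efs/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."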
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glue/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
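# (tail of the "tags" variable in exposed_services/aws_lambda/invoke/variables.tf; continued from the previous line)
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom
--------------------------------------------------------------------------------
/terraform/backdoored_entities/iam_role/external_administrator/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Deliberately backdoored role (CloudCommotion detection-test asset): a
# foreign account gets full administrator access to this account. This is the
# exact shape of a real persistence backdoor — deploy only where that alert
# is what you want to test, and tear it down afterwards.
resource "aws_iam_role" "exposed_asset" {
  name = var.resource_name
  tags = var.tags

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

# Trust policy. Trusting the foreign account's :root means any principal in
# var.account_id whose own IAM policy allows sts:AssumeRole on this role's ARN
# can assume it. There is intentionally no ExternalId, MFA, or source-identity
# condition. var.account_id is declared in this module's variables.tf (not
# shown here).
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
  }
}

# Managed AdministratorAccess: the foreign principal is unrestricted once in.
resource "aws_iam_role_policy_attachment" "admin_full_access" {
  role       = aws_iam_role.exposed_asset.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_lightsail/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."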
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ami/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ebs/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_glacier/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_iam_role/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_kms_key/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sns_topic/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_backup_vault/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/endpoint/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/layer/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_write/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_secrets_manager/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/privesc_user/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 20 | type = map(string) 21 | default = { 22 | "Creator" = "CloudCommotion" 23 | } 24 | } 25 | 26 | # Custom variables 27 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/administrative_user/variables.tf: -------------------------------------------------------------------------------- 1 | # Global variables 2 | variable "resource_name" { 3 | description = "Convincing bucket name for the organization" 4 | type = string 5 | } 6 | 7 | variable "sensitive_content" { 8 | description = "Content of the sensitive file to reach out to an appropriate contact." 9 | type = string 10 | } 11 | 12 | variable "region" { 13 | description = "The AWS region to create resources in" 14 | type = string 15 | } 16 | 17 | # Optional variables 18 | variable "tags" { 19 | description = "Organization tagging strategy but should keep Creator tag for discovery later." 
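# (tail of the "tags" variable in backdoored_entities/iam_user/administrative_user/variables.tf; continued from the previous line)
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_ecr/aws_ecr_public_gallery/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_eks/cluster/subnets.tf:
--------------------------------------------------------------------------------
# Discover the subnets of the target VPC and split them into public/private by
# looking for a route to an internet gateway in each subnet's route table.
# NOTE(review): identical copies of this file live in exposed_services/aws_opensearch
# and exposed_assets/aws_ec2_{alb,clb}/*; a shared module would keep them in sync.
data "aws_subnets" "vpc_subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
}

# One route-table lookup per subnet.
# NOTE(review): this data source resolves the table through the subnet's
# explicit association; a subnet that only inherits the VPC main route table
# may yield no match and fail the plan — confirm against the VPCs this is
# pointed at.
data "aws_route_table" "subnet_route_tables" {
  count     = length(data.aws_subnets.vpc_subnets.ids)
  subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index]
}

locals {
  # Public: at least one route whose gateway_id is an internet gateway
  # ("igw-..."). NAT-gateway and endpoint routes populate other fields and so
  # do not count. (startswith() needs Terraform >= 1.3.)
  public_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) > 0
  ]

  # Private: the complement of the above, i.e. no igw-* route at all.
  private_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) == 0
  ]
}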
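--------------------------------------------------------------------------------
/terraform/exposed_services/aws_opensearch/subnets.tf:
--------------------------------------------------------------------------------
# Discover the subnets of the target VPC and split them into public/private by
# looking for a route to an internet gateway in each subnet's route table.
# NOTE(review): identical copies of this file live in exposed_assets/aws_eks/cluster
# and exposed_assets/aws_ec2_{alb,clb}/*; a shared module would keep them in sync.
data "aws_subnets" "vpc_subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
}

# One route-table lookup per subnet.
# NOTE(review): this data source resolves the table through the subnet's
# explicit association; a subnet that only inherits the VPC main route table
# may yield no match and fail the plan — confirm against the VPCs this is
# pointed at.
data "aws_route_table" "subnet_route_tables" {
  count     = length(data.aws_subnets.vpc_subnets.ids)
  subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index]
}

locals {
  # Public: at least one route whose gateway_id is an internet gateway
  # ("igw-..."). NAT-gateway and endpoint routes populate other fields and so
  # do not count. (startswith() needs Terraform >= 1.3.)
  public_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) > 0
  ]

  # Private: the complement of the above, i.e. no igw-* route at all.
  private_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) == 0
  ]
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_ec2_alb/jenkins/subnets.tf:
--------------------------------------------------------------------------------
# Discover the subnets of the target VPC and split them into public/private by
# looking for a route to an internet gateway in each subnet's route table.
# NOTE(review): identical copies of this file live in exposed_assets/aws_eks/cluster,
# exposed_services/aws_opensearch and the other aws_ec2_{alb,clb} modules.
data "aws_subnets" "vpc_subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
}

# One route-table lookup per subnet.
# NOTE(review): this data source resolves the table through the subnet's
# explicit association; a subnet that only inherits the VPC main route table
# may yield no match and fail the plan — confirm against the VPCs this is
# pointed at.
data "aws_route_table" "subnet_route_tables" {
  count     = length(data.aws_subnets.vpc_subnets.ids)
  subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index]
}

locals {
  # Public: at least one route whose gateway_id is an internet gateway
  # ("igw-..."). NAT-gateway and endpoint routes populate other fields and so
  # do not count. (startswith() needs Terraform >= 1.3.)
  public_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) > 0
  ]

  # Private: the complement of the above, i.e. no igw-* route at all.
  private_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) == 0
  ]
}
--------------------------------------------------------------------------------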
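/terraform/exposed_assets/aws_ec2_alb/opensearch/subnets.tf:
--------------------------------------------------------------------------------
# Discover the subnets of the target VPC and split them into public/private by
# looking for a route to an internet gateway in each subnet's route table.
# NOTE(review): identical copies of this file live in exposed_assets/aws_eks/cluster,
# exposed_services/aws_opensearch and the other aws_ec2_{alb,clb} modules.
data "aws_subnets" "vpc_subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
}

# One route-table lookup per subnet.
# NOTE(review): this data source resolves the table through the subnet's
# explicit association; a subnet that only inherits the VPC main route table
# may yield no match and fail the plan — confirm against the VPCs this is
# pointed at.
data "aws_route_table" "subnet_route_tables" {
  count     = length(data.aws_subnets.vpc_subnets.ids)
  subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index]
}

locals {
  # Public: at least one route whose gateway_id is an internet gateway
  # ("igw-..."). NAT-gateway and endpoint routes populate other fields and so
  # do not count. (startswith() needs Terraform >= 1.3.)
  public_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) > 0
  ]

  # Private: the complement of the above, i.e. no igw-* route at all.
  private_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) == 0
  ]
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_ec2_clb/opensearch/subnets.tf:
--------------------------------------------------------------------------------
# Discover the subnets of the target VPC and split them into public/private by
# looking for a route to an internet gateway in each subnet's route table.
# NOTE(review): identical copies of this file live in exposed_assets/aws_eks/cluster,
# exposed_services/aws_opensearch and the aws_ec2_alb modules.
data "aws_subnets" "vpc_subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
}

# One route-table lookup per subnet.
# NOTE(review): this data source resolves the table through the subnet's
# explicit association; a subnet that only inherits the VPC main route table
# may yield no match and fail the plan — confirm against the VPCs this is
# pointed at.
data "aws_route_table" "subnet_route_tables" {
  count     = length(data.aws_subnets.vpc_subnets.ids)
  subnet_id = tolist(data.aws_subnets.vpc_subnets.ids)[count.index]
}

locals {
  # Public: at least one route whose gateway_id is an internet gateway
  # ("igw-..."). NAT-gateway and endpoint routes populate other fields and so
  # do not count. (startswith() needs Terraform >= 1.3.)
  public_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) > 0
  ]

  # Private: the complement of the above, i.e. no igw-* route at all.
  private_subnets = [
    for rt in data.aws_route_table.subnet_route_tables :
    rt.subnet_id if length([for r in rt.routes : r.gateway_id if startswith(r.gateway_id, "igw-")]) == 0
  ]
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_efs/main.tf: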
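--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Deliberately exposed EFS file system (CloudCommotion detection-test asset).
# Not encrypted at rest (the provider's `encrypted` defaults to false) — part
# of the exposure being simulated.
resource "aws_efs_file_system" "fs" {
  # creation_token is EFS's idempotency key. The original hard-coded
  # "my-product" for every deployment, so a second copy of this module in the
  # same account/region collides with the first file system
  # (FileSystemAlreadyExists). Derive it from the per-deployment resource
  # name instead. Changing the token forces replacement of an existing file
  # system; EFS limits the token to 64 characters.
  creation_token = var.resource_name

  tags = var.tags
}

# Attach the world-open policy defined below.
resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  policy = data.aws_iam_policy_document.policy.json
}

# File-system policy: any AWS principal may mount, write, and get root on the
# file system, with no aws:SecureTransport or access-point condition.
# NOTE(review): an EFS policy only governs NFS clients that can reach a mount
# target, and this main.tf creates no aws_efs_mount_target or security group,
# so nothing can actually mount it until one is added (none of this module's
# other files looks like it would).
data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "AllowMountWriteAnywhere"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientWrite",
      "elasticfilesystem:ClientRootAccess"
    ]

    resources = [
      aws_efs_file_system.fs.arn
    ]
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_eks/cluster/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."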
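# (tail of the "tags" variable in exposed_assets/aws_eks/cluster/variables.tf; continued from the previous line)
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "vpc_id" {
  description = "The VPC ID to create resources in"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/.template/gcp/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  # The original description ("The AWS region ...") was copy-pasted from the
  # AWS template. In the GCP modules this value sets the google provider's
  # region (see the storage bucket modules); the buckets themselves hard-code
  # their own location.
  description = "The GCP region passed to the google provider"
  type        = string
}

# Optional variables
variable "tags" {
  # Keep the Creator tag: it is what later discovery/cleanup keys on.
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "project_name" {
  # The storage bucket modules pass this as the google provider's `project`,
  # so it must be the project ID, not a free-form name prefix.
  description = "GCP project ID the google provider targets"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/ebs_volume/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."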
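# (continuation of variable "sensitive_content" in backdoored_entities/ebs_volume/variables.tf)
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "account_id" {
  description = "The 12-digit AWS account ID to share the EBS volume with"
  type        = string

  # Reject a malformed ID at plan time instead of with an opaque EC2 error at
  # apply; this is the identity the volume is deliberately leaked to, so a
  # typo here silently changes who the "backdoor" trusts.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be a 12-digit AWS account ID."
  }
}
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
# Builds and uploads release binaries when a GitHub release is created.
on:
  release:
    types: [created]

# Scope of the GITHUB_TOKEN handed to this job. contents: write is what
# uploading release assets needs.
# NOTE(review): packages: write does not look used by this job (the action
# below only attaches binaries to the release) — confirm and drop it.
permissions:
  contents: write
  packages: write

jobs:
  releases-matrix:
    name: Release Go Binary
    runs-on: ubuntu-latest
    strategy:
      matrix:
        goos: [linux, windows, darwin]
        goarch: ["386", amd64, arm64]
        exclude:
          - goarch: "386"
            goos: darwin
          - goarch: arm64
            goos: windows
    steps:
      # Supply chain: both actions are referenced by mutable tags. Pin each to
      # a full commit SHA (keep the tag as a trailing comment) so a moved or
      # retagged release cannot change what runs with a write-scoped token.
      - uses: actions/checkout@v3
      - uses: wangyoucao577/go-release-action@v1.34
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          # The toolchain is fetched from this URL at build time and no
          # checksum is specified here; prefer a version string the action
          # resolves itself, or pin and verify the tarball.
          goversion: "https://dl.google.com/go/go1.19.linux-amd64.tar.gz"
          project_path: "."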
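# (continuation of the go-release-action step in .github/workflows/release.yml)
          binary_name: "cloudcommotion"
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_ec2_ami/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Deliberately public AMI (CloudCommotion detection-test asset). The image is
# built from an empty 1 GiB volume; nothing in this main.tf writes
# var.sensitive_content into it.

# NOTE(review): hard-codes availability zone "<region>a"; most regions have
# it, but it is not guaranteed to exist or be enabled for the account.
resource "aws_ebs_volume" "volume" {
  availability_zone = "${var.region}a"
  size              = 1
  type              = "gp2"

  tags = var.tags
}

resource "aws_ebs_snapshot" "snapshot" {
  volume_id = aws_ebs_volume.volume.id

  tags = var.tags
}

# Register an AMI whose root device is the (empty) snapshot above.
resource "aws_ami" "public_ami" {
  name                = var.resource_name
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"
  tags                = var.tags

  ebs_block_device {
    device_name = "/dev/xvda"
    snapshot_id = aws_ebs_snapshot.snapshot.id
    volume_size = 8
  }
}

# group = "all" is the "public" launch permission: any AWS account can
# describe and launch this AMI. NOTE(review): accounts with EC2 "block public
# access for AMIs" enabled (the default on newer accounts, as far as I know)
# reject this call — check the account's image block-public-access state
# before blaming the module.
resource "aws_ami_launch_permission" "public_ami_launch_permission" {
  image_id = aws_ami.public_ami.id
  group    = "all"
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/ec2_ami/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Deliberately cross-account-shared AMI (CloudCommotion detection-test asset):
# same empty-volume image as the public variant, but shared with one foreign
# account (var.account_id) instead of with everyone.

# NOTE(review): hard-codes availability zone "<region>a"; see the public variant.
resource "aws_ebs_volume" "volume" {
  availability_zone = "${var.region}a"
  size              = 1
  type              = "gp2"

  tags = var.tags
}

resource "aws_ebs_snapshot" "snapshot" {
  volume_id = aws_ebs_volume.volume.id

  tags = var.tags
}

# Register an AMI whose root device is the (empty) snapshot above.
resource "aws_ami" "xacct_ami" {
  name                = var.resource_name
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"
  tags                = var.tags

  ebs_block_device {
    device_name = "/dev/xvda"
    snapshot_id = aws_ebs_snapshot.snapshot.id
    volume_size = 8
  }
}

# Launch permission for exactly one foreign account (continued on the next line).
resource "aws_ami_launch_permission" "xacct_ami_launch_permission" {
  image_id = aws_ami.xacct_ami.id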
# (continuation of aws_ami_launch_permission "xacct_ami_launch_permission" from the preceding line)
  account_id = var.account_id
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_sqs/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom
# How long (seconds) the seeded message stays retrievable from the queue.
variable "message_retention" {
  description = "Retention time defaults to 4 days (345600 seconds)"
  type        = number
  default     = 345600
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/ec2_ami/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
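# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# The external account the AMI is shared with. There is deliberately no
# default: the previous default ("t3.micro") was copied from an instance_type
# variable and is not an account ID at all, so it could never have worked as a
# share target, and the account that gets launch rights should be chosen
# explicitly per deployment anyway.
variable "account_id" {
  description = "Account ID for the AMI to be shared with (12-digit AWS account ID)"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be a 12-digit AWS account ID."
  }
}
--------------------------------------------------------------------------------
/terraform/exposed_services/google_storage_bucket/public_get/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

# This is a google_storage_bucket module; the copied description no longer
# claims the value is an AWS region.
variable "region" {
  description = "The region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "project_name" {
  description = "Name of the project to be used in the resource names"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/exposed_services/google_storage_bucket/public_get_list/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."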
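# (continuation of variable "sensitive_content" from the preceding line)
  type        = string
}

# This is a google_storage_bucket module; the copied description no longer
# claims the value is an AWS region.
variable "region" {
  description = "The region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "project_name" {
  description = "Name of the project to be used in the resource names"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_delegation_takeover/main.tf:
--------------------------------------------------------------------------------
# Exercise: a dangling NS delegation. The child zone is created, delegated from
# the parent, and then deleted out-of-band, leaving NS records in the parent
# that point at name servers no longer authoritative for the name.
provider "aws" {
  region = var.region
}

# Create a Route53 hosted zone for the subdomain
# No tags here, unlike most modules, and the zone is deleted below anyway; the
# NS record left in the parent zone is the artifact to be found.
resource "aws_route53_zone" "sub_zone" {
  name = "${var.resource_name}.${var.parent_domain}."
}

# Add NS records to the parent domain to delegate to the subdomain
resource "aws_route53_record" "sub_ns" {
  zone_id = var.parent_zone_id
  name    = "${var.resource_name}.${var.parent_domain}"
  type    = "NS"
  ttl     = "300"
  records = aws_route53_zone.sub_zone.name_servers
}

# Deletes the child zone right after delegation so the parent's NS record
# dangles; re-runs only when the zone id changes. The aws CLI runs in the
# operator's shell, so that shell's credentials/region apply rather than the
# provider block above. Terraform state still records the zone, so a later
# plan will presumably report it as missing.
resource "null_resource" "delete_sub_zone" {
  triggers = {
    sub_zone_id = aws_route53_zone.sub_zone.zone_id
  }

  provisioner "local-exec" {
    command = "aws route53 delete-hosted-zone --id ${aws_route53_zone.sub_zone.zone_id}"
  }

  depends_on = [aws_route53_record.sub_ns]
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_ecr/aws_ecr_public/main.tf:
--------------------------------------------------------------------------------
# Exercise: a private-registry ECR repository whose resource policy admits any
# AWS principal (policy continues on the next line of this listing).
provider "aws" {
  region = var.region
}

resource "aws_ecr_repository" "public_repo" {
  name = var.resource_name
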
# (continuation of aws_ecr_repository "public_repo" from the preceding line)
  tags = var.tags
}

# Principal "*" combined with the upload actions (InitiateLayerUpload,
# UploadLayerPart, CompleteLayerUpload, PutImage) means any AWS principal can
# push to this repository as well as pull from it; no condition keys narrow
# the statement. The write side is what makes this more than a disclosure.
data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"
    ]
  }
}


resource "aws_ecr_repository_policy" "my_repo_policy" {
  repository = aws_ecr_repository.public_repo.name
  policy     = data.aws_iam_policy_document.policy.json
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_backup_vault/main.tf:
--------------------------------------------------------------------------------
# Exercise: a Backup vault that any AWS account may copy recovery points into.
provider "aws" {
  region = var.region
}

# Account-wide setting, not scoped to this vault: enabling cross-account
# backup affects the whole account.
# NOTE(review): confirm whether destroying this resource resets the setting
# or leaves it enabled after the exercise is torn down.
resource "aws_backup_global_settings" "settings" {
  global_settings = {
    "isCrossAccountBackupEnabled" = "true"
  }
}

resource "aws_backup_vault" "vault" {
  name = var.resource_name

  tags = var.tags
}

# Principal "*" may CopyIntoBackupVault. Only the inbound copy action is
# granted, scoped to this vault's ARN; no condition keys narrow it.
data "aws_iam_policy_document" "policy" {
  statement {
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "backup:CopyIntoBackupVault",
    ]

    resources = [aws_backup_vault.vault.arn]
  }
}

resource "aws_backup_vault_policy" "policy" {
  backup_vault_name = aws_backup_vault.vault.name
  policy            = data.aws_iam_policy_document.policy.json

  depends_on = [aws_backup_global_settings.settings]
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/iam_role/external_privesc/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
# (continuation of variable "resource_name" from the preceding line)
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# The role's trust policy names this account's root as principal. The default
# is a placeholder-looking value; if it is not an account the exercise owner
# controls, the "backdoor" trusts an arbitrary third party, so set it
# deliberately per deployment rather than relying on the default.
variable "account_id" {
  description = "The AWS account ID that will have backdoor access"
  type        = string
  default     = "111111111111"
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_get/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Empty default means the module picks a file name itself (per the description).
variable "custom_sensitive_file" {
  description = "Convincing sensitive file name, randomly generated otherwise."
# (continuation of variable "custom_sensitive_file" from the preceding line)
  type        = string
  default     = ""
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/iam_role/external_administrator/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Same placeholder-looking default as the external_privesc sibling module; the
# trusted account should be set explicitly for each deployment rather than
# inherited from here.
variable "account_id" {
  description = "The AWS account ID that will have backdoor access"
  type        = string
  default     = "111111111111"
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_list_get/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Empty default means the module picks a file name itself (per the description).
variable "custom_sensitive_file" {
  description = "Convincing sensitive file name, randomly generated otherwise."
  type        = string
  default     = ""
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_s3/public_object_acl/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Empty default means the module picks a file name itself (per the description).
variable "custom_sensitive_file" {
  description = "Convincing sensitive file name, randomly generated otherwise."
# (continuation of variable "custom_sensitive_file" from the preceding line)
  type        = string
  default     = ""
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_ec2_ebs/main.tf:
--------------------------------------------------------------------------------
# Exercise: an EBS snapshot whose createVolumePermission is opened to the
# "all" group, i.e. any AWS account can create a volume from it.
provider "aws" {
  region = var.region
}

resource "aws_ebs_volume" "volume" {
  availability_zone = "${var.region}a"
  size              = 1
  type              = "gp2"

  tags = var.tags
}

resource "aws_ebs_snapshot" "public_snapshot" {
  volume_id = aws_ebs_volume.volume.id

  tags = var.tags
}

# Forgotten issue and not possible through terraform
# https://github.com/hashicorp/terraform-provider-aws/issues/13198
# Because the share is applied by the CLI rather than by a managed resource,
# nothing in Terraform state records that the snapshot is public; destroying
# the snapshot removes the share with it. The CLI call uses the operator
# shell's credentials/region, not the provider block above.
resource "null_resource" "make_snapshot_public" {
  provisioner "local-exec" {
    command = "aws ec2 modify-snapshot-attribute --snapshot-id ${aws_ebs_snapshot.public_snapshot.id} --attribute createVolumePermission --operation-type add --group-names all"
  }

  triggers = {
    snapshot_id = aws_ebs_snapshot.public_snapshot.id
  }

  depends_on = [aws_ebs_snapshot.public_snapshot]
}

--------------------------------------------------------------------------------
/terraform/exposed_services/aws_secrets_manager/main.tf:
--------------------------------------------------------------------------------
# Exercise: a Secrets Manager secret readable by any AWS principal.
provider "aws" {
  region = var.region
}

resource "aws_secretsmanager_secret" "secret" {
  name = var.resource_name

  tags = var.tags
}

# Principal "*" with GetSecretValue on this secret's ARN is the planted
# misconfiguration. Only read access is granted; no condition keys narrow it.
data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "AllowPublicAccessToSecret"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "secretsmanager:GetSecretValue"
    ]

    resources = [aws_secretsmanager_secret.secret.arn]
  }
}

# secret_arn continues on the next line of this listing.
resource "aws_secretsmanager_secret_policy" "public_policy" {
  secret_arn = 
aws_secretsmanager_secret.secret.arn
  policy     = data.aws_iam_policy_document.policy.json
}

# The stored value is the exercise message for responders, not a real
# credential; like any secret_string it is also written to Terraform state.
resource "aws_secretsmanager_secret_version" "secret_version" {
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = var.sensitive_content
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_delegation_takeover/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Parent zone that receives the (soon dangling) NS delegation; both values
# must refer to a zone the exercise owner controls, since a record is written
# into it.
variable "parent_domain" {
  description = "The parent domain name."
  type        = string
}

variable "parent_zone_id" {
  description = "The Route53 Zone ID for the parent domain."
  type        = string
}
--------------------------------------------------------------------------------
/terraform/exposed_services/github_repository/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
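# (continuation of variable "sensitive_content" from the preceding line)
  type        = string
}

# NOTE(review): described as an AWS region inside a GitHub module; presumably
# kept for interface parity with the other modules.
variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Unlike the AWS modules this default carries no Creator tag; GitHub
# resources have no tag concept, so the value is presumably unused.
variable "tags" {
  description = "Tags to apply to resources"
  type        = map(string)
  default     = {}
}

# Custom variables
# Marked sensitive so the token is redacted from plan/apply output and from
# any output value derived from it. It is still stored in clear text in
# Terraform state, so the state backend has to be protected accordingly.
variable "github_token" {
  description = "GitHub API token"
  type        = string
  sensitive   = true
}

variable "organization_name" {
  description = "GitHub organization name"
  type        = string
}

variable "file_name" {
  description = "Name of the file to create in the repository"
  type        = string
  default     = "sensitive.txt"
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_eip_takeover/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."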
# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# The record is written into hosted_zone_id, so both values must belong to a
# zone the exercise owner controls; the default name is a placeholder.
variable "domain_name" {
  description = "The domain name used for the takeover"
  type        = string
  default     = "www.example.com"
}

variable "hosted_zone_id" {
  description = "The hosted zone ID for the domain name"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_s3_takeover/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# The record is written into hosted_zone_id, so both values must belong to a
# zone the exercise owner controls; the default name is a placeholder.
variable "domain_name" {
  description = "The domain name used for the takeover"
  type        = string
  default     = "www.example.com"
}

variable "hosted_zone_id" {
  description = "The hosted zone ID for the domain name"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_second_order_takeover/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
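# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# The record is written into hosted_zone_id, so both values must belong to a
# zone the exercise owner controls; the default name is a placeholder.
variable "domain_name" {
  description = "The domain name used for the takeover"
  type        = string
  default     = "www.example.com"
}

variable "hosted_zone_id" {
  description = "The hosted zone ID for the domain name"
  type        = string
}
--------------------------------------------------------------------------------
/terraform/exposed_services/google_storage_bucket/public_object/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

# This is a google_storage_bucket module; the copied description no longer
# claims the value is an AWS region.
variable "region" {
  description = "The region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "project_name" {
  description = "Name of the project to be used in the resource names"
  type        = string
}

# Empty default means the module picks a file name itself (per the description).
variable "custom_sensitive_file" {
  description = "Convincing sensitive file name, randomly generated otherwise."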
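# (continuation of variable "custom_sensitive_file" from the preceding line)
  type        = string
  default     = ""
}

--------------------------------------------------------------------------------
/terraform/exposed_services/aws_sqs/main.tf:
--------------------------------------------------------------------------------
# Exercise: an SQS queue any AWS principal may receive from, seeded with one
# message carrying the exercise text.
provider "aws" {
  region = var.region
}

# No tags on the queue: the Creator tag the other modules rely on for
# discovery is not applied here.
resource "aws_sqs_queue" "public_queue" {
  name = var.resource_name

  message_retention_seconds = var.message_retention
}


# Principal "*" may ReceiveMessage on this queue. The sid mentions Send as
# well, but only sqs:ReceiveMessage is actually granted.
data "aws_iam_policy_document" "public_queue_policy" {
  statement {
    sid    = "PublicSendReceiveMessages"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "sqs:ReceiveMessage"
    ]
    resources = [aws_sqs_queue.public_queue.arn]
  }
}

resource "aws_sqs_queue_policy" "public_queue_policy_attach" {
  queue_url = aws_sqs_queue.public_queue.id
  policy    = data.aws_iam_policy_document.public_queue_policy.json
}

# Seeds the queue once per queue URL using the operator's aws CLI (that
# shell's credentials/region apply, not the provider block above).
resource "null_resource" "send_sqs_message" {
  triggers = {
    queue_url = aws_sqs_queue.public_queue.id
  }

  provisioner "local-exec" {
    # The message body reaches the command through an environment variable
    # instead of being interpolated into the shell string: the old form
    # wrapped ${var.sensitive_content} in single quotes, so a quote in the
    # text broke the command and the rest of the value was handed to the
    # shell to interpret.
    environment = {
      MESSAGE_BODY = var.sensitive_content
    }
    command = "aws sqs send-message --queue-url ${aws_sqs_queue.public_queue.id} --message-body \"$MESSAGE_BODY\""
  }
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_s3_takeover/main.tf:
--------------------------------------------------------------------------------
# Exercise: a dangling Route 53 alias to an S3 website endpoint whose bucket
# is deleted out-of-band after the record is created.
provider "aws" {
  region = var.region
}

# Create an S3 bucket for static website hosting
resource "aws_s3_bucket" "static_bucket" {
  bucket = var.resource_name

  tags = var.tags
}

resource "aws_s3_bucket_website_configuration" "static_bucket" {
  bucket = aws_s3_bucket.static_bucket.id

  index_document {
    suffix = "index.html"
  }

  error_document {
    key = "error.html"
  }
}

# The alias record (continued on the next line of this listing) points at the
# website endpoint; the bucket is then removed, leaving the record dangling.
resource 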
"aws_route53_record" "website_record" {
  zone_id = var.hosted_zone_id
  name    = var.domain_name
  type    = "A"

  alias {
    name                   = aws_s3_bucket_website_configuration.static_bucket.website_domain
    zone_id                = aws_s3_bucket.static_bucket.hosted_zone_id
    evaluate_target_health = false
  }
}

# Deletes the bucket out-of-band right after creation (no triggers, so only on
# first apply); this is what leaves the alias above dangling. Terraform state
# still records the bucket, so a later plan will presumably report it missing.
# Uses the operator shell's aws CLI credentials/region, not the provider block.
resource "null_resource" "bucket_deletion" {
  depends_on = [aws_s3_bucket.static_bucket]

  provisioner "local-exec" {
    command = "aws s3 rb s3://${aws_s3_bucket.static_bucket.bucket} --force"
  }
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/iam_role/external_privesc/main.tf:
--------------------------------------------------------------------------------
# Exercise: a role assumable from an external account that also holds a
# permission commonly flagged as a privilege-escalation primitive.
provider "aws" {
  region = var.region
}

resource "aws_iam_role" "exposed_asset" {
  name = var.resource_name
  tags = var.tags

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

# Trust policy: the root principal of var.account_id (i.e. any principal in
# that account its own IAM allows) may assume this role. No ExternalId or
# other condition narrows it.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
  }
}

# Fixed policy name (not var.resource_name, unlike most modules), so two
# deployments of this module in one account would collide on the name.
resource "aws_iam_policy" "priv_esc_policy" {
  name        = "PotentialPrivEscPolicy"
  description = "A policy that might allow privilege escalation"

  policy = data.aws_iam_policy_document.priv_esc_policy.json
}

# iam:PutRolePolicy on every role is the planted finding: inline policies can
# be written onto any role in the account, which is why scanners treat it as
# a privilege-escalation permission.
data "aws_iam_policy_document" "priv_esc_policy" {
  statement {
    actions   = ["iam:PutRolePolicy"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy_attachment" "potential_priv_esc_attachment" {
  role       = aws_iam_role.exposed_asset.name
  policy_arn = aws_iam_policy.priv_esc_policy.arn
}
--------------------------------------------------------------------------------
/terraform/exposed_services/aws_iam_role/main.tf:
--------------------------------------------------------------------------------
# Exercise: a role whose trust policy accepts any AWS principal.
provider "aws" {
  region = var.region
}

# Principal "*" on sts:AssumeRole with no condition: any authenticated AWS
# identity in any account can assume this role.
data "aws_iam_policy_document" "wildcard_assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "public_role" {
  name               = var.resource_name
  assume_role_policy = data.aws_iam_policy_document.wildcard_assume_role.json

  tags = var.tags
}

# Deliberately harmless permission set: the role can only ask who it is.
data "aws_iam_policy_document" "get_caller_identity_policy" {
  statement {
    effect    = "Allow"
    actions   = ["sts:GetCallerIdentity"]
    resources = ["*"]
  }
}

# The exercise text travels in the policy description, where a responder
# inspecting the policy will see it.
resource "aws_iam_policy" "policy" {
  name        = var.resource_name
  description = var.sensitive_content
  policy      = data.aws_iam_policy_document.get_caller_identity_policy.json

  tags = var.tags
}

resource "aws_iam_role_policy_attachment" "example_attach" {
  role       = aws_iam_role.public_role.name
  policy_arn = aws_iam_policy.policy.arn
}
--------------------------------------------------------------------------------
/config/config.yml:
--------------------------------------------------------------------------------
---
# Default configuration file
provider: aws # Does not impact anything at this time but should in the future
#profile: prod-operations-user # AWS profile list maybe
region: us-east-1 # Can select any valid region or `random` to randomize regions

# List of exercises to run
module:
  # This is for the VPC creation for exposed_assets to be created if you need a VPC
  # - name: VPC Creation
  #   terraform_dir: terraform/environment/vpc
  - name: Publicly Accessible S3 Bucket(Get)
    terraform_dir: terraform/exposed_services/aws_s3/public_get
  - name: Public Lambda Endpoint
    terraform_dir: 
terraform/exposed_services/aws_lambda/endpoint
  - name: Public ECR Gallery
    terraform_dir: terraform/exposed_services/aws_ecr/aws_ecr_public_gallery
# Variables handed to the modules listed above (presumably all of them).
variables:
  resource_name: "securityrunners-static-website" # Convincing resource name for all resources to be created as
  sensitive_content: "This is a message to provide to incident responders who have appropriately triaged the asset"
  # NOTE(review): no Creator tag here; if this map replaces the modules'
  # default tags instead of merging with them, the discovery tag the modules
  # document relying on is dropped. Confirm how the runner passes tags.
  tags:
    Name: "securityrunners-static-website"
    Owner: "Operations"
    Project: "CloudCommotion"
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_asg_takeover_rce/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# Network placement for the instance; both must be supplied (the
# terraform/environment/vpc module exists for exercises that need a VPC).
variable "vpc_id" {
  description = "The VPC to create the instance in"
  type        = string
}

variable "subnet_id" {
  description = "The subnet to create the instance in"
  type        = string
}

variable "instance_type" {
  description = "The instance type to use for the instance"
  type        = string
  default     = "t3.micro"
}
--------------------------------------------------------------------------------
/terraform/exposed_assets/aws_rds/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
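# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

# The description used to say "List of IP addresses", but the type is a single
# string (one CIDR block); a caller passing a list would fail type checking.
# The world-open default is the planted exposure.
variable "allowed_ip" {
  description = "CIDR block (a single string) allowed to reach the instance; defaults to the whole internet"
  type        = string
  default     = "0.0.0.0/0"
}

variable "node_type" {
  description = "The instance type to use for the instance"
  type        = string
  default     = "db.t2.micro"
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/aws_iam_role/oidc/variables.tf:
--------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."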
# (continuation of variable "tags" from the preceding line)
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# OIDC provider settings; the defaults describe GitHub Actions as the identity
# provider. None of the three variables carries a description.
variable "openid_url" {
  type    = string
  default = "https://token.actions.githubusercontent.com"
}

# Audiences the provider accepts. The default is an organisation URL, so which
# repositories may assume a role trusting this provider is presumably decided
# by that role's trust-policy conditions (not visible here), not by this list.
variable "client_id_list" {
  type = list(string)
  default = [
    "https://github.com/SecurityRunners"
  ]
}

# CA thumbprints for the token endpoint. These go stale when the issuer
# rotates its certificate chain, so the values need periodic checking.
variable "thumbprint_list" {
  type = list(string)
  default = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd"
  ]
}
--------------------------------------------------------------------------------
/terraform/backdoored_entities/iam_user/privesc_user/main.tf:
--------------------------------------------------------------------------------
# Exercise: an IAM user with a long-lived access key and a policy that lets it
# widen its own permissions.
data "aws_caller_identity" "current" {}

provider "aws" {
  region = var.region
}

# NOTE(review): generated but not referenced anywhere in this file (no login
# profile is created here); presumably consumed elsewhere, otherwise it is dead.
resource "random_password" "user_password" {
  length  = 16
  special = true
}

resource "aws_iam_user" "exposed_asset" {
  name = var.resource_name
  tags = var.tags
}

# Long-lived key; its secret part is written to Terraform state.
resource "aws_iam_access_key" "admin_user_key" {
  user = aws_iam_user.exposed_asset.name
}

resource "aws_iam_policy" "priv_esc_policy" {
  name        = var.resource_name
  description = var.sensitive_content

  policy = data.aws_iam_policy_document.priv_esc_policy.json
}

# The planted finding: the user may put/attach policies on its own user and
# create new policies account-wide, which together is why scanners flag it as
# a self-escalation path.
data "aws_iam_policy_document" "priv_esc_policy" {
  statement {
    actions   = ["iam:PutUserPolicy", "iam:AttachUserPolicy"]
    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${aws_iam_user.exposed_asset.name}"]
  }

  statement {
    actions   = ["iam:CreatePolicy"]
    resources = ["*"]
  }
}

resource "aws_iam_user_policy_attachment" "potential_priv_esc_attachment" {
  user       = aws_iam_user.exposed_asset.name
  policy_arn = aws_iam_policy.priv_esc_policy.arn
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_kms_key/main.tf: --------------------------------------------------------------------------------
# Decoy KMS key whose key policy grants kms:* to every AWS principal. No
# workload is meant to use it, so any cryptographic operation or policy change
# against it in CloudTrail is a finding.
provider "aws" {
  region = var.region
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "public_kms_policy" {
  # Keeps the owning account able to administer the key. NOTE(review): the
  # aws:principaltype = Account condition appears to narrow this statement to
  # the account's root credentials rather than every IAM principal in the
  # account — confirm that is intended.
  statement {
    sid = "AllowRootAccess"

    actions = ["kms:*"]

    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:principaltype"
      values   = ["Account"]
    }
  }


  # The deliberate exposure: a wildcard principal with no condition, so any AWS
  # principal in any account (subject to its own identity policy) may use and
  # administer the key.
  statement {
    sid = "AllowAllUsersAccess"

    actions = ["kms:*"]

    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

resource "aws_kms_key" "public_key" {
  description         = var.sensitive_content
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.public_kms_policy.json

  tags = var.tags
}

resource "aws_kms_alias" "alias" {
  name          = "alias/${var.resource_name}"
  target_key_id = aws_kms_key.public_key.key_id
}
-------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_thirdparty_takeover/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
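# (continuation of variable "sensitive_content")
  type = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "domain_name" {
  description = "The domain name used for the takeover"
  type        = string
  default     = "www.example.com"
}

variable "hosted_zone_id" {
  description = "The hosted zone ID for the domain name"
  type        = string
}

variable "thirdparty_alias" {
  description = "The alias of the site that does not exist"
  type        = string
  default     = "thissitedefinetelydoesnotexist.wordpress.com"
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/layer/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# Packages the decoy content into layer.zip on the machine running terraform.
# The original command text is garbled in this copy; the reconstruction keeps
# the visible intent (write var.sensitive_content to layer.txt, then zip it)
# but hands the value to the shell through the environment instead of
# interpolating it into the command string, so quotes, `$(...)` or `;` inside
# the content cannot change what the shell executes.
resource "null_resource" "layer_zip" {
  provisioner "local-exec" {
    environment = {
      LAYER_CONTENT = var.sensitive_content
    }
    command = <<-EOL
      printf '%s\n' "$LAYER_CONTENT" > layer.txt
      zip layer.zip layer.txt
    EOL
  }

  triggers = {
    content = var.sensitive_content
  }
}

# NOTE(review): nodejs14.x has been deprecated by Lambda for some time; if
# publishing the layer starts failing, move compatible_runtimes to a supported
# Node.js release (the layer content does not depend on the runtime).
resource "aws_lambda_layer_version" "lambda_layer" {
  filename            = "layer.zip"
  layer_name          = var.resource_name
  compatible_runtimes = ["nodejs14.x"]

  depends_on = [null_resource.layer_zip]
}

# The deliberate exposure: principal "*" lets any AWS account fetch the layer.
# GetLayerVersion calls against it, presumably visible in CloudTrail as read
# events, are the detection signal.
resource "aws_lambda_layer_version_permission" "lambda_layer_permission" {
  depends_on     = [aws_lambda_layer_version.lambda_layer]
  layer_name     = aws_lambda_layer_version.lambda_layer.layer_name
  version_number = aws_lambda_layer_version.lambda_layer.version
  principal      = "*"
  action         = "lambda:GetLayerVersion"
  statement_id   = var.resource_name
}

# Remove the layer once complete
resource "null_resource" "remove_zip" {
  provisioner "local-exec" {
    command = "rm -f layer.zip layer.txt"
  }

  depends_on = [aws_lambda_layer_version.lambda_layer]
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/ssh/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: main.tf consumes it
# as cidr_blocks = [var.allowed_ip]. The default opens the port to the whole
# internet on purpose; the validation only rejects values that are not a CIDR
# at all, so a typo fails at plan time instead of yielding a decoy that is
# reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.micro"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/jenkins/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string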
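}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.micro"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/opensearch/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."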
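# (continuation of variable "tags")
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.small"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_alb/jenkins/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."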
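# (continuation of variable "tags")
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.micro"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_alb/opensearch/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."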
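# (continuation of variable "tags")
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.small"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2_clb/opensearch/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."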
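# (continuation of variable "tags")
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the instance (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "instance_type" {
  description = "The type of instance to start"
  type        = string
  default     = "t3.small"
}

variable "key_pair" {
  description = "The key pair to use for SSH access"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_redshift/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."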
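# (continuation of variable "tags")
  type = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}

variable "subnet_id" {
  description = "The subnet ID to launch the instance in"
  type        = string
}

# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the cluster (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "node_type" {
  description = "The instance type to use for the instance"
  type        = string
  default     = "dc2.large"
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_opensearch/variables.tf: --------------------------------------------------------------------------------
# Global variables
variable "resource_name" {
  description = "Convincing bucket name for the organization"
  type        = string
}

variable "sensitive_content" {
  description = "Content of the sensitive file to reach out to an appropriate contact."
  type        = string
}

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
}

# Optional variables
variable "tags" {
  description = "Organization tagging strategy but should keep Creator tag for discovery later."
  type        = map(string)
  default = {
    "Creator" = "CloudCommotion"
  }
}

# Custom variables
variable "opensearch_version" {
  description = "OpenSearch version."
  type        = string
  default     = "OpenSearch_2.7"
}

variable "instance_type" {
  description = "OpenSearch instance type."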
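# (continuation of variable "instance_type")
  type    = string
  default = "t3.small.search"
}

# One CIDR block, not a list, despite the old description: the sibling main.tf
# files consume it as cidr_blocks = [var.allowed_ip]. The default opens the port
# to the whole internet on purpose; the validation only rejects values that are
# not a CIDR at all, so a typo fails at plan time instead of yielding a decoy
# that is reachable from the wrong place.
variable "allowed_ip" {
  description = "CIDR block allowed to reach the domain (default: any address)"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = can(cidrhost(var.allowed_ip, 0))
    error_message = "allowed_ip must be a CIDR block such as 0.0.0.0/0 or 203.0.113.0/24."
  }
}

variable "vpc_id" {
  description = "The VPC ID to launch the instance in"
  type        = string
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/endpoint/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

data "archive_file" "lambda_zip" {
  type        = "zip"
  source_file = "index.py"
  output_path = "lambda_function_payload.zip"
}

# NOTE(review): python3.8 is past its Lambda deprecation date, so creating new
# functions on it is likely to be rejected; move to a supported Python release
# once index.py (not shown here) is confirmed to run on it.
resource "aws_lambda_function" "public_lambda" {
  filename      = data.archive_file.lambda_zip.output_path
  function_name = var.resource_name
  role          = aws_iam_role.lambda_execution_role.arn
  handler       = "index.lambda_handler"
  runtime       = "python3.8"
  tags          = var.tags

  environment {
    variables = {
      SENSITIVE_CONTENT = var.sensitive_content
    }
  }
}

# The deliberate exposure: an HTTPS endpoint with no authorization.
# NOTE(review): the function URL alone may not be enough — Lambda also wants a
# resource-based permission for lambda:InvokeFunctionUrl (the console adds one
# automatically; this file does not). Confirm the URL answers unauthenticated
# after apply; if it returns 403, an aws_lambda_permission with
# function_url_auth_type = "NONE" is the missing piece.
resource "aws_lambda_function_url" "lambda_function_url" {
  function_name      = aws_lambda_function.public_lambda.arn
  authorization_type = "NONE"
}

# Execution role. name_prefix replaces the fixed name "lambda_execution_role",
# which the aws_lambda/invoke module also used, so both decoys (or two copies
# of this one) can live in one account without an EntityAlreadyExists error.
resource "aws_iam_role" "lambda_execution_role" {
  name_prefix = "lambda_execution_role_"
  tags        = var.tags

  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Without log permissions the function runs but writes nothing to CloudWatch,
# which leaves this decoy with no record of who hit it; the basic execution
# policy is the smallest managed policy that fixes that.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_write/main.tf: --------------------------------------------------------------------------------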
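provider "aws" {
  region = var.region
}

# Decoy bucket that anyone on the internet may upload into (but not list or
# read). force_destroy is needed because anonymous uploads are not in state,
# and a bucket holding them would otherwise block terraform destroy.
resource "aws_s3_bucket" "public_bucket" {
  bucket        = var.resource_name
  force_destroy = true
  tags          = var.tags

  lifecycle {
    prevent_destroy = false
  }
}

# Whatever anonymous callers write is expired after a day: the upload itself
# is the signal (S3 data events / server access logs), the content is not
# wanted, and an open-write bucket otherwise accumulates storage cost and
# possibly material the account owner would rather not host.
resource "aws_s3_bucket_lifecycle_configuration" "expire_uploads" {
  bucket = aws_s3_bucket.public_bucket.id

  rule {
    id     = "expire-anonymous-uploads"
    status = "Enabled"

    filter {}

    expiration {
      days = 1
    }
  }
}

# The deliberate exposure: s3:PutObject for principal "*" on every key.
data "aws_iam_policy_document" "public_policy" {
  statement {
    sid    = "PublicPutObject"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = ["s3:PutObject"]
    resources = [
      "arn:aws:s3:::${aws_s3_bucket.public_bucket.id}/*"
    ]
  }
}

# New buckets start with all public-access blocks on, and S3 refuses a public
# policy while block_public_policy is in effect; the explicit dependency makes
# sure the block below is relaxed before the policy is applied.
resource "aws_s3_bucket_policy" "s3_bucket_policy" {
  bucket = aws_s3_bucket.public_bucket.id
  policy = data.aws_iam_policy_document.public_policy.json

  depends_on = [aws_s3_bucket_public_access_block.s3_bucket_public_access_block]
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" {
  bucket = aws_s3_bucket.public_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# ACL-based exposure stays blocked; only the policy-based write path is open.
resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
  bucket = aws_s3_bucket.public_bucket.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_rds/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# NOTE(review): MySQL 5.7 on RDS has left standard support; keeping it incurs
# extended-support charges and will eventually be refused for new instances.
# The generated master password is written to Terraform state in clear text.
resource "aws_db_instance" "rds_instance" {
  identifier = var.resource_name

  db_name              = "mydb"
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = var.node_type
  username             = "admin"
  password             = resource.random_password.password.result
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot  = true
  multi_az             = false

  vpc_security_group_ids =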
# (continuation of resource "aws_db_instance" "rds_instance")
  [aws_security_group.rds_security_group.id]
  db_subnet_group_name = aws_db_subnet_group.rds_subnet_group.name

  # NOTE(review): publicly_accessible is not set, so the provider default
  # (false) applies: despite the public subnets and the 0.0.0.0/0 rule below,
  # the instance gets no public address and is reachable only from inside the
  # VPC. Decide which exposure this module is meant to have and set it explicitly.
  tags = var.tags
}

resource "aws_db_subnet_group" "rds_subnet_group" {
  name       = "${var.resource_name}-subnet-group"
  subnet_ids = local.public_subnets

  tags = var.tags
}

resource "aws_security_group" "rds_security_group" {
  name        = var.resource_name
  description = var.sensitive_content
  vpc_id      = var.vpc_id

  tags = var.tags
}

# MySQL port open to var.allowed_ip (0.0.0.0/0 by default); connection attempts
# on it are the signal this decoy exists to produce.
resource "aws_security_group_rule" "rds_security_group_rule" {
  type              = "ingress"
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = [var.allowed_ip]
  security_group_id = aws_security_group.rds_security_group.id
}

resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}
-------------------------------------------------------------------------------- /terraform/misconfigurations/aws_iam_role/oidc/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# aws iam open id connect provider github
resource "aws_iam_openid_connect_provider" "provider" {
  url             = var.openid_url
  client_id_list  = var.client_id_list
  thumbprint_list = var.thumbprint_list

  tags = var.tags
}


resource "aws_iam_role" "role" {
  name        = var.resource_name
  description = var.sensitive_content

  assume_role_policy = data.aws_iam_policy_document.document.json

  tags = var.tags
}

# Misconfigured policy document
data "aws_iam_policy_document" "document" {
  statement {
    sid     = "AssumeRoleFromOIDCProvider"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers =
# (continuation of data "aws_iam_policy_document" "document")
      [aws_iam_openid_connect_provider.provider.arn]
    }

    # The misconfiguration this module exists to plant: only the audience is
    # checked. With no condition on the `:sub` claim (repository, branch or
    # environment), a token from any GitHub Actions workflow that requests this
    # audience satisfies the trust policy. Any AssumeRoleWithWebIdentity event
    # naming this role in CloudTrail is therefore the detection signal.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy_attachment" "attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}

# Deliberately harmless permission: lets an assumption be observed (and the
# caller orient itself) without granting anything useful.
data "aws_iam_policy_document" "policy" {
  statement {
    sid     = "GetCallerIdentity"
    effect  = "Allow"
    actions = ["sts:GetCallerIdentity"]

    resources = ["*"]
  }
}

resource "aws_iam_policy" "policy" {
  name        = var.resource_name
  description = var.sensitive_content
  policy      = data.aws_iam_policy_document.policy.json

  tags = var.tags
}
-------------------------------------------------------------------------------- /terraform/exposed_services/google_storage_bucket/public_object/main.tf: --------------------------------------------------------------------------------
provider "google" {
  project = var.project_name
  region  = var.region
}

locals {
  ### Generate fake file name to ensure once found it is investigated
  # Default fake sensitive file names
  sensitive_files_generator = [
    "financial_report.pdf",
    "financial_data.xlsx",
    "personnel_records.csv",
    "decrypt_users.py",
    "revenue.docx",
    "government_ids.csv",
    "healthcare_data.json",
    "research_findings.ppt",
    "q1_earnings_report.pdf",
    "customer_ids.docx",
  ]
  # If a variable named "custom_sensitive_file" is set, use it as the sensitive file name
  sensitive_file = var.custom_sensitive_file != "" ?
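# (continuation of locals.sensitive_file)
    var.custom_sensitive_file : local.sensitive_files_generator[random_integer.index.result]
}

# Picks one of the decoy file names above at random on first apply.
resource "random_integer" "index" {
  min = 0
  max = length(local.sensitive_files_generator) - 1
}

resource "google_storage_bucket" "public_single_object" {
  name     = var.resource_name
  location = "US"

  cors {
    origin          = ["*"]
    method          = ["GET"]
    response_header = ["Content-Type"]
    max_age_seconds = 3600
  }

  labels = var.tags
}

resource "google_storage_bucket_object" "public_single_object_content" {
  name    = local.sensitive_file
  bucket  = google_storage_bucket.public_single_object.name
  content = var.sensitive_content
}

# The deliberate exposure: this one object (not the bucket listing) is readable
# by allUsers. Object ACLs only work while the bucket keeps fine-grained access,
# which is presumably the provider default for uniform_bucket_level_access here.
resource "google_storage_object_access_control" "public_single_object_acl" {
  object = google_storage_bucket_object.public_single_object_content.name
  bucket = google_storage_bucket.public_single_object.name
  role   = "READER"
  entity = "allUsers"
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

data "archive_file" "lambda_zip" {
  type        = "zip"
  source_file = "index.py"
  output_path = "lambda_function_payload.zip"
}

# Execution role. name_prefix replaces the fixed name "lambda_execution_role",
# which the aws_lambda/endpoint module also used, so both decoys (or two copies
# of this one) can live in one account without an EntityAlreadyExists error.
resource "aws_iam_role" "lambda_execution_role" {
  name_prefix = "lambda_execution_role_"
  tags        = var.tags

  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Without log permissions the function runs but writes nothing to CloudWatch,
# which leaves this decoy with no record of who invoked it; the basic execution
# policy is the smallest managed policy that fixes that.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# NOTE(review): this document is not referenced by any resource in this file
# (the grant is made by aws_lambda_permission below); presumably unused —
# confirm nothing in outputs.tf reads it, then remove it.
data "aws_iam_policy_document" "public_lambda_invoke_policy" {
  statement {
    sid = "PublicInvoke"
    effect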
# (continuation of data "aws_iam_policy_document" "public_lambda_invoke_policy")
    = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["lambda:InvokeFunction"]
    resources = [aws_lambda_function.public_lambda.arn]
  }
}

# The deliberate exposure: InvokeFunction granted to principal "*".
# NOTE(review): source_arn is the function's own ARN. That becomes an
# AWS:SourceArn condition on the statement, which direct Invoke calls by IAM
# principals do not carry, so this grant looks like it only matches
# service-originated invocations — verify from a second account you control,
# and drop source_arn if the intent is a function any AWS principal can invoke.
resource "aws_lambda_permission" "public_invoke_permission" {
  statement_id  = "AllowInvokeFromAnyone"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.public_lambda.function_name
  principal     = "*"
  source_arn    = aws_lambda_function.public_lambda.arn
}

# NOTE(review): python3.8 is past its Lambda deprecation date; creating new
# functions on it is likely to be rejected. Move to a supported Python release
# once index.py (not shown here) is confirmed to run on it.
resource "aws_lambda_function" "public_lambda" {
  filename      = data.archive_file.lambda_zip.output_path
  function_name = var.resource_name
  role          = aws_iam_role.lambda_execution_role.arn
  handler       = "index.lambda_handler"
  runtime       = "python3.8"
  tags          = var.tags

  environment {
    variables = {
      SENSITIVE_CONTENT = var.sensitive_content
    }
  }
}
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_eks/cluster/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

# I am really sick of doing this by hand over and over so taking the lazy way out
# Decoy cluster with an internet-reachable API endpoint: no
# cluster_endpoint_public_access_cidrs is given, so the endpoint answers from
# any address. IAM and aws-auth still gate what a caller can do, and failed
# authentication against it is the signal to watch.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  cluster_name    = var.resource_name
  cluster_version = "1.27"

  cluster_endpoint_public_access = true

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
  }

  vpc_id                   = var.vpc_id
  subnet_ids               = local.private_subnets
  control_plane_subnet_ids = local.public_subnets

  # EKS Managed Node Group(s)
  eks_managed_node_group_defaults = {
    instance_types = ["t3.small"]
  }

  eks_managed_node_groups = {
    blue = {}
    green = {
      min_size = 1
      max_size = 3
# (continuation of module "eks", eks_managed_node_groups.green)
      desired_size = 1

      instance_types = ["t3.large"]
      capacity_type  = "SPOT"
    }
  }

  # aws-auth configmap
  # NOTE(review): having the module manage the configmap requires a configured
  # kubernetes provider, which this file does not set up — confirm it is wired
  # up elsewhere in the module, or set this to false.
  manage_aws_auth_configmap = true

  # aws_auth_roles = [
  #   {
  #     rolearn  = "arn:aws:iam::66666666666:role/role1"
  #     username = "role1"
  #     groups   = ["system:masters"]
  #   },
  # ]

  # aws_auth_users = [
  #   {
  #     userarn  = "arn:aws:iam::66666666666:user/user1"
  #     username = "user1"
  #     groups   = ["system:masters"]
  #   },
  #   {
  #     userarn  = "arn:aws:iam::66666666666:user/user2"
  #     username = "user2"
  #     groups   = ["system:masters"]
  #   },
  # ]

  # aws_auth_accounts = [
  #   "777777777777",
  #   "888888888888",
  # ]

  tags = var.tags
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_efs/README.md: --------------------------------------------------------------------------------
# Public EFS

This creates a public EFS share.


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.12.0 |

## Modules

No modules.
22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_efs_file_system.fs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | 28 | | [aws_efs_file_system_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy) | resource | 29 | | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 30 | 31 | ## Inputs 32 | 33 | | Name | Description | Type | Default | Required | 34 | |------|-------------|------|---------|:--------:| 35 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 36 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 37 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 38 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
`{ "Creator": "CloudCommotion" }`
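| no |

## Outputs

| Name | Description |
|------|-------------|
| [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset |

-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_ec2/ssh/main.tf: --------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

data "aws_ami" "al2" {
  most_recent = true

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-2.0.*-x86_64-gp2"]
  }

  filter {
    name   = "owner-alias"
    values = ["amazon"]
  }
}

# Internet-facing decoy host with SSH open to var.allowed_ip. It carries an
# instance profile (SSM), so IMDSv2 is enforced: with a public address and an
# attached role, a v1 metadata endpoint would let any foothold or SSRF on the
# box read role credentials with no further effort.
resource "aws_instance" "ssh" {
  ami           = data.aws_ami.al2.id
  instance_type = var.instance_type
  subnet_id     = element(local.public_subnets, 0)
  key_name      = var.key_pair

  associate_public_ip_address = true

  vpc_security_group_ids = [aws_security_group.ssh.id]
  iam_instance_profile   = aws_iam_instance_profile.ssm_profile.name

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = var.tags
}

# Session manager for some debugging
resource "aws_iam_role" "ssm_role" {
  name        = var.resource_name
  description = var.sensitive_content

  tags = var.tags

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy_attachment" "ssm_attach" {
  role       = aws_iam_role.ssm_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm_profile" {
  name = var.resource_name

  role = aws_iam_role.ssm_role.name
}

resource "aws_security_group" "ssh" {
  name        = var.resource_name
  description = var.sensitive_content

  vpc_id = var.vpc_id

  tags = var.tags
}

# Allow inbound traffic
# SSH open to var.allowed_ip (0.0.0.0/0 by default); login attempts against
# the host are the signal this decoy exists to produce.
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.allowed_ip]
  security_group_id = aws_security_group.ssh.id
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_ecr/aws_ecr_public/README.md: --------------------------------------------------------------------------------
# Public ECR Private Registry

Creates a new elastic container registry in the private registry allowing any account to download/upload images to it.


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.12.0 |

## Modules

No modules.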
22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_ecr_repository.public_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | 28 | | [aws_ecr_repository_policy.my_repo_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource | 29 | | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 30 | 31 | ## Inputs 32 | 33 | | Name | Description | Type | Default | Required | 34 | |------|-------------|------|---------|:--------:| 35 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 36 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 37 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 38 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 39 | 40 | ## Outputs 41 | 42 | | Name | Description | 43 | |------|-------------| 44 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 45 | 46 | 
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_object_acl/main.tf: --------------------------------------------------------------------------------
# Exposed service: an S3 bucket with every Block Public Access guard disabled,
# holding one decoy object whose key looks like a sensitive file.
# region, resource_name, custom_sensitive_file, sensitive_content and tags are
# inputs declared outside this file.
provider "aws" {
  region = var.region
}

locals {
  ### Generate fake file name to ensure once found it is investigated
  # Default fake sensitive file names
  sensitive_files_generator = [
    "financial_report.pdf",
    "financial_data.xlsx",
    "personnel_records.csv",
    "decrypt_users.py",
    "revenue.docx",
    "government_ids.csv",
    "healthcare_data.json",
    "research_findings.ppt",
    "q1_earnings_report.pdf",
    "customer_ids.docx",
  ]
  # If a variable named "custom_sensitive_file" is set, use it as the sensitive file name;
  # otherwise pick one of the defaults above using random_integer.index.
  sensitive_file = var.custom_sensitive_file != "" ? var.custom_sensitive_file : local.sensitive_files_generator[random_integer.index.result]
}

# Random index for choosing a default file name; min/max span the whole list.
resource "random_integer" "index" {
  min = 0
  max = length(local.sensitive_files_generator) - 1
}

resource "aws_s3_bucket" "public_bucket" {
  bucket = var.resource_name
  tags   = var.tags

  lifecycle {
    # Decoy bucket: let `terraform destroy` remove it.
    prevent_destroy = false
  }
}

# BucketOwnerPreferred keeps ACLs usable on this bucket (the exposure this
# module is named after is ACL-based).
resource "aws_s3_bucket_ownership_controls" "ownership" {
  bucket = aws_s3_bucket.public_bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# The decoy object: key from local.sensitive_file, body from var.sensitive_content.
# NOTE(review): no `acl` argument appears on this object in this file — confirm
# where the module's intended object exposure is actually configured.
resource "aws_s3_object" "object" {
  depends_on = [aws_s3_bucket_ownership_controls.ownership]
  bucket     = aws_s3_bucket.public_bucket.bucket
  key        = local.sensitive_file

  content = var.sensitive_content
}

# Encryption at rest (SSE-S3); this has no bearing on who is allowed to read the object.
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" {
  bucket = aws_s3_bucket.public_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# All four Block Public Access guards are switched off on purpose: the bucket is
# meant to be discoverable as a misconfiguration, so any CSPM / AWS Config rule
# that checks Block Public Access should flag it.
resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
  bucket = aws_s3_bucket.public_bucket.id

  block_public_acls       = false
  ignore_public_acls      = false
  block_public_policy     = false
  restrict_public_buckets = false
}
-------------------------------------------------------------------------------- /terraform/exposed_services/aws_kms_key/README.md: -------------------------------------------------------------------------------- 1 | # Public KMS Key 2 | 3 | Creates a public KMS key through a resource policy. 
4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_kms_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | 28 | | [aws_kms_key.public_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | 29 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 30 | | [aws_iam_policy_document.public_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 37 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 38 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 39 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
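| no | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 46 | 47 | 
-------------------------------------------------------------------------------- /terraform/exposed_assets/aws_redshift/main.tf: --------------------------------------------------------------------------------
# Exposed asset: a single-node Redshift cluster with a public endpoint.
# region, node_type, vpc_id, allowed_ip, resource_name, sensitive_content and tags
# are inputs declared outside this file; local.public_subnets is defined elsewhere
# in the module as well.
provider "aws" {
  region = var.region
}

resource "aws_redshift_cluster" "cluster" {
  cluster_identifier = var.resource_name
  database_name      = "db"
  master_username    = "admin"
  # Generated by random_password.password below. The value is stored in plain
  # text in the Terraform state, so protect the state as you would the password.
  master_password    = random_password.password.result
  node_type          = var.node_type
  cluster_type       = "single-node"
  # NOTE(review): the subnet in the subnet group must be in this AZ or cluster
  # creation fails; local.public_subnets is defined outside this file.
  availability_zone   = "${var.region}a"
  skip_final_snapshot = true
  # Public endpoint on purpose: this is the misconfiguration being staged.
  publicly_accessible    = true
  vpc_security_group_ids = [aws_security_group.redshift.id]

  cluster_subnet_group_name = aws_redshift_subnet_group.sgroup.name

  tags = var.tags
}

resource "aws_redshift_subnet_group" "sgroup" {
  name = var.resource_name
  # subnet_ids takes a list of subnet IDs; element() yields a single string,
  # which Terraform rejects for this attribute, so wrap it in a list.
  subnet_ids = [element(local.public_subnets, 0)]

  tags = var.tags
}

# Redshift requires at least one upper-case, one lower-case and one numeric
# character in the master password; random_password only guarantees that when
# the minimums are set explicitly. The characters Redshift rejects ( / @ " ' \
# and space) are kept out of override_special.
resource "random_password" "password" {
  length           = 16
  special          = true
  min_lower        = 1
  min_upper        = 1
  min_numeric      = 1
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# NOTE(review): EC2 limits a security-group description to 255 characters, so a
# long var.sensitive_content would fail here — confirm against the variable's
# validation, if any.
resource "aws_security_group" "redshift" {
  name        = var.resource_name
  description = var.sensitive_content

  vpc_id = var.vpc_id

  tags = var.tags
}

# Only the Redshift port, and only from var.allowed_ip (CIDR notation; a single
# host needs a /32). Nothing in this file opens the port to 0.0.0.0/0.
resource "aws_security_group_rule" "redshift" {
  type              = "ingress"
  from_port         = 5439
  to_port           = 5439
  protocol          = "tcp"
  cidr_blocks       = [var.allowed_ip]
  security_group_id = aws_security_group.redshift.id
}

# Service role assumable only by Redshift. NOTE(review): the cluster above does
# not reference this role (no iam_roles argument in this file), so the S3
# read-only grant is unused unless it is attached somewhere else in the module.
resource "aws_iam_role" "redshift_role" {
  name = "${var.resource_name}-redshift-role"

  assume_role_policy = data.aws_iam_policy_document.policy.json
}

# Trust policy: only the Redshift service may assume redshift_role.
data "aws_iam_policy_document" "policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["redshift.amazonaws.com"]
    }
  }
}

data "aws_iam_policy" "redshift_s3_read_only" {
  arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "redshift_s3_read_only_attachment" {
  role       = aws_iam_role.redshift_role.name
  policy_arn = data.aws_iam_policy.redshift_s3_read_only.arn
}
-------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_administrator/README.md: -------------------------------------------------------------------------------- 1 | # Backdoored IAM Role 2 | 3 | IAM role with administrative access from an external account. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | >= 4.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 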
22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_iam_role.exposed_asset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 28 | | [aws_iam_role_policy_attachment.admin_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 29 | | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 30 | 31 | ## Inputs 32 | 33 | | Name | Description | Type | Default | Required | 34 | |------|-------------|------|---------|:--------:| 35 | | [account\_id](#input\_account\_id) | The AWS account ID that will have backdoor access | `string` | `"111111111111"` | no | 36 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 37 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 38 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 39 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [exposed\_asset](#output\_exposed\_asset) | Backdoored IAM role ARN | 46 | 47 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_secrets_manager/README.md: -------------------------------------------------------------------------------- 1 | # Public AWS Secrets Manager 2 | 3 | Creates a public AWS Secrets Manager secret with a flag. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | 28 | | [aws_secretsmanager_secret_policy.public_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource | 29 | | [aws_secretsmanager_secret_version.secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | 30 | | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 37 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 38 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive 
file to reach out to an appropriate contact. | `string` | n/a | yes | 39 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 46 | 47 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_ec2_ami/README.md: -------------------------------------------------------------------------------- 1 | # Public AMI 2 | 3 | Creates an EBS volume, takes a snapshot, creates an AMI, and makes it public. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_ami.public_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami) | resource | 28 | | [aws_ami_launch_permission.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission) | resource | 29 | | [aws_ebs_snapshot.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_snapshot) | resource | 30 | | [aws_ebs_volume.volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume) | resource | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [instance\_type](#input\_instance\_type) | The instance type to use for the EC2 instance | `string` | `"t3.micro"` | no | 37 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 38 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 39 | | [sensitive\_content](#input\_sensitive\_content) | Content of 
the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 40 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 47 | 48 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/ec2_ami/README.md: -------------------------------------------------------------------------------- 1 | # Cross Account AMI 2 | 3 | Creates an EBS volume, takes a snapshot, creates an AMI, and shares it with another account. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_ami.public_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami) | resource | 28 | | [aws_ami_launch_permission.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission) | resource | 29 | | [aws_ebs_snapshot.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_snapshot) | resource | 30 | | [aws_ebs_volume.volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume) | resource | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [instance\_type](#input\_instance\_type) | The instance type to use for the EC2 instance | `string` | `"t3.micro"` | no | 37 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 38 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 39 | | 
[sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 40 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 47 | 48 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/privesc_user/README.md: -------------------------------------------------------------------------------- 1 | # Administrative IAM User 2 | 3 | Create an IAM user with console login and access keys along with having administrative access to the account. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | >= 4.0 | 18 | | [random](#provider\_random) | n/a | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_iam_access_key.admin_user_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | 29 | | [aws_iam_user.admin_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | 30 | | [aws_iam_user_policy_attachment.admin_user_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource | 31 | | [random_password.user_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 38 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 39 | | 
[sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 40 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the administrator IAM user | 47 | 48 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_user/administrative_user/README.md: -------------------------------------------------------------------------------- 1 | # Administrative IAM User 2 | 3 | Create an IAM user with console login and access keys along with having administrative access to the account. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | >= 4.0 | 18 | | [random](#provider\_random) | n/a | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_iam_access_key.admin_user_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | 29 | | [aws_iam_user.admin_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | 30 | | [aws_iam_user_policy_attachment.admin_user_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource | 31 | | [random_password.user_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 38 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 39 | | 
[sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 40 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the administrator IAM user | 47 | 48 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/layer/README.md: -------------------------------------------------------------------------------- 1 | # Public Lambda Layer 2 | 3 | This module creates a fictitious public lambda layer. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | | [null](#requirement\_null) | >= 3.2 | 13 | 14 | ## Providers 15 | 16 | | Name | Version | 17 | |------|---------| 18 | | [aws](#provider\_aws) | 5.12.0 | 19 | | [null](#provider\_null) | 3.2.1 | 20 | 21 | ## Modules 22 | 23 | No modules. 24 | 25 | ## Resources 26 | 27 | | Name | Type | 28 | |------|------| 29 | | [aws_lambda_layer_version.lambda_layer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_layer_version) | resource | 30 | | [aws_lambda_layer_version_permission.lambda_layer_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_layer_version_permission) | resource | 31 | | [null_resource.layer_zip](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 32 | | [null_resource.remove_zip](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 33 | 34 | ## Inputs 35 | 36 | | Name | Description | Type | Default | Required | 37 | |------|-------------|------|---------|:--------:| 38 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 39 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 40 | | 
[sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 41 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 42 | 43 | ## Outputs 44 | 45 | | Name | Description | 46 | |------|-------------| 47 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 48 | 49 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_sqs/README.md: -------------------------------------------------------------------------------- 1 | # Public SQS Queue 2 | 3 | This module creates an SQS queue that anyone can consume; it holds your flag in the queue for 4 days by default (see `message_retention`). 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | | [null](#provider\_null) | 3.2.1 | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_sqs_queue.public_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | 29 | | [aws_sqs_queue_policy.public_queue_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | 30 | | [null_resource.send_sqs_message](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 31 | | [aws_iam_policy_document.public_queue_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [message\_retention](#input\_message\_retention) | Retention time defaults to 4 days (345600 seconds) | `number` | `345600` | no | 38 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 39 | | 
[resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 40 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 41 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 42 | 43 | ## Outputs 44 | 45 | No outputs. 46 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_backup_vault/README.md: -------------------------------------------------------------------------------- 1 | # Public AWS Backups 2 | 3 | This module creates an AWS Backup vault, enables cross-account backups, and then makes the vault public. Keep in mind that the account-level `Cross-account backup` setting stays enabled even after this module is destroyed, so running it can be dangerous! 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_backup_global_settings.settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_global_settings) | resource | 28 | | [aws_backup_vault.vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | 29 | | [aws_backup_vault_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource | 30 | | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 37 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 38 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an 
appropriate contact. | `string` | n/a | yes | 39 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 46 | 47 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_thirdparty_takeover/README.md: -------------------------------------------------------------------------------- 1 | # Third Party Takeover 2 | 3 | This module creates a route53 cname alias to a third party which may be vulnerable to takeovers. The default example is a wordpress.com subdomain takeover scenario. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_route53_record.thirdparty_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | 28 | 29 | ## Inputs 30 | 31 | | Name | Description | Type | Default | Required | 32 | |------|-------------|------|---------|:--------:| 33 | | [domain\_name](#input\_domain\_name) | The domain name used for the takeover | `string` | `"www.example.com"` | no | 34 | | [hosted\_zone\_id](#input\_hosted\_zone\_id) | The hosted zone ID for the domain name | `string` | n/a | yes | 35 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 36 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 37 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. 
| `string` | n/a | yes | 38 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 39 | | [thirdparty\_alias](#input\_thirdparty\_alias) | The alias of the site that does not exist | `string` | `"thissitedefinetelydoesnotexist.wordpress.com"` | no | 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | |------|-------------| 45 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 46 | 47 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_iam_role/README.md: -------------------------------------------------------------------------------- 1 | # Public IAM Role 2 | 3 | I am a little skeptical this even works but it applies and lights up red flags. Probably not the best idea ever. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 
22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 28 | | [aws_iam_role.public_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 29 | | [aws_iam_role_policy_attachment.example_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 30 | | [aws_iam_policy_document.get_caller_identity_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 31 | | [aws_iam_policy_document.wildcard_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 38 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 39 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 40 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 47 | 48 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/endpoint/README.md: -------------------------------------------------------------------------------- 1 | # Public Lambda Endpoint 2 | 3 | Creates a public facing lambda endpoint and returns the url to invoke the function publicly. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [archive](#provider\_archive) | 2.4.0 | 18 | | [aws](#provider\_aws) | 5.14.0 | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 29 | | [aws_lambda_function.public_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | 30 | | [aws_lambda_function_url.lambda_function_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_url) | resource | 31 | | [archive_file.lambda_zip](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | 32 | | [aws_iam_policy_document.lambda_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 33 | 34 | ## Inputs 35 | 36 | | Name | Description | Type | Default | Required | 37 | |------|-------------|------|---------|:--------:| 38 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 39 | | 
[resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 40 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 41 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 42 | 43 | ## Outputs 44 | 45 | | Name | Description | 46 | |------|-------------| 47 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 48 | 49 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_get/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | locals { 6 | ### Generate fake file name to ensure once found it is investigated 7 | # Default fake sensitive file names 8 | sensitive_files_generator = [ 9 | "financial_report.pdf", 10 | "financial_data.xlsx", 11 | "personnel_records.csv", 12 | "decrypt_users.py", 13 | "revenue.docx", 14 | "government_ids.csv", 15 | "healthcare_data.json", 16 | "research_findings.ppt", 17 | "q1_earnings_report.pdf", 18 | "customer_ids.docx", 19 | ] 20 | # If a variable named "custom_sensitive_file" is set, use it as the sensitive file name 21 | sensitive_file = var.custom_sensitive_file != "" ? 
var.custom_sensitive_file : local.sensitive_files_generator[random_integer.index.result] 22 | } 23 | 24 | # Random index for 25 | resource "random_integer" "index" { 26 | min = 0 27 | max = length(local.sensitive_files_generator) - 1 28 | } 29 | 30 | resource "aws_s3_bucket" "public_bucket" { 31 | bucket = var.resource_name 32 | tags = var.tags 33 | 34 | lifecycle { 35 | prevent_destroy = false 36 | } 37 | } 38 | 39 | resource "aws_s3_object" "object" { 40 | bucket = aws_s3_bucket.public_bucket.bucket 41 | key = local.sensitive_file 42 | 43 | content = var.sensitive_content 44 | } 45 | 46 | data "aws_iam_policy_document" "public_policy" { 47 | statement { 48 | sid = "PublicReadGetObject" 49 | effect = "Allow" 50 | principals { 51 | type = "AWS" 52 | identifiers = ["*"] 53 | } 54 | actions = ["s3:GetObject"] 55 | resources = [ 56 | "arn:aws:s3:::${aws_s3_bucket.public_bucket.id}/*" 57 | ] 58 | } 59 | } 60 | 61 | resource "aws_s3_bucket_policy" "s3_bucket_policy" { 62 | depends_on = [aws_s3_bucket_public_access_block.s3_bucket_public_access_block] 63 | 64 | bucket = aws_s3_bucket.public_bucket.id 65 | policy = data.aws_iam_policy_document.public_policy.json 66 | } 67 | 68 | resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" { 69 | bucket = aws_s3_bucket.public_bucket.id 70 | rule { 71 | apply_server_side_encryption_by_default { 72 | sse_algorithm = "AES256" 73 | } 74 | } 75 | } 76 | 77 | resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" { 78 | bucket = aws_s3_bucket.public_bucket.id 79 | 80 | block_public_acls = true 81 | ignore_public_acls = true 82 | block_public_policy = false 83 | restrict_public_buckets = false 84 | } 85 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_write/README.md: -------------------------------------------------------------------------------- 1 | # Public Write S3 2 | 3 | A 
publicly writable S3 bucket to which an attacker can upload arbitrary files.


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_s3_bucket.public_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_policy.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.s3_bucket_server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_iam_policy_document.public_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes |
| [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes |
| [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes |
| [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later.
| `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 41 | 42 | ## Outputs 43 | 44 | | Name | Description | 45 | |------|-------------| 46 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 47 | 48 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_opensearch/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | # Data account id 6 | data "aws_caller_identity" "current" {} 7 | 8 | data "aws_iam_policy_document" "opensearch" { 9 | statement { 10 | effect = "Allow" 11 | 12 | principals { 13 | type = "*" 14 | identifiers = ["*"] 15 | } 16 | 17 | actions = ["es:*"] 18 | resources = ["arn:aws:es:${var.region}:${data.aws_caller_identity.current.account_id}:domain/${var.resource_name}/*"] 19 | } 20 | } 21 | 22 | resource "aws_opensearch_domain" "domain" { 23 | domain_name = var.resource_name 24 | engine_version = var.opensearch_version 25 | 26 | cluster_config { 27 | instance_type = var.instance_type 28 | } 29 | 30 | access_policies = data.aws_iam_policy_document.opensearch.json 31 | 32 | advanced_security_options { 33 | enabled = false 34 | internal_user_database_enabled = true 35 | } 36 | 37 | node_to_node_encryption { 38 | enabled = true 39 | } 40 | 41 | domain_endpoint_options { 42 | enforce_https = true 43 | tls_security_policy = "Policy-Min-TLS-1-2-2019-07" 44 | } 45 | 46 | ebs_options { 47 | ebs_enabled = true 48 | volume_size = 20 49 | } 50 | 51 | tags = var.tags 52 | 53 | vpc_options { 54 | subnet_ids = [ element(local.public_subnets, 0) ] 55 | security_group_ids = [aws_security_group.opensearch.id] 56 | } 57 | } 58 | 59 | # AWS Security Group allowing access to the OpenSearch domain 60 | resource "aws_security_group" "opensearch" { 61 | name = "${var.resource_name}-opensearch" 62 | description = "Security group for OpenSearch domain ${var.resource_name}" 63 | 64 | vpc_id = var.vpc_id 65 | } 66 | 67 | # Allow access to the 
OpenSearch domain from var.allowed_ip (a caller-supplied CIDR, not "the public subnets").
# With advanced_security_options.enabled = false and an access policy that grants es:* to
# any principal, this security group is the only control on who can talk to the domain.
# NOTE(review): the domain is VPC-attached (vpc_options), so it has no internet-facing
# endpoint even when placed in a public subnet -- a 0.0.0.0/0 CIDR here still needs a
# path into the VPC. Also, Amazon OpenSearch Service domains accept connections on 443
# (and 80 when enforce_https is false), not 9200 -- confirm this rule admits any traffic.
resource "aws_security_group_rule" "opensearch_ingress" {
  type              = "ingress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = [var.allowed_ip]
  security_group_id = aws_security_group.opensearch.id
}

# Egress only: let the domain reach addresses inside the VPC CIDR (this is not an
# "access from the private subnets" rule).
resource "aws_security_group_rule" "opensearch_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [data.aws_vpc.vpc.cidr_block]
  security_group_id = aws_security_group.opensearch.id
}

# Get CIDR from VPC ID
data "aws_vpc" "vpc" {
  id = var.vpc_id
}
--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_eip_takeover/README.md:
--------------------------------------------------------------------------------
# EIP Route53 Takeover

This module creates a vulnerable Route53 record that can be taken over by another AWS customer. It allocates an EIP, points a Route53 record at it, and then releases the EIP via `null_resource.eip_deletion`, leaving a dangling record whose address can be handed to any other AWS account on its next allocation. As with the other takeover modules, avoid using this on customer-facing domains.


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.12.0 |
| [null](#provider\_null) | 3.2.1 |

## Modules

No modules.
23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_eip.eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | 29 | | [aws_route53_record.eip_takeover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | 30 | | [null_resource.eip_deletion](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [domain\_name](#input\_domain\_name) | The domain name used for the takeover | `string` | `"www.example.com"` | no | 37 | | [hosted\_zone\_id](#input\_hosted\_zone\_id) | The hosted zone ID for the domain name | `string` | n/a | yes | 38 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 39 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 40 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 41 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 42 | 43 | ## Outputs 44 | 45 | | Name | Description | 46 | |------|-------------| 47 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 48 | 49 | -------------------------------------------------------------------------------- /terraform/backdoored_entities/iam_role/external_privesc/README.md: -------------------------------------------------------------------------------- 1 | # Backdoored Privesc IAM Role 2 | 3 | IAM role with privesc abilities accessible from an external account. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | >= 4.0 | 18 | 19 | ## Modules 20 | 21 | No modules. 22 | 23 | ## Resources 24 | 25 | | Name | Type | 26 | |------|------| 27 | | [aws_iam_policy.priv_esc_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | 28 | | [aws_iam_role.exposed_asset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 29 | | [aws_iam_role_policy_attachment.potential_priv_esc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 30 | | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 31 | | [aws_iam_policy_document.priv_esc_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [account\_id](#input\_account\_id) | The AWS account ID that will have backdoor access | `string` | `"111111111111"` | no | 38 | | 
[region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 39 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 40 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 41 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 42 | 43 | ## Outputs 44 | 45 | | Name | Description | 46 | |------|-------------| 47 | | [exposed\_asset](#output\_exposed\_asset) | Backdoored IAM role ARN | 48 | 49 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_lambda/invoke/README.md: -------------------------------------------------------------------------------- 1 | # Public Lambda Invoke 2 | 3 | This module create a lambda function that can be invoked publicly. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [archive](#provider\_archive) | n/a | 18 | | [aws](#provider\_aws) | >= 4.0 | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 29 | | [aws_iam_role_policy.lambda_invoke_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | 30 | | [aws_lambda_function.public_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | 31 | | [aws_lambda_permission.public_invoke_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | 32 | | [archive_file.lambda_zip](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | 33 | | [aws_iam_policy_document.lambda_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 34 | | 
[aws_iam_policy_document.public_lambda_invoke_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 35 | 36 | ## Inputs 37 | 38 | | Name | Description | Type | Default | Required | 39 | |------|-------------|------|---------|:--------:| 40 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 41 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 42 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 43 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 44 | 45 | ## Outputs 46 | 47 | No outputs. 48 | 49 | -------------------------------------------------------------------------------- /terraform/exposed_services/aws_s3/public_list_get/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | locals { 6 | ### Generate fake file name to ensure once found it is investigated 7 | # Default fake sensitive file names 8 | sensitive_files_generator = [ 9 | "financial_report.pdf", 10 | "financial_data.xlsx", 11 | "personnel_records.csv", 12 | "decrypt_users.py", 13 | "revenue.docx", 14 | "government_ids.csv", 15 | "healthcare_data.json", 16 | "research_findings.ppt", 17 | "q1_earnings_report.pdf", 18 | "customer_ids.docx", 19 | ] 20 | # If a variable named "custom_sensitive_file" is set, use it as the sensitive file name 21 | sensitive_file = var.custom_sensitive_file != "" ? var.custom_sensitive_file : local.sensitive_files_generator[random_integer.index.result] 22 | } 23 | 24 | # Random index for 25 | resource "random_integer" "index" { 26 | min = 0 27 | max = length(local.sensitive_files_generator) - 1 28 | } 29 | 30 | resource "aws_s3_bucket" "public_bucket" { 31 | bucket = var.resource_name 32 | tags = var.tags 33 | 34 | lifecycle { 35 | prevent_destroy = false 36 | } 37 | } 38 | 39 | resource "aws_s3_object" "object" { 40 | bucket = aws_s3_bucket.public_bucket.bucket 41 | key = local.sensitive_file 42 | 43 | content = var.sensitive_content 44 | } 45 | 46 | data "aws_iam_policy_document" "public_policy" { 47 | statement { 48 | sid = "PublicReadGetObject" 49 | effect = "Allow" 50 | principals { 51 | type = "AWS" 52 | identifiers = ["*"] 53 | } 54 | actions = ["s3:GetObject"] 55 | resources = [ 56 | "arn:aws:s3:::${aws_s3_bucket.public_bucket.id}/*" 57 | ] 58 | } 59 | 60 | statement { 61 | sid = "PublicListBucket" 62 | effect = "Allow" 63 | principals { 64 | type = "AWS" 65 | identifiers = ["*"] 66 | } 67 | actions = 
["s3:ListBucket"] 68 | resources = [ 69 | aws_s3_bucket.public_bucket.arn, 70 | ] 71 | } 72 | } 73 | 74 | resource "aws_s3_bucket_policy" "s3_bucket_policy" { 75 | bucket = aws_s3_bucket.public_bucket.id 76 | policy = data.aws_iam_policy_document.public_policy.json 77 | } 78 | 79 | resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" { 80 | bucket = aws_s3_bucket.public_bucket.id 81 | rule { 82 | apply_server_side_encryption_by_default { 83 | sse_algorithm = "AES256" 84 | } 85 | } 86 | } 87 | 88 | resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" { 89 | bucket = aws_s3_bucket.public_bucket.id 90 | 91 | block_public_acls = true 92 | ignore_public_acls = true 93 | block_public_policy = false 94 | restrict_public_buckets = false 95 | } -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_s3_takeover/README.md: -------------------------------------------------------------------------------- 1 | # S3 Subdomain Takeover 2 | 3 | This module creates a route53 record to create a subdomain takeover that can be taken over by creating your S3 bucket. This module chooses to create a bucket prior to and then delete to ensure it is vulnerable. Avoid using this on customer facing domains. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.12.0 | 18 | | [null](#provider\_null) | 3.2.1 | 19 | 20 | ## Modules 21 | 22 | No modules. 
23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_route53_record.website_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | 29 | | [aws_s3_bucket.static_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | 30 | | [aws_s3_bucket_website_configuration.static_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource | 31 | | [null_resource.bucket_deletion](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 32 | 33 | ## Inputs 34 | 35 | | Name | Description | Type | Default | Required | 36 | |------|-------------|------|---------|:--------:| 37 | | [domain\_name](#input\_domain\_name) | The domain name used for the takeover | `string` | `"www.example.com"` | no | 38 | | [hosted\_zone\_id](#input\_hosted\_zone\_id) | The hosted zone ID for the domain name | `string` | n/a | yes | 39 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 40 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 41 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 42 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no | 43 | 44 | ## Outputs 45 | 46 | | Name | Description | 47 | |------|-------------| 48 | | [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset | 49 | 50 | -------------------------------------------------------------------------------- /terraform/exposed_assets/aws_rds/README.md: -------------------------------------------------------------------------------- 1 | # Public RDS 2 | 3 | This module creates a publicly accessible RDS instance. This module is not currently tested. 4 | 5 | 6 | ## Requirements 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [terraform](#requirement\_terraform) | >= 1.0 | 11 | | [aws](#requirement\_aws) | >= 4.0 | 12 | 13 | ## Providers 14 | 15 | | Name | Version | 16 | |------|---------| 17 | | [aws](#provider\_aws) | 5.15.0 | 18 | | [random](#provider\_random) | 3.5.1 | 19 | 20 | ## Modules 21 | 22 | No modules. 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_db_instance.rds_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | 29 | | [aws_db_subnet_group.rds_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | 30 | | [aws_security_group.rds_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | 31 | | [aws_security_group_rule.rds_security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | 32 | | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 33 | | [aws_route_table.subnet_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source | 34 | | [aws_subnets.vpc_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | 35 | 36 | 
## Inputs 37 | 38 | | Name | Description | Type | Default | Required | 39 | |------|-------------|------|---------|:--------:| 40 | | [allowed\_ip](#input\_allowed\_ip) | List of IP addresses to allow access to the box | `string` | `"0.0.0.0/0"` | no | 41 | | [node\_type](#input\_node\_type) | The instance type to use for the instance | `string` | `"db.t2.micro"` | no | 42 | | [region](#input\_region) | The AWS region to create resources in | `string` | n/a | yes | 43 | | [resource\_name](#input\_resource\_name) | Convincing bucket name for the organization | `string` | n/a | yes | 44 | | [sensitive\_content](#input\_sensitive\_content) | Content of the sensitive file to reach out to an appropriate contact. | `string` | n/a | yes | 45 | | [tags](#input\_tags) | Organization tagging strategy but should keep Creator tag for discovery later. | `map(string)` |
{
"Creator": "CloudCommotion"
}
| no |
| [vpc\_id](#input\_vpc\_id) | The VPC ID to launch the instance in | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| [exposed\_asset](#output\_exposed\_asset) | Name of the exposed asset |

--------------------------------------------------------------------------------
/terraform/misconfigurations/takeovers/aws_second_order_takeover/main.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = var.region
}

resource "aws_cloudfront_origin_access_identity" "oai" {
  comment = "OAI for ${var.domain_name}"
}

resource "aws_cloudfront_distribution" "distribution" {
  depends_on = [aws_cloudfront_origin_access_identity.oai]

  aliases         = [var.domain_name]
  comment         = "Distribution for ${var.domain_name}"
  enabled         = true
  is_ipv6_enabled = true

  default_root_object = "index.html"

  # aws_s3_bucket.s3_bucket is not defined in this file.
  origin {
    domain_name = aws_s3_bucket.s3_bucket.bucket_regional_domain_name
    origin_id   = aws_s3_bucket.s3_bucket.bucket_regional_domain_name

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = aws_s3_bucket.s3_bucket.bucket_regional_domain_name

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    compress               = true
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # NOTE(review): this references the certificate ARN directly, so nothing orders the
    # distribution after aws_acm_certificate_validation.example; CloudFront only accepts
    # an ISSUED certificate, so a fresh apply can fail here. Referencing
    # aws_acm_certificate_validation.example.certificate_arn instead sequences it.
    # CloudFront also requires the ACM certificate to live in us-east-1, while this
    # certificate is requested through the var.region provider -- confirm the region.
    acm_certificate_arn = aws_acm_certificate.certificate.arn
    ssl_support_method  = "sni-only"
minimum_protocol_version = "TLSv1.2_2021" 58 | } 59 | 60 | tags = var.tags 61 | } 62 | 63 | resource "aws_route53_record" "record" { 64 | zone_id = var.hosted_zone_id 65 | name = var.domain_name 66 | type = "A" 67 | 68 | alias { 69 | name = aws_cloudfront_distribution.distribution.domain_name 70 | zone_id = aws_cloudfront_distribution.distribution.hosted_zone_id 71 | evaluate_target_health = false 72 | } 73 | } 74 | 75 | resource "aws_acm_certificate" "certificate" { 76 | domain_name = var.domain_name 77 | validation_method = "DNS" 78 | 79 | tags = var.tags 80 | } 81 | 82 | resource "aws_route53_record" "record_validation" { 83 | for_each = { 84 | for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => { 85 | name = dvo.resource_record_name 86 | record = dvo.resource_record_value 87 | type = dvo.resource_record_type 88 | } 89 | } 90 | 91 | allow_overwrite = true 92 | name = each.value.name 93 | records = [each.value.record] 94 | ttl = 60 95 | type = each.value.type 96 | zone_id = var.hosted_zone_id 97 | } 98 | 99 | resource "aws_acm_certificate_validation" "example" { 100 | certificate_arn = aws_acm_certificate.certificate.arn 101 | validation_record_fqdns = [for record in aws_route53_record.record_validation : record.fqdn] 102 | } 103 | -------------------------------------------------------------------------------- /terraform/misconfigurations/takeovers/aws_asg_takeover_rce/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | data "aws_ami" "ubuntu" { 6 | most_recent = true 7 | 8 | filter { 9 | name = "name" 10 | values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] 11 | } 12 | 13 | filter { 14 | name = "virtualization-type" 15 | values = ["hvm"] 16 | } 17 | 18 | owners = ["099720109477"] # Canonical owner ID 19 | } 20 | 21 | # Launch template RCE 22 | resource "aws_launch_template" "lt" { 23 | name_prefix = 
var.resource_name

  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      volume_size = 20
    }
  }

  image_id      = data.aws_ami.ubuntu.id
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.sg.id]

  # NOTE(review): on a stock Ubuntu AMI /var/www/html is not present until the apache2
  # package creates it, so the first redirect fails (there is no `set -e`, so the script
  # carries on) and the page served is the package default rather than
  # var.sensitive_content -- move the echo after the install. The final curl|bash is the
  # intended takeover vector: setup.sh is fetched from the "<resource_name>-static"
  # bucket that is deleted below, so whoever registers that bucket name later runs code
  # as root on every instance this ASG launches. var.sensitive_content is expanded inside
  # a double-quoted shell string, so `$`, backticks and `"` in it would be interpreted by
  # bash.
  user_data = base64encode(<<-EOF
    #!/bin/bash
    echo "${var.sensitive_content}" > /var/www/html/index.html
    apt-get update
    apt-get install -y apache2
    systemctl start apache2
    systemctl enable apache2
    curl -sSL https://${var.resource_name}-static.s3.amazonaws.com/setup.sh | bash
    EOF
  )

  tags = var.tags
}

# Temporary bucket to host script that will be deleted to ensure it's not already owned
resource "aws_s3_bucket" "scripts_bucket" {
  bucket = "${var.resource_name}-static"

  tags = var.tags
}

# Deletes the bucket out-of-band right after creation so the name is free for an
# attacker to claim. Terraform state still records the bucket, so a later plan/apply
# will want to recreate it (which also closes the hole); nothing here orders the ASG
# after this deletion.
resource "null_resource" "bucket_deletion" {
  depends_on = [aws_s3_bucket.scripts_bucket]

  provisioner "local-exec" {
    command = "aws s3 rb s3://${aws_s3_bucket.scripts_bucket.bucket} --force"
  }
}

resource "aws_autoscaling_group" "asg" {
  name_prefix      = var.resource_name
  desired_capacity = 1
  max_size         = 2
  min_size         = 1

  launch_template {
    id      = aws_launch_template.lt.id
    version = "$Latest"
  }

  vpc_zone_identifier = [var.subnet_id]

  dynamic "tag" {
    for_each = var.tags
    content {
      key                 = tag.key
      propagate_at_launch = true
      value               = tag.value
    }
  }
}

# The canary text doubles as the group description (presumably so it is visible to
# anyone enumerating security groups).
resource "aws_security_group" "sg" {
  name        = var.resource_name
  description = var.sensitive_content

  vpc_id = var.vpc_id

  tags = var.tags
}

# Allow outbound traffic (80/443 only). No ingress rule is defined in this file, so the
# Apache listener on the instances is not reachable from outside -- the exposure is the
# outbound fetch of setup.sh, not the web server.
resource "aws_security_group_rule" "instance_outbound_80" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id =
aws_security_group.sg.id 106 | } 107 | 108 | resource "aws_security_group_rule" "instance_outbound_443" { 109 | type = "egress" 110 | from_port = 443 111 | to_port = 443 112 | protocol = "tcp" 113 | cidr_blocks = ["0.0.0.0/0"] 114 | security_group_id = aws_security_group.sg.id 115 | } 116 | --------------------------------------------------------------------------------