Merge pull request #6 from alphagov/cp-fix

Remove copy paste error, small change to README

Author: pritchyspritch

.secrets.baseline

@@ -1,9 +1,9 @@
 {
   "exclude": {
-    "files": null,
+    "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2020-03-26T09:57:13Z",
+  "generated_at": "2020-05-11T09:18:09Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -49,13 +49,14 @@
     "terraform/cloudinit/kali-instance.yaml": [
       {
         "hashed_secret": "d87c448044defb778f33158d8ccf94a20531d600",
+        "is_secret": false,
         "is_verified": false,
         "line_number": 9,
         "type": "Secret Keyword"
       }
     ]
   },
-  "version": "0.13.0",
+  "version": "0.13.1",
   "word_list": {
     "file": null,
     "hash": null

README.md

@@ -24,27 +24,29 @@ Within the AWS account you wish to deploy to.
 
 - Assume the role of the aws account you wish to deploy to at your cli.
 
-*Note that this has already been done for the security-testing aws account*
+*Note that this has already been done for the `security-vuln-testing` aws account*
 
 ### Deploy with the below commands
-- git clone git@github.com:alphagov/penetration-testing-instance.git
 
-- cd penetration-testing-instance/terraform
+- Ensure you are using terraform `0.12.3`
 
-- edit main.tf and place in your public ssh-key at ssh-pub-key-1.  
-If you are working as a pair also set ssh-pub-key-2.
+- `git clone git@github.com:alphagov/penetration-testing-instance.git`
 
-- terraform init; terraform plan
+- `cd penetration-testing-instance/terraform`
 
-*AWS Vault: aws-vault exec <profile> -- terraform init; terraform plan*
+- edit main.tf and place in your public ssh-key at ssh-pub-key-{number}.  
+
+- `terraform init; terraform plan`
+
+*AWS Vault: `aws-vault exec <profile> -- terraform init; terraform plan`*
 
 - If the plan looks good then run:
-terraform apply
+`terraform apply`
 
-- To obtain the public ip address run aws-vault exec <profile> -- aws ec2 describe-instances | grep 'GroupName\|PublicIp' 
+- The public IP will be output by TF
 
 - Once the instance is up, to access use:
-ssh pentester@<public-ip-address>
+`ssh pentester@<public-ip-address>`
 
 ## Cheatsheet to get started on some of the tooling
 CHEATSHEET FOR TOOLING

terraform/cloudinit/kali-instance.yaml

@@ -11,8 +11,9 @@ users:
     ssh_import_id: None
     lock_passwd: true
     ssh_authorized_keys:
-      - ${ssh-pub-key-1}
-      - ${ssh-pub-key-2}
+    %{ for key in ssh-keys ~}
+      - ${key}
+    %{ endfor ~}
 write_files:
   - path: /usr/local/bin/empire
     permissions: '0755'

terraform/main.tf

@@ -14,12 +14,14 @@ provider "aws" {
 }
 
 locals {
-# Set your SSH public keys here for who you want to be able to access the instance
-# Remove the existing keys
-  ssh-pub-key-1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChXVB0+ZEc2KB1147WHGbhSUGyB2xeLnwJ4CW9V9hWdTgGWMuiWOcgFc1BGGbQ2I6Be939/JzqmsNOlguB0Qq5OJgcHelgB2+qAqEb1I9gYwKFFoIOIpiG5WNNKfbY+C2OjW6zCy9n0bNdXuSDzG2becfeCtSurdoVQNwt54AEXNtQAjUqPk+T4pHpMdWpDIMamDw8PY8PG3hypr6ao5vy/vBOaIKezAGIsDnr8eVIVkaV/TCE9RRQLxpN/tXCowzRbAmIko7so5iKoQOXSzHLMk/dehDk4oQg8pdRG7n/QW3NXFg1KbS3STgUb/8uigwAVRWCEd9LysDaceUISZ2JOP2f692f/z2rA1gCQiM5qJBOTGzL980PfcnTcKA8LI7A//S+UdWEONThQlpnZf+aFTaLHLvuBNO4awOoMorDkI7FMUvyGTHKJVHqebHwBoFMKghn9tzQ/GKK+o0zNgZ5nZaVGRRzRhxv/UueYVPPlRAf0w5GRPzx4vyOc7PE4M6amIDrIG8xojVFn8m3KwQumU78m297HzWtK3CSJSDrU1k2gpHdM/8AArRtYhIyPl7w/CaC+GrVMpG3I4r1HFzR92qQ66aUanoqr40CXwL+kbyZirt3u4km2c140/qX3UJQYcmObk43MjepFxuVmRIqCqjsfBFp4ZpIqOhQdsr37Q=="
-  ssh-pub-key-2 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNNsdJTe3Z6n+Qa2i8bVAnT7Db/23tOCKnBmeSBtqkU1EyVL2ByV22qm6SqvOqPCokuXFeY+0llkDWps9K/ZOEAlhGIZ6iRZQVeuc4O37g1Jd5Pe+ITAorqhSXpEzefr2rbR4zfKqI2eQs1LxT+RRrx+e4JqTucGBqIxJofuz2Wka06dXzFtUYv/3wPs5KAdGnLGawnQRhE0LibeSP5ut2NJ0xTkbWBoBgyWMKrzR0+iyqFNR9RghcJLvcmFK/J6KpGrc+FcJQKbQGBkMyR6+Tfs9rwnoOW4JyIpM5XkkhXFrBxVckM1vR6Wt0cNJPlNBBngw9TytnIgijbyjixru3rJd2RU1yjvC5a1SMwhyfYaZAJlNCuJmNDTwKTXeoi5hi7nqmNP7EoywWz+y1Z6BHu02waclYvkMMozU7/Nn6j6EIltbghsNiFL4I2amQDcfRMjjhYqV7wzhPsGV4OSlOwvziEO9kbyl2nPJtYAMKQd5Ox8e8Y6Xu7qFnOJGLKLMr2FZm+xCh8IO5428YbziIqo8JUSQknFaTW+wQYPxbNys7oyeOd5OH8pkvzwyyQYEu83AiMcwzbqLwBdNxoQ0Q17pQw+jnFuPq4EgMrGupI8hwYRVzR9AkQtOABZ0hi9sSDT4VAxQvbcymnCed3MGMi4urnASOXWcHQXgfaxPK2w=="
-  ssh-pub-key-3 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQSE+tf9oN32B40RypJH8ov7A2K/V45F3R3DblhI8n7H1l/JnbJwsgYAmQMLGqcXlCbre8xZ5qEyR+vPVGF9/2vdnF1Fke3bNuyx8vpdFz+Kx3zDXJ7G20R2sNziVOFnRK93Go/pBtpxpWrrR9sI5vpdI4Cjp7sxFbo7/lL/fipBLA1H5ieUo7b0vVDM8cdNt7aTtc6FmSmjT2T1x4ILAuKptVU68JTLZoEE29RwdCZgkjPkZuaBHF78c3vQXbp8p4mA3gqGG9SYgSoPIGDBY1YQCkBiUm+m4JA+5LmRto9AAZjRff1NbQvEdzFojMuBF4bWTSasteLZwkkMdbP8XP cardno:000606445046"
-# The office-ips below are set to the GDS office egress ips, this local var is used to whitelist inbound ssh connections
+  # Set your SSH public keys here for who you want to be able to access the instance
+  # Remove the existing keys
+  ssh-keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChXVB0+ZEc2KB1147WHGbhSUGyB2xeLnwJ4CW9V9hWdTgGWMuiWOcgFc1BGGbQ2I6Be939/JzqmsNOlguB0Qq5OJgcHelgB2+qAqEb1I9gYwKFFoIOIpiG5WNNKfbY+C2OjW6zCy9n0bNdXuSDzG2becfeCtSurdoVQNwt54AEXNtQAjUqPk+T4pHpMdWpDIMamDw8PY8PG3hypr6ao5vy/vBOaIKezAGIsDnr8eVIVkaV/TCE9RRQLxpN/tXCowzRbAmIko7so5iKoQOXSzHLMk/dehDk4oQg8pdRG7n/QW3NXFg1KbS3STgUb/8uigwAVRWCEd9LysDaceUISZ2JOP2f692f/z2rA1gCQiM5qJBOTGzL980PfcnTcKA8LI7A//S+UdWEONThQlpnZf+aFTaLHLvuBNO4awOoMorDkI7FMUvyGTHKJVHqebHwBoFMKghn9tzQ/GKK+o0zNgZ5nZaVGRRzRhxv/UueYVPPlRAf0w5GRPzx4vyOc7PE4M6amIDrIG8xojVFn8m3KwQumU78m297HzWtK3CSJSDrU1k2gpHdM/8AArRtYhIyPl7w/CaC+GrVMpG3I4r1HFzR92qQ66aUanoqr40CXwL+kbyZirt3u4km2c140/qX3UJQYcmObk43MjepFxuVmRIqCqjsfBFp4ZpIqOhQdsr37Q==",
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNNsdJTe3Z6n+Qa2i8bVAnT7Db/23tOCKnBmeSBtqkU1EyVL2ByV22qm6SqvOqPCokuXFeY+0llkDWps9K/ZOEAlhGIZ6iRZQVeuc4O37g1Jd5Pe+ITAorqhSXpEzefr2rbR4zfKqI2eQs1LxT+RRrx+e4JqTucGBqIxJofuz2Wka06dXzFtUYv/3wPs5KAdGnLGawnQRhE0LibeSP5ut2NJ0xTkbWBoBgyWMKrzR0+iyqFNR9RghcJLvcmFK/J6KpGrc+FcJQKbQGBkMyR6+Tfs9rwnoOW4JyIpM5XkkhXFrBxVckM1vR6Wt0cNJPlNBBngw9TytnIgijbyjixru3rJd2RU1yjvC5a1SMwhyfYaZAJlNCuJmNDTwKTXeoi5hi7nqmNP7EoywWz+y1Z6BHu02waclYvkMMozU7/Nn6j6EIltbghsNiFL4I2amQDcfRMjjhYqV7wzhPsGV4OSlOwvziEO9kbyl2nPJtYAMKQd5Ox8e8Y6Xu7qFnOJGLKLMr2FZm+xCh8IO5428YbziIqo8JUSQknFaTW+wQYPxbNys7oyeOd5OH8pkvzwyyQYEu83AiMcwzbqLwBdNxoQ0Q17pQw+jnFuPq4EgMrGupI8hwYRVzR9AkQtOABZ0hi9sSDT4VAxQvbcymnCed3MGMi4urnASOXWcHQXgfaxPK2w==",
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQSE+tf9oN32B40RypJH8ov7A2K/V45F3R3DblhI8n7H1l/JnbJwsgYAmQMLGqcXlCbre8xZ5qEyR+vPVGF9/2vdnF1Fke3bNuyx8vpdFz+Kx3zDXJ7G20R2sNziVOFnRK93Go/pBtpxpWrrR9sI5vpdI4Cjp7sxFbo7/lL/fipBLA1H5ieUo7b0vVDM8cdNt7aTtc6FmSmjT2T1x4ILAuKptVU68JTLZoEE29RwdCZgkjPkZuaBHF78c3vQXbp8p4mA3gqGG9SYgSoPIGDBY1YQCkBiUm+m4JA+5LmRto9AAZjRff1NbQvEdzFojMuBF4bWTSasteLZwkkMdbP8XP cardno:000606445046"
+  ]
+  # The office-ips below are set to the GDS office egress ips, this local var is used to whitelist inbound ssh connections
   office-ips = [
     "85.133.67.244/32",
     "213.86.153.212/32",
@@ -41,7 +43,7 @@ resource "aws_vpc" "vuln-tooling" {
 }
 
 resource "aws_internet_gateway" "vuln-tooling-igw" {
-  vpc_id = "${aws_vpc.vuln-tooling.id}"
+  vpc_id = aws_vpc.vuln-tooling.id
 
   tags = {
     Name      = "Vulnerability Tooling Internet Gateway"
@@ -50,8 +52,8 @@ resource "aws_internet_gateway" "vuln-tooling-igw" {
 }
 
 resource "aws_subnet" "vuln-tooling-subnet" {
-  vpc_id     = "${aws_vpc.vuln-tooling.id}"
-  cidr_block = "10.0.1.0/24"
+  vpc_id                  = aws_vpc.vuln-tooling.id
+  cidr_block              = "10.0.1.0/24"
   availability_zone       = "eu-west-2a"
   map_public_ip_on_launch = true
 
@@ -62,11 +64,11 @@ resource "aws_subnet" "vuln-tooling-subnet" {
 }
 
 resource "aws_route_table" "vuln-tooling-route-table" {
-  vpc_id = "${aws_vpc.vuln-tooling.id}"
+  vpc_id = aws_vpc.vuln-tooling.id
 
   route {
-    cidr_block        = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.vuln-tooling-igw.id}"
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.vuln-tooling-igw.id
   }
 
   tags = {
@@ -76,8 +78,8 @@ resource "aws_route_table" "vuln-tooling-route-table" {
 }
 
 resource "aws_route_table_association" "vuln-tooling-association" {
-  subnet_id      = "${aws_subnet.vuln-tooling-subnet.id}"
-  route_table_id = "${aws_route_table.vuln-tooling-route-table.id}"
+  subnet_id      = aws_subnet.vuln-tooling-subnet.id
+  route_table_id = aws_route_table.vuln-tooling-route-table.id
 }
 
 data "aws_ami" "vuln-tooling-kali-ami" {
@@ -100,22 +102,10 @@ data "aws_ami" "vuln-tooling-kali-ami" {
   }
 }
 
-data "template_file" "kali_userdata" {
-  template = "${file("cloudinit/kali-instance.yaml")}"
-
-  vars = {
-    hostname        = "kali-pentest-01"
-    ssh-pub-key-1   = "${local.ssh-pub-key-1}"
-    ssh-pub-key-2   = "${local.ssh-pub-key-2}"
-    ssh-pub-key-2   = "${local.ssh-pub-key-3}"
-    bootstrap-tools = "${file("cloudinit/bootstrap-tools.sh.tpl")}"
-  }
-}
-
 resource "aws_security_group" "kali-pentest-sg" {
   name        = "kali-pentest-sg"
   description = "Kali PenTest Instance Security Group"
-  vpc_id      = "${aws_vpc.vuln-tooling.id}"
+  vpc_id      = aws_vpc.vuln-tooling.id
 
   ingress {
     from_port   = 22
@@ -125,9 +115,9 @@ resource "aws_security_group" "kali-pentest-sg" {
   }
 
   egress {
-    from_port = 0
-    to_port   = 0
-    protocol  = -1
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
     cidr_blocks = ["0.0.0.0/0"]
   }
 
@@ -138,18 +128,31 @@ resource "aws_security_group" "kali-pentest-sg" {
 }
 
 resource "aws_instance" "kali-pentest" {
-  ami           = "${data.aws_ami.vuln-tooling-kali-ami.id}"
+  ami           = data.aws_ami.vuln-tooling-kali-ami.id
   instance_type = "t2.medium"
-  user_data     = "${data.template_file.kali_userdata.rendered}"
-  monitoring    = "true"
-  subnet_id     = "${aws_subnet.vuln-tooling-subnet.id}"
+
+  user_data = templatefile(
+    "${path.module}/cloudinit/kali-instance.yaml",
+    {
+      hostname        = "kali-pentest-01"
+      ssh-keys        = local.ssh-keys
+      bootstrap-tools = "${file("cloudinit/bootstrap-tools.sh.tpl")}"
+    }
+  )
+
+  monitoring = "true"
+  subnet_id  = aws_subnet.vuln-tooling-subnet.id
 
   vpc_security_group_ids = [
-    "${aws_security_group.kali-pentest-sg.id}",
+    aws_security_group.kali-pentest-sg.id,
   ]
 
   tags = {
     Name      = "Vulnerability Tooling Kali Pentest Instance"
     ManagedBy = "terraform"
   }
 }
+
+output "instance_ip_addr" {
+  value = aws_instance.kali-pentest.public_ip
+}