Merge pull request #91 from cisagov/improvement/add-back-cdm-tools

jsf9k · web-flow · commit 793f5d422c21 · 2023-10-13T11:37:03.000-04:00
Add back CDM agents
diff --git a/src/cdm.yml b/src/cdm.yml
@@ -4,7 +4,24 @@
   become: yes
   become_method: ansible.builtin.sudo
   tasks:
-    - name: Install CrowdStrike
+    - name: Install CDM Tanium client
+      ansible.builtin.include_role:
+        name: cdm_tanium
+      vars:
+        cdm_tanium_server_name: "{{ lookup('aws_ssm', '/cdm/tanium_hostname') }}"
+        cdm_tanium_third_party_bucket_name: "{{ build_bucket }}"
+    - name: Install CDM Nessus agent
+      ansible.builtin.include_role:
+        name: cdm_nessus_agent
+      vars:
+        cdm_nessus_agent_third_party_bucket_name: "{{ build_bucket }}"
+    # The Python code that will be run by cloud-init to link the
+    # Nessus Agent will require boto3
+    - name: Install boto3
+      ansible.builtin.package:
+        name:
+          - python3-boto3
+    - name: Install CDM CrowdStrike
       ansible.builtin.include_role:
         name: crowdstrike
       vars:
@@ -25,3 +42,24 @@
           - direction: out
             port: 443
             proto: tcp
+          # Tanium
+          - direction: in
+            port: 17472
+            proto: tcp
+          - direction: out
+            port: 17472
+            proto: tcp
+          # Tanium threat response
+          - direction: in
+            port: 17475
+            proto: tcp
+          - direction: out
+            port: 17475
+            proto: tcp
+          # Tenable
+          - direction: in
+            port: 8834
+            proto: tcp
+          - direction: out
+            port: 8834
+            proto: tcp
diff --git a/src/requirements.yml b/src/requirements.yml
@@ -8,6 +8,10 @@ roles:
     src: https://github.com/cisagov/ansible-role-automated-security-updates
   - name: banner
     src: https://github.com/cisagov/ansible-role-banner
+  - name: cdm_nessus_agent
+    src: https://github.com/cisagov/ansible-role-cdm-nessus-agent
+  - name: cdm_tanium
+    src: https://github.com/cisagov/ansible-role-cdm-tanium-client
   - name: chrony_aws
     src: https://github.com/cisagov/ansible-role-chrony-aws
   - name: clamav
diff --git a/src/version.txt b/src/version.txt
@@ -1 +1 @@
-__version__ = "0.3.6"
+__version__ = "0.3.7"
diff --git a/terraform-build-user/main.tf b/terraform-build-user/main.tf
@@ -10,13 +10,74 @@ module "iam_user" {
   }
 
   ssm_parameters = [
+    "/cdm/tanium_hostname",
     "/cyhy/dev/users",
     "/openvpn/server/*",
     "/ssh/public_keys/*",
   ]
   user_name = "build-openvpn-packer"
 }
 
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-tanium-client to the production
+# EC2AMICreate role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_tanium_production" {
+  provider = aws.images-production-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_tanium_client.outputs.production_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_production.name
+}
+
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-tanium-client to the staging EC2AMICreate
+# role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_tanium_staging" {
+  provider = aws.images-staging-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_tanium_client.outputs.staging_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_staging.name
+}
+
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-nessus-agent to the production
+# EC2AMICreate role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_nessus_production" {
+  provider = aws.images-production-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_nessus_agent.outputs.production_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_production.name
+}
+
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-nessus-agent to the staging EC2AMICreate
+# role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_nessus_staging" {
+  provider = aws.images-staging-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_nessus_agent.outputs.staging_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_staging.name
+}
+
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-certificates to the production EC2AMICreate
+# role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_certificates_production" {
+  provider = aws.images-production-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_certificates.outputs.production_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_production.name
+}
+
+# Attach 3rd party S3 bucket read-only policy from
+# cisagov/ansible-role-cdm-certificates to the staging EC2AMICreate
+# role
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread_certificates_staging" {
+  provider = aws.images-staging-ami
+
+  policy_arn = data.terraform_remote_state.ansible_role_cdm_certificates.outputs.staging_bucket_policy.arn
+  role       = module.iam_user.ec2amicreate_role_staging.name
+}
+
 # Attach 3rd party S3 bucket read-only policy from
 # cisagov/ansible-role-crowdstrike to the production EC2AMICreate role
 resource "aws_iam_role_policy_attachment" "thirdpartybucketread_crowdstrike_production" {
diff --git a/terraform-build-user/remote_states.tf b/terraform-build-user/remote_states.tf
@@ -64,6 +64,45 @@ data "terraform_remote_state" "images_staging" {
   workspace = "staging"
 }
 
+data "terraform_remote_state" "ansible_role_cdm_certificates" {
+  backend = "s3"
+
+  config = {
+    encrypt        = true
+    bucket         = "cisa-cool-terraform-state"
+    dynamodb_table = "terraform-state-lock"
+    profile        = "cool-terraform-backend"
+    region         = "us-east-1"
+    key            = "ansible-role-cdm-certificates/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "ansible_role_cdm_nessus_agent" {
+  backend = "s3"
+
+  config = {
+    encrypt        = true
+    bucket         = "cisa-cool-terraform-state"
+    dynamodb_table = "terraform-state-lock"
+    profile        = "cool-terraform-backend"
+    region         = "us-east-1"
+    key            = "ansible-role-cdm-nessus-agent/terraform.tfstate"
+  }
+}
+
+data "terraform_remote_state" "ansible_role_cdm_tanium_client" {
+  backend = "s3"
+
+  config = {
+    encrypt        = true
+    bucket         = "cisa-cool-terraform-state"
+    dynamodb_table = "terraform-state-lock"
+    profile        = "cool-terraform-backend"
+    region         = "us-east-1"
+    key            = "ansible-role-cdm-tanium-client/terraform.tfstate"
+  }
+}
+
 data "terraform_remote_state" "ansible_role_crowdstrike" {
   backend = "s3"
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.3.6"`
	`1`	`+__version__ = "0.3.7"`