The following module spins up a Wazuh-OSSEC environment. It creates:
- an Elastic Load Balancer (classic) alongside an S3 bucket for logging
- an AutoScaling Group
- two S3 buckets, one for the georeplica and the other for logs
- related IAM roles to make everything works
- associate a DNS to the ELB with an ACM certificate
It supports SSL/TLS termination on the ELB with TLS 1.2 with strong chipers.
For more details please take a look here.
- working AWS credentials
- aws cli
- terraform
- htpasswd
wazuh_name
- Name to assign to the whole infrastructure.wazuh_username
- Username to access Wazuh's APIwazuh_passwd
- Password to access Wazuh's APIupload_path
- Directory where to store files to be uploaded to S3s3_bucket_name
- S3 bucket names3_replica_region
- S3 replica regionkeypair_name
- Keypair name used to access EC2 instancesasg_number_of_instances
- Maximum number of instances in ASG (default to 1).asg_minimum_number_of_instances
- Minimum number of instances in ASG (default to 1).extra_tags
- A map of additional tags to add to ELBs and SGs. Each element in the map must have the key = value format.cluster_extra_tags
- A list of additional tags to add to each Instance in the ASG. Each element in the list must be a map with the keys key, value, and propagate_at_launch.ossec_ami_id
- AMI ID to use.ossec_instance_type
- EC2 instance type (default t2.micro).vpc_id
- VPC ID where to spin the infrastructure.subnet_pub_ids
- Public subnet IDs where to spin the ELB.subnet_priv_ids
- Private subnet IDs where to spin the EC2 instances.bastion_host_sg_id
- Security Group ID of the bastion host (used to SSH into EC2 intances).sns_topic
- SNS topic to use for ASG notifications.dns_name
- The DNS name to associate with the ELB. It's the infrastructure's endpoint.route53_zone_id
- Route53 Zone ID, used to create the DNS name.
wazuh_asg_name
- Name of the ASG.lb_zone_id
- Load balancer ID.lb_dns
- Load balancer DNS name.lb_name
- Load balancer name
You can see a complete example usage in the example
directory within this repository.
Here is a simple usage:
module "ossec" {
source = "git::https://github.com/Cimpress-MCP/terraform.git//ossec_wazuh"
vpc_id = "vpc-e568d381"
extra_tags = {
project = "wazuh",
squad = "SET"
}
cluster_extra_tags = [
{
key = "chaos_monkey"
value = "true"
propagate_at_launch = true
}, {
key = "project"
value = "wazuh3"
propagate_at_launch = true
}, {
key = "squad"
value = "SET"
propagate_at_launch = true
}
]
subnet_pub_ids = "subnet-99a114c1,subnet-e1a43c97"
subnet_priv_ids = "subnet-e2a93b94,subnet-e6a194be"
wazuh_name = "wazuh"
wazuh_username = "contemascetti"
wazuh_passwd = "antani"
s3_bucket_name = "fim-bucket"
s3_replica_region = "us-west-1"
upload_path = "${path.root}/upload/ossec"
keypair_name = "fim_keypair"
ossec_ami_id = "ami-123431"
bastion_host_sg_id = "sg-12132121"
sns_topic = "arn:aws:sns:eu-west-1:XXXXXXXX:SlackNotify"
dns_name = "supercazzola.example.com"
route53_zone_id = "ZC918BNT12XX"
}
In the directory packer-ami
there is a script (build.sh
) that calls packer to create a Wazuh AMI in your AWS account.
Simply run it with:
packer-ami/$ bash build.sh
It creates a CIS hardened (using the script found here) AMI with an encrypted snapshot.