shogunlab / cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL

cool-assessment-terraform

This project is used to create an operational assessment environment in the COOL environment.

Pre-requisites

  • Terraform installed on your system.

  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).

  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).

  • Access to all of the Terraform remote states specified in remote_states.tf.

  • Accept the terms for any AWS Marketplace subscriptions to be used by the operations instances in your assessment environment (must be done in the AWS account hosting the assessment environment).

  • Access to AWS AMIs for Guacamole and any other operations instance types used in your assessment.

  • OpenSSL server certificate and private key for the Guacamole instance in your assessment environment, stored in an accessible AWS S3 bucket; this can be easily created via certboto-docker or a similar tool.

  • A Terraform variables file customized for your assessment environment, for example:

    assessment_account_name = "env0"
    private_domain          = "env0"
    
    vpc_cidr_block               = "10.224.0.0/21"
    operations_subnet_cidr_block = "10.224.0.0/24"
    private_subnet_cidr_blocks   = ["10.224.1.0/24", "10.224.2.0/24"]
    
    tags = {
      Team        = "VM Fusion - Development"
      Application = "COOL - env0 Account"
      Workspace   = "env0"
    }

Building the Terraform-based infrastructure

  1. Create a Terraform workspace (if you haven't already done so) for your assessment by running terraform workspace new <workspace_name>.

  2. Create a <workspace_name>.tfvars file with all of the required variables (see Inputs below for details).

  3. Run the command terraform init.

  4. Add all necessary permissions by running the command:

    terraform apply -var-file=<workspace_name>.tfvars --target=aws_iam_policy.provisionassessment_policy --target=aws_iam_role_policy_attachment.provisionassessment_policy_attachment

  5. Create all remaining Terraform infrastructure by running the command:

    terraform apply -var-file=<workspace_name>.tfvars
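Before running step 3 it is worth checking the variables file against the constraints this README states: the required inputs, subnets that lie inside the VPC block without overlapping, the supported keys of inbound_ports_allowed (every entry there is opened from anywhere), and a Nessus activation-code count that matches the instance count. The pre-flight checker below is an added example, not part of the cool-assessment-terraform project; it assumes the variables are written in Terraform's JSON variant (`<workspace_name>.tfvars.json`), the embedded SAMPLE is constructed, and the "base of the account name" rule from the private_domain description is interpreted as stripping a parenthesised suffix.

```python
"""Pre-flight checks for a cool-assessment-terraform variables file (added example)."""
import ipaddress
import json

# Required inputs and supported instance keys, as listed in the README's Inputs table.
REQUIRED = ("assessment_account_name", "operations_subnet_cidr_block",
            "private_subnet_cidr_blocks", "vpc_cidr_block")
INSTANCE_TYPES = {"assessorportal", "debiandesktop", "gophish", "kali", "nessus",
                  "pentestportal", "samba", "teamserver", "terraformer"}

# Constructed sample of a <workspace_name>.tfvars.json file, not a real deployment.
SAMPLE = """
{
  "assessment_account_name": "env0 (Staging)",
  "vpc_cidr_block": "10.224.0.0/21",
  "operations_subnet_cidr_block": "10.224.0.0/24",
  "private_subnet_cidr_blocks": ["10.224.1.0/24", "10.224.2.0/24"],
  "operations_instance_counts": {"kali": 1, "nessus": 1},
  "nessus_activation_codes": ["AAAA-BBBB-CCCC-DDDD"],
  "inbound_ports_allowed": {
    "kali": [{"protocol": "tcp", "from_port": 443, "to_port": 443},
             {"protocol": "tcp", "from_port": 9000, "to_port": 9009}]
  }
}
"""


def load_sample():
    return json.loads(SAMPLE)


def default_private_domain(account_name):
    """Default for private_domain as the README describes it: the base of the
    account name, so 'env0 (Staging)' -> 'env0' (assumes a parenthesised suffix)."""
    return account_name.split(" (", 1)[0].strip()


def check_cidrs(vpc_cidr, subnet_cidrs):
    """Every subnet must sit inside the VPC block, and subnets must not overlap."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            findings.append(f"subnet {cidr} is outside VPC {vpc_cidr}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


def check_inbound_ports(inbound):
    """Validate inbound_ports_allowed; each rule is ingress from anywhere, so wide
    ranges are reported as findings rather than silently accepted."""
    findings = []
    for key, rules in inbound.items():
        if key not in INSTANCE_TYPES:
            findings.append(f"inbound_ports_allowed: unsupported instance key '{key}'")
            continue
        for rule in rules:
            proto, lo, hi = rule.get("protocol"), rule.get("from_port"), rule.get("to_port")
            if proto not in ("tcp", "udp"):
                findings.append(f"{key}: protocol must be tcp or udp, got {proto!r}")
            if not (isinstance(lo, int) and isinstance(hi, int) and 0 < lo <= hi <= 65535):
                findings.append(f"{key}: bad port range {lo}-{hi}")
            elif hi - lo >= 1000:
                findings.append(f"{key}: {proto} {lo}-{hi} opens {hi - lo + 1} ports to anywhere")
    return findings


def check_nessus(codes, counts):
    """The number of activation codes must match the requested Nessus instance count."""
    want = counts.get("nessus", 0)
    if len(codes) != want:
        return [f"nessus_activation_codes has {len(codes)} code(s) but "
                f"operations_instance_counts asks for {want} Nessus instance(s)"]
    return []


def validate(tfvars):
    """Return a list of findings; an empty list means the file passed all checks."""
    findings = [f"missing required variable {name}" for name in REQUIRED if name not in tfvars]
    if findings:
        return findings
    findings += check_cidrs(tfvars["vpc_cidr_block"],
                            [tfvars["operations_subnet_cidr_block"]]
                            + list(tfvars["private_subnet_cidr_blocks"]))
    findings += check_inbound_ports(tfvars.get("inbound_ports_allowed", {}))
    findings += check_nessus(tfvars.get("nessus_activation_codes", []),
                             tfvars.get("operations_instance_counts", {"kali": 1}))
    return findings


def validate_file(path):
    with open(path) as fh:
        return validate(json.load(fh))


if __name__ == "__main__":
    cfg = load_sample()
    print("private_domain defaults to", default_private_domain(cfg["assessment_account_name"]))
    for line in validate(cfg) or ["no findings"]:
        print("-", line)
```

Point `validate_file` at your own `<workspace_name>.tfvars.json` to run the same checks before `terraform init`.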

Examples

Requirements

Name Version
terraform ~> 1.0
aws ~> 3.38
cloudinit ~> 2.0
null ~> 3.0

Providers

Name Version
aws ~> 3.38
aws.dns_sharedservices ~> 3.38
aws.organizationsreadonly ~> 3.38
aws.provisionassessment ~> 3.38
aws.provisionparameterstorereadrole ~> 3.38
aws.provisionsharedservices ~> 3.38
cloudinit ~> 2.0
null ~> 3.0
terraform n/a

Modules

Name Source Version
email_sending_domain_certreadrole github.com/cisagov/cert-read-role-tf-module n/a
guacamole_certreadrole github.com/cisagov/cert-read-role-tf-module n/a
read_terraform_state github.com/cisagov/terraform-state-read-role-tf-module n/a
run_shell_ssm_document gazoakley/session-manager-settings/aws n/a
vpc_flow_logs trussworks/vpc-flow-logs/aws ~>2.0

Resources

Name Type
aws_default_route_table.operations resource
aws_ebs_volume.assessorportal_docker resource
aws_ebs_volume.gophish_docker resource
aws_ec2_transit_gateway_route.assessment_route resource
aws_ec2_transit_gateway_route_table_association.association resource
aws_ec2_transit_gateway_vpc_attachment.assessment resource
aws_efs_file_system.persistent_storage resource
aws_efs_mount_target.target resource
aws_eip.gophish resource
aws_eip.kali resource
aws_eip.nat_gw resource
aws_eip.nessus resource
aws_eip.pentestportal resource
aws_eip.teamserver resource
aws_eip_association.gophish resource
aws_eip_association.kali resource
aws_eip_association.nessus resource
aws_eip_association.pentestportal resource
aws_eip_association.teamserver resource
aws_iam_instance_profile.assessorportal resource
aws_iam_instance_profile.debiandesktop resource
aws_iam_instance_profile.gophish resource
aws_iam_instance_profile.guacamole resource
aws_iam_instance_profile.kali resource
aws_iam_instance_profile.nessus resource
aws_iam_instance_profile.pentestportal resource
aws_iam_instance_profile.samba resource
aws_iam_instance_profile.teamserver resource
aws_iam_instance_profile.terraformer resource
aws_iam_policy.efs_mount_policy resource
aws_iam_policy.nessus_parameterstorereadonly_policy resource
aws_iam_policy.provisionassessment_policy resource
aws_iam_policy.ssmsession_policy resource
aws_iam_policy.terraformer_policy resource
aws_iam_policy.vnc_parameterstorereadonly_policy resource
aws_iam_role.assessorportal_instance_role resource
aws_iam_role.debiandesktop_instance_role resource
aws_iam_role.gophish_instance_role resource
aws_iam_role.guacamole_instance_role resource
aws_iam_role.kali_instance_role resource
aws_iam_role.nessus_instance_role resource
aws_iam_role.nessus_parameterstorereadonly_role resource
aws_iam_role.pentestportal_instance_role resource
aws_iam_role.samba_instance_role resource
aws_iam_role.ssmsession_role resource
aws_iam_role.teamserver_instance_role resource
aws_iam_role.terraformer_instance_role resource
aws_iam_role.terraformer_role resource
aws_iam_role.vnc_parameterstorereadonly_role resource
aws_iam_role_policy.gophish_assume_delegated_role_policy resource
aws_iam_role_policy.guacamole_assume_delegated_role_policy resource
aws_iam_role_policy.nessus_assume_delegated_role_policy resource
aws_iam_role_policy.teamserver_assume_delegated_role_policy resource
aws_iam_role_policy.terraformer_assume_delegated_role_policy resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_assessorportal resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_debiandesktop resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_gophish resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_guacamole resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_kali resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_nessus resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_pentestportal resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_samba resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_teamserver resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment_terraformer resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_assessorportal resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_debiandesktop resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_gophish resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_kali resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_pentestportal resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_samba resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_teamserver resource
aws_iam_role_policy_attachment.efs_mount_policy_attachment_terraformer resource
aws_iam_role_policy_attachment.nessus_parameterstorereadonly_policy_attachment resource
aws_iam_role_policy_attachment.provisionassessment_policy_attachment resource
aws_iam_role_policy_attachment.read_only_policy_attachment resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_assessorportal resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_debiandesktop resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_gophish resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_guacamole resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_kali resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_nessus resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_pentestportal resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_samba resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_teamserver resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment_terraformer resource
aws_iam_role_policy_attachment.ssmsession_policy_attachment resource
aws_iam_role_policy_attachment.terraformer_policy_attachment resource
aws_iam_role_policy_attachment.vnc_parameterstorereadonly_policy_attachment resource
aws_instance.assessorportal resource
aws_instance.debiandesktop resource
aws_instance.gophish resource
aws_instance.guacamole resource
aws_instance.kali resource
aws_instance.nessus resource
aws_instance.pentestportal resource
aws_instance.samba resource
aws_instance.teamserver resource
aws_instance.terraformer resource
aws_internet_gateway.assessment resource
aws_nat_gateway.nat_gw resource
aws_network_acl.operations resource
aws_network_acl.private resource
aws_network_acl_rule.operations_egress_to_anywhere_via_any_port resource
aws_network_acl_rule.operations_ingress_from_anywhere_else_vnc resource
aws_network_acl_rule.operations_ingress_from_anywhere_else_winrm resource
aws_network_acl_rule.operations_ingress_from_anywhere_via_allowed_ports resource
aws_network_acl_rule.operations_ingress_from_anywhere_via_icmp resource
aws_network_acl_rule.operations_ingress_from_anywhere_via_ports_1024_thru_3388 resource
aws_network_acl_rule.operations_ingress_from_anywhere_via_ports_3390_thru_50049 resource
aws_network_acl_rule.operations_ingress_from_anywhere_via_ports_50051_thru_65535 resource
aws_network_acl_rule.operations_ingress_from_private_via_http resource
aws_network_acl_rule.operations_ingress_from_private_via_https resource
aws_network_acl_rule.operations_ingress_from_private_via_ssh resource
aws_network_acl_rule.operations_ingress_from_private_via_vnc resource
aws_network_acl_rule.operations_ingress_from_private_via_winrm resource
aws_network_acl_rule.private_egress_to_anywhere_via_http resource
aws_network_acl_rule.private_egress_to_anywhere_via_https resource
aws_network_acl_rule.private_egress_to_anywhere_via_ssh resource
aws_network_acl_rule.private_egress_to_cool_via_ephemeral_ports resource
aws_network_acl_rule.private_egress_to_cool_via_ipa_ports resource
aws_network_acl_rule.private_egress_to_operations_via_ephemeral_ports resource
aws_network_acl_rule.private_egress_to_operations_via_ssh resource
aws_network_acl_rule.private_egress_to_operations_via_vnc resource
aws_network_acl_rule.private_egress_to_operations_via_winrm resource
aws_network_acl_rule.private_ingress_from_anywhere_else_efs resource
aws_network_acl_rule.private_ingress_from_anywhere_else_services resource
aws_network_acl_rule.private_ingress_from_anywhere_via_ephemeral_ports resource
aws_network_acl_rule.private_ingress_from_cool_vpn_services resource
aws_network_acl_rule.private_ingress_from_operations_efs resource
aws_network_acl_rule.private_ingress_from_operations_mattermost_web resource
aws_network_acl_rule.private_ingress_from_operations_smb resource
aws_network_acl_rule.private_ingress_from_operations_via_https resource
aws_network_acl_rule.private_ingress_to_tg_attachment_via_ipa_ports resource
aws_route.cool_operations resource
aws_route.cool_private resource
aws_route.external_operations resource
aws_route.external_private resource
aws_route53_record.assessorportal_A resource
aws_route53_record.debiandesktop_A resource
aws_route53_record.gophish_A resource
aws_route53_record.guacamole_A resource
aws_route53_record.guacamole_PTR resource
aws_route53_record.kali_A resource
aws_route53_record.nessus_A resource
aws_route53_record.pentestportal_A resource
aws_route53_record.samba_A resource
aws_route53_record.teamserver_A resource
aws_route53_record.terraformer_A resource
aws_route53_vpc_association_authorization.assessment_private resource
aws_route53_zone.assessment_private resource
aws_route53_zone.private_subnet_reverse resource
aws_route53_zone_association.assessment_private resource
aws_route_table.private_route_table resource
aws_route_table_association.private_route_table_associations resource
aws_security_group.assessorportal resource
aws_security_group.cloudwatch resource
aws_security_group.cloudwatch_and_ssm_agent resource
aws_security_group.debiandesktop resource
aws_security_group.efs_client resource
aws_security_group.efs_mount_target resource
aws_security_group.gophish resource
aws_security_group.guacamole resource
aws_security_group.guacamole_accessible resource
aws_security_group.kali resource
aws_security_group.nessus resource
aws_security_group.pentestportal resource
aws_security_group.scanner resource
aws_security_group.smb_client resource
aws_security_group.smb_server resource
aws_security_group.ssm resource
aws_security_group.sts resource
aws_security_group.teamserver resource
aws_security_group.terraformer resource
aws_security_group_rule.agent_egress_to_cloudwatch_via_https resource
aws_security_group_rule.agent_egress_to_ssm_via_https resource
aws_security_group_rule.allow_nfs_inbound resource
aws_security_group_rule.allow_nfs_outbound resource
aws_security_group_rule.assessorportal_egress_to_anywhere_via_http_and_https resource
aws_security_group_rule.debiandesktop_egress_to_anywhere_via_http_and_https resource
aws_security_group_rule.debiandesktop_egress_to_nessus_via_web_ui resource
aws_security_group_rule.gophish_egress_to_s3_via_https resource
aws_security_group_rule.gophish_egress_to_sts_via_https resource
aws_security_group_rule.guacamole_egress_to_cool_via_ipa_ports resource
aws_security_group_rule.guacamole_egress_to_hosts_via_ssh resource
aws_security_group_rule.guacamole_egress_to_hosts_via_vnc resource
aws_security_group_rule.guacamole_egress_to_s3_via_https resource
aws_security_group_rule.guacamole_egress_to_sts_via_https resource
aws_security_group_rule.guacamole_ingress_from_trusted_via_https resource
aws_security_group_rule.ingress_from_anywhere_to_assessorportal_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_debiandesktop_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_gophish_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_kali_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_nessus_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_pentestportal_via_allowed_ports resource
aws_security_group_rule.ingress_from_anywhere_to_teamserver_via_allowed_ports resource
aws_security_group_rule.ingress_from_debiandesktop_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_debiandesktop_to_ssm_via_https resource
aws_security_group_rule.ingress_from_gophish_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_gophish_to_ssm_via_https resource
aws_security_group_rule.ingress_from_gophish_to_sts_via_https resource
aws_security_group_rule.ingress_from_guacamole_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_guacamole_to_ssm_via_https resource
aws_security_group_rule.ingress_from_guacamole_to_sts_via_https resource
aws_security_group_rule.ingress_from_guacamole_via_ssh resource
aws_security_group_rule.ingress_from_guacamole_via_vnc resource
aws_security_group_rule.ingress_from_kali_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_kali_to_ssm_via_https resource
aws_security_group_rule.ingress_from_nessus_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_nessus_to_ssm_via_https resource
aws_security_group_rule.ingress_from_nessus_to_sts_via_https resource
aws_security_group_rule.ingress_from_operations_subnet_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_operations_subnet_to_ssm_via_https resource
aws_security_group_rule.ingress_from_operations_subnet_to_sts_via_https resource
aws_security_group_rule.ingress_from_pentestportal_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_pentestportal_to_ssm_via_https resource
aws_security_group_rule.ingress_from_samba_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_samba_to_ssm_via_https resource
aws_security_group_rule.ingress_from_teamserver_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_teamserver_to_gophish_via_smtp resource
aws_security_group_rule.ingress_from_teamserver_to_ssm_via_https resource
aws_security_group_rule.ingress_from_teamserver_to_sts_via_https resource
aws_security_group_rule.ingress_from_terraformer_to_cloudwatch_via_https resource
aws_security_group_rule.ingress_from_terraformer_to_ssm_via_https resource
aws_security_group_rule.ingress_from_terraformer_to_sts_via_https resource
aws_security_group_rule.kali_egress_to_nessus_via_web_ui resource
aws_security_group_rule.kali_egress_to_pentestportal_via_web resource
aws_security_group_rule.kali_egress_to_teamserver_via_imaps_and_cs resource
aws_security_group_rule.nessus_ingress_from_debiandesktop_via_web_ui resource
aws_security_group_rule.nessus_ingress_from_kali_via_web_ui resource
aws_security_group_rule.pentestportal_egress_to_anywhere_via_http_and_https resource
aws_security_group_rule.pentestportal_ingress_from_kali_via_web resource
aws_security_group_rule.scanner_egress_to_anywhere_via_any_port resource
aws_security_group_rule.scanner_ingress_from_anywhere_via_icmp resource
aws_security_group_rule.smb_client_egress_to_smb_server resource
aws_security_group_rule.smb_server_ingress_from_smb_client resource
aws_security_group_rule.teamserver_egress_to_gophish_via_587 resource
aws_security_group_rule.teamserver_egress_to_s3_via_https resource
aws_security_group_rule.teamserver_egress_to_sts_via_https resource
aws_security_group_rule.teamserver_ingress_from_kali_via_imaps_and_cs resource
aws_security_group_rule.terraformer_egress_anywhere_via_http resource
aws_security_group_rule.terraformer_egress_anywhere_via_https resource
aws_security_group_rule.terraformer_egress_anywhere_via_ssh resource
aws_security_group_rule.terraformer_egress_to_dynamodb_via_https resource
aws_security_group_rule.terraformer_egress_to_operations_via_winrm resource
aws_security_group_rule.terraformer_egress_to_s3_via_https resource
aws_security_group_rule.terraformer_egress_to_sts_via_https resource
aws_subnet.operations resource
aws_subnet.private resource
aws_volume_attachment.assessorportal_docker resource
aws_volume_attachment.gophish_docker resource
aws_vpc.assessment resource
aws_vpc_dhcp_options.assessment resource
aws_vpc_dhcp_options_association.assessment resource
aws_vpc_endpoint.dynamodb resource
aws_vpc_endpoint.ec2 resource
aws_vpc_endpoint.ec2messages resource
aws_vpc_endpoint.kms resource
aws_vpc_endpoint.logs resource
aws_vpc_endpoint.monitoring resource
aws_vpc_endpoint.s3 resource
aws_vpc_endpoint.ssm resource
aws_vpc_endpoint.ssmmessages resource
aws_vpc_endpoint.sts resource
aws_vpc_endpoint_route_table_association.s3_operations resource
aws_vpc_endpoint_route_table_association.s3_private resource
aws_vpc_endpoint_subnet_association.ec2 resource
aws_vpc_endpoint_subnet_association.ec2messages resource
aws_vpc_endpoint_subnet_association.kms resource
aws_vpc_endpoint_subnet_association.logs resource
aws_vpc_endpoint_subnet_association.monitoring resource
aws_vpc_endpoint_subnet_association.ssm resource
aws_vpc_endpoint_subnet_association.ssmmessages resource
aws_vpc_endpoint_subnet_association.sts resource
null_resource.break_association_with_default_route_table resource
aws_ami.assessorportal data source
aws_ami.debiandesktop data source
aws_ami.docker data source
aws_ami.gophish data source
aws_ami.guacamole data source
aws_ami.kali data source
aws_ami.nessus data source
aws_ami.samba data source
aws_ami.teamserver data source
aws_ami.terraformer data source
aws_caller_identity.assessment data source
aws_caller_identity.current data source
aws_default_tags.assessment data source
aws_iam_policy_document.ec2_service_assume_role_doc data source
aws_iam_policy_document.efs_mount_policy_doc data source
aws_iam_policy_document.gophish_assume_delegated_role_policy_doc data source
aws_iam_policy_document.guacamole_assume_delegated_role_policy_doc data source
aws_iam_policy_document.nessus_assume_delegated_role_policy_doc data source
aws_iam_policy_document.nessus_assume_role_doc data source
aws_iam_policy_document.nessus_parameterstorereadonly_doc data source
aws_iam_policy_document.provisionassessment_policy_doc data source
aws_iam_policy_document.ssmsession_doc data source
aws_iam_policy_document.teamserver_assume_delegated_role_policy_doc data source
aws_iam_policy_document.terraformer_assume_delegated_role_policy_doc data source
aws_iam_policy_document.terraformer_assume_role_doc data source
aws_iam_policy_document.terraformer_policy_doc data source
aws_iam_policy_document.users_account_assume_role_doc data source
aws_iam_policy_document.vnc_assume_role_doc data source
aws_iam_policy_document.vnc_parameterstorereadonly_doc data source
aws_organizations_organization.cool data source
cloudinit_config.assessorportal_cloud_init_tasks data source
cloudinit_config.gophish_cloud_init_tasks data source
cloudinit_config.guacamole_cloud_init_tasks data source
cloudinit_config.kali_cloud_init_tasks data source
cloudinit_config.nessus_cloud_init_tasks data source
cloudinit_config.samba_cloud_init_tasks data source
cloudinit_config.teamserver_cloud_init_tasks data source
cloudinit_config.terraformer_cloud_init_tasks data source
terraform_remote_state.dns_certboto data source
terraform_remote_state.dynamic_assessment data source
terraform_remote_state.images data source
terraform_remote_state.images_parameterstore data source
terraform_remote_state.master data source
terraform_remote_state.sharedservices data source
terraform_remote_state.sharedservices_networking data source
terraform_remote_state.terraform data source

Inputs

Name Description Type Default Required
assessment_account_name The name of the AWS account for this assessment (e.g. "env0"). string n/a yes
assessor_account_role_arn The ARN of an IAM role that can be assumed to create, delete, and modify AWS resources in a separate assessor-owned AWS account. string "arn:aws:iam::123456789012:role/Allow_It" no
aws_availability_zone The AWS availability zone to deploy into (e.g. a, b, c, etc.) string "a" no
aws_region The AWS region where the non-global resources for this assessment are to be provisioned (e.g. "us-east-1"). string "us-east-1" no
cert_bucket_name The name of the AWS S3 bucket where certificates are stored. string "cisa-cool-certificates" no
cool_domain The domain where the COOL resources reside (e.g. "cool.cyber.dhs.gov"). string "cool.cyber.dhs.gov" no
dns_ttl The TTL value to use for Route53 DNS records (e.g. 86400). A smaller value may be useful when the DNS records are changing often, for example when testing. number 60 no
email_sending_domain The domain to send emails from within the assessment environment (e.g. "example.com"). string "example.com" no
guac_connection_setup_path The full path to the dbinit directory where initialization files must be stored in order to work properly. (e.g. "/var/guacamole/dbinit") string "/var/guacamole/dbinit" no
inbound_ports_allowed A map specifying the ports allowed inbound (from anywhere) to the various instance types (e.g. {"kali": [{"protocol": "tcp", "from_port": 443, "to_port": 443}, {"protocol": "tcp", "from_port": 9000, "to_port": 9009}]}). The currently-supported keys are: "assessorportal", "debiandesktop", "gophish", "kali", "nessus", "pentestportal", "samba", "teamserver", and "terraformer". map(list(object({ protocol = string, from_port = number, to_port = number }))) { "assessorportal": [], "debiandesktop": [], "gophish": [], "kali": [], "nessus": [], "pentestportal": [], "samba": [], "teamserver": [], "terraformer": [] } no
nessus_activation_codes The list of Nessus activation codes (e.g. ["AAAA-BBBB-CCCC-DDDD"]). The number of codes in this list should match the number of Nessus instances defined in operations_instance_counts. list(string) [] no
operations_instance_counts A map specifying how many instances of each type should be created in the operations subnet (e.g. { "kali": 1 }). The currently-supported instance keys are: ["assessorportal", "debiandesktop", "gophish", "kali", "nessus", "pentestportal", "samba", "teamserver", "terraformer"]. map(number) { "kali": 1 } no
operations_subnet_cidr_block The operations subnet CIDR block for this assessment (e.g. "10.10.0.0/24"). string n/a yes
private_domain The local domain to use for this assessment (e.g. "env0"). If not provided, local.private_domain will be set to the base of the assessment account name. For example, if the account name is "env0 (Staging)", local.private_domain will default to "env0". Note that local.private_domain should be used in place of var.private_domain throughout this project. string "" no
private_subnet_cidr_blocks The list of private subnet CIDR blocks for this assessment (e.g. ["10.10.1.0/24", "10.10.2.0/24"]). list(string) n/a yes
provisionaccount_role_name The name of the IAM role that allows sufficient permissions to provision all AWS resources in the assessment account. string "ProvisionAccount" no
provisionassessment_policy_description The description to associate with the IAM policy that allows provisioning of the resources required in the assessment account. string "Allows provisioning of the resources required in the assessment account." no
provisionassessment_policy_name The name to assign the IAM policy that allows provisioning of the resources required in the assessment account. string "ProvisionAssessment" no
read_terraform_state_role_name The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-assessment-terraform state in the S3 bucket where Terraform state is stored. The %s in this name will be replaced by the value of the assessment_account_name variable. string "ReadCoolAssessmentTerraformTerraformState-%s" no
ssm_key_nessus_admin_password The AWS SSM Parameter Store parameter that contains the password of the Nessus admin user (e.g. "/nessus/assessment/admin_password"). string "/nessus/assessment/admin_password" no
ssm_key_nessus_admin_username The AWS SSM Parameter Store parameter that contains the username of the Nessus admin user (e.g. "/nessus/assessment/admin_username"). string "/nessus/assessment/admin_username" no
ssm_key_vnc_password The AWS SSM Parameter Store parameter that contains the password needed to connect to the TBD instance via VNC (e.g. "/vnc/password") string "/vnc/password" no
ssm_key_vnc_user_private_ssh_key The AWS SSM Parameter Store parameter that contains the private SSH key of the VNC user on the TBD instance (e.g. "/vnc/ssh/rsa_private_key") string "/vnc/ssh/rsa_private_key" no
ssm_key_vnc_username The AWS SSM Parameter Store parameter that contains the username of the VNC user on the TBD instance (e.g. "/vnc/username") string "/vnc/username" no
ssmsession_role_description The description to associate with the IAM role (and policy) that allows creation of SSM SessionManager sessions to any EC2 instance in this account. string "Allows creation of SSM SessionManager sessions to any EC2 instance in this account." no
ssmsession_role_name The name to assign the IAM role (and policy) that allows creation of SSM SessionManager sessions to any EC2 instance in this account. string "StartStopSSMSession" no
tags Tags to apply to all AWS resources created map(string) {} no
terraformer_role_description The description to associate with the IAM role (and policy) that allows Terraformer instances to create appropriate AWS resources in this account. string "Allows Terraformer instances to create appropriate AWS resources in this account." no
terraformer_role_name The name to assign the IAM role (and policy) that allows Terraformer instances to create appropriate AWS resources in this account. string "Terraformer" no
vpc_cidr_block The CIDR block to use for this assessment's VPC (e.g. "10.224.0.0/21"). string n/a yes

Outputs

Name Description
assessment_private_zone The private DNS zone for this assessment.
assessor_portal_instance_profile The instance profile for the Assessor Portal instances.
assessor_portal_instances The Assessor Portal instances.
assessor_portal_security_group The security group for the Assessor Portal instances.
aws_region The AWS region where this assessment environment lives.
certificate_bucket_name The name of the S3 bucket where certificate information is stored for this assessment.
cloudwatch_and_ssm_agent_security_group A security group for all instances. Allows access to the VPC endpoint resources necessary for the AWS CloudWatch agent and the AWS SSM agent.
debian_desktop_instance_profile The instance profile for the Debian desktop instances.
debian_desktop_instances The Debian desktop instances.
debian_desktop_security_group The security group for the Debian desktop instances.
efs_client_security_group A security group that should be applied to all instances that will mount the EFS file share.
efs_mount_targets The mount targets for the EFS file share.
email_sending_domain_certreadrole The IAM role that allows for reading the certificate for the email-sending domain.
gophish_instance_profile The instance profile for the Gophish instances.
gophish_instances The Gophish instances.
gophish_security_group The security group for the Gophish instances.
guacamole_accessible_security_group A security group that should be applied to all instances that are to be accessible from Guacamole.
guacamole_server The AWS EC2 instance hosting Guacamole.
kali_instance_profile The instance profile for the Kali instances.
kali_instances The Kali instances.
kali_security_group The security group for the Kali instances.
nessus_instance_profile The instance profile for the Nessus instances.
nessus_instances The Nessus instances.
nessus_security_group The security group for the Nessus instances.
operations_subnet The operations subnet.
operations_subnet_acl The access control list (ACL) for the operations subnet.
pentest_portal_instance_profile The instance profile for the Pentest Portal instances.
pentest_portal_instances The Pentest Portal instances.
pentest_portal_security_group The security group for the Pentest Portal instances.
private_subnet_acls The access control lists (ACLs) for the private subnets.
private_subnet_cidr_blocks The private subnet CIDR blocks. These are used to index into the private_subnets and efs_mount_targets outputs.
private_subnet_nat_gateway The NAT gateway for the private subnets.
private_subnets The private subnets.
read_terraform_state_module The IAM policies and role that allow read-only access to the cool-assessment-terraform workspace-specific state in the Terraform state bucket.
remote_desktop_url The URL of the remote desktop gateway (Guacamole) for this assessment.
samba_client_security_group The security group that should be applied to all instance types that wish to mount the Samba file share being served by the Samba file share server instances.
samba_instance_profile The instance profile for the Samba file share server instances.
samba_instances The Samba file share server instances.
samba_server_security_group The security group for the Samba file share server instances.
scanner_security_group A security group that should be applied to all instance types that perform scanning. This security group allows egress to anywhere as well as ingress from anywhere via ICMP.
ssm_session_role An IAM role that allows creation of SSM SessionManager sessions to any EC2 instance in this account.
teamserver_instance_profile The instance profile for the Teamserver instances.
teamserver_instances The Teamserver instances.
teamserver_security_group The security group for the Teamserver instances.
terraformer_instances The Terraformer instances.
terraformer_security_group The security group for the Terraformer instances.
vpc The VPC for this assessment environment.
vpn_server_cidr_block The CIDR block for the COOL VPN.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
