Add variable for publishing egress IP addresses #240

Merged
merged 6 commits into from
May 15, 2024
Changes from 5 commits
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -493,7 +493,7 @@ the COOL environment.
| assessmentfindingsbucketwrite\_sharedservices\_policy\_description | The description to associate with the IAM policy that allows assumption of the role in the Shared Services account that is allowed to write to the assessment findings bucket. | `string` | `"Allows assumption of the role in the Shared Services account that is allowed to write to the assessment findings bucket."` | no |
| assessmentfindingsbucketwrite\_sharedservices\_policy\_name | The name to assign the IAM policy that allows assumption of the role in the Shared Services account that is allowed to write to the assessment findings bucket. | `string` | `"SharedServices-AssumeAssessmentFindingsBucketWrite"` | no |
| assessor\_account\_role\_arn | The ARN of an IAM role that can be assumed to create, delete, and modify AWS resources in a separate assessor-owned AWS account. | `string` | `"arn:aws:iam::123456789012:role/Allow_It"` | no |
| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.) | `string` | `"a"` | no |
| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | `string` | `"a"` | no |
| aws\_region | The AWS region where the non-global resources for this assessment are to be provisioned (e.g. "us-east-1"). | `string` | `"us-east-1"` | no |
| cert\_bucket\_name | The name of the AWS S3 bucket where certificates are stored. | `string` | `"cisa-cool-certificates"` | no |
| cool\_domain | The domain where the COOL resources reside (e.g. "cool.cyber.dhs.gov"). | `string` | `"cool.cyber.dhs.gov"` | no |
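Review bot: this hunk only adds the trailing period to the aws_availability_zone description; if the README table is generated from the variable descriptions in variables.tf, make the same edit there (the variables.tf hunk in this PR does not touch aws_availability_zone), otherwise the next regeneration will undo it.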
Expand All @@ -517,6 +517,7 @@ the COOL environment.
| provisionassessment\_policy\_name | The name to assign the IAM policy that allows provisioning of the resources required in the assessment account. | `string` | `"ProvisionAssessment"` | no |
| provisionssmsessionmanager\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account. | `string` | `"Allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account."` | no |
| provisionssmsessionmanager\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account. | `string` | `"ProvisionSSMSessionManager"` | no |
| publish\_egress\_ip\_addresses | A boolean value that specifies whether EC2 instances in the operations subnet should be tagged to indicate that their public IP addresses may be published. This is useful for deconfliction purposes. IP address publishing can be done via the code in cisagov/publish-egress-ip-lambda and cisagov/publish-egress-ip-terraform. | `bool` | `false` | no |
| read\_terraform\_state\_role\_name | The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-assessment-terraform state in the S3 bucket where Terraform state is stored. The %s in this name will be replaced by the value of the assessment\_account\_name variable. | `string` | `"ReadCoolAssessmentTerraformTerraformState-%s"` | no |
| session\_cloudwatch\_log\_group\_name | The name of the log group into which session logs are to be uploaded. | `string` | `"/ssm/session-logs"` | no |
| ssm\_key\_artifact\_export\_access\_key\_id | The AWS SSM Parameter Store parameter that contains the AWS access key of the IAM user that can write to the assessment artifact export bucket (e.g. "/assessment\_artifact\_export/access\_key\_id"). | `string` | `"/assessment_artifact_export/access_key_id"` | no |
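Review bot: the publish_egress_ip_addresses row says the variable controls tagging of "EC2 instances in the operations subnet", but the diff also applies it to the aws_eip resources (egressassess, gophish, kali, nessus, teamserver) and leaves the pentestportal EIP hard-coded to "False"; state that the PentestPortal EIP is always excluded so operators do not expect this variable to publish it. The wording also drifts from the variables.tf description in this PR ("IP address publishing can be done via" here versus "Publishing these addresses can be done via" there); keep the two identical.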
3 changes: 2 additions & 1 deletion debiandesktop_ec2.tf
Expand Up @@ -56,7 +56,8 @@ resource "aws_instance" "debiandesktop" {
}
subnet_id = aws_subnet.operations.id
tags = {
Name = format("DebianDesktop%d", count.index)
Name = format("DebianDesktop%d", count.index)
"Publish Egress" = var.publish_egress_ip_addresses
}
user_data_base64 = data.cloudinit_config.debiandesktop_cloud_init_tasks[count.index].rendered
# volume_tags does not yet inherit the default tags from the
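Review bot: `"Publish Egress" = var.publish_egress_ip_addresses` puts a bool into the tags map, which Terraform converts implicitly to the strings "true"/"false". That is valid, but the casing differs from the literal "True" these tags carried before in the aws_eip resources, and the conversion is not obvious from the code; consider making it explicit, e.g. `"Publish Egress" = tostring(var.publish_egress_ip_addresses)`, or `title(tostring(var.publish_egress_ip_addresses))` if the tag consumer expects the capitalized form. Note also that this hunk tags the aws_instance rather than an EIP, so the consumer must read the instance's public IP for this resource.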
2 changes: 1 addition & 1 deletion egressassess_ec2.tf
Expand Up @@ -74,7 +74,7 @@ resource "aws_eip" "egressassess" {

tags = {
Name = format("EgressAssess%d EIP", count.index)
"Publish Egress" = "True"
"Publish Egress" = var.publish_egress_ip_addresses
}
vpc = true
}
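Review bot: the removed line shows the tag was previously the literal string "True", whereas the variable yields "true" or "false" (lower-case) after Terraform's bool-to-string conversion. Confirm that whatever reads the "Publish Egress" tag (the README names cisagov/publish-egress-ip-lambda) compares case-insensitively, or normalize the value here so existing and newly tagged resources agree; otherwise a plan against an existing deployment will show a "True" to "true" tag update on every EIP. The same applies to the gophish, kali, nessus and teamserver hunks below.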
2 changes: 1 addition & 1 deletion gophish_ec2.tf
Expand Up @@ -85,7 +85,7 @@ resource "aws_eip" "gophish" {

tags = {
Name = format("Gophish%d EIP", count.index)
"Publish Egress" = "True"
"Publish Egress" = var.publish_egress_ip_addresses
}
vpc = true
}
2 changes: 1 addition & 1 deletion kali_ec2.tf
Expand Up @@ -84,7 +84,7 @@ resource "aws_eip" "kali" {

tags = {
Name = format("Kali%d EIP", count.index)
"Publish Egress" = "True"
"Publish Egress" = var.publish_egress_ip_addresses
}
vpc = true
}
2 changes: 1 addition & 1 deletion nessus_ec2.tf
Expand Up @@ -95,7 +95,7 @@ resource "aws_eip" "nessus" {

tags = {
Name = format("Nessus%d EIP", count.index)
"Publish Egress" = "True"
"Publish Egress" = var.publish_egress_ip_addresses
}
vpc = true
}
3 changes: 2 additions & 1 deletion pentestportal_ec2.tf
Expand Up @@ -80,7 +80,8 @@ resource "aws_eip" "pentestportal" {
provider = aws.provisionassessment

tags = {
Name = format("PentestPortal%d EIP", count.index + 1)
Name = format("PentestPortal%d EIP", count.index + 1)
# This instance type is always excluded from egress IP publishing
"Publish Egress" = "False"
}
vpc = true
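Review bot: the hard-coded `"Publish Egress" = "False"` keeps the capitalized spelling while the other resources in this PR now derive the value from a bool variable, which Terraform renders as lower-case "false"; pick one spelling so consumers of the tag see a consistent value. The new comment says this instance type is always excluded but not why; a short reason would save the next person from wiring it to the variable.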
2 changes: 1 addition & 1 deletion teamserver_ec2.tf
Expand Up @@ -95,7 +95,7 @@ resource "aws_eip" "teamserver" {

tags = {
Name = format("Teamserver%d EIP", count.index)
"Publish Egress" = "True"
"Publish Egress" = var.publish_egress_ip_addresses
}
vpc = true
}
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -270,6 +270,12 @@ variable "provisionssmsessionmanager_policy_name" {
type = string
}

variable "publish_egress_ip_addresses" {
default = false
description = "A boolean value that specifies whether EC2 instances in the operations subnet should be tagged to indicate that their public IP addresses may be published. This is useful for deconfliction purposes. Publishing these addresses can be done via the code in cisagov/publish-egress-ip-lambda and cisagov/publish-egress-ip-terraform."
type = bool
}

variable "read_terraform_state_role_name" {
default = "ReadCoolAssessmentTerraformTerraformState-%s"
description = "The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-assessment-terraform state in the S3 bucket where Terraform state is stored. The %s in this name will be replaced by the value of the assessment_account_name variable."
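Review bot: the description of publish_egress_ip_addresses here does not match the README row added in the same PR ("Publishing these addresses can be done via" versus "IP address publishing can be done via"); align the two. It would also help to say in the description that the value is emitted as the "Publish Egress" tag string, since that is what downstream tooling actually reads.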
3 changes: 2 additions & 1 deletion windows_ec2.tf
Expand Up @@ -57,7 +57,8 @@ resource "aws_instance" "windows" {
}
subnet_id = aws_subnet.operations.id
tags = {
Name = format("Windows%d", count.index)
Name = format("Windows%d", count.index)
"Publish Egress" = var.publish_egress_ip_addresses
}
user_data = templatefile(
"${path.module}/ec2launch/windows-setup.tpl.yml",