Merge pull request #640 from cisagov/improvement/create_cyhy_user_dur…

…ing_ami_build Move `cyhy` user creation to AMI build time
cisagov · Mar 28, 2023 · b7c63c1 · b7c63c1
2 parents 2f4e310 + d6a83bb
commit b7c63c1
Show file tree

Hide file tree

Showing 9 changed files with 28 additions and 51 deletions.
diff --git a/packer/ansible/create_cyhy_user.yml b/packer/ansible/create_cyhy_user.yml
@@ -0,0 +1,25 @@
+---
+# The bastion is the only instance that does not need a cyhy user for
+# operational functionality.
+- hosts: all:!bastion
+  name: Create the cyhy user and set up SSH access
+  become: yes
+  become_method: sudo
+  tasks:
+    - name: Create the cyhy user
+      ansible.builtin.user:
+        home: /var/cyhy
+        name: cyhy
+        shell: /bin/bash
+        uid: 2048
+      register: user_info
+
+    - name: Modify permissions on the home directory
+      ansible.builtin.file:
+        mode: 0750
+        path: "{{ user_info.home }}"
+
+    - name: Add the SSH public key as an authorized key
+      ansible.posix.authorized_key:
+        key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOreUDnms12MPI0gh7K+YGaESYgC2TY1zA+kSK/g+n5+ cyhy
+        user: cyhy
diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
@@ -2,6 +2,9 @@
 - name: Import AWS playbook
   ansible.builtin.import_playbook: aws.yml
 
+- name: Import cyhy user creation playbook
+  ansible.builtin.import_playbook: create_cyhy_user.yml
+
 - hosts: all
   name: Add a banner, persist journald, install ClamAV, and setup dev team ssh
   become: yes

diff --git a/terraform/bod_docker_cloud_init.tf b/terraform/bod_docker_cloud_init.tf
@@ -5,13 +5,6 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in

diff --git a/terraform/cloud-init/cyhy_user_ssh_setup.yml b/terraform/cloud-init/cyhy_user_ssh_setup.yml
diff --git a/terraform/cyhy_dashboard_cloud_init.tf b/terraform/cyhy_dashboard_cloud_init.tf
@@ -4,13 +4,6 @@ data "cloudinit_config" "cyhy_dashboard_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in

diff --git a/terraform/cyhy_mongo_cloud_init.tf b/terraform/cyhy_mongo_cloud_init.tf
@@ -7,13 +7,6 @@ data "cloudinit_config" "cyhy_mongo_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in

diff --git a/terraform/cyhy_nessus_cloud_init.tf b/terraform/cyhy_nessus_cloud_init.tf
@@ -7,13 +7,6 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in

diff --git a/terraform/cyhy_nmap_cloud_init.tf b/terraform/cyhy_nmap_cloud_init.tf
@@ -7,13 +7,6 @@ data "cloudinit_config" "cyhy_nmap_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in

diff --git a/terraform/cyhy_reporter_cloud_init.tf b/terraform/cyhy_reporter_cloud_init.tf
@@ -5,13 +5,6 @@ data "cloudinit_config" "cyhy_reporter_cloud_init_tasks" {
   base64_encode = true
   gzip          = true
 
-  part {
-    content      = file("${path.module}/cloud-init/cyhy_user_ssh_setup.yml")
-    content_type = "text/cloud-config"
-    filename     = "cyhy_user_ssh_setup.yml"
-    merge_type   = "list(append)+dict(recurse_array)+str()"
-  }
-
   part {
     content = templatefile("${path.module}/cloud-init/set_hostname.tpl.yml", {
       # Note that the hostname here is identical to what is set in