Merge pull request #822 from cisagov/improvement/make_cyhy_user_info_…

…dynamic Turn information about the `cyhy` user into a Terraform variable
cisagov · Aug 27, 2024 · dcc7d5a · dcc7d5a
2 parents 4a89d63 + bc88d29
commit dcc7d5a
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 51 deletions.
diff --git a/packer/ansible/create_cyhy_user.yml b/packer/ansible/create_cyhy_user.yml
@@ -8,7 +8,7 @@
   tasks:
     - name: Create the cyhy user
       ansible.builtin.user:
-        home: /var/cyhy
+        home: "{{ cyhy_user_home_directory }}"
         name: "{{ cyhy_user_username }}"
         shell: /bin/bash
         uid: "{{ cyhy_user_uid }}"

diff --git a/packer/ansible/vars/cyhy_user.yml b/packer/ansible/vars/cyhy_user.yml
@@ -1,4 +1,5 @@
 ---
 # CyHy user information
+cyhy_user_home_directory: /var/cyhy
 cyhy_user_uid: 2048
 cyhy_user_username: cyhy
diff --git a/terraform/README.md b/terraform/README.md
@@ -643,6 +643,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | cyhy\_archive\_bucket\_name | S3 bucket for storing compressed archive files created by cyhy-archive. | `string` | `"ncats-cyhy-archive"` | no |
 | cyhy\_elastic\_ip\_cidr\_block | The CIDR block of elastic addresses available for use by CyHy scanner instances. | `string` | `""` | no |
 | cyhy\_portscan\_first\_elastic\_ip\_offset | The offset of the address (from the start of the elastic IP CIDR block) to be assigned to the *first* CyHy portscan instance.  For example, if the CIDR block is 192.168.1.0/24 and the offset is set to 10, the first portscan address used will be 192.168.1.10.  This is only used in production workspaces.  Each additional portscan instance will get the next consecutive address in the block.  NOTE: This will only work as intended when a contiguous CIDR block of EIP addresses is available. | `number` | `0` | no |
+| cyhy\_user\_info | User information for the CyHy user created in our AMIs. Please see `packer/ansible/vars/cyhy_user.yml` for the configuration used when AMIs are built. | `object({ gid = number, home = string, name = string, uid = number })` | ```{ "gid": 2048, "home": "/var/cyhy", "name": "cyhy", "uid": 2048 }``` | no |
 | cyhy\_vulnscan\_first\_elastic\_ip\_offset | The offset of the address (from the start of the elastic IP CIDR block) to be assigned to the *first* CyHy vulnscan instance.  For example, if the CIDR block is 192.168.1.0/24 and the offset is set to 10, the first vulnscan address used will be 192.168.1.10.  This is only used in production workspaces.  Each additional vulnscan instance will get the next consecutive address in the block.  NOTE: This will only work as intended when a contiguous CIDR block of EIP addresses is available. | `number` | `1` | no |
 | dmarc\_import\_aws\_region | The AWS region where the dmarc-import Elasticsearch database resides. | `string` | `"us-east-1"` | no |
 | dmarc\_import\_es\_role\_arn | The ARN of the role that must be assumed in order to read the dmarc-import Elasticsearch database. | `string` | n/a | yes |

diff --git a/terraform/bod_docker_cloud_init.tf b/terraform/bod_docker_cloud_init.tf
@@ -19,20 +19,20 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_docker_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"
@@ -45,7 +45,7 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
       fs_type       = "xfs"
       label         = "report_data"
       mount_options = "defaults"
-      mount_point   = "/var/cyhy/orchestrator/output"
+      mount_point   = "${var.cyhy_user_info.home}/orchestrator/output"
       num_disks     = 3
     })
     content_type = "text/x-shellscript"
@@ -54,10 +54,10 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = true
-      owner          = "cyhy"
-      path           = "/var/cyhy/orchestrator/output"
+      owner          = var.cyhy_user_info.name
+      path           = "${var.cyhy_user_info.home}/orchestrator/output"
     })
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_docker_chown_orchestrator_output_directory.sh"
@@ -69,7 +69,7 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
       fs_type       = "xfs"
       label         = "vdp_data"
       mount_options = "defaults"
-      mount_point   = "/var/cyhy/vdp/output"
+      mount_point   = "${var.cyhy_user_info.home}/vdp/output"
       num_disks     = 3
     })
     content_type = "text/x-shellscript"
@@ -78,10 +78,10 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = true
-      owner          = "cyhy"
-      path           = "/var/cyhy/vdp/output"
+      owner          = var.cyhy_user_info.name
+      path           = "${var.cyhy_user_info.home}/vdp/output"
     })
     content_type = "text/x-shellscript"
     filename     = "04_cyhy_docker_chown_vdp_output_directory.sh"

diff --git a/terraform/cyhy_dashboard_cloud_init.tf b/terraform/cyhy_dashboard_cloud_init.tf
@@ -18,20 +18,20 @@ data "cloudinit_config" "cyhy_dashboard_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_dashboard_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"

diff --git a/terraform/cyhy_mongo_cloud_init.tf b/terraform/cyhy_mongo_cloud_init.tf
@@ -21,20 +21,20 @@ data "cloudinit_config" "cyhy_mongo_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_mongo_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"

diff --git a/terraform/cyhy_nessus_cloud_init.tf b/terraform/cyhy_nessus_cloud_init.tf
@@ -21,20 +21,20 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_nessus_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"
@@ -47,7 +47,7 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
       fs_type       = "ext4"
       label         = "cyhy_runner"
       mount_options = "defaults"
-      mount_point   = "/var/cyhy/runner"
+      mount_point   = "${var.cyhy_user_info.home}/runner"
       num_disks     = 2
     })
     content_type = "text/x-shellscript"
@@ -56,10 +56,10 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = true
-      owner          = "cyhy"
-      path           = "/var/cyhy/runner"
+      owner          = var.cyhy_user_info.name
+      path           = "${var.cyhy_user_info.home}/runner"
     })
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_nessus_chown_runner_directory.sh"

diff --git a/terraform/cyhy_nmap_cloud_init.tf b/terraform/cyhy_nmap_cloud_init.tf
@@ -21,20 +21,20 @@ data "cloudinit_config" "cyhy_nmap_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_nmap_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"
@@ -47,7 +47,7 @@ data "cloudinit_config" "cyhy_nmap_cloud_init_tasks" {
       fs_type       = "ext4"
       label         = "cyhy_runner"
       mount_options = "defaults"
-      mount_point   = "/var/cyhy/runner"
+      mount_point   = "${var.cyhy_user_info.home}/runner"
       num_disks     = 2
     })
     content_type = "text/x-shellscript"
@@ -56,10 +56,10 @@ data "cloudinit_config" "cyhy_nmap_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = true
-      owner          = "cyhy"
-      path           = "/var/cyhy/runner"
+      owner          = var.cyhy_user_info.name
+      path           = "${var.cyhy_user_info.home}/runner"
     })
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_nmap_chown_runner_directory.sh"

diff --git a/terraform/cyhy_reporter_cloud_init.tf b/terraform/cyhy_reporter_cloud_init.tf
@@ -19,20 +19,20 @@ data "cloudinit_config" "cyhy_reporter_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
-      path           = "/var/cyhy"
+      owner          = var.cyhy_user_info.name
+      path           = var.cyhy_user_info.home
     })
     content_type = "text/x-shellscript"
     filename     = "00_cyhy_reports_chown_cyhy_directory.sh"
   }
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = false
-      owner          = "cyhy"
+      owner          = var.cyhy_user_info.name
       path           = "/var/log/cyhy"
     })
     content_type = "text/x-shellscript"
@@ -45,7 +45,7 @@ data "cloudinit_config" "cyhy_reporter_cloud_init_tasks" {
       fs_type       = "xfs"
       label         = "report_data"
       mount_options = "defaults"
-      mount_point   = "/var/cyhy/reports/output"
+      mount_point   = "${var.cyhy_user_info.home}/reports/output"
       num_disks     = 2
     })
     content_type = "text/x-shellscript"
@@ -54,10 +54,10 @@ data "cloudinit_config" "cyhy_reporter_cloud_init_tasks" {
 
   part {
     content = templatefile("${path.module}/cloud-init/chown_directory.tpl.sh", {
-      group          = "cyhy"
+      group          = var.cyhy_user_info.name
       is_mount_point = true
-      owner          = "cyhy"
-      path           = "/var/cyhy/reports/output"
+      owner          = var.cyhy_user_info.name
+      path           = "${var.cyhy_user_info.home}/reports/output"
     })
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_reports_chown_reports_output_directory.sh"

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -172,6 +172,17 @@ variable "cyhy_portscan_first_elastic_ip_offset" {
   type        = number
 }
 
+variable "cyhy_user_info" {
+  default = {
+    gid  = 2048
+    home = "/var/cyhy"
+    name = "cyhy"
+    uid  = 2048
+  }
+  description = "User information for the CyHy user created in our AMIs. Please see `packer/ansible/vars/cyhy_user.yml` for the configuration used when AMIs are built."
+  type        = object({ gid = number, home = string, name = string, uid = number })
+}
+
 variable "cyhy_vulnscan_first_elastic_ip_offset" {
   default     = 1
   description = "The offset of the address (from the start of the elastic IP CIDR block) to be assigned to the *first* CyHy vulnscan instance.  For example, if the CIDR block is 192.168.1.0/24 and the offset is set to 10, the first vulnscan address used will be 192.168.1.10.  This is only used in production workspaces.  Each additional vulnscan instance will get the next consecutive address in the block.  NOTE: This will only work as intended when a contiguous CIDR block of EIP addresses is available."