resolving .gitignore conflict

.gitignore

@@ -25,3 +25,5 @@ env/
 poetry.lock
 .venv/
 srv/isc-agent/requirements.txt
+
+

README_Terraform.md

@@ -0,0 +1,60 @@
+### For instructions on how to install `terraform`, please consult the following: [HashiCorp Terraform Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)  
+
+### Install `git` if not part of the default OS packages:
+`sudo <OS package manager here> install git`  
+(_could be apt, yum, dpkg, etc._)
+
+### Clone this repository:
+`git clone https://github.com/DShield-ISC/dshield`
+
+### Change into the `cloud provider` automation directory of choice:
+- To deploy honeypots using AWS' infrastructure: 
+  - `cd dshield/terraform/aws/`
+
+- To deploy honeypots using Microsoft Azure's infrastructure: 
+  - `cd dshield/terraform/azure/`
+
+### Adjust the required and optional variables to reflect the environment:
+`<insert your editor of choice here> variables.tf `  
+(_no judgement if the editor isn't `vi`_)
+
+### Define the following **required** variables:
+- **dshield_email**
+- **dshield_apikey**
+- **dshield_userid**
+- **aws_ssh_key_pub**  _OR_ **azure_ssh_key_pub**  _depending on provider_
+- **aws_ssh_key_priv** _OR_ **azure_ssh_key_priv** _depending on provider_
+- **aws_credentials**       _if using **AWS**_
+- **azure_tenant_id**       _if using **Azure Service Principal**_
+- **azure_subscription_id** _if using **Azure Service Principal**_
+- **azure_client_id**       _if using **Azure Service Principal**_
+- **azure_client_secret**   _if using **Azure Service Principal**_
+
+### Optional variables:
+- **honeypot_nodes** (default: `1` *increase to scale horizontally*)
+- **aws_region** (default: `us-east-1`)            _if using **AWS**_
+- **aws_ec2_size** (default: `t2.micro`)           _if using **AWS**_
+- **azure_region** (default: `East US`)            _if using **Azure**_
+- **azure_image_size** (default: `Standard_B1ls`)  _if using **Azure**_
+- **honeypot_network** (default: `10.40.0.0/16` for VPC & `10.40.0.0/24` for SG)
+- **honeypot_ssh_port** (default: `12222`)
+- **dshield_ca_country** (default: `US`)
+- **dshield_ca_state** (default: `Florida`)
+- **dshield_ca_city** (default: `Jacksonville`)
+- **dshield_ca_company** (default: `DShield`)
+- **dshield_ca_depart** (default: `Decoy`)
+
+### General assumptions (**please update to reflect the appropriate locations as denoted above**):
+- AWS credentials are contained in the default location: 
+  - `~/.aws/credentials`
+
+- Azure credentials are successfully validated using `az login` prior to plan/apply
+
+- SSH credentials are contained in the default location: 
+  - `~/.ssh/id_rsa`
+  - `~/.ssh/id_rsa.pub`
+
+### After completing the above items, run the following commands to begin the installation:
+```terraform init; terraform plan -out=honeypot; terraform apply "honeypot"```  
+**OR**  
+```terraform init; terraform apply``` and type `yes` when prompted

terraform/aws/main.tf

@@ -0,0 +1,194 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 3.73.0"
+    }
+    http = {
+      version = ">= 2.1.0"
+    }
+    null = {
+      version = ">= 3.1.0"
+    }
+    local = {
+      version = ">= 2.1.0"
+    }
+    template = {
+      version = ">= 2.2.0"
+    }
+  }
+
+  required_version = "~> 1.1.4"
+}
+
+provider "aws" {
+  shared_credentials_file = var.aws_credentials
+  region                  = var.aws_region
+  # if using separate profiles, otherwise leave at "default" or comment out
+  profile                 = var.aws_profile
+}
+
+data "http" "local_ip" {
+  url = "https://ipv4.icanhazip.com"
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+data "aws_ami" "ubuntu_ami" {
+  owners = [var.aws_ami_owner]
+  most_recent = true
+  filter {
+    name   = "name"
+    values = [ var.aws_ami_name ]
+  }
+}
+
+# switched from template_file to local_file due to: https://github.com/hashicorp/terraform/issues/24616
+resource "local_file" "enable_logging" {
+  content = templatefile("${path.module}/../templates/install_honeypot.tpl", {output_logging  = var.output_logging})
+  filename = "${path.module}/../scripts/install_honeypot.sh"
+}
+
+# upload ssh key to provision / configure ec2
+resource "aws_key_pair" "honeypot_key" {
+  key_name   = "dshield_honeypot"
+  public_key = file(var.aws_ssh_key_pub)
+}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "honeypot_vpc" {
+  cidr_block = "${var.honeypot_network}/16"
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "honeypot_gw" {
+  vpc_id     = aws_vpc.honeypot_vpc.id
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "honeypot_internet" {
+  route_table_id         = aws_vpc.honeypot_vpc.main_route_table_id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.honeypot_gw.id
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "honeypot_subnet" {
+  vpc_id                  = aws_vpc.honeypot_vpc.id
+  cidr_block              = "${var.honeypot_network}/24"
+  availability_zone       = data.aws_availability_zones.available.names[0]
+  map_public_ip_on_launch = true 
+}
+
+resource "aws_security_group" "honeypot_security_group" {
+  name   = "honeypot_security_group"
+  vpc_id = aws_vpc.honeypot_vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "honeypot" {
+  ami                    = data.aws_ami.ubuntu_ami.id
+  instance_type          = var.aws_ec2_size
+  key_name               = aws_key_pair.honeypot_key.id
+  vpc_security_group_ids = [ aws_security_group.honeypot_security_group.id ]
+  subnet_id              = aws_subnet.honeypot_subnet.id
+  count                  = var.honeypot_nodes
+
+  tags = {
+    Name = var.aws_tag
+  }
+}
+
+resource "null_resource" "upload" {
+  count    = var.honeypot_nodes
+  triggers = {
+    ec2_public_ip = element(aws_instance.honeypot.*.public_ip, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.aws_ami_user
+    host        = element(aws_instance.honeypot.*.public_ip, count.index)
+    private_key = file(var.aws_ssh_key_priv)
+  }
+
+  provisioner "file" {
+    destination = "/tmp/dshield.ini"
+    content     = templatefile("${path.module}/../templates/dshield_ini.tpl", {
+     dshield_email  = var.dshield_email
+     dshield_userid = var.dshield_userid
+     dshield_apikey = var.dshield_apikey
+     public_ip      = element(aws_instance.honeypot.*.public_ip, count.index)
+     public_ssh     = var.honeypot_ssh_port
+     private_ip     = join("/", [var.honeypot_network, "24"])
+     deploy_ip      = chomp(data.http.local_ip.body)
+    })
+  }
+
+  provisioner "file" {
+    destination = "/tmp/dshield.sslca"
+    content     = templatefile("${path.module}/../templates/dshield_sslca.tpl", {
+     dshield_ca_country  = var.dshield_ca_country
+     dshield_ca_state    = var.dshield_ca_state
+     dshield_ca_city     = var.dshield_ca_city
+     dshield_ca_company  = var.dshield_ca_company
+     dshield_ca_depart   = var.dshield_ca_depart
+    })
+  }
+
+  # upload our provisioning scripts
+  provisioner "file" {
+    source      = "${path.module}/../scripts/"
+    destination = "/tmp/"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo sed -i.bak 's/^[#\\s]*Port 22\\s*$/Port ${var.honeypot_ssh_port}/' /etc/ssh/sshd_config",
+      "sudo mv /tmp/dshield.ini /etc/",
+      "sudo mv /tmp/dshield.sslca /etc/"
+    ]
+  }
+
+  # install required packages
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_reqs.sh"
+  }
+
+  depends_on = [ aws_instance.honeypot ]
+}
+
+resource "null_resource" "install" {
+  count    = var.honeypot_nodes
+  triggers = {
+    ec2_public_ip = element(aws_instance.honeypot.*.public_ip, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.aws_ami_user
+    host        = element(aws_instance.honeypot.*.public_ip, count.index)
+    port        = var.honeypot_ssh_port
+    private_key = file(var.aws_ssh_key_priv)
+  }
+
+  # install dshield honeypot
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_honeypot.sh"
+  }
+
+  depends_on = [null_resource.upload]
+}

terraform/aws/output.tf

@@ -0,0 +1,16 @@
+output "begin" {
+  value = <<EOF
+
+Your DShield honeypots have been configured and should be sending logs for further investigation!!
+
+Run the following SSH command if it's necessary to manage any honeypot:
+
+ssh -tt -o StrictHostKeyChecking=no ${var.aws_ami_user}@HONEYPOT_IP -p ${var.honeypot_ssh_port}
+
+EOF
+}
+
+output "honeypots" {
+  value = [ for honeypot in aws_instance.honeypot : honeypot.public_ip ]
+  description = "DShield Honeypot IPs"
+}

terraform/aws/variables.tf

@@ -0,0 +1,100 @@
+# number of honeypot instances to deploy
+variable "honeypot_nodes" {
+  default = 1
+}
+
+variable "dshield_email" {
+}
+
+variable "dshield_userid" {
+}
+
+variable "dshield_apikey" {
+}
+
+# location of YOUR ssh PUBLIC key to be uploaded to AWS
+# complimentary key pair to PRIVATE key below
+variable "aws_ssh_key_pub" {
+  default = "~/.ssh/id_rsa.pub"
+}
+
+# location of YOUR ssh PRIVATE key to run remote-exec provisioners
+# complimentary key pair to PUBLIC key above
+variable "aws_ssh_key_priv" {
+  default = "~/.ssh/id_rsa"
+}
+
+# location of AWS credentials on local machine
+variable "aws_credentials" {
+  default = "~/.aws/credentials"
+}
+
+# AWS region in which ec2 instances should be deployed
+variable "aws_region" {
+  default = "us-east-1"
+}
+
+# AWS profile (if using multiple) 
+variable "aws_profile" {
+  default = "default"
+}
+
+# Canonical AWS OwnerId
+variable "aws_ami_owner" {
+  default = "099720109477"   
+}
+
+variable "aws_ami_name" {
+  description = "Ubuntu 20.04 LTS"
+  type        = string
+  default     = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
+}
+
+variable "aws_ami_user" {
+  description = "Ubuntu AMI default user"
+  type        = string
+  default     = "ubuntu"
+}
+
+variable "aws_ec2_size" {
+  default = "t2.micro"
+}
+
+variable "aws_tag" {
+  default = "dshield_honeypot"
+}
+
+# CIDR is declared in aws_vpc & aws_subnet code blocks in main.tf
+variable "honeypot_network" {
+  default = "10.40.0.0"
+}
+
+variable "honeypot_ssh_port" {
+  default = "12222"
+}
+
+variable "dshield_ca_country" {
+  default = "US"
+}
+
+variable "dshield_ca_state" {
+  default = "Florida"
+}
+
+variable "dshield_ca_city" {
+  default = "Jacksonville"
+}
+
+variable "dshield_ca_company" {
+  default = "DShield"
+}
+
+variable "dshield_ca_depart" {
+  default = "Decoy"
+}
+
+# true or false whether cowrie should output json
+# also appends logrotate policy in /etc/logrotate.d/dshield
+variable "output_logging" {
+  default = true
+}