From 13e75d2f2f45cd1cdf5f9047cab3376a4c18d5c1 Mon Sep 17 00:00:00 2001
From: John Turner <turner@strongdm.com>
Date: Fri, 8 Apr 2022 11:15:57 -0400
Subject: [PATCH] Updating with templates and updating AMI's

---
 onboarding/http/main.tf                       | 27 +----------
 .../templates/http_install/http_install.tftpl | 19 ++++++++
 onboarding/mysql/main.tf                      | 47 ++++---------------
 .../mysql_install/mysql_install.tftpl         | 28 +++++++++++
 onboarding/sdm_gateway/main.tf                | 14 +-----
 .../relay_install/relay_install.tftpl         |  3 ++
 onboarding/windows_server/main.tf             |  4 +-
 7 files changed, 63 insertions(+), 79 deletions(-)
 create mode 100644 onboarding/http/templates/http_install/http_install.tftpl
 create mode 100644 onboarding/mysql/templates/mysql_install/mysql_install.tftpl
 create mode 100644 onboarding/sdm_gateway/templates/relay_install/relay_install.tftpl

diff --git a/onboarding/http/main.tf b/onboarding/http/main.tf
index b9dc691..1cd074b 100644
--- a/onboarding/http/main.tf
+++ b/onboarding/http/main.tf
@@ -62,32 +62,7 @@ resource "aws_instance" "web_page" {
   vpc_security_group_ids = [aws_security_group.web_page[0].id]
 
   # Configures a simple HTTP web page 
-  user_data = <<-EOF
-  #!/bin/bash -xe
-
-  # add sdm public key
-  cat <<SDM_KEY | tee /etc/ssh/sdm_ca.pub
-  ${var.ssh_pubkey}
-  SDM_KEY
-  cat <<SDM_TRUST | sudo tee -a /etc/ssh/sshd_config
-  TrustedUserCAKeys /etc/ssh/sdm_ca.pub
-  SDM_TRUST
-  systemctl restart sshd
-
-  # setup apache
-  yum update -y
-  amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
-  yum install -y httpd mariadb-server
-  systemctl start httpd
-  systemctl enable httpd
-  usermod -a -G apache ec2-user
-  chown -R ec2-user:apache /var/www
-  chmod 2775 /var/www
-  find /var/www -type d -exec chmod 2775 {} \;
-  find /var/www -type f -exec chmod 0664 {} \;
-  echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
-  EOF
-
+  user_data = templatefile("${path.module}/templates/http_install/http_install.tftpl", { SSH_PUB_KEY = "${var.ssh_pubkey}" }) 
   tags = merge({ Name = "${var.prefix}-http" }, var.default_tags, var.tags)
 }
 # ---------------------------------------------------------------------------- #
diff --git a/onboarding/http/templates/http_install/http_install.tftpl b/onboarding/http/templates/http_install/http_install.tftpl
new file mode 100644
index 0000000..b96a422
--- /dev/null
+++ b/onboarding/http/templates/http_install/http_install.tftpl
@@ -0,0 +1,19 @@
+#!/bin/bash -xe
+
+# add sdm public key
+echo "${SSH_PUB_KEY}" | tee -a /etc/ssh/sdm_ca.pub
+echo "TrustedUserCAKeys /etc/ssh/sdm_ca.pub" | tee -a /etc/ssh/sshd_config
+systemctl restart sshd
+
+# setup apache
+yum update -y
+amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
+yum install -y httpd mariadb-server
+systemctl start httpd
+systemctl enable httpd
+usermod -a -G apache ec2-user
+chown -R ec2-user:apache /var/www
+chmod 2775 /var/www
+find /var/www -type d -exec chmod 2775 {} \;
+find /var/www -type f -exec chmod 0664 {} \;
+echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
\ No newline at end of file
diff --git a/onboarding/mysql/main.tf b/onboarding/mysql/main.tf
index 274f848..693ed2a 100644
--- a/onboarding/mysql/main.tf
+++ b/onboarding/mysql/main.tf
@@ -19,43 +19,6 @@ locals {
   mysql_pw        = "strongdmpassword123!@#"
   database        = "strongdmdb"
   table_name      = "strongdm_table"
-  mysql_user_data = <<-USERDATA
-  #!/bin/bash
-
-  # add sdm public key
-  cat <<SDM_KEY | tee /etc/ssh/sdm_ca.pub
-  ${var.ssh_pubkey}
-  SDM_KEY
-  cat <<SDM_TRUST | sudo tee -a /etc/ssh/sshd_config
-  TrustedUserCAKeys /etc/ssh/sdm_ca.pub
-  SDM_TRUST
-  systemctl restart sshd
-
-  # setup mysql
-  sudo apt update -y 
-  sudo apt install -y mysql-server
-  sudo mysql_secure_installation <<EOF
-  n
-  ${local.mysql_pw}
-  ${local.mysql_pw}
-  y
-  n
-  y
-  y
-  EOF
-  sudo mysql --user=root \
-    --password=${local.mysql_pw} \
-    --execute="CREATE DATABASE ${local.database};\
-    CREATE TABLE ${local.database}.${local.table_name} (message VARCHAR(20));\
-    INSERT INTO ${local.database}.${local.table_name} VALUES ('Hello');\
-    CREATE USER '${local.username}'@'%' IDENTIFIED BY '${local.mysql_pw}';\
-    GRANT ALL PRIVILEGES ON *.* TO '${local.username}'@'%';\
-    CREATE USER '${local.username_ro}'@'%' IDENTIFIED BY '${local.mysql_pw}';\
-    GRANT SELECT ON ${local.database}.* TO '${local.username_ro}'@'%';\
-    FLUSH PRIVILEGES;"
-  sudo sed -i "s/.*bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mysql.conf.d/mysqld.cnf
-  sudo systemctl restart mysql
-  USERDATA
 }
 
 # ---------------------------------------------------------------------------- #
@@ -69,8 +32,14 @@ data "aws_ami" "ubuntu" {
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
   }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
 }
 
 resource "aws_security_group" "mysql" {
@@ -114,7 +83,7 @@ resource "aws_instance" "mysql" {
   instance_type          = "t3.small"
   vpc_security_group_ids = [aws_security_group.mysql[0].id]
   subnet_id              = var.subnet_ids[0]
-  user_data              = local.mysql_user_data
+  user_data              = templatefile("${path.module}/templates/mysql_install/mysql_install.tftpl", { SSH_PUB_KEY = "${var.ssh_pubkey}", MYSQL_ADMIN = "${local.username}", MYSQL_RO = "${local.username_ro}", MYSQL_PW = "${local.mysql_pw}", MYSQL_DB = "${local.database}", MYSQL_TABLE = "${local.table_name}"})
   tags                   = merge({ Name = "${var.prefix}-mysql" }, var.default_tags, var.tags)
 }
 
diff --git a/onboarding/mysql/templates/mysql_install/mysql_install.tftpl b/onboarding/mysql/templates/mysql_install/mysql_install.tftpl
new file mode 100644
index 0000000..80f0323
--- /dev/null
+++ b/onboarding/mysql/templates/mysql_install/mysql_install.tftpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+echo "${SSH_PUB_KEY}" | tee -a /etc/ssh/sdm_ca.pub
+echo "TrustedUserCAKeys /etc/ssh/sdm_ca.pub" | tee -a /etc/ssh/sshd_config
+systemctl restart ssh
+
+# setup mysql
+apt update && apt install -y mysql-server
+mysql_secure_installation <<EOF
+n
+${MYSQL_PW}
+${MYSQL_PW}
+y
+n
+y
+y
+EOF
+mysql --user=root \
+--password=${MYSQL_PW} \
+--execute="CREATE DATABASE ${MYSQL_DB};\
+CREATE TABLE ${MYSQL_DB}.${MYSQL_TABLE} (message VARCHAR(20));\
+INSERT INTO ${MYSQL_DB}.${MYSQL_TABLE} VALUES ('Hello');\
+CREATE USER '${MYSQL_ADMIN}'@'%' IDENTIFIED WITH mysql_native_password BY '${MYSQL_PW}';\
+GRANT ALL PRIVILEGES ON *.* TO '${MYSQL_ADMIN}'@'%';\
+CREATE USER '${MYSQL_RO}'@'%' IDENTIFIED WITH mysql_native_password BY '${MYSQL_PW}';\
+GRANT SELECT ON ${MYSQL_DB}.* TO '${MYSQL_RO}'@'%';\
+FLUSH PRIVILEGES;"
+sed -i "s/.*bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mysql.conf.d/mysqld.cnf
+systemctl restart mysql && sysemctl enable mysql
\ No newline at end of file
diff --git a/onboarding/sdm_gateway/main.tf b/onboarding/sdm_gateway/main.tf
index 59047e5..0f19c2a 100644
--- a/onboarding/sdm_gateway/main.tf
+++ b/onboarding/sdm_gateway/main.tf
@@ -55,12 +55,7 @@ resource "aws_instance" "gateway" {
 
   ami           = data.aws_ami.amazon_linux_2.image_id
   instance_type = var.dev_mode ? "t3.micro" : "t3.medium"
-
-  user_data = <<USERDATA
-#!/bin/bash -xe
-curl -J -O -L https://app.strongdm.com/releases/cli/linux && unzip sdmcli* && rm -f sdmcli*
-sudo ./sdm install --relay --token="${aws_ssm_parameter.gateway[count.index].value}"
-USERDATA
+  user_data = templatefile("${path.module}/templates/relay_install/relay_install.tftpl", { SDM_TOKEN = "${aws_ssm_parameter.gateway[count.index].value}" })
 
   key_name   = var.ssh_key
   monitoring = var.detailed_monitoiring
@@ -125,12 +120,7 @@ resource "aws_instance" "relay" {
 
   ami           = data.aws_ami.amazon_linux_2.image_id
   instance_type = var.dev_mode ? "t3.micro" : "t3.medium"
-
-  user_data = <<USERDATA
-#!/bin/bash -xe
-curl -J -O -L https://app.strongdm.com/releases/cli/linux && unzip sdmcli* && rm -f sdmcli*
-sudo ./sdm install --relay --token="${aws_ssm_parameter.relay[count.index].value}"
-USERDATA
+  user_data = templatefile("${path.module}/templates/relay_install/relay_install.tftpl", { SDM_TOKEN = "${aws_ssm_parameter.relay[count.index].value}" })
 
   key_name   = var.ssh_key
   monitoring = var.detailed_monitoiring
diff --git a/onboarding/sdm_gateway/templates/relay_install/relay_install.tftpl b/onboarding/sdm_gateway/templates/relay_install/relay_install.tftpl
new file mode 100644
index 0000000..2260ce3
--- /dev/null
+++ b/onboarding/sdm_gateway/templates/relay_install/relay_install.tftpl
@@ -0,0 +1,3 @@
+#!/bin/bash -xe
+curl -J -O -L https://app.strongdm.com/releases/cli/linux && unzip sdmcli* && rm -f sdmcli*
+sudo ./sdm install --relay --token="${SDM_TOKEN}"
\ No newline at end of file
diff --git a/onboarding/windows_server/main.tf b/onboarding/windows_server/main.tf
index 6b4290e..df9849c 100644
--- a/onboarding/windows_server/main.tf
+++ b/onboarding/windows_server/main.tf
@@ -54,11 +54,11 @@ resource "aws_security_group" "windows_server" {
 # ---------------------------------------------------------------------------- #
 
 data "aws_ami" "windows_server" {
-  owners      = ["amazon"]
   most_recent = true
+  owners      = ["amazon"]
   filter {
     name   = "name"
-    values = ["Windows_Server-2016-English*"]
+    values = ["Windows_Server-2022-English-Full-Base*"]
   }
 }