Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add P&E database credentials, update dependencies, upgrade aws terraform provider #1428

Merged
merged 30 commits into from
Apr 6, 2022
Merged

Add P&E database credentials, update dependencies, upgrade aws terraform provider #1428

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
7aea62a
Add Pe db credentials to stage.tfvars worker and vars.tf
aloftus23 Mar 17, 2022
783c5de
Merge branch 'master' into add-pe-db-creds
aloftus23 Mar 17, 2022
d03af92
Add sixgill logging
aloftus23 Mar 17, 2022
29c9083
Add await to writefile in hibp and domMasq sync
aloftus23 Mar 17, 2022
e8f3069
Fix pe-scripts writefile and env passing
aloftus23 Mar 17, 2022
c2ac5f1
Merge branch 'master' into add-pe-db-creds
aloftus23 Mar 17, 2022
9fe1f4c
update mitmproxy to 8.0.0
aloftus23 Mar 31, 2022
c527a19
Update cryptography to support mitmproxy 8.0.0
aloftus23 Mar 31, 2022
68e7f62
Add cryptography dep: cargo
aloftus23 Mar 31, 2022
8b44b2f
Create directories to store temporary json data for PE
aloftus23 Mar 31, 2022
12c6dd2
Fix PE environment variables
aloftus23 Mar 31, 2022
407f6fb
Directly pass env vars for PE scripts
aloftus23 Mar 31, 2022
56d908a
Simplify env passing
aloftus23 Mar 31, 2022
e64dcd3
Increase hibp and dnstwist memory
aloftus23 Mar 31, 2022
96214e0
Clean up env var passing and logging
aloftus23 Apr 1, 2022
52a6af3
Add pe db creds to worker.tf
aloftus23 Apr 4, 2022
9e7b05c
Update main.tf for Terraform AWS Provider version 4.0.0
aloftus23 Apr 4, 2022
d5de54d
Update main.tf to handle terraform aws provider 4.0
aloftus23 Apr 4, 2022
8619c81
fix typo
aloftus23 Apr 4, 2022
f6a4801
mitmproxy update and added pe creds
aloftus23 Apr 4, 2022
c7ecae3
hibpSyncFiles folder
aloftus23 Apr 4, 2022
cc9196a
make version 4 (tf v4) to worker and frontend
aloftus23 Apr 4, 2022
2625318
Run terraform formatting
aloftus23 Apr 4, 2022
61313a3
Use aws_iam_role_policy_attachment instead of aws_iam_policy_attachment
aloftus23 Apr 4, 2022
6c02a3b
Update to Terraform AWS Provider v4
aloftus23 Apr 5, 2022
01b721a
remove source from aws provider
aloftus23 Apr 5, 2022
c6a3225
remove alias setting from aws provider
aloftus23 Apr 5, 2022
64b8feb
use for_each to attach multiple policies to accessor instance
aloftus23 Apr 5, 2022
3df713d
Revert back to old policy config
aloftus23 Apr 5, 2022
e537722
Fix prod output failure and remove prevent_destroy
aloftus23 Apr 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion backend/Dockerfile.worker
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ FROM node:14-alpine3.14

WORKDIR /app

RUN apk add --update --no-cache wget build-base curl git unzip openssl-dev linux-headers python3=3.9.5-r2 python3-dev py3-pip ruby=2.7.5-r0 ruby-dev zlib-dev libffi-dev libxml2-dev libxslt-dev postgresql-dev gcc musl-dev py3-pandas py3-scikit-learn
RUN apk add --update --no-cache wget build-base curl git unzip openssl-dev linux-headers python3=3.9.5-r2 python3-dev py3-pip ruby=2.7.5-r0 ruby-dev zlib-dev libffi-dev libxml2-dev libxslt-dev postgresql-dev gcc musl-dev py3-pandas py3-scikit-learn cargo

RUN npm install -g pm2@4 wait-port@0.2.9

Expand Down
3 changes: 3 additions & 0 deletions backend/env.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ staging:
PE_DB_NAME: ${ssm:/crossfeed/staging/PE_DB_NAME~true}
PE_DB_USERNAME: ${ssm:/crossfeed/staging/PE_DB_USERNAME~true}
PE_DB_PASSWORD: ${ssm:/crossfeed/staging/PE_DB_PASSWORD~true}
SIXGILL_CLIENT_ID: ${ssm:/crossfeed/staging/SIXGILL_CLIENT_ID~true}
SIXGILL_CLIENT_SECRET: ${ssm:/crossfeed/staging/SIXGILL_CLIENT_SECRET~true}
PE_SHODAN_API_KEYS: ${ssm:/crossfeed/staging/PE_SHODAN_API_KEYS~true}
JWT_SECRET: ${ssm:/crossfeed/staging/APP_JWT_SECRET~true}
LOGIN_GOV_REDIRECT_URI: ${ssm:/crossfeed/staging/LOGIN_GOV_REDIRECT_URI~true}
LOGIN_GOV_BASE_URL: ${ssm:/crossfeed/staging/LOGIN_GOV_BASE_URL~true}
Expand Down
4 changes: 4 additions & 0 deletions backend/src/api/scans.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,8 @@ export const SCAN_SCHEMA: ScanSchema = {
type: 'fargate',
isPassive: true,
global: false,
cpu: '2048',
memory: '16384',
description:
'Finds emails that have appeared in breaches related to a given domain'
},
Expand All @@ -182,6 +184,8 @@ export const SCAN_SCHEMA: ScanSchema = {
type: 'fargate',
isPassive: true,
global: false,
cpu: '2048',
memory: '16384',
description:
'Domain name permutation engine for detecting similar registered domains.'
},
Expand Down
5 changes: 3 additions & 2 deletions backend/src/tasks/peDomMasq.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { CommandOptions } from './ecs-client';
import { spawnSync } from 'child_process';
import { connectToDatabase, Vulnerability } from '../models';
import * as path from 'path';
import { writeFileSync } from 'fs';
import { promises as fs } from 'fs';
import { getPeEnv } from './helpers/getPeEnv';

const DOM_MASQ_DIRECTORY = '/app/worker/pe_scripts/peDomMasq';
Expand All @@ -21,7 +21,8 @@ export const handler = async (commandOptions: CommandOptions) => {
.andWhere("vulnerability.source = 'dnstwist'")
.getRawMany();
const input_path = path.join(DOM_MASQ_DIRECTORY, organizationId + '.json');
writeFileSync(input_path, JSON.stringify(data));

await fs.writeFile(input_path, JSON.stringify(data));

const child = spawnSync(
'python3',
Expand Down
1 change: 1 addition & 0 deletions backend/worker/pe_scripts/hibpSyncFiles/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
This folder stores temporary json data when passing data to sync_hibp_pe.py.
1 change: 1 addition & 0 deletions backend/worker/pe_scripts/peDomMasq/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
This folder stores temporary json data when passing data to sync_dnstwist_pe.py.
4 changes: 1 addition & 3 deletions backend/worker/pe_scripts/sixgill/run_cybersixgill.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,6 @@
back = timedelta(days=16)
from_date = (to_date - back).strftime("%Y-%m-%d %H:%M:%S")
to_date = to_date.strftime("%Y-%m-%d %H:%M:%S")
print(to_date)
print(from_date)


def cve(cveid):
Expand Down Expand Up @@ -109,7 +107,7 @@ def getDataSource(conn, source):
print("Failed fetching Cybersixgill aliases.")
print(traceback.format_exc())

"""Insert/Update Aliases into PE databse instance"""
"""Insert/Update Aliases into PE database instance"""
try:
# aliases_list = json.loads(aliases.replace("'", '"'))
alias_df = pd.DataFrame(aliases, columns=["alias"])
Expand Down
4 changes: 2 additions & 2 deletions backend/worker/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
requests-http-signature==0.2.0
requests==2.24.0
mitmproxy==7.0.3
cryptography==3.3.2
mitmproxy==8.0.0
cryptography==36.0.2
pytest==6.0.1
scrapy==2.6.1
dnstwist==20201228
Expand Down
6 changes: 3 additions & 3 deletions docs/src/documentation-pages/dev/pe.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ The local database will contain the entire schema. The only table with any data
Before deploying. Generate a secure secret value for a database password, then run the following commands on the terraformer instance:

```
aws ssm put-parameter --name "/crossfeed/staging/PE_DATABASE_NAME" --value "pe" --type "SecureString"
aws ssm put-parameter --name "/crossfeed/staging/PE_DATABASE_USER" --value "pe" --type "SecureString"
aws ssm put-parameter --name "/crossfeed/staging/PE_DATABASE_PASSWORD" --value "[generated secret password]" --type "SecureString"
aws ssm put-parameter --name "/crossfeed/staging/PE_DB_NAME" --value "pe" --type "SecureString"
aws ssm put-parameter --name "/crossfeed/staging/PE_DB_USER" --value "pe" --type "SecureString"
aws ssm put-parameter --name "/crossfeed/staging/PE_DB_PASSWORD" --value "[generated secret password]" --type "SecureString"
```

### Sync DB
Expand Down
3 changes: 2 additions & 1 deletion infrastructure/database.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ resource "aws_db_instance" "db" {
iam_database_authentication_enabled = true

// database information
name = var.db_table_name
db_name = var.db_table_name
username = data.aws_ssm_parameter.db_username.value
password = data.aws_ssm_parameter.db_password.value
port = var.db_port
Expand Down Expand Up @@ -121,6 +121,7 @@ resource "aws_instance" "db_accessor" {

lifecycle {
# prevent_destroy = true
ignore_changes = [ami]
}
}

Expand Down
43 changes: 24 additions & 19 deletions infrastructure/frontend.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,29 +1,34 @@
resource "aws_s3_bucket" "frontend_bucket" {
bucket = var.frontend_bucket
acl = "private"

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
tags = {
Project = var.project
Stage = var.stage
}
}

versioning {
enabled = true
mfa_delete = false
resource "aws_s3_bucket_acl" "frontend_bucket" {
bucket = aws_s3_bucket.frontend_bucket.id
acl = "private"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "frontend_bucket" {
bucket = aws_s3_bucket.frontend_bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}

logging {
target_bucket = aws_s3_bucket.logging_bucket.id
target_prefix = "frontend_bucket/"
}
resource "aws_s3_bucket_versioning" "frontend_bucket" {
bucket = aws_s3_bucket.frontend_bucket.id
versioning_configuration {
status = "Enabled"
}
}

tags = {
Project = var.project
Stage = var.stage
}
resource "aws_s3_bucket_logging" "frontend_bucket" {
bucket = aws_s3_bucket.frontend_bucket.id
target_bucket = aws_s3_bucket.logging_bucket.id
target_prefix = "frontend_bucket/"
}

data "template_file" "policy_file" {
Expand Down
44 changes: 26 additions & 18 deletions infrastructure/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,28 +26,36 @@ resource "aws_ssm_parameter" "stage_api_domain" {

resource "aws_s3_bucket" "logging_bucket" {
bucket = var.logging_bucket_name
acl = "private"

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
tags = {
Project = var.project
Stage = var.stage
}
}

versioning {
enabled = true
mfa_delete = false
resource "aws_s3_bucket_acl" "logging_bucket" {
bucket = aws_s3_bucket.logging_bucket.id
acl = "private"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logging_bucket" {
bucket = aws_s3_bucket.logging_bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

logging {
target_bucket = var.logging_bucket_name
target_prefix = "logging_bucket/"
resource "aws_s3_bucket_versioning" "logging_bucket" {
bucket = aws_s3_bucket.logging_bucket.id
versioning_configuration {
status = "Enabled"
}
}

tags = {
Project = var.project
Stage = var.stage
}
resource "aws_s3_bucket_logging" "logging_bucket" {
bucket = aws_s3_bucket.logging_bucket.id
target_bucket = aws_s3_bucket.logging_bucket.id
target_prefix = "logging_bucket/"
}


10 changes: 7 additions & 3 deletions infrastructure/matomo.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
resource "aws_ecs_cluster" "matomo" {
name = var.matomo_ecs_cluster_name
capacity_providers = ["FARGATE"]
name = var.matomo_ecs_cluster_name

setting {
name = "containerInsights"
Expand All @@ -13,6 +12,11 @@ resource "aws_ecs_cluster" "matomo" {
}
}

resource "aws_ecs_cluster_capacity_providers" "motomo" {
cluster_name = aws_ecs_cluster.matomo.name
capacity_providers = ["FARGATE"]
}

resource "aws_iam_role" "matomo_task_execution_role" {
name = var.matomo_ecs_role_name
assume_role_policy = <<EOF
Expand Down Expand Up @@ -193,7 +197,7 @@ resource "aws_db_instance" "matomo_db" {
storage_encrypted = true

// database information
name = "matomo"
db_name = "matomo"
username = "matomo"
password = random_password.matomo_db_password.result

Expand Down
6 changes: 3 additions & 3 deletions infrastructure/output.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,6 @@ output "worker_ecs_repository_url" {
value = aws_ecr_repository.worker.repository_url
}

output "db_accessor_instance_id" {
value = aws_instance.db_accessor[0].id
}
# output "db_accessor_instance_id" {
# value = try(aws_instance.db_accessor[0].id, null)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aloftus23 I think we should uncomment this out, could you do that in a separate PR?

# }
3 changes: 0 additions & 3 deletions infrastructure/prod.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,6 @@ ssm_censys_api_id = "/crossfeed/prod/CENSYS_API_ID"
ssm_censys_api_secret = "/crossfeed/prod/CENSYS_API_SECRET"
ssm_shodan_api_key = "/crossfeed/prod/SHODAN_API_KEY"
ssm_hibp_api_key = "/crossfeed/prod/HIBP_API_KEY"
ssm_pe_shodan_api_keys = "/crossfeed/prod/PE_SHODAN_API_KEYS"
ssm_sixgill_client_id = "/crossfeed/prod/SIXGILL_CLIENT_ID"
ssm_sixgill_client_secret = "/crossfeed/prod/SIXGILL_CLIENT_SECRET"
ssm_lg_api_key = "/crossfeed/prod/LG_API_KEY"
ssm_lg_workspace_name = "/crossfeed/prod/LG_WORKSPACE_NAME"
cloudfront_name = "Crossfeed Prod Frontend"
Expand Down
13 changes: 8 additions & 5 deletions infrastructure/provider.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,17 @@
# provider.tf

# Specify the provider and access details
provider "aws" {
shared_credentials_file = "$HOME/.aws/credentials"
region = var.aws_region
terraform {
required_providers {
aws = {
version = "~> 4.0"
}
}
}

provider "aws" {
alias = "virginia"
region = "us-east-1"
region = "us-east-1"
shared_credentials_files = ["$HOME/.aws/credentials"]
}

terraform {
Expand Down
3 changes: 3 additions & 0 deletions infrastructure/stage.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ ssm_db_name = "/crossfeed/staging/DATABASE_NAME"
ssm_db_host = "/crossfeed/staging/DATABASE_HOST"
ssm_db_username = "/crossfeed/staging/DATABASE_USER"
ssm_db_password = "/crossfeed/staging/DATABASE_PASSWORD"
ssm_pe_db_name = "/crossfeed/staging/PE_DB_NAME"
ssm_pe_db_username = "/crossfeed/staging/PE_DB_USERNAME"
ssm_pe_db_password = "/crossfeed/staging/PE_DB_PASSWORD"
ssm_matomo_db_password = "/crossfeed/staging/MATOMO_DATABASE_PASSWORD"
ssm_worker_signature_public_key = "/crossfeed/staging/WORKER_SIGNATURE_PUBLIC_KEY"
ssm_worker_signature_private_key = "/crossfeed/staging/WORKER_SIGNATURE_PRIVATE_KEY"
Expand Down
14 changes: 14 additions & 0 deletions infrastructure/vars.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,20 @@ variable "ssm_db_host" {
default = "/crossfeed/staging/DATABASE_HOST"
}

variable "ssm_pe_db_name" {
type = string
default = "/crossfeed/staging/PE_DB_NAME"
}

variable "ssm_pe_db_username" {
type = string
default = "/crossfeed/staging/PE_DB_USERNAME"
}

variable "ssm_pe_db_password" {
type = string
default = "/crossfeed/staging/PE_DB_PASSWORD"
}
variable "ssm_lambda_sg" {
type = string
default = "/crossfeed/staging/SG_ID"
Expand Down
Loading