wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 15:43:54 +02:00
Code Issues Projects Releases Wiki Activity

Move to the ARM deployment schema (#1107)

Browse source
This commit is contained in:
Jack Ivanov 2018-09-17 03:19:29 +03:00 committed by Dan Guido
parent 4e5103986c
commit 4a42fbea35
6 changed files with 245 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -1,3 +1,7 @@
## 7 Sep 2018
### Changed
- Azure: Deployment via Azure Resource Manager
## 27 Aug 2018 ## 27 Aug 2018
### Changed ### Changed
- Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976) - Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976)

6
config.cfg
View file

@ -95,11 +95,7 @@ SSH_keys:
cloud_providers: cloud_providers:
azure: azure:
size: Basic_A0 size: Basic_A0
image: image: 18.04-LTS
offer: UbuntuServer
publisher: Canonical
sku: '18.04-LTS'
version: latest
digitalocean: digitalocean:
size: s-1vcpu-1gb size: s-1vcpu-1gb
image: "ubuntu-18-04-x64" image: "ubuntu-18-04-x64"

2
roles/cloud-azure/defaults/main.yml
View file

@ -1,5 +1,5 @@
--- ---
azure_regions: > _azure_regions: >
[ [
{ {
"displayName": "East Asia", "displayName": "East Asia",

209
roles/cloud-azure/files/deployment.json Normal file
View file

@ -0,0 +1,209 @@
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"AlgoServerName": {
"type": "string"
},
"sshKeyData": {
"type": "string"
},
"location": {
"type": "string"
},
"WireGuardPort": {
"type": "int"
},
"vmSize": {
"type": "string"
},
"imageReferenceSku": {
"type": "string"
}
},
"variables": {
"vnetID": "[resourceId('Microsoft.Network/virtualNetworks', parameters('AlgoServerName'))]",
"subnet1Ref": "[concat(variables('vnetID'),'/subnets/', parameters('AlgoServerName'))]"
},
"resources": [
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('AlgoServerName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "AllowSSH",
"properties": {
"description": "Locks inbound down to ssh default port 22.",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "AllowIPSEC500",
"properties": {
"description": "Allow UDP to port 500",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "500",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 110,
"direction": "Inbound"
}
},
{
"name": "AllowIPSEC4500",
"properties": {
"description": "Allow UDP to port 4500",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "4500",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 120,
"direction": "Inbound"
}
},
{
"name": "AllowWireGuard",
"properties": {
"description": "Locks inbound down to ssh default port 22.",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "[parameters('WireGuardPort')]",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 130,
"direction": "Inbound"
}
}
]
}
},
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[parameters('AlgoServerName')]",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Static"
}
},
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('AlgoServerName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.10.0.0/16"
]
},
"subnets": [
{
"name": "[parameters('AlgoServerName')]",
"properties": {
"addressPrefix": "10.10.0.0/24"
}
}
]
}
},
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/networkInterfaces",
"name": "[parameters('AlgoServerName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkSecurityGroups/', parameters('AlgoServerName'))]",
"[concat('Microsoft.Network/publicIPAddresses/', parameters('AlgoServerName'))]",
"[concat('Microsoft.Network/virtualNetworks/', parameters('AlgoServerName'))]"
],
"properties": {
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('AlgoServerName'))]"
},
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('AlgoServerName'))]"
},
"subnet": {
"id": "[variables('subnet1Ref')]"
}
}
}
]
}
},
{
"apiVersion": "2016-04-30-preview",
"type": "Microsoft.Compute/virtualMachines",
"name": "[parameters('AlgoServerName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkInterfaces/', parameters('AlgoServerName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"osProfile": {
"computerName": "[parameters('AlgoServerName')]",
"adminUsername": "ubuntu",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/ubuntu/.ssh/authorized_keys",
"keyData": "[parameters('sshKeyData')]"
}
]
}
}
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "[parameters('imageReferenceSku')]",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('AlgoServerName'))]"
}
]
}
}
}
],
"outputs": {
"publicIPAddresses": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses',parameters('AlgoServerName')),providers('Microsoft.Network', 'publicIPAddresses').apiVersions[0]).ipAddress]",
}
}
}

135
roles/cloud-azure/tasks/main.yml
View file

@ -4,123 +4,38 @@
import_tasks: prompts.yml import_tasks: prompts.yml
- set_fact: - set_fact:
resource_group: "Algo_{{ region }}" algo_region: >-
secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}" {% if region is defined %}{{ region }}
tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}" {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ azure_regions[_algo_region.user_input | int -1 ]['name'] }}
client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}" {%- else %}{{ azure_regions[default_region | int - 1]['name'] }}{% endif %}
subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
- name: Create a resource group - name: Create AlgoVPN Server
azure_rm_resourcegroup: azure_rm_deployment:
state: present
deployment_name: "AlgoVPN-{{ algo_server_name }}"
template: "{{ lookup('file', 'deployment.json') }}"
secret: "{{ secret }}" secret: "{{ secret }}"
tenant: "{{ tenant }}" tenant: "{{ tenant }}"
client_id: "{{ client_id }}" client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}" subscription_id: "{{ subscription_id }}"
name: "{{ resource_group }}" resource_group_name: "AlgoVPN-{{ algo_server_name }}"
location: "{{ region }}" parameters:
tags: AlgoServerName:
Environment: Algo value: "{{ algo_server_name }}"
sshKeyData:
- name: Create a virtual network value: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
azure_rm_virtualnetwork: location:
secret: "{{ secret }}" value: "{{ algo_region }}"
tenant: "{{ tenant }}" WireGuardPort:
client_id: "{{ client_id }}" value: "{{ wireguard_port }}"
subscription_id: "{{ subscription_id }}" vmSize:
resource_group: "{{ resource_group }}" value: "{{ cloud_providers.azure.size }}"
name: algo_net imageReferenceSku:
address_prefixes: "10.10.0.0/16" value: "{{ cloud_providers.azure.image }}"
tags: register: azure_rm_deployment
Environment: Algo
- name: Create a security group
azure_rm_securitygroup:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
resource_group: "{{ resource_group }}"
name: AlgoSecGroup
purge_rules: yes
rules:
- name: AllowSSH
protocol: Tcp
destination_port_range: 22
access: Allow
priority: 100
direction: Inbound
- name: AllowIPSEC500
protocol: Udp
destination_port_range: 500
access: Allow
priority: 110
direction: Inbound
- name: AllowIPSEC4500
protocol: Udp
destination_port_range: 4500
access: Allow
priority: 120
direction: Inbound
- name: AllowWireGuard
protocol: Udp
destination_port_range: "{{ wireguard_port }}"
access: Allow
priority: 130
direction: Inbound
- name: Create a subnet
azure_rm_subnet:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
resource_group: "{{ resource_group }}"
name: algo_subnet
address_prefix: "10.10.0.0/24"
virtual_network: algo_net
security_group_name: AlgoSecGroup
tags:
Environment: Algo
- name: Create an instance
azure_rm_virtualmachine:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
resource_group: "{{ resource_group }}"
admin_username: ubuntu
virtual_network: algo_net
name: "{{ azure_server_name }}"
ssh_password_enabled: false
vm_size: "{{ cloud_providers.azure.size }}"
tags:
Environment: Algo
ssh_public_keys:
- { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', '{{ SSH_keys.public }}') }}" }
image: "{{ cloud_providers.azure.image }}"
register: azure_rm_virtualmachine
# To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
- set_fact: - set_fact:
ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}" cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}"
networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}"
- name: Ensure the network interface includes all required parameters
azure_rm_networkinterface:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
name: "{{ networkinterface_name }}"
resource_group: "{{ resource_group }}"
virtual_network_name: algo_net
subnet_name: algo_subnet
security_group_name: AlgoSecGroup
- set_fact:
cloud_instance_ip: "{{ ip_address }}"
ansible_ssh_user: ubuntu ansible_ssh_user: ubuntu
rescue: rescue:

10
roles/cloud-azure/tasks/prompts.yml
View file

@ -48,20 +48,20 @@
- block: - block:
- name: Set facts about the regions - name: Set facts about the regions
set_fact: set_fact:
aws_regions: "{{ azure_regions | sort(attribute='region_name') }}" azure_regions: "{{ _azure_regions|from_json | sort(attribute='name') }}"
- name: Set the default region - name: Set the default region
set_fact: set_fact:
default_region: >- default_region: >-
{% for r in aws_regions %} {% for r in azure_regions %}
{%- if r['region_name'] == "us-east-1" %}{{ loop.index }}{% endif %} {%- if r['name'] == "eastus" %}{{ loop.index }}{% endif %}
{%- endfor %} {%- endfor %}
- pause: - pause:
prompt: | prompt: |
What region should the server be located in? What region should the server be located in?
{% for r in aws_regions %} {% for r in azure_regions %}
{{ loop.index }}. {{ r['region_name'] }} {{ loop.index }}. {{ r['displayName'] }}
{% endfor %} {% endfor %}
Enter the number of your desired region Enter the number of your desired region