wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-15 09:13:01 +02:00
Code Issues Projects Releases Wiki Activity

EC2 Encryption Implemented #133

Browse source
This commit is contained in:
Jack Ivanov 2016-11-30 12:23:24 +03:00 committed by Defunct
parent fa66b8ff95
commit cfcb31d1c8
3 changed files with 78 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
requirements.txt
View file

@ -1,7 +1,7 @@
ansible>=2.1 ansible>=2.1
dopy==0.3.5 dopy==0.3.5
boto boto>=2.5
azure==2.0.0rc5 azure>=2.0.0rc5
apache-libcloud apache-libcloud
six six
pyopenssl pyopenssl

72
roles/cloud-ec2/tasks/encrypt_image.yml Normal file
View file

@ -0,0 +1,72 @@
- name: Locate official Ubuntu 16.04 AMI for region
ec2_ami_find:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
owner: 099720109477
sort: name
sort_order: descending
sort_end: 1
region: "{{ region }}"
register: ami_search
- set_fact:
source_ami_image: "{{ ami_search.results[0].ami_id }}"
#
# https://github.com/ansible/ansible-modules-extras/issues/3565
#
#- name: Copy to an encrypted image
#ec2_ami_copy:
#aws_access_key: "{{ aws_access_key }}"
#aws_secret_key: "{{ aws_secret_key }}"
#description: ENC_IMAGE
#encrypted: yes
#name: newimage
#region: "{{ region }}"
#source_image_id: "{{ source_ami_image }}"
#source_region: "{{ region }}"
#register: ec2_ami_copy
#when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != true)
#- debug: var=ec2_ami_copy
#
# https://github.com/ansible/ansible-modules-extras/issues/3565
#
- name: Copy to an encrypted image
shell: >
aws ec2 copy-image --source-region '{{ region }}' --region '{{ region }}' --encrypted --source-image-id '{{ source_ami_image }}' --name 'ubuntu-xenial-16.04-amd64-server-encrypted'
environment:
AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
register: ec2_ami_copy
- set_fact:
ami_image_ouput: "{{ ec2_ami_copy.stdout|from_json }}"
- set_fact:
ami_encrypted_image: "{{ ami_image_ouput['ImageId'] }}"
- name: Add tags to the encrypted image
ec2_tag:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
region: "{{ region }}"
resource: "{{ ami_encrypted_image }}"
state: present
tags:
Name: "ubuntu-xenial-16.04-amd64-server-encrypted"
Encrypted: "true"
- name: Confirm the encrypted image
ec2_ami_find:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
ami_id: "{{ ami_encrypted_image }}"
region: "{{ region }}"
owner: self
state: available
register: ec2_ami_find_encrypted
until: ec2_ami_find_encrypted.results|length > 0
retries: 60
delay: 10

8
roles/cloud-ec2/tasks/main.yml
View file

@ -1,7 +1,7 @@
- name: Locate official Ubuntu 16.04 AMI for region - name: Locate official Ubuntu 16.04 AMI for region
ec2_ami_find: ec2_ami_find:
aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}" aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}" aws_secret_key: "{{ aws_secret_key }}"
name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
owner: 099720109477 owner: 099720109477
sort: creationDate sort: creationDate
@ -10,8 +10,8 @@
region: "{{ region }}" region: "{{ region }}"
register: ami_search register: ami_search
- set_fact: - include: encrypt_image.yml
ami_image: "{{ ami_search.results[0].ami_id }}" when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != "true1")
- name: Add ssh public key - name: Add ssh public key
ec2_key: ec2_key: