ASG supporting lambda and other updates

README.md

@@ -7,10 +7,25 @@ Terraform for Corelight's AWS Cloud Sensor Deployment.
 ## Usage
 ```terraform
 
+data "aws_subnet" "management" {
+  id = "<management subnet id>"
+}
+
+module "asg_lambda_role" {
+  source = "github.com/corelight/terraform-aws-sensor//modules/iam/lambda"
+
+  lambda_cloudwatch_log_group_arn = module.sensor.cloudwatch_log_group_arn
+  sensor_autoscaling_group_name   = module.sensor.autoscaling_group_name
+  security_group_arn              = module.sensor.management_security_group_arn
+  subnet_arn                      = data.aws_subnet.management.arn
+}
+
 module "sensor" {
   source = "github.com/corelight/terraform-aws-sensor"
 
-  auto_scaling_availability_zones = ["<first az>", "<second az>"]
+  # Recommend deploying a sensor per availability zone. Multiple AZs can 
+  # be set but GWLB cross availability zone support is not recommended.
+  auto_scaling_availability_zones = ["<availability zone>"]
   aws_key_pair_name = "<key pair name>"
 
   # Request access to Corelight sensor AMI from you Account Executive
@@ -19,12 +34,25 @@ module "sensor" {
   management_subnet_id = "<management subnet>"
   monitoring_subnet_id = "<monitoring subnet>"
   community_string = "<password for the sensor api>"
-  vpc_id = "<vpc where the sensor auto scale group is deployed>"
+  vpc_id = "<vpc where the sensor autoscaling group is deployed>"
+  asg_lambda_iam_role_arn = module.asg_lambda_role.role_arn
 
-  # (Optional) Enrichment Bucket - ASG should have an instance 
-  # profile when using cloud enrichment
+  # (Optional) ASG should have an instance profile when using 
+  # the cloud enrichment feature
   enrichment_bucket_name = "<cloud enrichment s3 bucket name>"
   enrichment_bucket_region = "<cloud enrichment s3 bucket region>"
+  enrichment_instance_profile_arn = aws_iam_instance_profile.corelight_sensor.arn
+}
+
+### Optional resources for enrichment
+module "enrichment_sensor_role" {
+  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/sensor"
+  enrichment_bucket_arn = data.aws_s3_bucket.enrichment_bucket.arn
+}
+
+resource "aws_iam_instance_profile" "corelight_sensor" {
+  name = "<name of the instance profile>"
+  role = module.enrichment_sensor_role.sensor_role_name
 }
 ```
 

auto_scale_group.tf

@@ -9,14 +9,22 @@ resource "aws_autoscaling_group" "sensor_asg" {
     version = aws_launch_template.sensor_launch_template.latest_version
   }
 
-  availability_zones        = [var.auto_scaling_availability_zone]
+  availability_zones        = var.availability_zones
   target_group_arns         = [aws_lb_target_group.health_check.arn]
   health_check_type         = "EC2"
   health_check_grace_period = 300
   termination_policies      = ["OldestInstance"]
   protect_from_scale_in     = false
 }
 
+resource "aws_autoscaling_lifecycle_hook" "asg_scale_up_hook" {
+  autoscaling_group_name = aws_autoscaling_group.sensor_asg.name
+  lifecycle_transition   = "autoscaling:EC2_INSTANCE_LAUNCHING"
+  name                   = var.asg_lifecycle_hook_name
+  default_result         = "ABANDON"
+  heartbeat_timeout      = 300
+}
+
 resource "aws_autoscaling_policy" "sensor_autoscale_policy" {
   name                   = var.sensor_asg_auto_scale_policy_name
   autoscaling_group_name = aws_autoscaling_group.sensor_asg.name

examples/deployment/main.tf

@@ -11,6 +11,21 @@ locals {
   }
 }
 
+data "aws_subnet" "management" {
+  id = local.management_subnet
+}
+
+module "asg_lambda_role" {
+  source = "/Users/ryan/github/terraform-aws-sensor//modules/iam/lambda"
+
+  lambda_cloudwatch_log_group_arn = module.sensor.cloudwatch_log_group_arn
+  security_group_arn              = module.sensor.management_security_group_arn
+  sensor_autoscaling_group_name   = module.sensor.autoscaling_group_name
+  subnet_arn                      = data.aws_subnet.management.arn
+
+  tags = local.tags
+}
+
 module "sensor" {
   source = "github.com/corelight/terraform-aws-sensor"
 
@@ -22,16 +37,19 @@ module "sensor" {
   monitoring_subnet_id            = local.monitoring_subnet
   community_string                = "<password for the sensor api>"
   vpc_id                          = local.vpc_id
+  asg_lambda_iam_role_arn         = module.asg_lambda_role.role_arn
 
   tags = local.tags
 }
 
 module "bastion" {
   source = "github.com/corelight/terraform-aws-sensor//modules/bastion"
 
-  bastion_key_pair_name = "<AWS ssh key pair name for the bastion host>"
-  subnet_id             = "<subnet with public ssh access>"
-  vpc_id                = local.vpc_id
+  bastion_key_pair_name        = "<AWS ssh key pair name for the bastion host>"
+  subnet_id                    = data.aws_subnet.management.id
+  management_security_group_id = module.sensor.management_security_group_id
+  vpc_id                       = local.vpc_id
+  public_ssh_allow_cidr_blocks = ["0.0.0.0/0"]
 
   tags = local.tags
 }

lambda.tf

@@ -0,0 +1,66 @@
+locals {
+  script_name = "corelight_sensor_asg_nic_manager.py"
+}
+
+resource "aws_lambda_function" "auto_scaling_lambda" {
+  function_name = var.lambda_function_name
+  role          = var.asg_lambda_iam_role_arn
+  filename      = "lambda_payload.zip"
+  handler       = "corelight_sensor_asg_nic_manager.lambda_handler"
+  timeout       = 30
+  runtime       = "python3.12"
+
+  source_code_hash = filebase64sha256(data.archive_file.aws_lambda_code.output_path)
+
+  environment {
+    variables = {
+      TARGET_SUBNET            = var.management_subnet_id
+      TARGET_SECURITY_GROUP_ID = aws_security_group.management.id
+    }
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    data.archive_file.aws_lambda_code
+  ]
+}
+
+data "archive_file" "aws_lambda_code" {
+  output_path = "lambda_payload.zip"
+  source_file = "${path.module}/scripts/${local.script_name}"
+  type        = "zip"
+}
+
+resource "aws_cloudwatch_event_rule" "asg_lifecycle_rule" {
+  name = var.eventbridge_lifecycle_rule_name
+  event_pattern = jsonencode({
+    "source" : ["aws.autoscaling"],
+    "detail-type" : ["EC2 Instance-launch Lifecycle Action"],
+    "detail" : {
+      "AutoScalingGroupName" : [aws_autoscaling_group.sensor_asg.name],
+      "LifecycleHookName" : [aws_autoscaling_lifecycle_hook.asg_scale_up_hook.name]
+    }
+  })
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_log_group" "log_group" {
+  name              = "${var.cloudwatch_log_group_prefix}/${aws_lambda_function.auto_scaling_lambda.function_name}"
+  retention_in_days = var.cloudwatch_log_group_retention
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_event_target" "ec2_state_change_rule_lambda_target" {
+  arn  = aws_lambda_function.auto_scaling_lambda.arn
+  rule = aws_cloudwatch_event_rule.asg_lifecycle_rule.name
+}
+
+resource "aws_lambda_permission" "ec2_state_change_event_bridge_trigger_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.auto_scaling_lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.asg_lifecycle_rule.arn
+}

launch_template.tf

@@ -6,32 +6,21 @@ resource "aws_launch_template" "sensor_launch_template" {
   key_name      = var.aws_key_pair_name
   ebs_optimized = false
 
-  network_interfaces {
-    device_index         = 0
-    network_interface_id = aws_network_interface.monitoring_nic.id
+  dynamic "iam_instance_profile" {
+    for_each = var.enrichment_instance_profile_arn == "" ? toset([]) : toset([1])
+
+    content {
+      arn = var.enrichment_instance_profile_arn
+    }
   }
 
   network_interfaces {
-    device_index         = 1
-    network_interface_id = aws_network_interface.management_nic.id
+    subnet_id             = var.monitoring_subnet_id
+    security_groups       = [aws_security_group.monitoring.id]
+    delete_on_termination = true
   }
 
   user_data = module.sensor_config.cloudinit_config.rendered
 
   tags = var.tags
-}
-
-resource "aws_network_interface" "monitoring_nic" {
-  subnet_id       = data.aws_subnet.monitoring_subnet.id
-  security_groups = [aws_security_group.monitoring.id]
-
-  tags = merge(var.tags, { name : var.monitoring_nic_name })
-}
-
-resource "aws_network_interface" "management_nic" {
-  subnet_id       = data.aws_subnet.management_subnet.id
-  security_groups = [aws_security_group.management.id]
-
-  tags = merge(var.tags, { name : var.management_nic_name })
-}
-
+}

modules/bastion/instance.tf

@@ -0,0 +1,35 @@
+resource "aws_instance" "bastion" {
+  ami           = var.ami_id
+  instance_type = var.instance_type
+  key_name      = var.bastion_key_pair_name
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = aws_network_interface.bastion_nic.id
+  }
+
+  root_block_device {
+    volume_size = var.os_disk_size
+    encrypted   = true
+  }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
+  tags = merge(var.tags, { Name : var.bastion_instance_name })
+}
+
+resource "aws_network_interface" "bastion_nic" {
+  subnet_id       = var.public_subnet_id
+  security_groups = [aws_security_group.bastion_sg.id]
+
+  tags = merge({ Name : "${var.bastion_instance_name}-nic" }, var.tags)
+}
+
+resource "aws_eip" "bastion_public_ip" {
+  network_interface = aws_network_interface.bastion_nic.id
+
+  tags = merge({ Name : "${var.bastion_instance_name}-public-ip" }, var.tags)
+}

modules/bastion/outputs.tf

@@ -3,13 +3,5 @@ output "bastion_instance_id" {
 }
 
 output "bastion_ssh_security_group_arn" {
-  value = aws_security_group.allow_ssh.arn
-}
-
-output "bastion_nic_arn" {
-  value = aws_network_interface.bastion_nic.arn
-}
-
-output "bastion_eip_id" {
-  value = aws_eip.bastion_public_ip.id
+  value = aws_security_group.bastion_sg.arn
 }

modules/bastion/security_group.tf

@@ -0,0 +1,38 @@
+resource "aws_security_group" "bastion_sg" {
+  vpc_id      = var.vpc_id
+  name        = var.bastion_security_group_name
+  description = var.bastion_security_group_description
+
+  tags = merge(var.tags, { Name = var.bastion_security_group_name })
+}
+
+resource "aws_security_group_rule" "public_network_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  security_group_id = aws_security_group.bastion_sg.id
+  description       = "Public SSH to bastion host"
+  cidr_blocks       = var.public_ssh_allow_cidr_blocks
+}
+
+resource "aws_security_group_rule" "public_network_egress_all" {
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.bastion_sg.id
+  description       = "Default egress rule"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+
+resource "aws_security_group_rule" "management_subnet_ssh_access" {
+  type                     = "ingress"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+  security_group_id        = var.management_security_group_id
+  description              = "SSH Access from Bastion"
+  source_security_group_id = aws_security_group.bastion_sg.id
+}