Building a Self Service Cloud Resource deployment Portal

Introduction

If you are a trainer of an IT based course or consistently spinning up the same infrastructure for a situations like in pentesting, this setup will help you.

“Anything that you do more than twice has to be automated”

  • Adam Stone, CEO, D-Tools

If you have created any type of lab environment or setup machines for an engagement then you know how long the process is. Some people/companies come up with run books with step by step directions to ensure the system is setup the same way each time but it is still a big tasking.

Technology

In this article I will introduce you to three open source technologies that can help you setup a self service portal.

The three technologies are:

All systems are using ubuntu 18.04 Desktop as a base image.

Setting up Rundeck

Go to https://www.rundeck.com/open-source and click on the download link.

Click on,Download the rundeck community edition. You will want to select the Debian/Ubuntu install.

In my case, I copied the link and did a wget on my ubuntu host to download the file there.

cd /tmp/;wget https://dl.bintray.com/rundeck/rundeck-deb/rundeck_3.2.4.20200318-1_all.deb

On the ubuntu Rundeck host run the following commands:

sudo apt update && sudo apt install openjdk-8-jdk-headless; sudo dpkg -i rundeck_3.2.4.20200318–1_all.deb

Then change to a root user via:

sudo su

There are two configuration files that need to be edited.

edit /etc/rundeck/framework.properties, changing localhost to the ip address of your system.

After editing that file, edit the /etc/rundeck/rundeck-config.properties, changing localhost to the ip address of the systems.

Restart the service:

service rundeckd restart

After about 3–5 min, you should be able to open the website going to:

http://<ip>:4440

the default login is admin:admin

you can change that and manually add users by editing the /etc/rundeck/realm.properties

Setting up Terraform

Go to https://www.terraform.io/downloads.html and click on Linux 64-bit

In my case, I copied the link and did a wget on my ubuntu host to download the file there.

sudo apt install ssh -y;cd /tmp/;wget https://releases.hashicorp.com/terraform/0.12.24/terraform_0.12.24_linux_amd64.zip;unzip terraform_0.12.24_linux_amd64.zip;sudo cp terraform /usr/bin/

This command will download terraform to /tmp/, unzip it, and copy it to /usr/bin.

Setup two directories, one for your source and one for your deployment. In my case I named the account terraform, so the command would be:

mkdir /home/terraform/source;mkdir /home/terraform/deploy

Then git clone your infrastructure code into the /home/terraform/source directory. If you want to start with what I came up with for google cloud you can clone mine but you will of course need to change some things.

git clone https://github.com/lordsaibat/Rt-Google-Infra-Guacmole.git

Setting up Apache Guacamole

This system will be running guacamole via docker containers. To use docker and docker-compose they need to be installed. Run the following commands to install docker and docker compose.

sudo apt update && sudo apt install docker.io docker-compose -y

There is a good project that will setup guacamole via docker quick and easy. This project can be cloned to the system and setup via:

git clone https://github.com/boschkundendienst/guacamole-docker-compose;cd guacmole-docker-compose;sudo service docker start;sudo ./prepare.sh;sudo docker-compose up -d

Now all the pieces are setup and they just need to be wired together.

Wiring up Rundeck to Terraform

If you setup terraform on another system. A ssh key needs to be created in order to execute commands on that system. Splitting up the systems means that you can harden the deployment (terraform) server.

On the terraform server generate the ssh key.

cd ~;ssh-keygen -f terraform; cat terraform.pub >> ~/.ssh/authorized_keys

Go to the webpage for your rundeck setup (http://<ip>:4440)

The key needs to be added to rundeck in order to use it.

We need to create a project in rundeck to run commands on external nodes.

Go to the main screen of rundeck and click on New Project.

For the project name, I used “Twitch-demo”, then click on Default Node Executor.

Use the drop down to select “openssh/executor”. Then select “privatekey” for Authentication and then click on SSH key storage path and select the key you saved earlier.

After you create the project, you should be on the “Edit Nodes” page. If not, on the left menu click on Project Settings and the Edit Nodes..

Click on “Add a new Node Source”. Select file, on the right side click on the drop down and select “resourcexml”. Enter a path in the file path, I am going with /home/terraform.xml. Then check off Generate, Include Server Node, Writeable. Click save, then save again.

If you get a FileNotFoundException, the file will have to be created on the rundeck server.

To do that on the rundeck server.

sudo su; touch /home/terraform.xml; chown rundeck /home/terraform.xml; chgrp rundeck /home/terraform.xml

Now edit the file on rundeck webpage and just click save. You should get a different error.

You can now click Edit, next to the Sources on the top bar and click on Modify.

Use the following as a guideline to create a node. Change the username, IP, and ssh-key-storage-path to match what you setup previously.

<?xml version=”1.0" encoding=”UTF-8"?>
<project>
<node name=”terraform-server”
username=”terraform”
hostname=”192.168.2.190"
ssh-key-storage-path=”/keys/terraform-key”
/>
</project>

Click on save. To confirm you setup everything you can click on “commands”. You then have filter the nodes and select “terraform-server”. You should see the results of whatever command you run on the server.

Now we can create jobs in this project.Click on Jobs, Create New Job, Name the job “Deploy Google RT”.

Then click on workflow, near the bottom you can add steps. These are commands ran on the terraform system. One gotcha is that if you need to run something out of a certain directory you need to chain your commands together.

Click on Nodes at top bar and Select “Dispatch to Nodes”. This is similar to when you were testing the ssh connection. You will select the all Nodes, click Search, then in the matched nodes click terraform-server.

If you edited the terraform code to point to the correct project id, it should kick off and build everything.

If it did not end in success check the following:

  • make sure you have correct permissions in google cloud for your service role
  • ensure that in complete_c2.tf is the google project id and not just the name.
  • ensure that the ip, port, and username, and password are correct for guacamole.

Wiring up Terraform to Guacmole

Guacamole has an API that can be called to do tasks in it. Unfortunately, there is no terraform module to rely on. So I created three python scripts to help tie these two technologies. There are some limitations with the script but it could be modified if need be.

I plan on writing a guacmole terraform provider by the end of the year.

The three scripts are guac-auth.py, guac-new-host.py, guac-remove-host.py

guac-auth.py

Will login to guac and get an authentication token to make the rest of the calls.

guac-new-host.py

Will create the connection in guacamole and assign it to all users.

guac-remove-host.py

Will remove the host from guac on destroy.

Final thoughts

This article and steps should help you get red team infrastructure down as a quick deployment that is consistent and accurate every time.

Also don’t forget to add a new job to run terraform destroy.

Here is a quick picture for that.

Bonus

You can also create self destroying infrastructure by adding an option to the job.

If you go back to jobs and go to the far right you can edit the job.

Click on “Add an option” and set it up like I have. You can add more days if need be by editing the list values.

add an additional step to the workflow to add the destruction time.

Now your project will run terraform destroy in the amount of days you select.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tobias

Tobias

26 Followers

Penetration Tester who have helped secure many organizations. I have written publications for SANS Reading Room, and many others. https://linktr.ee/Lordsaibat