fss18/iac_terraform_cd_ci
Sample how-to: infrastructure as code with Cloud Defender and Cloud Insight

This is a sample reference architecture showing how to integrate Alert Logic Cloud Defender and Cloud Insight into a Terraform and Ansible deployment on AWS.

Several custom scripts are provided as examples; feel free to adjust them to your existing workflow.

This example is only meant to demonstrate where and how to plug Cloud Defender and Cloud Insight into your existing code.

Requirements

  • Terraform and Ansible installed on the workstation that will launch your infrastructure to AWS
  • Credentials to Cloud Insight
  • User API key for Cloud Defender
  • AWS credentials file configured under ~/.aws/credentials

Strategy

  1. Terraform to manage AWS resources, with remote state in S3
  2. Ansible to install the Alert Logic AL Agent
  3. Python scripts as wrappers around the Alert Logic Cloud Defender and Cloud Insight APIs
  4. Ephemeral files to pass parameters between steps
  5. Bash scripts to tie it all together

What's inside

Here is the repo structure with a quick description of each component:

├── ansible
│   ├── ansible.cfg
│   ├── inventories
│   │   └── inventory  <-- will be created by compute/ansible_inventory.tpl template
│   ├── roles
│   │   └── al-agents  <-- playbook for AlertLogic AL Agent
│   └── webserver.yaml <-- execute al-agents role with additional wait conditions
├── backend
│   ├── backend.tf
│   ├── initialize.tf
├── data
│   └── key
│       ├── ansible-terraform.pem <-- CREATE YOUR OWN KEY; a private key committed to a repo is public, so use this one at your own risk
├── environment
│   └── staging
│       ├── cloud_insight
│       │   ├── cloud_insight_sg_id.txt <-- created by deploy_alertlogic.py script
│       │   ├── cloud_insight_sg.tf
│       │   ├── initialize.tf
│       │   └── vars.tfvars <-- created by 02_environment_init.sh
│       ├── cloudtrail
│       │   ├── cloudtrail.tf
│       │   ├── initialize.tf
│       │   └── vars.tfvars <-- created by 02_environment_init.sh
│       ├── compute
│       │   ├── ansible_inventory.tpl
│       │   ├── compute.tf
│       │   ├── hostname.tpl
│       │   ├── initialize.tf
│       │   ├── template.tf
│       │   └── vars.tfvars <-- created by 02_environment_init.sh
│       ├── iam
│       │   ├── iam.tf
│       │   ├── initialize.tf
│       │   └── vars.tfvars <-- created by 02_environment_init.sh
│       ├── log_manager
│       │   ├── initialize.tf
│       │   ├── lm_cloudtrail.tf
│       │   └── vars.tfvars <-- created by 02_environment_init.sh
│       ├── network
│       │   ├── ci_scope.tpl
│       │   ├── cloud_insight_scope.json <-- used by deploy_alertlogic.py as the scope
│       │   ├── initialize.tf
│       │   ├── network.tf
│       │   ├── template.tf
│       │   ├── vars.tfvars <-- created by 02_environment_init.sh
│       │   └── vpclist.tpl
│       └── threat_manager
│           ├── initialize.tf
│           ├── private_ips.txt <-- generated by null resource + local exec
│           ├── public_ips.txt <-- generated by null resource + local exec
│           ├── tmc.tf
│           └── vars.tfvars <-- created by 02_environment_init.sh
├── module
│   ├── alert_logic_cloud_defender_role
│   │   ├── alert_logic_cloud_defender_role.tf
│   │   └── vars.tf
│   ├── alert_logic_cloud_insight_role
│   │   ├── alert_logic_cloud_insight_role.tf
│   │   └── vars.tf
│   ├── alert_logic_log_manager_cloudtrail
│   │   ├── alert_logic_LM_cloudtrail.tf
│   │   └── vars.tf
│   ├── alert_logic_tmc
│   │   ├── alert_logic_tmc.tf
│   │   └── vars.tf
│   └── vpc_module
│       ├── vars.tf
│       └── vpc_module.tf
├── README.md
└── scripts
    ├── 01_backend_init.sh
    ├── 02_environment_init.sh
    ├── 03_param_init.sh
    ├── 04_deploy.sh
    ├── 05_destroy.sh
    ├── deploy_alertlogic.py
    ├── deploy_lm_cloudtrail.py
    └── tmc_is_claimed.py

How to run

  1. Copy the entire repo to your workstation / utility server

  2. Initialize the backend terraform support components (scripts/01_backend_init.sh)

  3. Initialize terraform template (scripts/02_environment_init.sh)

  4. Initialize variables for each template (scripts/03_param_init.sh)

  5. Run scripts/04_deploy.sh to launch the whole infrastructure

  6. Run scripts/05_destroy.sh to destroy the whole infrastructure

01_backend_init

This sample uses an S3 bucket to store Terraform state and a DynamoDB table to manage the state lock.

Add all the required parameters as specified in the script.
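An added example (not the repository's own backend.tf or initialize.tf) of the pattern this step sets up, written in Terraform 0.12+ syntax. The first part belongs in the backend template, the terraform block at the end in each environment template's initialize.tf. The names example-tfstate-bucket, example-tfstate-lock, the us-east-1 region and the state key are placeholders:

```hcl
# Added example, not the repo's code. Bucket, table and region are placeholders.
# The state bucket and lock table must exist before any template can use the
# s3 backend, which is why they are created in a separate first step.
provider "aws" {
  region = "us-east-1"
}

# State files contain resource IDs, private IPs and sometimes secrets:
# keep the bucket private, versioned (to recover a corrupted state) and encrypted.
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Belt and braces: refuse any public ACL or bucket policy on the state bucket.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Terraform's s3 backend locks on an item keyed by the string attribute LockID.
resource "aws_dynamodb_table" "tfstate_lock" {
  name           = "example-tfstate-lock"
  hash_key       = "LockID"
  read_capacity  = 1
  write_capacity = 1

  attribute {
    name = "LockID"
    type = "S"
  }
}

# In each environment template (e.g. environment/staging/network/initialize.tf):
# point at the shared backend with a key unique to that template. Backend blocks
# cannot use variables or interpolation, so the values must be literal.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "staging/network/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-tfstate-lock"
    encrypt        = true
  }
}
```

Two templates sharing the same key would overwrite each other's state, so give every directory under environment/staging its own key; the lock table is shared and keyed per state file, so one table serves all of them.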

02_environment_init

This script runs terraform init for each template.

03_param_init

This script generates the vars.tfvars for each Terraform template; each template has its own required variables.

04_deploy

Here is where we launch the infrastructure. The order of launch is not absolute and you can modify it as required; the ordering I recommend is:

  1. Create all your IAM roles
  2. Create the CloudTrail
  3. Deploy Alert Logic Log Manager CloudTrail
  4. Deploy Network / VPC
  5. Deploy Alert Logic Cloud Defender environment (to allow auto-claim for below)
  6. Deploy Alert Logic Threat Manager appliance (dependent to Cloud Defender environment)
  7. Deploy the rest of your compute resource (EC2)
  8. Verify Threat Manager is claimed
  9. Execute Ansible playbook
  10. Deploy Alert Logic Cloud Insight environment
  11. Set scope for Alert Logic Cloud Insight (use vpc-id from your Network / VPC state)
  12. Modify security group of your compute resource to allow Cloud Insight to scan it*

*You could shorten this by launching Cloud Insight immediately after your VPC is ready. The existing deploy_alertlogic.py would then need modification to make sure Cloud Insight discovers the EC2 instances built afterwards.
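An added example (not the repo's cloud_insight_sg.tf or compute.tf) of how steps 11 and 12 can be wired in Terraform 0.12+ syntax: the VPC id for the Cloud Insight scope is read from the network template's remote state, and the ephemeral cloud_insight_sg_id.txt written by deploy_alertlogic.py becomes the only permitted scan source. The state bucket name and keys, and the output names vpc_id and web_sg_id on the other templates, are assumptions:

```hcl
# Added example, not the repository's code. The output names vpc_id / web_sg_id
# and the state bucket and keys are assumptions about the other templates.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "staging/network/terraform.tfstate"
    region = "us-east-1"
  }
}

data "terraform_remote_state" "compute" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "staging/compute/terraform.tfstate"
    region = "us-east-1"
  }
}

locals {
  # Step 11: the scope handed to Cloud Insight comes from the network state,
  # not from a hand-typed value, so it cannot drift from what was deployed.
  scope_vpc_id = data.terraform_remote_state.network.outputs.vpc_id

  # Step 12: deploy_alertlogic.py writes the scanner's security group id to an
  # ephemeral file. chomp() strips the trailing newline; if the file is missing
  # the plan fails, which is the intended guard that step 10 has already run.
  cloud_insight_sg_id = chomp(file("${path.module}/cloud_insight_sg_id.txt"))
}

# Open the compute security group to the scanner only, never to 0.0.0.0/0.
# A vulnerability scanner has to reach every port, so the rule is wide in
# ports but narrow in source: only members of the Cloud Insight group.
resource "aws_security_group_rule" "allow_cloud_insight_scan" {
  type                     = "ingress"
  description              = "Alert Logic Cloud Insight scanner"
  from_port                = 0
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = data.terraform_remote_state.compute.outputs.web_sg_id
  source_security_group_id = local.cloud_insight_sg_id
}

output "cloud_insight_scope_vpc_id" {
  value = local.scope_vpc_id
}
```

Because this rule attaches to a security group owned by the compute template, destroy this template before the compute one (as 05_destroy's reverse ordering does); destroying compute first leaves a dangling rule that Terraform cannot reconcile. Add a second rule with protocol "udp" if your scan profile needs it.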

05_destroy

In short, this tears down the whole deployment in reverse order.

Example

It's easier to see it in action than to explain it. Use the sample provided under ./example to see how to fill in the parameters for each script.

Warning

  1. The CloudTrail S3 bucket is created with force_delete_bucket=false by default, so the destroy step will not remove a bucket that still holds trail logs
  2. This is an ongoing project; the sample is provided AS IS

About

Cloud Insight and Cloud Defender in terraform+ansible
