/terraform-nuclear-pond

Backend for Nuclear Pond

Primary language: HCL. License: MIT.

Nuclei Runner

Infrastructure

This Terraform module lets you run Nuclei inside an AWS Lambda function. It is designed to be the backend for Nuclear Pond, so please go to that repository first if you have not. Its purpose is to let you run automated scans against your infrastructure and parse the results in any way you choose.

Nuclei can help you identify technologies running within your infrastructure, misconfigurations, exploitable vulnerabilities, network protocols, default credentials, exposed panels, takeovers, and much more. Continuously monitoring your network for such issues can be crucial as a last line of defense against vulnerabilities hidden within your cloud infrastructure.

⚠️ This is vulnerable to Remote Code Execution: be careful where you deploy it, as I have made no attempt to sanitize inputs, for flexibility. Since it runs in Lambda the risk is generally low, but attaching a network interface to this function could add significant risk.

Engineering Decisions

As with any engineering project, design decisions were made based on the requirements of this project. Those decisions carry the following limitations:

  • Args are passed directly when invoking the lambda function, so that you can specify any nuclei arguments. Since the sink is exec.Command, this is vulnerable to remote code execution by design and can be easily escaped
  • Never pass the -u, -l, -json, or -o flags to this lambda function; any other nuclei arguments are allowed
  • Nuclei insists on writing to $HOME/.config, and Lambda's filesystem is not writable there, so HOME is set to /tmp. Because warm starts share the same /tmp filesystem, an earlier invocation could poison the configuration of later ones
  • The Go lambda function is rebuilt on every apply, for ease of development
  • When configuration files are updated, you may have to destroy and recreate the infrastructure

Event JSON

This is the event that must be passed to the lambda function. Targets can be a list of one or many; the lambda function passes the -u or -l flag accordingly. Args are any valid nuclei flags. Output selects what is returned: the command-line output, the JSON findings, or the S3 key where the results were uploaded.

{
  "Targets": [
    "https://devsecopsdocs.com"
  ],
  "Args": [
    "-t",
    "dns"
  ],
  "Output": "json"
}
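As an added example (not the project's own lambda code), the Go functions below turn the event fields above into nuclei's argv the way this section describes, choosing -u for a single target and -l plus a target file for several, and refuse the four flags the Engineering Decisions say must never be passed. The function names, the listPath parameter and treating only "json" as the Output value that adds -json are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// reserved lists the flags the README says callers must never pass in Args.
var reserved = map[string]bool{"u": true, "l": true, "json": true, "o": true}

// ValidateArgs rejects reserved flags in "-f", "--f" and "-f=value" forms.
func ValidateArgs(args []string) error {
	for _, a := range args {
		if !strings.HasPrefix(a, "-") {
			continue // positional values such as template names are not inspected
		}
		if reserved[strings.TrimLeft(strings.SplitN(a, "=", 2)[0], "-")] {
			return fmt.Errorf("reserved flag %q must not be passed in Args", a)
		}
	}
	return nil
}

// BuildArgv maps the event fields (Targets, Args, Output) to nuclei's argv
// without executing anything: one target becomes "-u <target>"; several are
// written one per line to listPath (under /tmp in lambda) and passed with "-l".
func BuildArgv(targets, args []string, output, listPath string) ([]string, error) {
	if len(targets) == 0 {
		return nil, fmt.Errorf("event has no Targets")
	}
	if err := ValidateArgs(args); err != nil {
		return nil, err
	}
	var argv []string
	if len(targets) == 1 {
		argv = append(argv, "-u", targets[0])
	} else {
		list := []byte(strings.Join(targets, "\n") + "\n")
		if err := os.WriteFile(listPath, list, 0o600); err != nil {
			return nil, err
		}
		argv = append(argv, "-l", listPath)
	}
	argv = append(argv, args...)
	if output == "json" { // assumed Output value; "-json" is the flag nuclei 2.8.x uses
		argv = append(argv, "-json")
	}
	return argv, nil
}
```

For the sample event above this yields `-u https://devsecopsdocs.com -t dns -json`; an Args entry such as `-o out.txt` or `--json` is rejected before anything is executed.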

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| archive | 2.2.0 |
| aws | 4.50.0 |
| github | 5.14.0 |
| null | 3.2.1 |

Providers

| Name | Version |
|------|---------|
| archive | 2.2.0 |
| aws | 4.50.0 |
| github | 5.14.0 |
| null | 3.2.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.log_group | resource |
| aws_dynamodb_table.scan_state_table | resource |
| aws_glue_catalog_database.database | resource |
| aws_glue_catalog_table.table | resource |
| aws_iam_policy.policy | resource |
| aws_iam_role.lambda_role | resource |
| aws_iam_role_policy_attachment.policy | resource |
| aws_lambda_alias.alias | resource |
| aws_lambda_function.function | resource |
| aws_lambda_layer_version.configs_layer | resource |
| aws_lambda_layer_version.layer | resource |
| aws_lambda_layer_version.templates_layer | resource |
| aws_s3_bucket.bucket | resource |
| aws_s3_bucket_public_access_block.block | resource |
| aws_s3_bucket_server_side_encryption_configuration.encryption | resource |
| aws_s3_object.upload_config | resource |
| aws_s3_object.upload_nuclei | resource |
| aws_s3_object.upload_templates | resource |
| null_resource.build | resource |
| null_resource.download_nuclei | resource |
| null_resource.download_templates | resource |
| archive_file.nuclei_config | data source |
| archive_file.zip | data source |
| aws_iam_policy_document.policy | data source |
| aws_iam_policy_document.trust | data source |
| github_release.templates | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| github_owner | Github owner to use for templates | string | "projectdiscovery" | no |
| github_repository | Github repository to use for templates | string | "nuclei-templates" | no |
| github_token | Github token to use for private templates, leave empty if you don't need private templates | string | "" | no |
| memory_size | n/a | number | 512 | no |
| nuclei_arch | Nuclei architecture to use | string | "linux_amd64" | no |
| nuclei_timeout | Lambda function timeout | number | 900 | no |
| nuclei_version | Nuclei version to use | string | "2.8.7" | no |
| project_name | Name of the project to create and must be unique as S3 bucket names are global | any | n/a | yes |
| release_tag | Github release tag to use for templates | string | "v9.3.4" | no |
| tags | n/a | map(string) | {"Name": "nuclei-scanner"} | no |

Outputs

| Name | Description |
|------|-------------|
| dynamodb_state_table | n/a |
| function_name | n/a |