Terraform for resources exposed to the internet in AWS

terraform-aws-resource-exposure

Terraform to demonstrate exposed resources in AWS.

Note: Do not run this in production. Probably don't even run this in dev. Run it in a sandboxed account that you intend to nuke afterwards.

Instructions

  • If you are using a non-default AWS credentials profile, set it with both of these variables (one is read by the AWS CLI, the other by Terraform). In this case, I called my profile vulnerable-aws.

    export AWS_DEFAULT_PROFILE=vulnerable-aws
    export AWS_PROFILE=vulnerable-aws

  • Now set your AWS region:

    export AWS_DEFAULT_REGION=us-east-1

  • Initialise, plan and apply the Terraform:

    terraform init
    terraform plan
    terraform apply -auto-approve

Module Reference

Requirements

| Name      | Version |
|-----------|---------|
| terraform | 1.0.6   |
| aws       | 3.63.0  |

Providers

| Name    | Version |
|---------|---------|
| archive | 2.2.0   |
| aws     | 3.63.0  |
| null    | 3.1.0   |
| random  | 3.1.0   |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_ami_copy.example | resource |
| aws_ebs_snapshot.example | resource |
| aws_ebs_volume.example | resource |
| aws_ecr_repository.example | resource |
| aws_ecr_repository_policy.example | resource |
| aws_efs_file_system.example | resource |
| aws_efs_file_system_policy.example | resource |
| aws_iam_role.example | resource |
| aws_iam_role.lambda_exec_role | resource |
| aws_kms_alias.example | resource |
| aws_kms_key.example | resource |
| aws_lambda_function.example | resource |
| aws_lambda_layer_version.lambda_layer | resource |
| aws_lambda_layer_version.lambda_layer_2 | resource |
| aws_s3_bucket.example | resource |
| aws_s3_bucket_object.example | resource |
| aws_s3_bucket_policy.example | resource |
| aws_secretsmanager_secret.example | resource |
| aws_secretsmanager_secret_policy.example | resource |
| aws_secretsmanager_secret_version.example | resource |
| aws_ses_domain_identity.example | resource |
| aws_ses_identity_policy.example | resource |
| aws_sns_topic.example | resource |
| aws_sns_topic_policy.example | resource |
| aws_sqs_queue.example | resource |
| aws_sqs_queue_policy.example | resource |
| null_resource.create_kms_grant | resource |
| null_resource.share_ami_publicly | resource |
| null_resource.share_ebs_volume_publicly | resource |
| null_resource.share_lambda_function_publicly | resource |
| random_string.random | resource |
| archive_file.layer | data source |
| aws_ami.example | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.ecr | data source |
| aws_iam_policy_document.efs | data source |
| aws_iam_policy_document.iam | data source |
| aws_iam_policy_document.s3 | data source |
| aws_iam_policy_document.ses | data source |
| aws_iam_policy_document.sns | data source |
| aws_iam_policy_document.sqs | data source |
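Most of the exposures in the Resources table above come from resource-based policies (the *_policy resources built from the aws_iam_policy_document data sources). As an added example that is not part of this repo, here is a small Python check of the kind a defender would run over such policies: it flags Allow statements granted to any principal that carry no condition narrowing the grant. The scoping-key set, the sample queue policies and the account id are constructed assumptions, not values from the repo.

```python
import json

# Condition keys assumed here to narrow a "Principal": "*" grant to a known
# account, organisation or source resource (extend for your own baseline).
SCOPING_KEYS = {"aws:principalaccount", "aws:principalorgid", "aws:principalarn",
                "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner"}

def principal_is_public(principal):
    """True when Principal is "*" or {"AWS": "*"}, i.e. granted to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def has_scoping_condition(statement):
    """True when any Condition operator references one of SCOPING_KEYS."""
    return any(key.lower() in SCOPING_KEYS
               for operator in statement.get("Condition", {}).values()
               for key in operator)

def find_public_statements(policy_json):
    """Sids (or positions) of Allow statements open to any principal and
    carrying no condition that narrows who may use them."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement, not a list
        statements = [statements]
    return [stmt.get("Sid", f"Statement[{idx}]")
            for idx, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow"
            and principal_is_public(stmt.get("Principal"))
            and not has_scoping_condition(stmt)]

# Constructed samples (account id is a placeholder): a world-open SQS queue
# policy like the one this repo demonstrates, and the same grant narrowed
# to one account with an aws:SourceAccount condition.
OPEN_QUEUE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicSend", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111111111111:example"}]})
SCOPED_QUEUE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ScopedSend", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111111111111:example",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}}]})

if __name__ == "__main__":
    print(find_public_statements(OPEN_QUEUE_POLICY))    # ['PublicSend']
    print(find_public_statements(SCOPED_QUEUE_POLICY))  # []
```

The same check applies to the S3, ECR, EFS, SNS, SES and Secrets Manager policies this module creates; AMI, EBS snapshot and Lambda sharing use separate permission APIs and need their own checks.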

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| domain_name | n/a | string | "test-resource-exposure.com" | no |
| kms_grantee_principal | KMS Grants require a valid IAM principal, and I don't want to expose my own AWS Account ID, so let's give New Relic (randomly selected) access to the KMS key. | string | "arn:aws:iam::754728514883:root" | no |
| name | n/a | string | "test-resource-exposure" | no |
| region | n/a | string | "us-east-1" | no |

Outputs

No outputs.