
The Firehawk Main VPC contains shared resources for all Firehawk deployments

Primary language: Shell. License: Mozilla Public License 2.0 (MPL-2.0).

Firehawk-Main

The Firehawk Main VPC (WIP) deploys HashiCorp Vault into a private VPC with auto-unsealing.

This deployment uses Cloud9 to simplify management of AWS secret keys. You will need to create a custom instance profile that grants the Cloud9 instance permission to create these resources with Terraform.

Policies for the Cloud9 instance

WARNING: Do not use this in production without restricting these policies further. These policies are WIP and are far too permissive for a production or persistent deployment.

  • Ensure you have MFA enabled for the current user.

  • In AWS Management Console | IAM | Policies: Create a new policy named: Cloud9SSMCustomInstanceProfile. Use this JSON definition for the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        }
    ]
}

  • In AWS Management Console | IAM | Policies: Create a new policy named: Cloud9CustomRole. Use this JSON definition for the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStack"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/aws-cloud9-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Name": "aws-cloud9-*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:cloudformation:stack-name": "aws-cloud9-*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListInstanceProfiles",
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/cloud9/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AWSCloud9SSMAccessRole"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

  • Create a new role called Cloud9CustomRole

Edit trust relationships for this role and use this JSON definition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloud9.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Attach these policies to the role:

    - Cloud9SSMCustomInstanceProfile
    - Cloud9CustomPolicy
    - IAMFullAccess
    - AdministratorAccess
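The WARNING above is easier to act on if the policy documents are checked mechanically. This added example (not part of the firehawk-main repository) scans a policy for Allow statements that grant state-changing actions on Resource "*" with no Condition, which is the pattern that makes the policies above too broad for a persistent deployment. Its input is a constructed, trimmed excerpt of the Cloud9CustomRole policy; managed policies such as AdministratorAccess are attached separately and are not visible to it.

```python
import json

# Constructed excerpt of the Cloud9CustomRole policy shown above (not the full document),
# kept short so the audit can be read end to end.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:DescribeVpcs", "cloudformation:CreateStack"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "ec2:AuthorizeSecurityGroupIngress"]},
        {"Effect": "Allow", "Resource": "arn:aws:cloudformation:*:*:stack/aws-cloud9-*",
         "Action": ["cloudformation:DeleteStack"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Condition": {"StringLike": {"ec2:ResourceTag/aws:cloudformation:stack-name": "aws-cloud9-*"}}},
    ],
}

# Verb prefixes that create, change or delete state; Describe/List/Get are left alone.
WRITE_VERBS = ("Create", "Delete", "Run", "Terminate", "Authorize", "Revoke",
               "Pass", "Update", "Start", "Stop", "Put", "Attach", "Detach")


def _as_list(value):
    # IAM accepts a single string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    """True for 'service:Verb...' actions whose verb changes state, and for the '*' wildcard."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb == "*" or verb.startswith(WRITE_VERBS)


def find_overly_permissive(policy):
    """Return (statement id, action) pairs for write actions allowed on Resource '*' with no Condition."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow" or statement.get("Condition"):
            continue  # Deny statements and condition-scoped grants are not flagged
        if "*" not in _as_list(statement.get("Resource", [])):
            continue  # resource is already narrowed to an ARN pattern
        for action in _as_list(statement.get("Action", [])):
            if is_write_action(action):
                findings.append((statement.get("Sid", index), action))
    return findings


def audit_file(path):
    """Load a policy JSON file such as the ones above and return its findings."""
    with open(path) as handle:
        return find_overly_permissive(json.load(handle))


if __name__ == "__main__":
    for sid, action in find_overly_permissive(SAMPLE_POLICY):
        print(f"statement {sid}: {action} allowed on every resource; scope it to an ARN or add a Condition")
```

Save each policy from the console as a file and run audit_file on it; statements that come back should be scoped to the Cloud9 stack's ARNs or tags, as the DeleteStack and StartInstances statements above already are.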

Creating The Cloud9 Environment

  • In AWS Management Console | Cloud9: Select Create Environment

Ensure you have selected "Create a new no-ingress EC2 instance for environment (access via Systems Manager)". This creates a Cloud9 instance with no inbound access.

  • Once the instance is running, in AWS Management Console | EC2: select the instance and change its instance profile to your Cloud9CustomRole.

  • Ensure you can connect to the IDE through AWS Management Console | Cloud9.

  • Once connected, disable "AWS Managed Temporary Credentials" (select the Cloud9 icon in the top left | AWS Settings). Your instance should now have permission to create and destroy any resource with Terraform.

Create the HashiCorp Vault deployment in a private VPC with a bastion host

  • Clone the repo, and install the required binaries and packages:

git clone --recurse-submodules https://github.com/firehawkvfx/firehawk-main.git
cd firehawk-main; ./install_packages.sh

  • Initialise the environment variables and spin up the resources:

source ./update_vars.sh
terraform init
terraform apply

  • The bastion host will be configured so that it is used automatically when you ssh into any private IP in the VPC:

ssh ubuntu@some_vault_instance_private_ip

  • You can also ssh directly into the bastion with:

ssh bastion

  • Note: You can use this repository as a submodule in your own repository, but the parent repo should be private, or take care never to commit the secrets/ path produced in the parent folder outside of this repo.