Create AWS resources to host the CTF (#1)

Author: gregsienkiewicz

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @rewindio/appsec

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    reviewers:
+      - "rewindio/devops"
+    labels:
+      - "appsec"
+    open-pull-requests-limit: 10

.github/workflows/checkov.yml

@@ -0,0 +1,24 @@
+name: checkov
+concurrency: checkov
+
+on: [pull_request, workflow_call]
+
+permissions: read-all
+
+jobs:
+  checkov-static-analysis:
+    name: "checkov"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Checkov static analysis
+        id: static-analysis
+        uses: bridgecrewio/checkov-action@99bb2caf247dfd9f03cf984373bc6043d4e32ebf # v12.1347.0
+        with:
+          directory: .
+          framework: terraform
+          hard_fail_on: CRITICAL
+          skip_check: CKV_TF_1
+          output_format: cli

.terraform.lock.hcl

@@ -1,2 +1,11 @@
-# trust-ctf
+# Capture the Flag (CTF) Repo
+
 Trust's capture the Flag (CTF) resources for Cybersecurity Awareness month.
+
+This repository contains the Terraform that can be used to deploy an instance of OWASP Juice Shop on EC2 instance along with CFTd app to help manage the CTF event.
+
+## OWASP Juice Shop & CTFd
+
+![Juice Shop](https://raw.githubusercontent.com/juice-shop/juice-shop/develop/frontend/src/assets/public/images/JuiceShop_Logo_100px.png)    [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/) is probably the most modern and sophisticated insecure web application! 
+
+![CTFd](https://ctfd.io/static/img/ctfd.svg)    [CTFd](https://ctfd.io/) is a Capture The Flag (CTF) framework designed for ease of use.

README.md

@@ -0,0 +1,126 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+#
+# Based on AWS documentation: Encrypt log data in CloudWatch Logs using AWS Key Management Service
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+#
+data "aws_iam_policy_document" "cloudwatch_waf_kms" {
+  # checkov:skip=CKV_AWS_109: Allow `*` resources
+  # checkov:skip=CKV_AWS_111: Allow `kms:*` actions
+  # checkov:skip=CKV_AWS_356: Allow `kms:*` actions
+  statement {
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+      ]
+    }
+
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+
+      values = ["arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"]
+    }
+  }
+}
+
+resource "aws_kms_key" "cloudwatch_waf" {
+  description         = "aws-waf-logs-ctf-key"
+  key_usage           = "ENCRYPT_DECRYPT"
+  multi_region        = true
+  enable_key_rotation = true
+
+  policy = data.aws_iam_policy_document.cloudwatch_waf_kms.json
+}
+
+resource "aws_kms_alias" "cloudwatch_waf" {
+  name          = "alias/aws-waf-logs-ctf-key"
+  target_key_id = aws_kms_key.cloudwatch_waf.key_id
+}
+
+resource "aws_cloudwatch_log_group" "waf" {
+  # checkov:skip=CKV_AWS_338: Ensure CloudWatch log groups retains logs for at least 1 year
+
+  name              = "aws-waf-logs-ctf"
+  retention_in_days = 7
+  kms_key_id        = aws_kms_key.cloudwatch_waf.arn
+}
+
+###=============== CloudWatch Log Insights - Queries   =============== ###
+
+resource "aws_cloudwatch_query_definition" "tail" {
+  name = "WAF/Tail View (ctf)"
+
+  log_group_names = [aws_cloudwatch_log_group.waf.name]
+
+  query_string = <<EOF
+fields @timestamp as Timestamp,
+  action as Action,
+  terminatingRuleId as Rule,
+  httpRequest.clientIp as Request_IP,
+  httpRequest.country as Request_Country,
+  httpRequest.httpMethod as Request_Method,
+  httpRequest.uri as URI
+| sort @timestamp desc
+| limit 100
+EOF
+}
+
+resource "aws_cloudwatch_query_definition" "filter_by_clientip" {
+  name = "WAF/Filter by Client IP (ctf)"
+
+  log_group_names = [aws_cloudwatch_log_group.waf.name]
+
+  query_string = <<EOF
+fields @timestamp as Timestamp,
+  action as Action,
+  httpRequest.country as Request_Country,
+  httpRequest.httpMethod as Request_Method,
+  httpRequest.uri as URI,
+  labels.0.name	as WAF_Rule,
+  terminatingRuleId as WAF_RuleID
+| sort @timestamp desc
+| filter httpRequest.clientIp LIKE "8.8.8.8"
+EOF
+}
+
+resource "aws_cloudwatch_query_definition" "filter_by_rule" {
+  name = "WAF/Filter by Rule (ctf)"
+
+  log_group_names = [aws_cloudwatch_log_group.waf.name]
+
+  query_string = <<EOF
+fields @timestamp as Timestamp,
+  action as Action,
+  terminatingRuleId as Rule,
+  httpRequest.clientIp as Request_IP,
+  httpRequest.country as Request_Country,
+  httpRequest.httpMethod as Request_Method,
+  httpRequest.uri as URI
+| sort @timestamp desc
+| filter action not like "ALLOW" and
+| terminatingRuleId in ["AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesSQLiRuleSet", "AWSManagedRulesLinuxRuleSet"]
+EOF
+}

cloudwatch.tf

@@ -0,0 +1,79 @@
+data "aws_ami" "amzn-linux-2023-ami" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["al2023-ami-2023.*-x86_64"]
+  }
+}
+
+###======================== CTFd EC2 ====================== ###
+
+resource "aws_instance" "ctfd" {
+  #checkov:skip=CKV_AWS_8:Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted
+  #checkov:skip=CKV_AWS_126:Ensure that detailed monitoring is enabled for EC2 instances
+  #checkov:skip=CKV_AWS_135:Ensure that EC2 is EBS optimized
+
+  ami               = data.aws_ami.amzn-linux-2023-ami.id
+  instance_type     = var.instance_type
+  availability_zone = var.aws_availability_zone_a
+
+  subnet_id                   = aws_subnet.ctfd.id
+  associate_public_ip_address = false
+
+  vpc_security_group_ids = [
+    aws_security_group.ctf.id
+  ]
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+  }
+
+  root_block_device {
+    volume_size = 40
+  }
+
+  iam_instance_profile = aws_iam_instance_profile.ctf.id
+
+  tags = {
+    Name = "CTFd"
+  }
+}
+
+###================= OWASP Juice Shop EC2 ================= ###
+
+resource "aws_instance" "owaspjs" {
+  #checkov:skip=CKV_AWS_8:Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted
+  #checkov:skip=CKV_AWS_126:Ensure that detailed monitoring is enabled for EC2 instances
+  #checkov:skip=CKV_AWS_135:Ensure that EC2 is EBS optimized
+
+  ami               = data.aws_ami.amzn-linux-2023-ami.id
+  instance_type     = var.instance_type
+  availability_zone = var.aws_availability_zone_a
+
+  subnet_id                   = aws_subnet.owaspjs.id
+  associate_public_ip_address = false
+
+  vpc_security_group_ids = [
+    aws_security_group.ctf.id
+  ]
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+  }
+
+  root_block_device {
+    volume_size = 40
+  }
+
+  iam_instance_profile = aws_iam_instance_profile.ctf.id
+
+  tags = {
+    Name = "OWASP Juice Shop"
+  }
+}

ec2.tf

@@ -0,0 +1,28 @@
+resource "aws_iam_instance_profile" "ctf" {
+  name = "ctf_ec2_instance_profile"
+  role = aws_iam_role.ctf_role.name
+}
+
+data "aws_iam_policy_document" "ctf_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "ctf_role" {
+  name = "ctf_ec2_role"
+  path = "/"
+
+  assume_role_policy = data.aws_iam_policy_document.ctf_assume_role.json
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  ]
+}