Loading terraform/f5-sgw-ts/modules/functions/docker/userdata.tmpl→terraform/f5-sgw-ts/modules/functions/docker/files/userdata.tmpl +16 −1 Original line number Diff line number Diff line #!/bin/bash # Script must be non-blocking or run in the background for use in user_data. mkdir -p /config/cloud cat << 'EOF' > /config/cloud/startup-script.sh #!/bin/bash # prevent prompting for restart when installing core packages such as libssl DEBIAN_FRONTEND=noninteractive echo '* libraries/restart-without-asking boolean true' | sudo debconf-set-selections Loading 
@@ -8,4 +16,11 @@ sudo apt update sudo apt-add-repository --yes --update ppa:ansible/ansible sudo apt install software-properties-common ansible python-apt python-pip -y sudo pip install -q jmespath ansible-galaxy install -r ansible/requirements.yml No newline at end of file ### Clean up rm /config/cloud/startup-script.sh EOF # Now run in the background to not block startup chmod 755 /config/cloud/startup-script.sh nohup /config/cloud/startup-script.sh & No newline at end of file terraform/f5-sgw-ts/secure/findthehosts.sh 0 → 100755 +37 −0 Original line number Diff line number Diff line export BIGIPHOST0=`terraform output --json | jq -r '.bigip_mgmt_public_ips.value[0]'` export BIGIPHOST1=`terraform output --json | jq -r '.bigip_mgmt_public_ips.value[1]'` export BIGIPMGMTPORT=`terraform output --json | jq -r '.bigip_mgmt_port.value'` export BIGIPPASSWORD=`terraform output --json | jq -r '.bigip_password.value'` export EC2KEYNAME=`terraform output --json | jq -r '.ec2_key_name.value'` export JUMPHOSTIP0=`terraform output --json | jq -r '.jumphost_ip.value[0]'` export JUMPHOSTIP1=`terraform output --json | jq -r '.jumphost_ip.value[1]'` export JUICESHOP0=`terraform output --json | jq -r '.juiceshop_ip.value[0]'` export JUICESHOP1=`terraform output --json | jq -r '.juiceshop_ip.value[1]'` export GRAFANA0=`terraform output --json | jq -r '.grafana_ip.value[0]'` export GRAFANA1=`terraform output --json | jq -r '.grafana_ip.value[1]'` echo '** AVAILABILITY ZONE 1 **' echo connect to BIG-IP at https://$BIGIPHOST0:$BIGIPMGMTPORT with $BIGIPPASSWORD echo connect to jumphost at with echo scp -i $EC2KEYNAME.pem $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP0:~/$EC2KEYNAME.pem echo ssh -i $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP0 echo when the ansible run is complete Juiceshop and Grafana should be available at echo Juice Shop http://$JUICESHOP0 echo Grafana http://$GRAFANA0 echo you can run the load test from the jumphost with the following: echo ./run-load.sh $JUICESHOP0 10 echo and the 
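Review bot: `DEBIAN_FRONTEND=noninteractive` on its own line only sets a shell variable that is never exported, and the installs that follow run through `sudo`, which with a default `env_reset` policy does not pass the caller's environment through anyway, so apt/dpkg will not see the setting and prompt suppression rests entirely on the preceding `debconf-set-selections` line. Put the variable on the command itself: `sudo DEBIAN_FRONTEND=noninteractive apt install software-properties-common ansible python-apt python-pip -y`. The generated script also has no `set -e`, so a failed apt, pip or galaxy step still falls through to `rm /config/cloud/startup-script.sh` and the instance looks healthy; `set -euo pipefail` at the top of the heredoc and `nohup /config/cloud/startup-script.sh > /var/log/startup-script.log 2>&1 &` would make boot-time failures diagnosable. The first hunk's header is not shown on this page, so the top of the generated script is only partially visible.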
attack with echo ./run-attack.sh http://$JUICESHOP0 echo echo echo '** AVAILABILITY ZONE 2 **' echo connect to BIG-IP at https://$BIGIPHOST1:$BIGIPMGMTPORT with $BIGIPPASSWORD echo connect to jumphost at with echo scp -i $EC2KEYNAME.pem $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP1:~/$EC2KEYNAME.pem echo ssh -i $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP1 echo when the ansible run is complete Juiceshop and Grafana should be available at echo Juice Shop http://$JUICESHOP1 echo Grafana http://$GRAFANA1 echo you can run the load test from the jumphost with the following: echo ./run-load.sh $JUICESHOP1 10 echo and the attack with echo ./run-attack.sh http://$JUICESHOP1 terraform/f5-sgw-ts/secure/inspec/bigip-ready/.gitignore 0 → 100644 +4 −0 Original line number Diff line number Diff line inspec.lock # temporary file used to hold terraform output information terraform.json No newline at end of file terraform/f5-sgw-ts/secure/inspec/bigip-ready/README.md 0 → 100644 +3 −0 Original line number Diff line number Diff line # Example InSpec Profile This example shows the implementation of an InSpec profile. terraform/f5-sgw-ts/secure/inspec/bigip-ready/controls/example.rb 0 → 100644 +107 −0 Original line number Diff line number Diff line # copyright: 2018, The Authors title "Verify BIG-IP availability" # load data from Terraform output # created by terraform output --json > inspec/bigip-ready/files/terraform.json content = inspec.profile.file("terraform.json") params = JSON.parse(content) begin BIGIP_DNS = params['bigip_mgmt_public_ips']['value'] BIGIP_PORT = params['bigip_mgmt_port']['value'] BIGIP_PASSWORD = params['bigip_password']['value'] rescue BIGIP_DNS = [] BIGIP_PORT = "" BIGIP_PASSWORD = "" end control "Connectivity" do impact 1.0 title "BIGIP is reachable" BIGIP_DNS.each do |bigip_host| # can we reach the management port on the BIG-IP? 
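Review bot: `echo scp -i $EC2KEYNAME.pem $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP0:~/$EC2KEYNAME.pem` (and its zone-2 twin) instructs the operator to copy the EC2 private key onto the jumphost, so anyone who compromises that publicly reachable host inherits SSH access to every instance launched with the same key pair. The key never needs to leave the workstation: reach the private instances with ProxyJump, `ssh -J ubuntu@$JUMPHOSTIP0 -i $EC2KEYNAME.pem ubuntu@<private-ip>`, or agent forwarding where ProxyJump is unavailable, and drop the scp lines. `echo connect to jumphost at with` also prints an empty sentence; the host and key variables appear to have been dropped from it.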
describe host(bigip_host, port: BIGIP_PORT, protocol: 'tcp') do it { should be_reachable } end end end control "Declarative Onboarding Available" do impact 1.0 title "BIGIP has DO" BIGIP_DNS.each do |bigip_host| # is the declarative onboarding end point available? describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/declarative-onboarding/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/declarative-onboarding/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its([0,'version']) { should eq '1.8.0' } its([0,'release']) { should eq '2' } # this should be replaced with a test using the json resource end end end control "Application Services Available" do impact 1.0 title "BIGIP has AS3" BIGIP_DNS.each do |bigip_host| # is the application services end point available? describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/appsvcs/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/appsvcs/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its('version') { should eq '3.14.0' } its('release') { should eq '4' } # this should be replaced with a test using the json resource end end end control "Telemetry Streaming Available" do impact 1.0 title "BIGIP has TS" BIGIP_DNS.each do |bigip_host| # is the telemetry streaming end point available? 
describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/telemetry/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/telemetry/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its('version') { should eq '1.6.0' } its('release') { should eq '1' } # this should be replaced with a test using the json resource end end end Loading
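Review bot: The bare `rescue` around the Terraform-output lookups falls back to `BIGIP_DNS = []`, and every control below iterates `BIGIP_DNS.each`, so a missing, stale or malformed terraform.json yields zero `describe` blocks and the profile reports a clean run without having contacted a single BIG-IP. Make that case loud instead: `rescue NoMethodError, TypeError => e` followed by `raise "terraform.json is missing BIG-IP outputs: #{e.message}"`, or add a control asserting `BIGIP_DNS` is non-empty. Reassigning the constants inside the rescue branch will also emit Ruby's "already initialized constant" warning whenever only a later lookup fails; plain locals or InSpec `input()` values avoid that. The three `# this should be replaced with a test using the json resource` comments sit inside `json(...)` describes that already are json-resource tests and look like leftovers from an earlier draft.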
terraform/f5-sgw-ts/modules/functions/docker/userdata.tmpl→terraform/f5-sgw-ts/modules/functions/docker/files/userdata.tmpl +16 −1 Original line number Diff line number Diff line #!/bin/bash # Script must be non-blocking or run in the background for use in user_data. mkdir -p /config/cloud cat << 'EOF' > /config/cloud/startup-script.sh #!/bin/bash # prevent prompting for restart when installing core packages such as libssl DEBIAN_FRONTEND=noninteractive echo '* libraries/restart-without-asking boolean true' | sudo debconf-set-selections Loading @@ -8,4 +16,11 @@ sudo apt update sudo apt-add-repository --yes --update ppa:ansible/ansible sudo apt install software-properties-common ansible python-apt python-pip -y sudo pip install -q jmespath ansible-galaxy install -r ansible/requirements.yml No newline at end of file ### Clean up rm /config/cloud/startup-script.sh EOF # Now run in the background to not block startup chmod 755 /config/cloud/startup-script.sh nohup /config/cloud/startup-script.sh & No newline at end of file
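Review bot: The startup script installs unpinned third-party content as root at every launch — the `ppa:ansible/ansible` repository, `sudo pip install -q jmespath` with no version, and `ansible-galaxy install -r ansible/requirements.yml` — and nothing in the hunk pins or verifies what is fetched, so the instance's configuration depends on whatever those sources serve at boot time. Pin the pip package to a known version and make sure requirements.yml pins role versions so the build is reproducible. `ansible/requirements.yml` is also a relative path and no `cd` is visible in this section; unless an unshown earlier hunk sets the working directory, a user_data-launched script may look for it in the wrong place, so an absolute path is safer. Finally, without `set -e` a failed install still reaches `rm /config/cloud/startup-script.sh` and the backgrounded `nohup` run exits quietly.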
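--- /dev/null
+++ b/terraform/f5-sgw-ts/secure/findthehosts.sh
@@ -0,0 +1,37 @@
+export BIGIPHOST0=`terraform output --json | jq -r '.bigip_mgmt_public_ips.value[0]'`
+export BIGIPHOST1=`terraform output --json | jq -r '.bigip_mgmt_public_ips.value[1]'`
+export BIGIPMGMTPORT=`terraform output --json | jq -r '.bigip_mgmt_port.value'`
+export BIGIPPASSWORD=`terraform output --json | jq -r '.bigip_password.value'`
+export EC2KEYNAME=`terraform output --json | jq -r '.ec2_key_name.value'`
+export JUMPHOSTIP0=`terraform output --json | jq -r '.jumphost_ip.value[0]'`
+export JUMPHOSTIP1=`terraform output --json | jq -r '.jumphost_ip.value[1]'`
+export JUICESHOP0=`terraform output --json | jq -r '.juiceshop_ip.value[0]'`
+export JUICESHOP1=`terraform output --json | jq -r '.juiceshop_ip.value[1]'`
+export GRAFANA0=`terraform output --json | jq -r '.grafana_ip.value[0]'`
+export GRAFANA1=`terraform output --json | jq -r '.grafana_ip.value[1]'`
+echo '** AVAILABILITY ZONE 1 **'
+echo connect to BIG-IP at https://$BIGIPHOST0:$BIGIPMGMTPORT with $BIGIPPASSWORD
+echo connect to jumphost at with
+echo scp -i $EC2KEYNAME.pem $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP0:~/$EC2KEYNAME.pem
+echo ssh -i $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP0
+echo when the ansible run is complete Juiceshop and Grafana should be available at
+echo Juice Shop http://$JUICESHOP0
+echo Grafana http://$GRAFANA0
+echo you can run the load test from the jumphost with the following:
+echo ./run-load.sh $JUICESHOP0 10
+echo and the attack with
+echo ./run-attack.sh http://$JUICESHOP0
+echo
+echo
+echo '** AVAILABILITY ZONE 2 **'
+echo connect to BIG-IP at https://$BIGIPHOST1:$BIGIPMGMTPORT with $BIGIPPASSWORD
+echo connect to jumphost at with
+echo scp -i $EC2KEYNAME.pem $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP1:~/$EC2KEYNAME.pem
+echo ssh -i $EC2KEYNAME.pem ubuntu@$JUMPHOSTIP1
+echo when the ansible run is complete Juiceshop and Grafana should be available at
+echo Juice Shop http://$JUICESHOP1
+echo Grafana http://$GRAFANA1
+echo you can run the load test from the jumphost with the following:
+echo ./run-load.sh $JUICESHOP1 10
+echo and the attack with
+echo ./run-attack.sh http://$JUICESHOP1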
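Review bot: `echo connect to BIG-IP at https://$BIGIPHOST0:$BIGIPMGMTPORT with $BIGIPPASSWORD` (and the zone-2 line) writes the BIG-IP admin password to stdout, where it ends up in terminal scrollback, CI logs and anything this script's output is piped into, and `export BIGIPPASSWORD` leaves it in the environment of every child process for the rest of the shell session. Print the URL only and point at the source of the credential, e.g. `echo connect to BIG-IP at https://$BIGIPHOST0:$BIGIPMGMTPORT '(password: terraform output bigip_password)'`, and do not export the password unless something downstream actually reads it. `terraform output --json` is also run eleven times; capturing it once into a variable and running `jq` against that is faster and avoids reading a half-updated state mid-run. The variables are unquoted throughout, which is harmless for IPs but means a missing output silently prints empty text; `set -u` would surface that early.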
terraform/f5-sgw-ts/secure/inspec/bigip-ready/.gitignore 0 → 100644 +4 −0 Original line number Diff line number Diff line inspec.lock # temporary file used to hold terraform output information terraform.json No newline at end of file
terraform/f5-sgw-ts/secure/inspec/bigip-ready/README.md 0 → 100644 +3 −0 Original line number Diff line number Diff line # Example InSpec Profile This example shows the implementation of an InSpec profile.
terraform/f5-sgw-ts/secure/inspec/bigip-ready/controls/example.rb 0 → 100644 +107 −0 Original line number Diff line number Diff line # copyright: 2018, The Authors title "Verify BIG-IP availability" # load data from Terraform output # created by terraform output --json > inspec/bigip-ready/files/terraform.json content = inspec.profile.file("terraform.json") params = JSON.parse(content) begin BIGIP_DNS = params['bigip_mgmt_public_ips']['value'] BIGIP_PORT = params['bigip_mgmt_port']['value'] BIGIP_PASSWORD = params['bigip_password']['value'] rescue BIGIP_DNS = [] BIGIP_PORT = "" BIGIP_PASSWORD = "" end control "Connectivity" do impact 1.0 title "BIGIP is reachable" BIGIP_DNS.each do |bigip_host| # can we reach the management port on the BIG-IP? describe host(bigip_host, port: BIGIP_PORT, protocol: 'tcp') do it { should be_reachable } end end end control "Declarative Onboarding Available" do impact 1.0 title "BIGIP has DO" BIGIP_DNS.each do |bigip_host| # is the declarative onboarding end point available? describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/declarative-onboarding/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/declarative-onboarding/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its([0,'version']) { should eq '1.8.0' } its([0,'release']) { should eq '2' } # this should be replaced with a test using the json resource end end end control "Application Services Available" do impact 1.0 title "BIGIP has AS3" BIGIP_DNS.each do |bigip_host| # is the application services end point available? 
describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/appsvcs/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/appsvcs/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its('version') { should eq '3.14.0' } its('release') { should eq '4' } # this should be replaced with a test using the json resource end end end control "Telemetry Streaming Available" do impact 1.0 title "BIGIP has TS" BIGIP_DNS.each do |bigip_host| # is the telemetry streaming end point available? describe http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/telemetry/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false) do its('status') { should cmp 200 } its('headers.Content-Type') { should match 'application/json' } end describe json(content: http("https://#{bigip_host}:#{BIGIP_PORT}/mgmt/shared/telemetry/info", auth: {user: 'admin', pass: BIGIP_PASSWORD}, params: {format: 'html'}, method: 'GET', ssl_verify: false).body) do its('version') { should eq '1.6.0' } its('release') { should eq '1' } # this should be replaced with a test using the json resource end end end
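Review bot: Every `http(...)` call passes `ssl_verify: false` while sending the admin password as HTTP basic auth to the hosts in `bigip_mgmt_public_ips`, i.e. a management interface reached over its public address, so anyone who can redirect or intercept that connection collects the credential in exchange for any self-signed certificate. The InSpec `http` resource has no option for a custom CA here, so the practical fix is to make verification an explicit input, `ssl_verify: input('bigip_ssl_verify', value: true)`, and have the runner trust the BIG-IP certificate (exported from Terraform or fetched out of band) rather than disabling verification as the default. The `params: {format: 'html'}` query on endpoints that are then asserted to return `application/json` also looks accidental; presumably the `/info` endpoints ignore it, which is worth confirming. The expected versions (`1.8.0`, `3.14.0`, `1.6.0`) are hard-coded; sourcing them from profile inputs would keep the profile usable after an upgrade.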