This lab consists of EC2 instances deployed using Terraform in any AWS region of your choosing. It represents three environments with a mix of Ubuntu Linux and Microsoft Windows Virtual Machines, a Kubernetes cluster running a small Istio-enabled application, and also includes three un-agentable systems served by a ColorTokens Gatekeeper appliance. Built-in traffic generators send HTTP requests to the CRM, HRMS and Wordpress front-ends. Infrastructure services include a SIEM, a vulnerability scanner, and an Inventory Management system.
Xshield agents are deployed during Terraform-ation, and optional Ansible scripts are also included. The Ansible scripts are useful if you decommision the agents from the Xshield console, and would like to re-install them withot destroying and rebuilding the environment.
You may use your own macOS or Windows system to execute Terraform (and Ansible), or deploy a small Ubuntu server VM.
Deploy a Boostrap VM
The instructions below assume the use of an Ubuntu 22.04 VM (1 vCPU, 4GB RAM should be adequate.)
Before proceeding, let's update the apt repositories.
sudo apt update
Install saml2aws if required
We use multifactor authentication with JumpCloud for AWS CLI access at our organization. The open source saml2aws tool makes this easy. Install this tool using the following steps:
mkdir -p ~/.local/bin
CURRENT_VERSION=$(curl -Ls https://api.github.com/repos/Versent/saml2aws/releases/latest | grep 'tag_name' | cut -d'v' -f2 | cut -d'"' -f1)
wget -c https://github.com/Versent/saml2aws/releases/download/v${CURRENT_VERSION}/saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz -O - | tar -xzv -C ~/.local/bin
chmod u+x ~/.local/bin/saml2aws
sudo install .local/bin/saml2aws /usr/local/bin
Next, configure saml2aws
saml2aws configure --idp-provider <IDP name> --username <Your Username> --url <Your SSO URL> -p default --mfa Auto --skip-prompt
To test the installation, authenticate as follows:
saml2aws login --idp-account=default --role arn:aws:iam::<Your URN>
Install the AWS CLI
apt get install unzip
curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
To test the installation, run a CLI command, for example:
aws ec2 describe-instances
Install Terraform
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common
wget -O- https://apt.releases.hashicorp.com/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt-get install terraform
To test if installation is successful, simply run:
terraform
You should see terraform output its usage information.
(Optional) Install Ansible
sudo add-apt-repository --yes --update ppa:ansible/ansible sudo apt install -y ansible
Download the scripts
Clone this repo:
git clone https://github.com/ColorTokens-Labs/xshield-ng-lab-builder.git
Configure
Edit the configuration file config.txt.sample and fill in the fields.
NOTE: Save the file as config.txt
Now run the configure.sh script:
./configure.sh
Your output should look like this:
bash $ ./configure.sh
Writing xshield/config.json...
Writing terraform/terraform.tfvars...
Writing terraform/provider.tf
If you run into errors, please verify the parameters you entered in the config.txt file.
You are now ready to deploy:
cd terraform
terraform init
terraform plan
terraform apply
If you encounter issues during terraform plan, please re-check the parameters in the configuration file. Insufficient IAM permissions may also cause some errors, especially when running terraform apply.
If all goes well, terraform apply will output the Bastion server IP, it's PEM filename, and the Wordpress URLs for Prod and Test.