# Plugin requirements for this template: the docker builder/post-processor
# and the ansible provisioner used in the "harden" build below.
packer {
  required_plugins {
    docker = {
      # NOTE(review): the constraint string carries a leading space; Packer's
      # version parser appears to tolerate surrounding whitespace, but
      # ">= 1.0.8" is the conventional form — confirm and normalise.
      version = " >= 1.0.8"
      source = "github.com/hashicorp/docker"
    }
    ansible = {
      source = "github.com/hashicorp/ansible"
      # Any 1.x release of the ansible plugin.
      version = "~> 1"
    }
  }
}
# Settings consumed by the Ansible provisioner and the Python bootstrap step.
# Only "python_version" and "roles_path" are read elsewhere in this file;
# "ansible_host" is not referenced (the build passes output_image.name
# as ansible_host instead), and "ansible_connection" is read for --extra-vars.
variable "ansible_vars" {
  type = map(string)
  default = {
    "ansible_host" = "default",
    # "ansible_connection" uses the docker socket instead of the default SSH connection.
    "ansible_connection" = "docker",
    # Interpolated into the apt package name "python<version>" by the shell provisioner.
    "python_version" = "3.9"
    # Path, relative to the Packer working directory, where Galaxy roles are installed.
    "roles_path" = "spec/ansible/roles"
  }
}
# Specifies the unhardened image to be used as an input.
variable "input_image" {
  type = map(string)
  default = {
    "name" = "mongodb/mongodb-enterprise-server"
    # NOTE(review): "latest" is a moving tag, so the hardened output is not
    # reproducible and the base image is not verifiable after the fact;
    # a versioned tag (or an image digest) is the safer input for a hardening
    # pipeline — confirm with the image maintainers before changing.
    "tag" = "latest"
  }
}
# Defines the naming convention for the hardened output image.
# "name" is reused in three places: the build container's --name, the
# ansible_host passed to the Ansible provisioner, and the docker-tag repository.
variable "output_image" {
  type = map(string)
  default = {
    "name" = "mongo-hardened"
  }
}
# Docker container to harden
# Starts the unhardened input image as a container; the provisioners in the
# "harden" build run against this container and the result is committed.
source "docker" "target" {
  image = "${var.input_image.name}:${var.input_image.tag}"
  commit = true
  # Always re-pull, so a cached (possibly stale) local copy of the tag is not used.
  pull = true
  run_command = [
    "-d",
    # Container name doubles as ansible_host for the docker connection plugin.
    "--name", "${var.output_image.name}",
    # Root is needed for the apt-get bootstrap in the shell provisioner; the
    # committed image therefore also runs as root unless the playbook changes it.
    "--user", "root",
    # NOTE(review): this publishes the *unhardened* mongod on the build host's
    # 27017 for the whole provisioning run. The Ansible run uses the docker
    # connection and does not need the port — consider dropping "-p" here.
    "-p", "27017:27017",
    # Named volumes created by the shell-local provisioner; they are never
    # removed, so data persists across builds on the same host.
    "-v", "mongodb_configdb:/data/configdb",
    "-v", "mongodb_db:/data/db",
    "{{.Image}}"
  ]
}
# Run the process to harden the docker container
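# Hardening pipeline: create the volumes the container mounts, bootstrap
# Python so Ansible can run, apply the STIG playbook, then tag the committed image.
build {
  name = "harden"
  sources = ["source.docker.target"]

  # Create docker volumes on the build host before the container mounts them.
  # `docker volume create` is idempotent for an existing name.
  provisioner "shell-local" {
    inline = [
      "docker volume create mongodb_configdb",
      "docker volume create mongodb_db",
    ]
  }

  # Ansible requires Python and pip to be installed on the target.
  # Packer's shell provisioner runs inline commands under "/bin/sh -e", so a
  # non-zero exit from any line fails the build. "ln -sf" (rather than "ln -s")
  # keeps the step idempotent when /usr/bin/python already exists on the base
  # image; Ansible itself is pointed at /usr/bin/python3 below and does not
  # depend on this symlink.
  provisioner "shell" {
    inline = [
      "apt-get update",
      "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
      "ln -sf /usr/bin/python3 /usr/bin/python",
    ]
  }

  # Run Ansible playbook over the docker connection (no SSH into the container).
  # ansible_host must equal the container --name set in the source block.
  provisioner "ansible" {
    playbook_file = "spec/ansible/mongo-stig-hardening-playbook.yml"
    galaxy_file = "spec/ansible/requirements.yml"
    roles_path = "${var.ansible_vars.roles_path}"
    extra_arguments = [
      "--extra-vars", "ansible_host=${var.output_image.name}",
      "--extra-vars", "ansible_connection=${var.ansible_vars.ansible_connection}",
      "--extra-vars", "ansible_python_interpreter=/usr/bin/python3",
      "--extra-vars", "ansible_pip_executable=pip3",
    ]
  }

  ### TAG DOCKER IMAGE
  # Only "latest" is produced; callers wanting a traceable artefact should add
  # a build-specific tag alongside it.
  post-processor "docker-tag" {
    repository = "${var.output_image.name}"
    tags = ["latest"]
  }
}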