2.199.0

cado-security · Nov 25, 2024 · 116f0ed · 116f0ed
1 parent 4e8ce3a
commit 116f0ed
Show file tree

Hide file tree

Showing 11 changed files with 58 additions and 54 deletions.
diff --git a/aws_deprecated/aws/main.tf b/aws_deprecated/aws/main.tf
@@ -8,7 +8,7 @@ terraform {
 }
 
 
-# Should be updated 
+# Should be updated
 
 variable "region" {
   type    = string
@@ -80,7 +80,7 @@ variable "tags" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 variable "proxy" {

diff --git a/aws_deprecated/aws_combined/main.tf b/aws_deprecated/aws_combined/main.tf
@@ -5,10 +5,10 @@ terraform {
       version = "~> 4.45"
     }
   }
-  # Optional: add a backend to store tf state in AWS. Otherwise, make sure to keep you tfstate!  
+  # Optional: add a backend to store tf state in AWS. Otherwise, make sure to keep you tfstate!
 }
 
-# Should be updated 
+# Should be updated
 
 variable "region" {
   type = string
@@ -61,7 +61,7 @@ variable "certificate_arn" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 variable "proxy" {

diff --git a/aws_deprecated/aws_combined_ha/main.tf b/aws_deprecated/aws_combined_ha/main.tf
@@ -5,10 +5,10 @@ terraform {
       version = "~> 4.45"
     }
   }
-  # Optional: add a backend to store tf state in AWS. Otherwise, make sure to keep you tfstate!  
+  # Optional: add a backend to store tf state in AWS. Otherwise, make sure to keep you tfstate!
 }
 
-# Should be updated 
+# Should be updated
 
 variable "region" {
   type = string
@@ -67,7 +67,7 @@ variable "certificate_arn" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 # Configure the AWS Provider

diff --git a/aws_v2/README.md b/aws_v2/README.md
@@ -1,10 +1,10 @@
 ```
-  ____          _         ____                       _ _         
- / ___|__ _  __| | ___   / ___|  ___  ___ _   _ _ __(_) |_ _   _ 
+  ____          _         ____                       _ _
+ / ___|__ _  __| | ___   / ___|  ___  ___ _   _ _ __(_) |_ _   _
 | |   / _` |/ _` |/ _ \  \___ \ / _ \/ __| | | | '__| | __| | | |
 | |__| (_| | (_| | (_) |  ___) |  __/ (__| |_| | |  | | |_| |_| |
  \____\__,_|\__,_|\___/  |____/ \___|\___|\__,_|_|  |_|\__|\__, |
-                                                           |___/ 
+                                                           |___/
 ```
 # CadoResponse AWS Terraform CLI Deployment
 ## Table of Contents
@@ -32,8 +32,8 @@ This Terraform package contains instructions to configure and deploy CadoRespons
 ## Deploy
 * Inside this directory, deploy with these commands:
   1. initialize terraform and required modules: `terraform init`
-  2. Confirm configuration and view deployment plan: `terraform plan -var-file="awsVars.tfvars"` 
-  3. Deploy: `terraform apply -var-file="awsVars.tfvars"` 
+  2. Confirm configuration and view deployment plan: `terraform plan -var-file="awsVars.tfvars"`
+  3. Deploy: `terraform apply -var-file="awsVars.tfvars"`
 
 To teardown the deployed stack: `terraform destroy -var-file="awsVars.tfvars"`
 
@@ -70,7 +70,7 @@ No resources.
 | <a name="input_custom_networking"></a> [custom\_networking](#input\_custom\_networking) | Custom networking configuration. Set to null to create new resources. | <pre>object({<br>    vpc_id             = string<br>    public_subnet_id   = string<br>    private_subnet_id  = string<br>    public_subnet_b_id = string<br>  })</pre> | `null` | no |
 | <a name="input_deploy_nfs"></a> [deploy\_nfs](#input\_deploy\_nfs) | Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files. | `bool` | `true` | no |
 | <a name="input_feature_flag_platform_upgrade"></a> [feature\_flag\_platform\_upgrade](#input\_feature\_flag\_platform\_upgrade) | n/a | `bool` | `false` | no |
-| <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Finalize command | `string` | `"sudo /home/admin/processor/release/finalize.sh --main"` | no |
+| <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Finalize command | `string` | `"sudo /home/admin/processor/release/finalize.sh"` | no |
 | <a name="input_http_location"></a> [http\_location](#input\_http\_location) | IP address to allow http access from | `list(string)` | n/a | yes |
 | <a name="input_instance_worker_type"></a> [instance\_worker\_type](#input\_instance\_worker\_type) | Set Worker instance type | `string` | `"i4i.2xlarge"` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | n/a | `string` | n/a | yes |

diff --git a/aws_v2/variables.tf b/aws_v2/variables.tf
@@ -101,7 +101,7 @@ variable "proxy_whitelist" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 

diff --git a/azure/azure_transient/main.tf b/azure/azure_transient/main.tf
@@ -62,7 +62,7 @@ variable "ssh_key_private" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 variable "proxy" {

diff --git a/azure/cado/main.tf b/azure/cado/main.tf
@@ -103,7 +103,7 @@ variable "ssh_key_private" {
 variable "finalize_cmd" {
   type        = string
   description = "Finalize command"
-  default     = "sudo /home/admin/processor/release/finalize.sh --main" # Do not change
+  default     = "sudo /home/admin/processor/release/finalize.sh" # Do not change
 }
 
 variable "proxy" {

diff --git a/gcp/README.md b/gcp/README.md
@@ -1,10 +1,10 @@
 ```
-  ____          _         ____                       _ _         
- / ___|__ _  __| | ___   / ___|  ___  ___ _   _ _ __(_) |_ _   _ 
+  ____          _         ____                       _ _
+ / ___|__ _  __| | ___   / ___|  ___  ___ _   _ _ __(_) |_ _   _
 | |   / _` |/ _` |/ _ \  \___ \ / _ \/ __| | | | '__| | __| | | |
 | |__| (_| | (_| | (_) |  ___) |  __/ (__| |_| | |  | | |_| |_| |
  \____\__,_|\__,_|\___/  |____/ \___|\___|\__,_|_|  |_|\__|\__, |
-                                                           |___/ 
+                                                           |___/
 ```
 # CadoResponse GCP Terraform CLI Deployment
 ## Table of Contents
@@ -62,7 +62,7 @@ No resources.
 | <a name="input_deploy_acquisition_permissions"></a> [deploy\_acquisition\_permissions](#input\_deploy\_acquisition\_permissions) | Deploy instance with permissions needed for same project acquisitions | `bool` | `true` | no |
 | <a name="input_deploy_nfs"></a> [deploy\_nfs](#input\_deploy\_nfs) | Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files. | `bool` | `true` | no |
 | <a name="input_enable_platform_updates"></a> [enable\_platform\_updates](#input\_enable\_platform\_updates) | Enable platform updates, False requires updates via Terraform | `bool` | `true` | no |
-| <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Command to run on the VM after deployment | `string` | `"sudo /home/admin/processor/release/finalize.sh --main"` | no |
+| <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Command to run on the VM after deployment | `string` | `"sudo /home/admin/processor/release/finalize.sh"` | no |
 | <a name="input_image"></a> [image](#input\_image) | Cado Response VM image path | `string` | `"projects/cado-public/global/images/cadoresponse"` | no |
 | <a name="input_inbound_ports"></a> [inbound\_ports](#input\_inbound\_ports) | The list of ports to open | `list(string)` | <pre>[<br/>  "22",<br/>  "443"<br/>]</pre> | no |
 | <a name="input_instance_worker_type"></a> [instance\_worker\_type](#input\_instance\_worker\_type) | Set Worker instance type | `string` | `"n2-highmem-8"` | no |

diff --git a/gcp/modules/deploy/main.tf b/gcp/modules/deploy/main.tf
@@ -32,39 +32,42 @@ resource "google_compute_instance" "vm_instance" {
     scopes = ["cloud-platform"] # TODO This gives default perms, revisit this if we're having auth issues
   }
 
-  metadata_startup_script = join("\n", concat([
-    "#!/bin/bash -x",
-    "storage_bucket=${google_storage_bucket.bucket.name}",
-    "echo [FIRST_RUN] > /home/admin/processor/first_run.cfg",
-    var.deploy_nfs ? "echo filestore_ip = ${google_filestore_instance.filestore_instance[0].networks[0].ip_addresses[0]} >> /home/admin/processor/first_run.cfg" : "",
-    var.deploy_nfs ? "echo filestore_name = ${google_filestore_instance.filestore_instance[0].file_shares[0].name} >> /home/admin/processor/first_run.cfg" : "",
-    "echo bucket = $storage_bucket >> /home/admin/processor/first_run.cfg",
-    "echo service_account_email = ${var.service_account} >> /home/admin/processor/first_run.cfg",
-    "echo deployment_mode = terraform >> /home/admin/processor/first_run.cfg",
-    "echo feature_flag_platform_upgrade = ${var.enable_platform_updates} >> /home/admin/processor/first_run.cfg",
-    "echo PROXY_url = ${var.proxy} >> /home/admin/processor/first_run.cfg",
-    "echo PROXY_cert_url = ${var.proxy_cert_url} >> /home/admin/processor/first_run.cfg",
-    "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} >> /home/admin/processor/first_run.cfg",
-    "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg",
-    "echo local_workers = ${var.local_workers} >> /home/admin/processor/first_run.cfg",
-    "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} >> /home/admin/processor/first_run.cfg",
-    "echo -n ${var.use_secrets_manager} > /home/admin/processor/envars/USE_SECRETS_MANAGER",
-    ],
-    [
-      for k, v in var.tags :
-      "echo CUSTOM_TAG_${k} = ${v} | sudo tee -a /home/admin/processor/first_run.cfg"
-    ],
-    [
-      join(" ", concat([
-        "${var.finalize_cmd}",
-        var.proxy != "" ? " --proxy ${var.proxy}" : "",
-        var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
-        length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
-        "2>&1 | sudo tee /home/admin/processor/init_out"
-      ]))
-    ],
+  metadata = {
+    user-data = join("\n", concat([
+      "#!/bin/bash -x",
+      "storage_bucket=${google_storage_bucket.bucket.name}",
+      "echo [FIRST_RUN] > /home/admin/processor/first_run.cfg",
+      var.deploy_nfs ? "echo filestore_ip = ${google_filestore_instance.filestore_instance[0].networks[0].ip_addresses[0]} >> /home/admin/processor/first_run.cfg" : "",
+      var.deploy_nfs ? "echo filestore_name = ${google_filestore_instance.filestore_instance[0].file_shares[0].name} >> /home/admin/processor/first_run.cfg" : "",
+      "echo bucket = $storage_bucket >> /home/admin/processor/first_run.cfg",
+      "echo service_account_email = ${var.service_account} >> /home/admin/processor/first_run.cfg",
+      "echo deployment_mode = terraform >> /home/admin/processor/first_run.cfg",
+      "echo feature_flag_platform_upgrade = ${var.enable_platform_updates} >> /home/admin/processor/first_run.cfg",
+      "echo PROXY_url = ${var.proxy} >> /home/admin/processor/first_run.cfg",
+      "echo PROXY_cert_url = ${var.proxy_cert_url} >> /home/admin/processor/first_run.cfg",
+      "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} >> /home/admin/processor/first_run.cfg",
+      "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg",
+      "echo local_workers = ${var.local_workers} >> /home/admin/processor/first_run.cfg",
+      "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} >> /home/admin/processor/first_run.cfg",
+      "echo -n ${var.use_secrets_manager} > /home/admin/processor/envars/USE_SECRETS_MANAGER",
+      ],
+      [
+        for k, v in var.tags :
+        "echo CUSTOM_TAG_${k} = ${v} | sudo tee -a /home/admin/processor/first_run.cfg"
+      ],
+      [
+        join(" ", concat([
+          "${var.finalize_cmd}",
+          var.proxy != "" ? " --proxy ${var.proxy}" : "",
+          var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
+          length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
+          "2>&1 | sudo tee /home/admin/processor/init_out"
+        ]))
+      ],
+      )
     )
-  )
+  }
+
 }
 
 resource "google_compute_address" "ip" {

diff --git a/gcp/modules/iam/main.tf b/gcp/modules/iam/main.tf
@@ -38,6 +38,7 @@ locals {
     "compute.networks.get",
     "compute.networks.list",
     "compute.instances.setTags",
+    "compute.instances.get",
 
     // Adjusting Settings
     "compute.machineTypes.get",

diff --git a/gcp/variables.tf b/gcp/variables.tf
@@ -53,7 +53,7 @@ variable "vol_size" {
 variable "finalize_cmd" {
   description = "Command to run on the VM after deployment"
   type        = string
-  default     = "sudo /home/admin/processor/release/finalize.sh --main"
+  default     = "sudo /home/admin/processor/release/finalize.sh"
 }
 
 # Networking options