Merge pull request #7 from Ontotext-AD/TES-280

Added shredding of `/root/.ssh/authorized_keys` and `/home/ubuntu/.ssh/authorized_keys`
Ontotext-AD · Oct 4, 2023 · 7842e8f · 7842e8f
2 parents 138f6d0 + aad766d
commit 7842e8f
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ All notable changes to the Packer template for creating GraphDB AMIs will be doc
 - Updated the directory structure under /var/opt/graphdb/
 - Properly configured the home directories of GraphDB and its proxy
 - Removed provisioning of graphdb.properties
+- Added `ebs_optimized` to be true 
+- Added `encrypt_boot` to be false
+- Added shredding of `/root/.ssh/authorized_keys` and `/home/ubuntu/.ssh/authorized_keys` 
 
 ## [1.2.0]
 

diff --git a/README.md b/README.md
@@ -8,16 +8,20 @@ The Packer configuration in this repository automates the process of installing
 Before you begin, make sure you have the following prerequisites in place:
 
 1. **Packer**: Ensure that you have Packer installed on your local machine.
-2. You can download it from the official Packer website: [Packer Downloads](https://www.packer.io/downloads).
-
+   You can download it from the official Packer website: [Packer Downloads](https://www.packer.io/downloads).
 2. **AWS Account**: You should have an AWS account with necessary permissions to create EC2 instances and AMIs.
+3. **AWS VPC**: You should create a VPC, required by Packer to create a temporary security group within the VPC 
+4. **AWS Subnet**: You should create a public subnet, required by Packer to launch the EC2 instances.
+
+Please note that if you are using an account with the global "Always encrypt new EBS volumes" option set to true,
+Packer will be unable to override this setting, and the final image will be encrypted whether you set this value or not.
+To build public AMI image this option should be set to `false`.
 
 ## Usage
 
 Follow these steps to build an AMI for GraphDB using Packer:
 
 1. **Clone the Repository**:
-
    ```bash
    git clone https://github.com/Ontotext-AD/packer-aws-graphdb.git
    ```
@@ -30,26 +34,24 @@ Follow these steps to build an AMI for GraphDB using Packer:
 
    The Packer configuration allows you to customize various parameters, such as the GraphDB version, AWS region, 
    instance type, VPC ID, and subnet ID. To do so, create a variables file `variables.pkrvars.hcl`, example file: 
-
-   ```bash
-   gdb_version  = "10.3.3"
-   build_aws_regions = ["eu-central-1"]
-   build_vpc_id = "<your-vpc-id>"
-   build_subnet_id = "<your-subnet-id>"
-   build_instance_type_x86-64    = "t3.small"
-   build_instance_type_arm64     = "t4g.small"
-   source_ami_name_filter_arm64  = "ubuntu/images/hvm-ssd/ubuntu-*-22.04-arm64-server-*"
-   source_ami_name_filter_x86-64 = "ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"
+    ```bash
+    gdb_version                   = "10.3.3"
+    build_aws_regions             = ["us-east-1"]
+    build_vpc_id                  = "<your-vpc-id>"
+    build_subnet_id               = "<your-subnet-id>"
+    ami_groups                    = []                                                    # Value "all" will make the AMI public   
+    build_instance_type_x86-64    = "t3.small"                                            # default
+    build_instance_type_arm64     = "t4g.small"                                           # default
+    source_ami_name_filter_arm64  = "ubuntu/images/hvm-ssd/ubuntu-*-22.04-arm64-server-*" # default
+    source_ami_name_filter_x86-64 = "ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*" # default
    ```
 
 4. **Build the AMI**:
 
    Run Packer to build the AMI:
-
    ```bash
    packer build -var-file="variables.pkrvars.hcl" aws-ami.pkr.hcl
    ```
-
    This command will initiate the Packer build process. Packer will launch an EC2 instance, install GraphDB, 
    and create an AMI based on the instance.
 
@@ -58,27 +60,19 @@ Follow these steps to build an AMI for GraphDB using Packer:
 You can customize the Packer configuration and provisioning scripts to suit your specific requirements. 
 
 The following points can be customized in a packer variables file `variables.pkrvars.hcl`:
-
 - **GraphDB Version**: You can change the GraphDB version by modifying the `gdb_version` variable file.
-
 - **AWS Regions**: Modify the `build_aws_region` variable to specify a different AWS region.
-
 - **Instance Type**: Adjust the `build_instance_type_arm64` and `build_instance_type_x86-64` variables to select  
   different EC2 instance types for building the AMI images.
-
 - **AMI Groups**: You can specify the groups the AMIs will be made available to via the `ami_groups` variable.
   A list of strings is accepted. 
-
 - **iam_instance_profile**: AIM Instance profile required for the session manager access. 
   See https://developer.hashicorp.com/packer/integrations/hashicorp/amazon/latest/components/builder/ebs#session-manager-connections
-
 - **Network Configuration**: Update the `build_vpc_id` and `build_subnet_id` variables to match your VPC and subnet settings.
-
-  - **Source AMI**: Use the `source_ami_name_filter_arm64` and `source_ami_name_filter_x86-64` variables to specify the 
+- **Source AMI**: Use the `source_ami_name_filter_arm64` and `source_ami_name_filter_x86-64` variables to specify the 
     source ami name filter for each AMI, for example: 
     - `"ubuntu/images/hvm-ssd/ubuntu-*-22.04-arm64-server-*"` - Ubuntu with `arm64` architecture. 
     - `"ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"` - Ubuntu with `amd64` architecture.
-
 - **Provisioning Scripts**: You can replace or modify the provisioning scripts located in the `./files/` directory. 
   These scripts and files are copied and executed during the AMI creation process.
 

diff --git a/aws-ami.pkr.hcl b/aws-ami.pkr.hcl
@@ -18,7 +18,7 @@ variable "gdb_version" {
 variable "build_aws_regions" {
   description = "AWS regions where to publish the AMI"
   type        = list(string)
-  default     = ["eu-central-1"]
+  default     = ["us-east-1"]
 }
 
 variable "build_instance_type_x86-64" {
@@ -77,6 +77,8 @@ source "amazon-ebs" "ubuntu-x86-64" {
   subnet_id     = "${var.build_subnet_id}"
   ami_regions   = "${var.build_aws_regions}"
   ami_groups    = "${var.ami_groups}"
+  encrypt_boot  = false
+  ebs_optimized = true
 
   tags = {
     GDB_Version      = "${var.gdb_version}"
@@ -108,6 +110,8 @@ source "amazon-ebs" "ubuntu-arm64" {
   subnet_id     = "${var.build_subnet_id}"
   ami_regions   = "${var.build_aws_regions}"
   ami_groups    = "${var.ami_groups}"
+  encrypt_boot  = false
+  ebs_optimized = true
 
   tags = {
     GDB_Version      = "${var.gdb_version}"

diff --git a/files/install_graphdb.sh b/files/install_graphdb.sh
@@ -9,6 +9,9 @@ done
 
 timedatectl set-timezone UTC
 
+# Shred authorized_keys
+shred -u /root/.ssh/authorized_keys /home/ubuntu/.ssh/authorized_keys
+
 # Install Tools
 apt-get -o DPkg::Lock::Timeout=300 update -y
 apt-get -o DPkg::Lock::Timeout=300 install -y bash-completion jq nvme-cli openjdk-11-jdk unzip
@@ -58,6 +61,5 @@ mv /tmp/graphdb-cluster-proxy.service /lib/systemd/system/graphdb-cluster-proxy.
 mv /tmp/graphdb.service /lib/systemd/system/graphdb.service
 
 systemctl daemon-reload
-
 systemctl enable graphdb.service
 systemctl start graphdb.service