Merge pull request #606 from oferromaqua/2022.4

Adding examples for possible config scripts

Author: semyonmor

enforcers/vm_enforcer/golden_image/README.md

@@ -10,4 +10,6 @@ You can prepare a golden image for automated and easy deployment of VMs (hosts)
 
 ### Deployment steps
 
-Refer to the [Product documentation](https://docs.aquasec.com/v2022.4/docs/vm-enforcer-golden-image) for the complete description and instructions.
+Refer to the [Product documentation](https://docs.aquasec.com/v2022.4/docs/vm-enforcer-golden-image) for the complete description and instructions.
+
+Inside the config_scripts_examples folder you’ll find six ready-to-adapt templates that turn a dormant VM Enforcer baked into a golden image into an active, policy-enforcing agent. Each script retrieves the needed configuration parameters from cloud-native secret stores, writes them into conifg json in the Enforcer install directory — no restarts, no manual edits. All other details on how to use these examples — secret naming, managed-identity/IAM permissions, and deployment - are covered in the full documentation. 

enforcers/vm_enforcer/golden_image/config_scripts_examples/ubuntu_on_aws.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ServerSecret="<AQUA_SERVER_SECRET_NAME>"
+TokenSecret="<AQUA_TOKEN_SECRET_NAME>"
+
+IMDS_TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
+             -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
+REGION="${AWS_REGION:-$(
+  curl -sS -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
+       http://169.254.169.254/latest/meta-data/placement/region
+)}"
+
+CONFIG_DIR="/opt/aquasec"
+TMP_FILE="${CONFIG_DIR}/.config.tmp"
+FINAL_FILE="${CONFIG_DIR}/GI_AQUA_CONFIG-prod_env.json"
+
+sudo apt-get update -y
+sudo apt-get install -y docker.io jq
+sudo systemctl start docker
+
+fetch_secret () {
+  local secret_id="$1"
+  sudo docker run --rm public.ecr.aws/aws-cli/aws-cli \
+       secretsmanager get-secret-value \
+       --secret-id "$secret_id" \
+       --region "$REGION" \
+       --query SecretString --output text
+}
+
+RAW_SERVER_JSON=$(fetch_secret "$ServerSecret")
+RAW_TOKEN_JSON=$(fetch_secret "$TokenSecret")
+
+AQUA_SERVER=$(jq -r '.AQUA_SERVER' <<<"$RAW_SERVER_JSON")
+AQUA_TOKEN=$(jq -r '.AQUA_TOKEN' <<<"$RAW_TOKEN_JSON")
+
+jq -n --arg s "$AQUA_SERVER" --arg t "$AQUA_TOKEN" \
+      '{AQUA_SERVER:$s, AQUA_TOKEN:$t}' > "$TMP_FILE"
+sudo mv "$TMP_FILE" "$FINAL_FILE"

enforcers/vm_enforcer/golden_image/config_scripts_examples/ubuntu_on_azure_bootstrap.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ── 0 ▪ validate required env-vars ──────────────────────────────────────────────
+: "${KV_NAME:?Missing KV_NAME}"
+: "${SERVER_SECRET:?Missing SERVER_SECRET}"
+: "${TOKEN_SECRET:?Missing TOKEN_SECRET}"
+
+CONFIG_DIR=/opt/aquasec
+TMP_FILE="$CONFIG_DIR/.config.tmp"
+FINAL_FILE="$CONFIG_DIR/GI_AQUA_CONFIG-prod_env.json"
+
+# ── 1 ▪ get an IMDS token for Key Vault ─────────────────────────────────────────
+IMDS_TOKEN=$(curl -sf -H Metadata:true \
+  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://vault.azure.net" \
+  | jq -r .access_token)
+
+# ── 2 ▪ fetch secrets whose names came from the launcher ────────────────────────
+AQUA_SERVER=$(curl -sf -H "Authorization: Bearer $IMDS_TOKEN" \
+  "https://${KV_NAME}.vault.azure.net/secrets/${SERVER_SECRET}?api-version=7.3" \
+  | jq -r .value)
+
+AQUA_TOKEN=$(curl -sf -H "Authorization: Bearer $IMDS_TOKEN" \
+  "https://${KV_NAME}.vault.azure.net/secrets/${TOKEN_SECRET}?api-version=7.3" \
+  | jq -r .value)
+
+# ── 3 ▪ write config atomically and lock it down ───────────────────────────────
+mkdir -p "$CONFIG_DIR"
+if ! command -v jq >/dev/null 2>&1; then
+  if command -v apt-get >/dev/null 2>&1; then
+    apt-get update -y
+    apt-get install -y jq
+  elif command -v yum >/dev/null 2>&1; then
+    yum install -y jq
+  else
+    exit 1
+  fi
+fi
+jq -n --arg s "$AQUA_SERVER" --arg t "$AQUA_TOKEN" \
+  '{AQUA_SERVER:$s, AQUA_TOKEN:$t}' > "$TMP_FILE"
+
+chmod 600 "$TMP_FILE"
+mv "$TMP_FILE" "$FINAL_FILE"

enforcers/vm_enforcer/golden_image/config_scripts_examples/ubuntu_on_azure_launch.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ── 0 ▪ FILL IN YOUR VALUES ────────────────────────────────────────────────────
+SUB_ID="<SUBSCRIPTION_ID>"
+RG="<VM_RESOURCE_GROUP>"
+VM="<VM_NAME>"
+
+KV_NAME="<KEYVAULT_NAME>"
+SERVER_SECRET="<AQUA_SERVER_SECRET_NAME>"
+TOKEN_SECRET="<AQUA_TOKEN_SECRET_NAME>"
+
+# ── 1 ▪ select subscription ────────────────────────────────────────────────────
+az account set --subscription "$SUB_ID"
+
+# ── 2 ▪ deploy / update the Custom Script Extension ────────────────────────────
+az vm extension set \
+  --resource-group "$RG" \
+  --vm-name        "$VM" \
+  --name           CustomScript \
+  --publisher      Microsoft.Azure.Extensions \
+  --version        2.1 \
+  --protected-settings '{
+    "fileUris": [
+      "<bootstrap-aqua.sh script file url>"
+    ],
+    "commandToExecute": "bash -c '\''export KV_NAME='"$KV_NAME"' \
+SERVER_SECRET='"$SERVER_SECRET"' TOKEN_SECRET='"$TOKEN_SECRET"' && bash <bootstrap-aqua.sh>'\''"
+  }' \
+  --output none
+
+echo "Bootstrap extension applied to $VM."

enforcers/vm_enforcer/golden_image/config_scripts_examples/windows_on_aws.ps1

@@ -0,0 +1,47 @@
+<powershell>
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+[Net.ServicePointManager]::SecurityProtocol  = [Net.SecurityProtocolType]::Tls12
+
+$ServerSecret = '<AQUA_SERVER_SECRET_NAME>'
+$TokenSecret  = '<AQUA_TOKEN_SECRET_NAME>'
+
+$imdsToken = Invoke-RestMethod -Method Put `
+    -Uri     'http://169.254.169.254/latest/api/token' `
+    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
+
+$region = Invoke-RestMethod `
+    -Uri     'http://169.254.169.254/latest/meta-data/placement/region' `
+    -Headers @{ 'X-aws-ec2-metadata-token' = $imdsToken }
+
+if (-not (Get-Command Get-SECSecretValue -ErrorAction SilentlyContinue)) {
+    Install-Module -Name AWS.Tools.SecretsManager -Force -Scope AllUsers
+}
+
+function Get-PlainSecretValue {
+    param (
+        [Parameter(Mandatory)][string]$SecretId,
+        [Parameter(Mandatory)][string]$Key
+    )
+    $json = (Get-SECSecretValue -SecretId $SecretId -Region $region).SecretString
+    return ( $json | ConvertFrom-Json ).$Key
+}
+
+$AQUA_SERVER = Get-PlainSecretValue $ServerSecret 'AQUA_SERVER'
+$AQUA_TOKEN  = Get-PlainSecretValue $TokenSecret  'AQUA_TOKEN'
+
+$jsonConfig = @{ AQUA_SERVER = $AQUA_SERVER; AQUA_TOKEN = $AQUA_TOKEN } |
+              ConvertTo-Json -Depth 2
+
+$configPath = 'C:\Program Files\AquaSec\GI_AQUA_CONFIG-prod_env.json'
+$tempPath   = "$configPath.tmp"
+
+$jsonConfig | Set-Content -Path $tempPath -Encoding ASCII -Force
+
+icacls $tempPath /inheritance:d `
+                /grant:r "SYSTEM:F" "BUILTIN\Administrators:F" | Out-Null
+
+Move-Item    -Path $tempPath -Destination $configPath -Force
+
+</powershell>

enforcers/vm_enforcer/golden_image/config_scripts_examples/windows_on_azure_bootstrap.ps1

@@ -0,0 +1,34 @@
+param(
+  [Parameter(Mandatory=$true)][string]$KvName,
+  [Parameter(Mandatory=$true)][string]$ServerSecret,
+  [Parameter(Mandatory=$true)][string]$TokenSecret
+)
+
+$ErrorActionPreference = 'Stop'
+
+$configDir = 'C:\Program Files\AquaSec'
+$tmpFile   = Join-Path $configDir '.config.tmp'
+$finalFile = Join-Path $configDir 'GI_AQUA_CONFIG-prod_env.json'
+
+# 1 ▪ get IMDS token
+$imdsUrl   = 'http://169.254.169.254/metadata/identity/oauth2/token' +
+             '?api-version=2019-08-01&resource=https://vault.azure.net'
+$imdsToken = (Invoke-RestMethod -Headers @{Metadata='true'} -Uri $imdsUrl).access_token
+
+# 2 ▪ fetch secrets
+$base = "https://$KvName.vault.azure.net/secrets"
+$api  = '?api-version=7.3'
+
+$aquaServer = (Invoke-RestMethod -Headers @{Authorization = "Bearer $imdsToken"} `
+                                 -Uri ("$base/${ServerSecret}$api")).value
+$aquaToken  = (Invoke-RestMethod -Headers @{Authorization = "Bearer $imdsToken"} `
+                                 -Uri ("$base/${TokenSecret}$api")).value
+
+# 3 ▪ write JSON atomically
+New-Item -ItemType Directory -Force -Path $configDir | Out-Null
+@{AQUA_SERVER = $aquaServer; AQUA_TOKEN = $aquaToken} `
+  | ConvertTo-Json -Depth 2 `
+  | Set-Content -Encoding ASCII -Path $tmpFile
+
+icacls $tmpFile /inheritance:d /grant:r "SYSTEM:F" "BUILTIN\Administrators:F" | Out-Null
+Move-Item -Force $tmpFile $finalFile

enforcers/vm_enforcer/golden_image/config_scripts_examples/windows_on_azure_launch.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SUB_ID="<SUBSCRIPTION_ID>"
+RG="<VM_RESOURCE_GROUP>"
+VM="<VM_NAME>"
+
+KV_NAME="<KEYVAULT_NAME>"
+SERVER_SECRET="<AQUA_SERVER_SECRET_NAME>"
+TOKEN_SECRET="<AQUA_TOKEN_SECRET_NAME>"
+
+az account set --subscription "$SUB_ID"
+
+az vm extension set \
+  --resource-group "$RG" \
+  --vm-name        "$VM" \
+  --name           CustomScriptExtension \
+  --publisher      Microsoft.Compute \
+  --protected-settings '{
+    "fileUris": [
+      "<bootsctrap script url> "
+    ],
+    "commandToExecute": "powershell -ExecutionPolicy Bypass -File <bootstrap script name>.ps1 -KvName '"$KV_NAME"' -ServerSecret '"$SERVER_SECRET"' -TokenSecret '"$TOKEN_SECRET"'"
+  }' \
+  --output none
+
+echo "Bootstrap extension applied to $VM."