From c3d18d55820856c2c376bbe21455da085b176eac Mon Sep 17 00:00:00 2001
From: "Nicholas J. Parks"
Date: Sat, 22 Apr 2017 14:22:41 -0400
Subject: [PATCH] initial add of cloudformation for platform seeding purposes
---
 buildspec.yml | 12 ++
 platformQuickStarts/AWS/README.md | 24 ++++
 .../codepipelinebuild/01_IAM_codebuild.json | 101 ++++++++++++++
 .../01_IAM_codepipeline.json | 127 ++++++++++++++++++
 .../codepipelinebuild/01_codepiplinebuild.yml | 112 +++++++++++++++
 platformQuickStarts/README.md | 20 +++
 6 files changed, 396 insertions(+)
 create mode 100644 buildspec.yml
 create mode 100644 platformQuickStarts/AWS/README.md
 create mode 100644 platformQuickStarts/AWS/codepipelinebuild/01_IAM_codebuild.json
 create mode 100644 platformQuickStarts/AWS/codepipelinebuild/01_IAM_codepipeline.json
 create mode 100644 platformQuickStarts/AWS/codepipelinebuild/01_codepiplinebuild.yml
 create mode 100644 platformQuickStarts/README.md
diff --git a/buildspec.yml b/buildspec.yml
new file mode 100644
index 000000000..477440e02
--- /dev/null
+++ b/buildspec.yml
@@ -0,0 +1,12 @@
+version: 0.1
+
+phases:
+ build:
+ commands:
+ - mvn package
+
+artifacts:
+ files:
+ - webgoat-server/target/webgoat-server-8.0-SNAPSHOT.jar
+ discard-paths: yes
+
diff --git a/platformQuickStarts/AWS/README.md b/platformQuickStarts/AWS/README.md
new file mode 100644
index 000000000..ebb486837
--- /dev/null
+++ b/platformQuickStarts/AWS/README.md
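Review bot: The artifact path `webgoat-server/target/webgoat-server-8.0-SNAPSHOT.jar` in the buildspec hard-codes the Maven version, so the first version bump in the pom silently yields a build that exports no artifact for the pipeline to hand on. A pattern such as `- webgoat-server/target/webgoat-server-*.jar` keeps the buildspec independent of the pom version; buildspec `files` entries accept glob patterns as far as I recall, but verify that against the CodeBuild documentation for buildspec `version: 0.1` before relying on it.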
@@ -0,0 +1,24 @@
+# AWS
+
+- This contains the various platform Quick Starts for Getting WebGoat Deployed into AWS.
+- This IaaS quickstart uses AWS CloudFormation to perform most of the provisioning
+- This IaaS quickstart is composed of three independent bundles
+ - Code pipeline and Build
+ - Deploying to EC2
+ - Deploying to ECS
+
+
+
+## Code Pipeline and Build
+
+This Quickstart is for those that just want to perform builds with AWS. It uses CodeCommit but can be modified to use GitHub
+
+
+
+## EC2
+
+This uses AWS CodePipeline, CodeBuild, and CodeDeploy to land WebGoat to Running EC2 instances
+
+## ECS
+
+This uses AWS CodePipeline, CodeBuild, CodeDeploy, ECR, to update an ECS cluster
\ No newline at end of file
diff --git a/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codebuild.json b/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codebuild.json
new file mode 100644
index 000000000..246701d3c
--- /dev/null
+++ b/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codebuild.json
@@ -0,0 +1,101 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "IAM Roles for Code Build WebGoat IaaS Quickstart",
+ "Parameters": {
+ "qsS3BucketName": {
+ "Description": "Name of the S3 Bucket for artifacts",
+ "Type": "String",
+ "MinLength": "1"
+ },
+ "qsRoleName": {
+ "Description": "Name of the IAM role that CodeBuild Will Use",
+ "Type": "String",
+ "Default": "SimpleCodeBuildRole",
+ "MinLength": "1"
+ }
+ },
+ "Resources": {
+ "qsCodeBuildRole": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": [
+ "codebuild.amazonaws.com"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+ },
+ "Path": "/webgoat/",
+ "RoleName": {
+ "Ref": "qsRoleName"
+ },
+ "ManagedPolicyArns": [
+ "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
+ "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess",
+ "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess"
+ ],
+ "Policies": [
+ {
+ "PolicyName": "CloudWatchLogs",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ {"Fn::Join": [ "",["arn:aws:logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:/aws/codebuild*" ] ]}
+ ],
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "PolicyName": "S3buckets",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:s3:::",
+ {
+ "Ref": "qsS3BucketName"
+ },
+ "*"
+ ]
+ ]
+ },
+ "arn:aws:s3:::codepipeline-*"
+ ],
+ "Action": [
+ "s3:Put*",
+ "s3:Get*",
+ "s3:List*"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codepipeline.json b/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codepipeline.json
new file mode 100644
index 000000000..5ea138ff9
--- /dev/null
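Review bot: The CodeBuild role in `qsCodeBuildRole` is over-privileged for what this quick start asks of it: `AWSCodeCommitFullAccess` and `AWSCodeDeployDeployerAccess` in `ManagedPolicyArns` grant write access to every repository and deployment in the account, yet the companion CodeBuild project takes both its source and its artifacts from CodePipeline (`Type: CODEPIPELINE`), so the build itself never talks to CodeCommit or CodeDeploy. Dropping those two entries is the least-privilege fix; a build that executes whatever the repository's `pom.xml` and plugins say should not be able to rewrite the repository it was built from or push deployments. The `S3buckets` resource `arn:aws:s3:::<qsS3BucketName>*` also matches every bucket whose name merely starts with the parameter value, not just the artifact bucket and its objects; the usual shape is two entries, the bare bucket ARN and `<bucket>/*`. The `codepipeline-*` entry has the same prefix problem and, given that the pipeline template takes an explicit artifact bucket parameter, appears to be unnecessary.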
+++ b/platformQuickStarts/AWS/codepipelinebuild/01_IAM_codepipeline.json 
@@ -0,0 +1,127 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "IAM Role for Code Pipeline WebGoat IaaS Quickstart",
+ "Parameters": {
+ "qsS3BucketName": {
+ "Description": "Name of the S3 Bucket for artifacts",
+ "Type": "String",
+ "MinLength": "1"
+ },
+ "qsRoleName": {
+ "Description": "Name of the IAM role that CodePipeline Will Use",
+ "Type": "String",
+ "Default": "SimpleCodePipelineRole",
+ "MinLength": "1"
+ }
+ },
+ "Resources": {
+ "qsCodePipelineRole": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "codepipeline.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ },
+ "Path": "/webgoat/",
+ "RoleName": {
+ "Ref": "qsRoleName"
+ },
+ "ManagedPolicyArns": [
+ "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
+ "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess",
+ "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess"
+ ],
+ "Policies": [
+ {
+ "PolicyName": "CloudWatchLogsPipeline",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ {"Fn::Join": [ "",["arn:aws:logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:/aws/*" ] ]}
+ ],
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "PolicyName": "MiscComputeOpen",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": "*",
+ "Action": [
+ "lambda:InvokeFunction",
+ "lambda:ListFunctions",
+ "elasticbeanstalk:*",
+ "ec2:*",
+ "elasticloadbalancing:*",
+ "autoscaling:*",
+ "cloudwatch:*",
+ "s3:*",
+ "sns:*",
+ "cloudformation:*",
+ "rds:*",
+ "sqs:*",
+ "ecs:*",
+ "iam:PassRole"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "PolicyName": "S3buckets",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:s3:::",
+ {
+ "Ref": "qsS3BucketName"
+ },
+ "*"
+ ]
+ ]
+ },
+ "arn:aws:s3:::codepipeline-*",
+ "arn:aws:s3:::elasticbeanstalk*"
+ ],
+ "Action": [
+ "s3:Put*",
+ "s3:Get*",
+ "s3:List*"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/platformQuickStarts/AWS/codepipelinebuild/01_codepiplinebuild.yml b/platformQuickStarts/AWS/codepipelinebuild/01_codepiplinebuild.yml
new file mode 100644
index 000000000..58fea5055
--- /dev/null
+++ b/platformQuickStarts/AWS/codepipelinebuild/01_codepiplinebuild.yml
@@ -0,0 +1,112 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Description: >
+ AWS Cloud Formation for creating an AWS CodePipeline that checks a git repo for changes and then performs a build using code build
+
+
+Parameters:
+ qsPipelineName:
+ Description: The name of the AWS Code Pipeline
+ Type: String
+ Default: WG-pipe
+ MinLength: 1
+ qsPipelineRoleARN:
+ Description: The complete ARN to the IAM role that code pipeline should use
+ Type: String
+ MinLength: 1
+ qsCodeRepo:
+ Description: The Repository
+ Type: String
+ MinLength: 1
+ qsRepoBranch:
+ Description: The Branch in the Repository
+ Type: String
+ MinLength: 1
+ qsS3PipelineArtifacts:
+ Description: Where Code Pipeline will state artifacts in S3
+ Type: String
+ MinLength: 1
+ qsS3CodeBuildArtifacts:
+ Description: Where Code Build will upload Artifacts can be same as codepipeline
+ Type: String
+ MinLength: 1
+ qsCodeBuildName:
+ Description: Name of the AWS Code Build
+ Type: String
+ Default: WG-builder
+ MinLength: 1
+ qsKMSKeyARN:
+ Description: The KMS ARN that the IAM Role is allowed to use
+ Type: String
+ MinLength: 1
+ qsCodeRoleArn:
+ Description: The IAM Role ARN for CodePipeline and CodeDeploy
+ Type: String
+ MinLength: 1
+
+
+
+Resources:
+
+
+
+
+ stkcbrCodeBuild:
+ Type: AWS::CodeBuild::Project
+ Properties:
+ Artifacts:
+ Type: CODEPIPELINE
+ Description: Builds WebGoat Jar using build file in repo
+ EncryptionKey: !Ref 'qsKMSKeyARN'
+ Environment:
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: aws/codebuild/java:openjdk-8
+ Type: LINUX_CONTAINER
+ Name: !Ref 'qsCodeBuildName'
+ ServiceRole: !Ref 'qsCodeRoleArn'
+ TimeoutInMinutes: 10
+ Source:
+ Type: CODEPIPELINE
+
+
+
+ stkcplPipeline:
+ Type: AWS::CodePipeline::Pipeline
+ Properties:
+ Name: !Ref 'qsPipelineName'
+ RoleArn: !Ref 'qsPipelineRoleARN'
+ ArtifactStore:
+ Location: !Ref 'qsS3PipelineArtifacts'
+ Type: S3
+ Stages:
+ - Name: CodeRepo
+ Actions:
+ - Name: CodeSource
+ ActionTypeId:
+ Category: Source
+ Owner: AWS
+ Provider: CodeCommit
+ Version: 1
+ Configuration:
+ BranchName: !Ref 'qsRepoBranch'
+ RepositoryName: !Ref 'qsCodeRepo'
+ OutputArtifacts:
+ - Name: MySource
+ RunOrder: '1'
+ - Name: Build
+ Actions:
+ - Name: CodeBuild
+ ActionTypeId:
+ Category: Build
+ Owner: AWS
+ Provider: CodeBuild
+ Version: 1
+ InputArtifacts:
+ - Name: MySource
+ Configuration:
+ ProjectName: !Ref stkcbrCodeBuild
+ OutputArtifacts:
+ - Name: MyBuild
+ RunOrder: '2'
+
+
diff --git a/platformQuickStarts/README.md b/platformQuickStarts/README.md
new file mode 100644
index 000000000..9f7b096c6
--- /dev/null
+++ b/platformQuickStarts/README.md
@@ -0,0 +1,20 @@
+# OWASP WebGoat Platform Quick Starts
+
+Want to Run WebGoat? Want to run WebGoat in the Cloud? Don't want to be cloud Expert?
+
+Do we have a solution for you!
+
+Through April to June 2017 Several IaaS (and a couple PaaSs) will be added to allow anyone to run WebGoat about anywhere.
+
+Additionally, Each IaaS/PaaS have their deployment steps broken down giving the *app-guy-new-to-cloud* an opportunity to learn how said platform works.
+
+
+
+
+## AWS
+
+Multi-Part Quickstart. Starts with simple pipeline for code building to deploying to EC2/ECS continiously
+
+
+
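Review bot: `EncryptionKey: !Ref 'qsKMSKeyARN'` on `stkcbrCodeBuild` places the pipeline artifacts under a customer-managed key, but neither IAM template in this commit grants the CodeBuild or CodePipeline role any `kms:` action (`kms:Decrypt`, `kms:GenerateDataKey*`, `kms:Encrypt`, `kms:ReEncrypt*`), so the build can only read its input artifact if the key policy itself names the roles, and the parameter description `The KMS ARN that the IAM Role is allowed to use` asserts a grant these templates do not make. Either add a KMS statement for that key ARN to both roles or state in the description that the key policy must authorise them. Separately, `qsCodeRoleArn` is described as `The IAM Role ARN for CodePipeline and CodeDeploy` but is wired to the CodeBuild project's `ServiceRole`, and `qsS3CodeBuildArtifacts` is declared but never referenced since artifacts flow through CodePipeline; changing the description to `The IAM Role ARN that the CodeBuild project runs as` and dropping the unused parameter prevents an operator from feeding the far broader pipeline role to CodeBuild by mistake. As a point of style, `Version: 1` under each `ActionTypeId` is unquoted while `RunOrder` is quoted, the reverse of their declared types (String and Integer respectively); CloudFormation usually coerces both, but `Version: '1'` and `RunOrder: 1` match the schema.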