AWSTemplateFormatVersion: 2010-09-09 Description: > This template creates a EC2 instance and deploys open source tools SonarQube and OWASP Zap. Please note, you will be billed for the AWS resources used if you create a stack from this template. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 Parameters: InstanceType: Description: WebServer EC2 instance type Type: String Default: t2.medium AllowedValues: - t1.micro - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m1.small - m1.medium - m1.large - m1.xlarge - m2.xlarge - m2.2xlarge - m2.4xlarge - m3.medium - m3.large - m3.xlarge ConstraintDescription: must be a valid EC2 instance type. LatestAmiId: Type: "AWS::SSM::Parameter::Value" Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 AllowedValues: - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 Resources: WebServerInstance: Type: 'AWS::EC2::Instance' Metadata: 'AWS::CloudFormation::Init': configSets: InstallAndRun: - Install - Configure Install: packages: yum: httpd: [] files: /var/www/html/index.html: content: | "Hello world!!!!!!!" mode: 000644 owner: "root" group: "root" /etc/httpd/conf/httpd.conf: content: | ServerRoot "/etc/httpd" Listen 80 ProxyPass / http://localhost:8085/ ProxyPassReverse / http://localhost:8085/ Listen 81 ProxyPass / http://localhost:9000/ ProxyPassReverse / http://localhost:9000/ Include conf.modules.d/*.conf IncludeOptional conf.d/*.conf User apache Group apache AllowOverride none Require all denied DocumentRoot "/var/www/html" AllowOverride None Require all granted CustomLog "logs/access_log" combined ErrorLog "logs/error_log" LogLevel warn ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" AllowOverride None Options None Require all granted TypesConfig /etc/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml AddDefaultCharset UTF-8 Protocols h2 h2c http/1.1 mode: 000644 owner: "apache" group: "apache" /etc/cfn/cfn-hup.conf: content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} # The interval used to check for changes to the resource metadata in minutes. Default is 15 interval=2 mode: 000400 owner: "root" group: "root" /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: !Sub | [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} mode: 000400 owner: "root" group: "root" services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' cfn-hup: enabled: 'true' ensureRunning: 'true' files: - /etc/cfn/cfn-hup.conf - /etc/cfn/hooks.d/cfn-auto-reloader.conf Configure: commands: start_sonar_qube: command: echo "test" > /home/ec2-user/ec2-echo.test CreationPolicy: ResourceSignal: Timeout: PT5M Properties: ImageId: !Ref LatestAmiId InstanceType: !Ref InstanceType SecurityGroups: - !Ref WebServerSecurityGroup UserData: "Fn::Base64": !Sub | #!/bin/bash -xe exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 # Get the latest CloudFormation package yum install -y aws-cfn-bootstrap yum install -y java-11-amazon-corretto yum install -y https://s3.us-east-2.amazonaws.com/amazon-ssm-us-east-2/latest/linux_amd64/amazon-ssm-agent.rpm yum install -y docker systemctl start amazon-ssm-agent systemctl status amazon-ssm-agent cd /home/ec2-user wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.7.1.42226.zip unzip sonarqube-8.7.1.42226.zip # sudo ln -s $SONAR_HOME/bin/linux-x86-64/sonar.sh /usr/bin/sonar # sudo chmod 755 /etc/init.d/sonar # sudo chkconfig --add sonar sed -i "s/#RUN_AS_USER=/RUN_AS_USER=ec2-user/g" /home/ec2-user/sonarqube-8.7.1.42226/bin/linux-x86-64/sonar.sh chown -R ec2-user:ec2-user /home/ec2-user/sonarqube-8.7.1.42226/ /home/ec2-user/sonarqube-8.7.1.42226/bin/linux-x86-64/sonar.sh start & #sudo useradd zap && sudo usermod -a -G docker zap #### Installing Zap ## Starting docker service and creating user/group for owasp zap sudo service docker start && sudo useradd zap && sudo usermod -a -G docker zap ## Pulling owasp zap cdocker container from docker hub docker pull owasp/zap2docker-stable docker run -u zap -p 8085:8085 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8085 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=workshopzapkey & ## Checking cfn init /opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerInstance --configsets InstallAndRun --region ${AWS::Region} || error_exit 'Failed to run cfn-init' ## Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata # /opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup' # All done so signal success /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource WebServerInstance --region ${AWS::Region} WebServerSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Enable HTTP access via port 80, 81 SecurityGroupIngress: - IpProtocol: tcp Description: allow traffic on port 80 for OWASP ZAP Instance FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp Description: allow traffic on port 81 for the SonarQube Instance FromPort: 81 ToPort: 81 CidrIp: 0.0.0.0/0 Outputs: SonarQubeURL: Description: URL for newly created SonarQube Instance Value: !Join - '' - - 'http://' - !GetAtt - WebServerInstance - PublicDnsName - ':81' Export: Name: SonarQubeURL OWASPZapURL: Description: URL for newly created OWASP ZAP Instance Value: !Join - '' - - 'http://' - !GetAtt - WebServerInstance - PublicDnsName Export: Name: OWASPZapURL