
qinetiq-cyber-intelligence / opencti-terraform

25.0 4.0 5.0 283 KB

A highly available AWS deployment of the threat intelligence platform OpenCTI, built with Terraform. Native AWS resources are used where feasible.

License: Apache License 2.0

HCL 97.69% Python 2.31%
aws cyber-security opencti opencti-connector terraform threat-intelligence

opencti-terraform's People

Contributors: readyelbow

Stargazers: 25

Watchers: 4

opencti-terraform's Issues

Error creating OpenSearch domain: ValidationException: The StartAt time you provided occurs in the past.

Hello,

I am running into an issue as seen below. It looks like time_static only runs once, so subsequent deployment attempts cause an error.

Error: Error creating OpenSearch domain: ValidationException: The StartAt time you provided occurs in the past. Specify a time in the future.
│ 
│   with module.opensearch.aws_opensearch_domain.this,
│   on modules/opensearch/main.tf line 8, in resource "aws_opensearch_domain" "this":
│    8: resource "aws_opensearch_domain" "this" {

Load balancing - Question

This is really awesome work. The solution looks very slick. I can't use AWS, however; I have to stick with Azure.

Can I ask how you are doing your load balancing? Specifically from the connectors to the OpenCTI frontend. I find with my current setup the front-end slows down and the RabbitMQ management portal shows that my consumer capacity is at 0% most of the time. I believe the GraphQL API is what's bottlenecking the system. I think replicating the OpenCTI front end will fix this, but I am unsure how to load balance if I replicate the service.

Leaking credentials into terraform state

First off, very nice deployment. I am sure this will become a great starting point for people wanting to deploy their own instances.
I am aware the issue described below is very nit-picky, but this config is very well made and a great contribution to the community, so I want to help improve it even if it's just a tiny thing.

When I went over your code I noticed that you are leaking credentials into Terraform state in some places, most notably the OpenCTI master password. Having the credentials in the Terraform state introduces a few additional security risks, e.g.:

  • read permissions on the state file/bucket will give access to all the secrets leaked into the state
  • if used with a CI/CD pipeline anyone who can trigger a terraform plan is able to leak the secrets (see example below)
# Data sources are read during `terraform plan`, so the sensitive variable is
# interpolated into the URL and sent to whatever host the planner controls.
data "http" "example" {
  url = "http://localhost:8888/${var.test}"
}

# `sensitive = true` only redacts the value in CLI output; it does not stop the
# value from being used (or exfiltrated) during plan.
variable "test" {
  default   = "foobar"
  sensitive = true
}
$ terraform plan

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no
differences, so no changes are needed.
$ python3 -m http.server 8888
Serving HTTP on :: port 8888 (http://[::]:8888/) ...
::1 - - [19/Aug/2022 08:50:19] code 404, message File not found
::1 - - [19/Aug/2022 08:50:19] "GET /foobar HTTP/1.1" 404 -

Since this is not supposed to be a production-ready deployment, this is not an issue per se, but it might be worth mentioning this in the documentation so that people less familiar with Terraform will be aware and modify the code accordingly when preparing a production configuration.
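One way to keep the OpenCTI admin password out of Terraform state, as an added example that is not code from the OpenCTI-Terraform repository. It assumes the platform runs as an ECS Fargate task with an existing execution role `aws_iam_role.execution` and a version variable `var.opencti_version`; the resource names and the secret name `opencti/admin-password` are illustrative. OpenCTI reads its admin password from the `APP__ADMIN__PASSWORD` environment variable, which is the only project-specific detail relied on here.

```hcl
# Added example (not from the OpenCTI-Terraform repository). Resource names,
# the ECS task definition, aws_iam_role.execution and var.opencti_version are
# assumptions for illustration.

variable "opencti_version" {
  type    = string
  default = "5.3.7" # assumed tag
}

# BEFORE: Terraform generates the password and bakes it into the container
# environment. random_password.admin.result and the rendered
# container_definitions are both stored in plain text in terraform.tfstate;
# `sensitive` only redacts CLI output, it does not protect the state file.
resource "random_password" "admin" {
  length  = 32
  special = false
}

resource "aws_ecs_task_definition" "opencti_leaky" {
  family                   = "opencti-leaky"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 1024
  memory                   = 4096
  execution_role_arn       = aws_iam_role.execution.arn

  container_definitions = jsonencode([{
    name  = "opencti"
    image = "opencti/platform:${var.opencti_version}"
    environment = [
      { name = "APP__ADMIN__PASSWORD", value = random_password.admin.result }
    ]
  }])
}

# AFTER: Terraform creates only the Secrets Manager *container* and the IAM
# grant. The secret value is written out of band (see the usage note), so it
# never passes through a plan, apply or state file; ECS injects it at task
# start and state records nothing more than the secret's ARN.
resource "aws_secretsmanager_secret" "admin_password" {
  name                    = "opencti/admin-password"
  recovery_window_in_days = 7
}

# The ECS *execution* role (not the task role) fetches secrets for the agent.
data "aws_iam_policy_document" "read_admin_password" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.admin_password.arn]
  }
}

resource "aws_iam_role_policy" "execution_read_admin_password" {
  name   = "opencti-read-admin-password"
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.read_admin_password.json
}

resource "aws_ecs_task_definition" "opencti" {
  family                   = "opencti"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 1024
  memory                   = 4096
  execution_role_arn       = aws_iam_role.execution.arn

  container_definitions = jsonencode([{
    name  = "opencti"
    image = "opencti/platform:${var.opencti_version}"
    # `secrets` (not `environment`): ECS resolves the ARN at launch and exposes
    # the value to the container as APP__ADMIN__PASSWORD.
    secrets = [
      {
        name      = "APP__ADMIN__PASSWORD"
        valueFrom = aws_secretsmanager_secret.admin_password.arn
      }
    ]
  }])
}
```

Populate the value once, outside Terraform, for example with `aws secretsmanager put-secret-value --secret-id opencti/admin-password --secret-string "$(openssl rand -base64 32)"`, and never read it back with `data "aws_secretsmanager_secret_version"` or `aws_secretsmanager_secret_version`, since either would pull the plaintext into state again. If the secret is encrypted with a customer-managed KMS key, the execution role also needs `kms:Decrypt` on that key. The same pattern applies to any other credential the deployment hands to a container (the RabbitMQ, MinIO and OpenSearch passwords, connector tokens).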

Failed on terraform apply steps

Steps to reproduce:

  • clone repo: gh repo clone QinetiQ-Cyber-Intelligence/OpenCTI-Terraform
  • terraform apply -var-file=config/dev/variables.tfvars
╷
│ Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with module.kms.aws_kms_key.this,
│   on modules/kms/main.tf line 87, in resource "aws_kms_key" "this":
│   87: resource "aws_kms_key" "this" {
│ 
╵
╷
│ Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
│ 
│   with module.kms.aws_kms_key.connector,
│   on modules/kms/main.tf line 103, in resource "aws_kms_key" "connector":
│  103: resource "aws_kms_key" "connector" {
│ 
╵
