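#!/usr/bin/env bash
# Deploys the Cloud One - File Storage Security (FSS) All-in-One CloudFormation
# stack and registers the resulting scanner and storage stacks in the FSS console.
#
# Prerequisites: the AWS CLI, jq (https://github.com/stedolan/jq) and curl.
# If you don't already have the AWS CLI installed:
#   curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
#   unzip awscliv2.zip
#   sudo ./aws/install
#
# Configuration is read from the environment. Set these variables to whatever
# makes sense for your AWS account and your Cloud One File Storage Security tenant:
#   allinone_stackname         name of the All-in-One CloudFormation stack to create
#   region                     AWS region for the bucket and the stack
#   s3bucket_to_scan           name of the S3 bucket to create and scan
#   kmsmaster_key_arn          KMS key ARN used for SSE-KMS on the bucket
#                              (leave blank if SSE-KMS is not enabled on the bucket)
#   kmsmaster_key_arn_for_sqs  KMS key ARN used for SSE-KMS on the scanner SQS queue
#                              (leave blank if not enabled)
#   c1_api_key                 Cloud One API key (kept out of argv, see write_header_file)
#
# To run from your own computer instead of a pipeline, export the variables above
# before invoking the script, e.g. `export region=us-east-1`.
set -euo pipefail

readonly c1_api_base='https://cloudone.trendmicro.com/api/filestorage'
readonly fss_template_url='https://file-storage-security.s3.amazonaws.com/latest/templates/FSS-All-In-One.template'
readonly separator='==========---------------================-----------==========----------------=========================='
# Upper bounds on polling so a stuck stack or registration cannot hang the job forever.
readonly cfn_max_polls=120   # x 17s, about 34 minutes
readonly fss_max_polls=60    # x 10s, 10 minutes

allinone_stack_name=${allinone_stackname:-}
region=${region:-}
s3_bucket_to_scan=${s3bucket_to_scan:-}
kms_master_key_arn=${kmsmaster_key_arn:-}
kms_master_key_arn_for_sqs=${kmsmaster_key_arn_for_sqs:-}
api_secret_key=${c1_api_key:-}

# Temp file holding the API key header; removed by cleanup on exit.
header_file=
# Set by register_stack: the stackID the FSS console assigned to the last registered stack.
registered_stack_id=

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
line() { printf '%s\n' "$separator"; }

cleanup() {
  if [[ -n "$header_file" ]]; then
    rm -f -- "$header_file"
  fi
}

#######################################
# Fail fast when required configuration or tooling is missing.
# Globals: allinone_stack_name, region, s3_bucket_to_scan, api_secret_key (read)
#######################################
check_config() {
  local tool
  [[ -n "$allinone_stack_name" ]] || die 'allinone_stackname is not set'
  [[ -n "$region" ]] || die 'region is not set'
  [[ -n "$s3_bucket_to_scan" ]] || die 's3bucket_to_scan is not set'
  [[ -n "$api_secret_key" ]] || die 'c1_api_key is not set'
  for tool in aws jq curl; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done
}

#######################################
# Write the Cloud One API key into a private temp file (mktemp creates it 0600)
# that curl reads with `-H @file` (curl 7.55+), so the secret never appears in
# argv where `ps`, job logs or `set -x` would expose it.
# Globals: header_file (written)
#######################################
write_header_file() {
  header_file=$(mktemp) || die 'mktemp failed'
  printf 'api-secret-key: %s\n' "$api_secret_key" > "$header_file"
}

#######################################
# Call the FSS API and print the response body.
# Arguments: $1 - HTTP method, $2 - path under c1_api_base, $3 - optional JSON body
#######################################
fss_api() {
  local method=$1 path=$2 body=${3:-}
  local -a args=(
    --silent --show-error --location
    --request "$method" "${c1_api_base}${path}"
    --header "@${header_file}"
    --header 'Api-Version: v1'
  )
  if [[ -n "$body" ]]; then
    # Content-Type kept as in the original script; the API accepted it there.
    args+=(--header 'Content-Type: text/plain' --data-raw "$body")
  fi
  curl "${args[@]}"
}

#######################################
# Print the current StackStatus of the All-in-One stack.
#######################################
cfn_stack_status() {
  aws cloudformation describe-stacks --stack-name "$allinone_stack_name" \
    --region "$region" --output json | jq -r '.Stacks[0].StackStatus'
}

#######################################
# Print one stack output looked up by OutputKey ($1) rather than by position,
# so template changes that reorder outputs cannot silently hand back the wrong ARN.
#######################################
cfn_stack_output() {
  aws cloudformation describe-stacks --stack-name "$allinone_stack_name" \
    --region "$region" --output text \
    --query "Stacks[0].Outputs[?OutputKey=='$1'].OutputValue"
}

#######################################
# Create the bucket to scan in $region, skipping creation when it already exists
# (re-runs are common). Outside us-east-1 S3 requires a LocationConstraint.
#######################################
create_bucket() {
  local -a args=(--bucket "$s3_bucket_to_scan" --region "$region")
  if aws s3api head-bucket --bucket "$s3_bucket_to_scan" --region "$region" >/dev/null 2>&1; then
    printf 'Bucket %s already exists, skipping creation\n' "$s3_bucket_to_scan"
    return 0
  fi
  if [[ "$region" != "us-east-1" ]]; then
    args+=(--create-bucket-configuration "LocationConstraint=$region")
  fi
  aws s3api create-bucket "${args[@]}"
}

#######################################
# Fetch the FSS External ID and create the All-in-One stack with it.
# create-stack prints the ARN of the new stack.
#######################################
deploy_stack() {
  local external_id
  external_id=$(fss_api GET '/external-id' | jq -r '.externalID // empty')
  [[ -n "$external_id" ]] || die 'could not obtain the FSS External ID (check c1_api_key)'
  aws cloudformation create-stack --stack-name "$allinone_stack_name" --region "$region" \
    --template-url "$fss_template_url" \
    --parameters \
      "ParameterKey=S3BucketToScan,ParameterValue=$s3_bucket_to_scan" \
      "ParameterKey=KMSKeyARNForBucketSSE,ParameterValue=$kms_master_key_arn" \
      "ParameterKey=KMSKeyARNForQueueSSE,ParameterValue=$kms_master_key_arn_for_sqs" \
      "ParameterKey=ExternalID,ParameterValue=$external_id" \
    --capabilities CAPABILITY_NAMED_IAM
}

#######################################
# Poll the stack until it leaves CREATE_IN_PROGRESS, then succeed only on
# CREATE_COMPLETE. Any failure or rollback (including ROLLBACK_COMPLETE, which
# the loop alone would not catch) exits non-zero so callers notice.
#######################################
wait_for_stack() {
  local status attempt
  sleep 10
  status=$(cfn_stack_status)
  printf '%s\n' "$status"
  for ((attempt = 0; attempt < cfn_max_polls; attempt++)); do
    [[ "$status" == "CREATE_IN_PROGRESS" ]] || break
    line
    sleep 17
    status=$(cfn_stack_status)
    printf '%s\n' "$status"
  done
  case "$status" in
    CREATE_COMPLETE)
      line
      printf 'Stack Created!\n'
      line
      ;;
    CREATE_IN_PROGRESS)
      die "timed out waiting for stack $allinone_stack_name to finish creating"
      ;;
    CREATE_FAILED)
      die 'Stack Failed, check the AWS CloudFormation Console.'
      ;;
    ROLLBACK_IN_PROGRESS)
      die 'Stack with Rollback in Progress, check the AWS CloudFormation Console.'
      ;;
    *)
      die "stack ended in status $status, check the AWS CloudFormation Console."
      ;;
  esac
}

#######################################
# Register one stack in the FSS console (Create Stack) and poll Describe Stack
# until its status becomes ok.
# Arguments: $1 - JSON request body, $2 - label for the status messages (Scanner/Storage)
# Globals: registered_stack_id (written with the stackID from the API response)
#######################################
register_stack() {
  local body=$1 label=$2
  local response stack_id status attempt=0
  response=$(fss_api POST '/stacks' "$body")
  line
  printf '%s\n' "$response"
  line
  stack_id=$(jq -r '.stackID // empty' <<<"$response")
  [[ -n "$stack_id" ]] || die "FSS did not return a stackID for the $label stack: $response"
  status=$(fss_api GET "/stacks/$stack_id" | jq -r '.status')
  line
  printf 'Status ao Adicionar a %s Stack na Console do FSS:  %s\n' "$label" "$status"
  line
  while [[ "$status" != "ok" ]]; do
    (( ++attempt <= fss_max_polls )) \
      || die "timed out waiting for the $label stack to become ok (last status: $status)"
    sleep 10
    status=$(fss_api GET "/stacks/$stack_id" | jq -r '.status')
    line
    printf 'Status ao Adicionar a %s Stack na Console do FSS:  %s\n' "$label" "$status"
    line
  done
  registered_stack_id=$stack_id
}

main() {
  local storage_role scanner_role scanner_payload storage_payload scanner_id
  check_config
  trap cleanup EXIT
  write_header_file
  create_bucket
  # The original script paused here before create-stack; presumably to let the
  # new bucket propagate before the template references it. Kept as-is.
  sleep 20
  deploy_stack
  line
  wait_for_stack
  # The template exposes these two outputs; they are the management roles FSS assumes.
  storage_role=$(cfn_stack_output StorageStackManagementRoleARN)
  scanner_role=$(cfn_stack_output ScannerStackManagementRoleARN)
  [[ -n "$storage_role" && -n "$scanner_role" ]] \
    || die 'could not read the management role ARNs from the stack outputs'
  # Build request bodies with jq so ARNs are JSON-escaped instead of spliced into a literal.
  scanner_payload=$(jq -cn --arg role "$scanner_role" \
    '{type: "scanner", provider: "aws", details: {managementRole: $role}}')
  register_stack "$scanner_payload" Scanner
  scanner_id=$registered_stack_id
  printf 'Scanner Stack Added in the Console!\n'
  line
  # The storage stack references the scanner stack's stackID noted above.
  storage_payload=$(jq -cn --arg role "$storage_role" --arg scanner "$scanner_id" \
    '{type: "storage", scannerStack: $scanner, provider: "aws", details: {managementRole: $role}}')
  register_stack "$storage_payload" Storage
  printf 'Storage Stack Added in the Console!\n'
}

main "$@"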