A Terraform deployment of OpenCTI designed to make use of native AWS Resources (where feasible). This includes AWS ECS Fargate, AWS OpenSearch, AWS ElastiCache for Redis and AWS S3 (through a Gateway Endpoint).
Note This deployment is designed to help with OpenCTI Platform adoption. QinetiQ does not offer warranty on usage of this deployment. It is highly recommended to understand AWS, Terraform and Docker and if used within a production environment, perform an analysis of the deployment's security. This includes ensuring in production, that the state file is securely stored in S3 with a restrictive Bucket Policy. If storing credentials in the Terraform state file (in a locked down S3 Bucket) does not meet policy requirements, look into Terraform Environment variables to pass manually stored credentials or use AWS Secrets Manager that can be referenced in Terraform.
This deployment requires
- Terraform AWS Provider Version
>= 4.25.0- This is to make use of AWS EBS GP3 volumes, an important requirement to OpenCTI Platform performance.
- Terraform Version
>= 1.1.0 - OpenCTI Platform Version
>= 5.3.8- This deployment uses IAM Roles and AWS S3 Gateway Endpoint which requires the recent
aws-sdkimplementation that has been merged.
- This deployment uses IAM Roles and AWS S3 Gateway Endpoint which requires the recent
-
Regionally resilient with auto recovery capabilities
-
Autoscaling OpenCTI Worker through AWS Lambda interacting with RabbitMQ metrics
-
AWS SSM Jump Box solution to avoid SSH Keys
-
Security conscious design
-
OpenID Connect Implementation
-
Scheduled Connectors capability (discussed in the OpenCTI Platform Connectors folder)
This Terraform deployment consists of two parts; deploying the core OpenCTI Platform and separately deploying the OpenCTI Connectors. This is to avoid the issue of redeploying the same Terraform deployment twice as OpenCTI Connectors should make use of their own OpenCTI User Account.
Design decisions for each deployment are covered within the respective folder's README.
terraform initOr in the case of using an S3 bucket to store Terraform State files.
- Uncomment in
versions.tflines 8 - 10to enable backend configuration and configure in./config/dev/backend.confthe S3 bucket.
terraform init --backend-config=./config/dev/backend.confterraform apply -var-file=config/dev/variables.tfvarsNote: When running checkov, it will fire a warning regarding an AWS WAF missing from the Application Load Balancer in the main OpenCTI Platform deployment. This is a resource you will need to add to this Terraform deployment.
Checkov is a tool used for checking static Terraform code against best security practices. To run locally, install checkov and then run checkov -d . --var-file=config/dev/variables.tfvars within either deployment.
tflint checks Terraform code against style guidelines. To run locally, install tflint, then run tflint --init and tflint.
This code is released under the Apache2 License. See LICENSE.