From 563319842a7883c3a6d5ed9786ed716f02838e16 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:33:47 -0800 Subject: [PATCH 01/30] updating private release --- artifacts.tf | 16 ++++++++++++++-- main.tf | 14 -------------- variables.tf | 22 ++++++++++++++++++++++ 3 files changed, 36 insertions(+), 16 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 069afed..2e61f99 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -9,13 +9,25 @@ resource "null_resource" "download_nuclei" { } } +data "github_release" "templates" { + repository = var.github_repository + owner = var.github_owner + tag_name = var.release_tag + + provider = { + if var.github_token != "" { + token = var.github_token + } + } +} + resource "null_resource" "download_templates" { triggers = { - version = var.nuclei_templates_url + version = var.release_tag } provisioner "local-exec" { - command = "curl -o ${path.module}/src/nuclei-templates.zip -L ${var.nuclei_templates_url}" + command = "curl -o ${path.module}/src/nuclei-templates.zip -L ${data.github_release.templates.zipball_url}" } } diff --git a/main.tf b/main.tf index 845f73b..b486f1d 100644 --- a/main.tf +++ b/main.tf @@ -47,20 +47,6 @@ resource "aws_lambda_layer_version" "templates_layer" { compatible_runtimes = ["go1.x"] } -# Trigger -# resource "aws_cloudwatch_event_rule" "trigger" { -# name = "${var.project_name}-trigger" -# description = "Trigger lambda function for ${var.alert_name} at ${var.cron_expression}" -# schedule_expression = "cron(${var.cron_expression})" -# } - -# resource "aws_lambda_permission" "allow_cloudwatch" { -# action = "lambda:InvokeFunction" -# function_name = aws_lambda_function.function.arn -# principal = "events.amazonaws.com" -# source_arn = aws_cloudwatch_event_rule.trigger.arn -# } - # tfsec:ignore:aws-cloudwatch-log-group-customer-key resource "aws_cloudwatch_log_group" "log_group" { name = "/aws/lambda/${var.project_name}-function" 
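Review bot: The `zipball_url` of a private release is only served to an authenticated request, but the new `command` line still runs `curl -L` with no credentials, so the private-templates path this commit introduces fetches an error body and writes it to nuclei-templates.zip. The `provider = { if ... }` block inside the data source is also not valid HCL (blocks have no `if` statement and a data source takes no provider configuration) and `tag_name` is not an argument of `github_release`, so the plan fails before the download runs. Pass the token through the provisioner's `environment` rather than interpolating it into the command, where it would show up in process listings and in plan/apply output, send the header only when a token is set, and add `-f` so a non-2xx response fails the apply instead of producing a corrupt archive.
```hcl
  provisioner "local-exec" {
    # Token goes through the environment so it never appears on the command line.
    environment = {
      GITHUB_TOKEN = var.github_token
    }
    command = "curl -fsSL ${var.github_token != "" ? "-H \"Authorization: Bearer $GITHUB_TOKEN\"" : ""} -o ${path.module}/src/nuclei-templates.zip ${data.github_release.templates.zipball_url}"
  }
```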
diff --git a/variables.tf b/variables.tf index ef23db9..4a28049 100644 --- a/variables.tf +++ b/variables.tf @@ -16,6 +16,28 @@ variable "nuclei_templates_url" { default = "https://github.com/projectdiscovery/nuclei-templates/archive/refs/tags/v9.3.4.zip" } +# Private Templates +variable "github_repository" { + description = "Github repository to use for templates" + default = "nuclei-templates" +} + +variable "github_owner" { + description = "Github owner to use for templates" + default = "projectdiscovery" +} + +variable "release_tag" { + description = "Github release tag to use for templates" + default = "v9.3.4" +} + +variable "github_token" { + description = "Github token to use for private templates, leave empty if you don't need private templates" + default = "" + sensitive = true +} + variable "nuclei_arch" { description = "Nuclei architecture to use" default = "linux_amd64" From 3530601287cff46cadc628e993b89eb12b617fa3 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:37:30 -0800 Subject: [PATCH 02/30] trying provider --- artifacts.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 2e61f99..25ce235 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -9,16 +9,16 @@ resource "null_resource" "download_nuclei" { } } +provider "github" { + if var.github_token != "" { + token = var.github_token + } +} + data "github_release" "templates" { repository = var.github_repository owner = var.github_owner tag_name = var.release_tag - - provider = { - if var.github_token != "" { - token = var.github_token - } - } } resource "null_resource" "download_templates" { From d7ac99f8a4d68a1237df2b37d9f6fda0739d5c5f Mon Sep 17 00:00:00 2001 
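Review bot: `release_tag` defaults to "v9.3.4" while the `nuclei_templates_url` context line just above still pins the same version inside its URL, leaving two sources of truth for the templates version in one file. Once artifacts.tf reads the tag through the GitHub data source, that URL variable is unused and its comment still recommends embedding a token in a URL, so it should be removed in the same change. The four new variables declare no `type`; `type = string` on each turns a mistyped value into a plan-time error instead of a runtime one, and "Github" in the descriptions is spelled "GitHub".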
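Review bot: The `if var.github_token != "" { ... }` inside `provider "github"` is not HCL syntax — HCL has conditional expressions, not conditional statements — so `terraform validate` rejects the block. The equivalent is a single attribute, `token = var.github_token != "" ? var.github_token : null`, which leaves the provider free to fall back to its GITHUB_TOKEN environment variable when no token is supplied. The following commit assigns `token = var.github_token` unconditionally, which only works if the provider treats an empty string as unset; the ternary makes that intent explicit rather than relying on it.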
From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:37:54 -0800 Subject: [PATCH 03/30] did not work --- artifacts.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 25ce235..ff69ba9 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -10,9 +10,7 @@ resource "null_resource" "download_nuclei" { } provider "github" { - if var.github_token != "" { - token = var.github_token - } + token = var.github_token } data "github_release" "templates" { From 137c6410f29778d88f6bb6d63b97ae78a450c39a Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:39:19 -0800 Subject: [PATCH 04/30] retrieved_by --- artifacts.tf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index ff69ba9..d1da5f9 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -13,10 +13,11 @@ provider "github" { token = var.github_token } -data "github_release" "templates" { - repository = var.github_repository - owner = var.github_owner - tag_name = var.release_tag +data "github_release" "example" { + repository = var.github_repository + owner = var.github_owner + retrieve_by = "tag" + release_tag = var.release_tag } resource "null_resource" "download_templates" { From ff7341d0b83f793ad42f25d898eb8030d27d74b4 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:40:03 -0800 Subject: [PATCH 05/30] templates reference --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index d1da5f9..920def2 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -13,7 +13,7 @@ provider "github" { token = var.github_token } -data "github_release" "example" { +data "github_release" "templates" { repository = var.github_repository owner = var.github_owner retrieve_by = "tag" 
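Review bot: Renaming the data source to `"example"` breaks the `data.github_release.templates.zipball_url` reference in `null_resource.download_templates` further down artifacts.tf, which this one-file commit does not touch, so the plan fails on an undeclared resource until the label is restored. Keep the `templates` label, `data "github_release" "templates" {`, together with the corrected `retrieve_by = "tag"` and `release_tag = var.release_tag` arguments; the resource that consumes the lookup is outside this hunk.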
From 1931e5ba59144d7a94989e8cff5ec2c968d64caf Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:51:23 -0800 Subject: [PATCH 06/30] custom nuclei configurations --- artifacts.tf | 23 ++- config/config.yaml | 419 +++++++++++++++++++++++++++++++++++++++++++++ main.tf | 9 + variables.tf | 18 +- 4 files changed, 448 insertions(+), 21 deletions(-) create mode 100644 config/config.yaml diff --git a/artifacts.tf b/artifacts.tf index 920def2..51f1481 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -1,3 +1,7 @@ +provider "github" { + token = var.github_token +} + # Download nuclei binary and templates resource "null_resource" "download_nuclei" { triggers = { @@ -9,10 +13,14 @@ resource "null_resource" "download_nuclei" { } } -provider "github" { - token = var.github_token +data "github_release" "templates" { + repository = "nuclei" + owner = "projectdiscovery" + retrieve_by = "tag" + release_tag = var.nuclei_version } +# Private templates download from github data "github_release" "templates" { repository = var.github_repository owner = var.github_owner @@ -47,18 +55,17 @@ resource "aws_s3_object" "upload_templates" { source = "${path.module}/src/nuclei-templates.zip" } - -# Nuclei Config File `-config /opt/nuclei-config.yaml` +# Nuclei configuration files data "archive_file" "report_config" { type = "zip" - source_file = "config/report-config.yaml" - output_path = "report-config.zip" + sourd_dir = "${path.module}/config" + output_path = "nuclei-configs.zip" } resource "aws_s3_object" "upload_config" { bucket = aws_s3_bucket.bucket.id - key = "report-config.zip" - source = "${path.module}/report-config.zip" + key = "nuclei-configs.zip" + source = "${path.module}/nuclei-configs.zip" } # Build the lambda function to execute binary diff --git a/config/config.yaml b/config/config.yaml new file mode 100644 index 0000000..0ba55a9 --- /dev/null +++ b/config/config.yaml 
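Review bot: The new block for the nuclei binary reuses the label `data "github_release" "templates"`, which already names the private-templates data source declared a few lines below it, so the module now holds two data resources with the same address and Terraform rejects it as a duplicate. Give it its own label, `data "github_release" "nuclei" {`, and check that `var.nuclei_version` (defaulting to "2.8.7" in this commit's variables.tf) matches the tag format of that repository's releases — if its tags are v-prefixed, a lookup by `release_tag` finds nothing. As committed nothing consumes the lookup either; `download_nuclei` next to it is not changed to use it.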
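Review bot: `sourd_dir` is a typo for `source_dir`, which Terraform reports as an unsupported argument, and `output_path = "nuclei-configs.zip"` is resolved against the working directory while the S3 object below reads `${path.module}/nuclei-configs.zip`, so the two only agree when terraform runs from the module directory. Write the archive with `output_path = "${path.module}/nuclei-configs.zip"` and have the upload reference it as `source = data.archive_file.report_config.output_path`. The same relative `output_path` survives the later commits that rename the archive ("source directory", "nuclei config", "forgot to add layer", "debugging over maybe"), so it is worth fixing once here; the data source is also still named `report_config` although it now wraps the whole config directory.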
@@ -0,0 +1,419 @@ +# nuclei config file +# generated by https://github.com/projectdiscovery/goflags + +# target urls/hosts to scan +#target: [] + +# path to file containing a list of target urls/hosts to scan (one per line) +#list: + +# resume scan using resume.cfg (clustering will be disabled) +#resume: + +# scan all the ip's associated with dns record +#scan-all-ips: false + +# ip version to scan of hostname (4,6) - (default 4) +#ip-version: [""] + +# run only new templates added in latest nuclei-templates release +#new-templates: false + +# run new templates added in specific version +#new-templates-version: [] + +# automatic web scan using wappalyzer technology detection to tags mapping +#automatic-scan: false + +# list of template or template directory to run (comma-separated, file) +#templates: [] + +# list of template urls to run (comma-separated, file) +#template-url: [] + +# list of workflow or workflow directory to run (comma-separated, file) +#workflows: [] + +# list of workflow urls to run (comma-separated, file) +#workflow-url: [] + +# validate the passed templates to nuclei +#validate: false + +# disable strict syntax check on templates +#no-strict-syntax: false + +# displays the templates content +#template-display: false + +# list all available templates +#tl: false + +# allowed domain list to load remote templates from +#remote-template-domain: + +# templates to run based on authors (comma-separated, file) +#author: [] + +# templates to run based on tags (comma-separated, file) +#tags: [] + +# templates to exclude based on tags (comma-separated, file) +#exclude-tags: [] + +# tags to be executed even if they are excluded either by default or configuration +#include-tags: [] + +# templates to run based on template ids (comma-separated, file) +#template-id: [] + +# templates to exclude based on template ids (comma-separated, file) +#exclude-id: [] + +# templates to be executed even if they are excluded either by default or configuration 
+#include-templates: [] + +# template or template directory to exclude (comma-separated, file) +#exclude-templates: [] + +# template matchers to exclude in result +#exclude-matchers: [] + +# templates to run based on severity. possible values: info, low, medium, high, critical, unknown +#severity: + +# templates to exclude based on severity. possible values: info, low, medium, high, critical, unknown +#exclude-severity: + +# templates to run based on protocol type. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois +#type: + +# templates to exclude based on protocol type. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois +#exclude-type: + +# templates to run based on expression condition +#template-condition: [] + +# output file to write found issues/vulnerabilities +#output: + +# store all request/response passed through nuclei to output directory +#store-resp: false + +# store all request/response passed through nuclei to custom directory +#store-resp-dir: output + +# display findings only +#silent: false + +# disable output content coloring (ansi escape codes) +#no-color: false + +# write output in jsonl(ines) format +#json: false + +# include request/response pairs in the jsonl output (for findings only) +#include-rr: false + +# disable printing result metadata in cli output +#no-meta: false + +# enables printing timestamp in cli output +#timestamp: false + +# nuclei reporting database (always use this to persist report data) +#report-db: + +# display match failure status +#matcher-status: false + +# directory to export results in markdown format +#markdown-export: + +# file to export results in sarif format +#sarif-export: + +# path to the nuclei configuration file +#config: + +# enable following redirects for http templates +#follow-redirects: false + +# follow redirects on the same host +#follow-host-redirects: false + +# max number of redirects to follow for http templates +#max-redirects: 
10 + +# disable redirects for http templates +#disable-redirects: false + +# nuclei reporting module configuration file +#report-config: + +# custom header/cookie to include in all http request in header:value format (cli, file) +#header: [] + +# custom vars in key=value format +#var: + +# file containing resolver list for nuclei +#resolvers: + +# use system dns resolving as error fallback +#system-resolvers: false + +# disable clustering of requests +#disable-clustering: false + +# enable passive http response processing mode +#passive: false + +# force http2 connection on requests +#force-http2: false + +# enable environment variables to be used in template +#env-vars: false + +# client certificate file (pem-encoded) used for authenticating against scanned hosts +#client-cert: + +# client key file (pem-encoded) used for authenticating against scanned hosts +#client-key: + +# client certificate authority file (pem-encoded) used for authenticating against scanned hosts +#client-ca: + +# show match lines for file templates, works with extractors only +#show-match-line: false + +# use ztls library with autofallback to standard one for tls13 +#ztls: false + +# tls sni hostname to use (default: input domain name) +#sni: + +# sandbox nuclei for safe templates execution +#sandbox: false + +# network interface to use for network scan +#interface: + +# type of payload combinations to perform (batteringram,pitchfork,clusterbomb) +#attack-type: + +# source ip address to use for network scan +#source-ip: + +# override the default config path ($home/.config) +#config-directory: + +# max response size to read in bytes +#response-size-read: 10485760 + +# max response size to read in bytes +#response-size-save: 1048576 + +# interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) +#interactsh-server: + +# authentication token for self-hosted interactsh server +#interactsh-token: + +# number of requests to keep in the 
interactions cache +#interactions-cache-size: 5000 + +# number of seconds to wait before evicting requests from cache +#interactions-eviction: 60 + +# number of seconds to wait before each interaction poll request +#interactions-poll-duration: 5 + +# extra time for interaction polling before exiting +#interactions-cooldown-period: 5 + +# disable interactsh server for oast testing, exclude oast based templates +#no-interactsh: false + +# enable uncover engine +#uncover: false + +# uncover search query +#uncover-query: [] + +# uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan) +#uncover-engine: [] + +# uncover fields to return (ip,port,host) +#uncover-field: ip:port + +# uncover results to return +#uncover-limit: 100 + +# delay between uncover query requests in seconds (0 to disable) +#uncover-delay: 1 + +# maximum number of requests to send per second +#rate-limit: 150 + +# maximum number of requests to send per minute +#rate-limit-minute: 0 + +# maximum number of hosts to be analyzed in parallel per template +#bulk-size: 25 + +# maximum number of templates to be executed in parallel +#concurrency: 25 + +# maximum number of headless hosts to be analyzed in parallel per template +#headless-bulk-size: 10 + +# maximum number of headless templates to be executed in parallel +#headless-concurrency: 10 + +# time to wait in seconds before timeout +#timeout: 10 + +# number of times to retry a failed request +#retries: 1 + +# leave default http/https ports (eg. 
host:80,host:443) +#leave-default-ports: false + +# max errors for a host before skipping from scan +#max-host-error: 30 + +# use a project folder to avoid sending same request multiple times +#project: false + +# set a specific project path +#project-path: /var/folders/4w/g73_cghx0tvcqxn_fr51yv8h0000gn/T/ + +# stop processing http requests after the first match (may break template/workflow logic) +#stop-at-first-match: false + +# stream mode - start elaborating without sorting the input +#stream: false + +# timeout on input read +#input-read-timeout: + +# disable httpx probing for non-url input +#no-httpx: false + +# disable stdin processing +#no-stdin: false + +# enable templates that require headless browser support (root user on linux will disable sandbox) +#headless: false + +# seconds to wait for each page in headless mode +#page-timeout: 20 + +# show the browser on the screen when running templates with headless mode +#show-browser: false + +# use local installed chrome browser instead of nuclei installed +#system-chrome: false + +# list available headless actions +#list-headless-action: false + +# show all requests and responses +#debug: false + +# show all sent requests +#debug-req: false + +# show all received responses +#debug-resp: false + +# list of http/socks5 proxy to use (comma separated or file input) +#proxy: [] + +# proxy all internal requests +#proxy-internal: false + +# list all supported dsl function signatures +#list-dsl-function: false + +# file to write sent requests trace log +#trace-log: + +# file to write sent requests error log +#error-log: + +# show nuclei version +#version: false + +# enable nuclei hang monitoring +#hang-monitor: false + +# show verbose output +#verbose: false + +# optional nuclei memory profile dump file +#profile-mem: + +# display templates loaded for scan +#vv: false + +# show variables dump for debugging +#show-var-dump: false + +# enable pprof debugging server +#enable-pprof: false + +# shows the version of the 
installed nuclei-templates +#templates-version: false + +# run diagnostic check up +#health-check: false + +# update nuclei engine to the latest released version +#update: false + +# update nuclei-templates to latest released version +#update-templates: false + +# custom directory to install / update nuclei-templates +#update-template-dir: + +# disable automatic nuclei/templates update check +#disable-update-check: false + +# display statistics about the running scan +#stats: false + +# write statistics data to an output file in jsonl(ines) format +#stats-json: false + +# number of seconds to wait between showing a statistics update +#stats-interval: 5 + +# expose nuclei metrics on a port +#metrics: false + +# port to expose nuclei metrics on +#metrics-port: 9092 + +# run scan on nuclei cloud +#cloud: false + +# nuclei cloud server to use (nuclei_cloud_server) +#cloud-server: https://cloud-dev.nuclei.sh + +# api-key for the nuclei cloud server (nuclei_cloud_apikey) +#cloud-api-key: + +# list previous cloud scans +#list-scan: false + +# disable scan/output storage on cloud +#no-store: false + +# delete scan/output on cloud by scan id +#delete-scan: + +# display scan output by scan id +#scan-output: \ No newline at end of file diff --git a/main.tf b/main.tf index b486f1d..51de51a 100644 --- a/main.tf +++ b/main.tf @@ -47,6 +47,15 @@ resource "aws_lambda_layer_version" "templates_layer" { compatible_runtimes = ["go1.x"] } +# Layer for nuclei configs +resource "aws_lambda_layer_version" "configs_layer" { + depends_on = [aws_s3_object.upload_config] + layer_name = "${var.project_name}-nuclei-config-layer" + s3_bucket = aws_s3_bucket.bucket.id + s3_key = "nuclei-configs.zip" + compatible_runtimes = ["go1.x"] +} + # tfsec:ignore:aws-cloudwatch-log-group-customer-key resource "aws_cloudwatch_log_group" "log_group" { name = "/aws/lambda/${var.project_name}-function" diff --git a/variables.tf b/variables.tf index 4a28049..c062aae 100644 --- a/variables.tf +++ b/variables.tf 
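Review bot: `configs_layer` is built from a fixed `s3_key` with no `source_code_hash`, so editing config/config.yaml and re-uploading the zip does not publish a new layer version — none of the layer's arguments change, so Terraform has nothing to diff and the function keeps the old config. Add `source_code_hash = data.archive_file.report_config.output_base64sha256` and take the key from the upload, `s3_key = aws_s3_object.upload_config.key`, so the layer cannot drift from the object it is built from. The explicit `depends_on` becomes redundant once the reference creates the dependency.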
@@ -2,18 +2,15 @@ variable "project_name" { description = "Name of the project to create and must be unique as S3 bucket names are global" } -# You should check the latest version of Nuclei -# https://github.com/projectdiscovery/nuclei/releases/ +# Nuclei binary configuration variable "nuclei_version" { description = "Nuclei version to use" - default = "2.8.6" + default = "2.8.7" } -# You can also use private templates by download zip of your repo, copy url from downloaded file, and paste the url in here including the token -variable "nuclei_templates_url" { - description = "Nuclei templates url to use" - sensitive = true - default = "https://github.com/projectdiscovery/nuclei-templates/archive/refs/tags/v9.3.4.zip" +variable "nuclei_arch" { + description = "Nuclei architecture to use" + default = "linux_amd64" } # Private Templates @@ -38,11 +35,6 @@ variable "github_token" { sensitive = true } -variable "nuclei_arch" { - description = "Nuclei architecture to use" - default = "linux_amd64" -} - variable "nuclei_timeout" { type = number description = "Lambda function timeout" From 1865c1a387b0877722f8ccc728c6184142a9e026 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:52:08 -0800 Subject: [PATCH 07/30] different approach --- artifacts.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 51f1481..447a716 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -13,13 +13,6 @@ resource "null_resource" "download_nuclei" { } } -data "github_release" "templates" { - repository = "nuclei" - owner = "projectdiscovery" - retrieve_by = "tag" - release_tag = var.nuclei_version -} - # Private templates download from github data "github_release" "templates" { repository = var.github_repository From db849a3b6d119eaebc15f9d7f5395afe11a54b80 Mon Sep 17 00:00:00 2001 
From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:53:06 -0800 Subject: [PATCH 08/30] source directory --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index 447a716..08e0c84 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -51,7 +51,7 @@ resource "aws_s3_object" "upload_templates" { # Nuclei configuration files data "archive_file" "report_config" { type = "zip" - sourd_dir = "${path.module}/config" + source_dir = "${path.module}/config" output_path = "nuclei-configs.zip" } From 5b4bc806967e8041f0d601922c587f35600cea22 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 19:58:28 -0800 Subject: [PATCH 09/30] update config --- config/config.yaml | 451 ++++----------------------------------------- 1 file changed, 32 insertions(+), 419 deletions(-) diff --git a/config/config.yaml b/config/config.yaml index 0ba55a9..3d91261 100644 --- a/config/config.yaml +++ b/config/config.yaml 
@@ -1,419 +1,32 @@ -# nuclei config file -# generated by https://github.com/projectdiscovery/goflags - -# target urls/hosts to scan -#target: [] - -# path to file containing a list of target urls/hosts to scan (one per line) -#list: - -# resume scan using resume.cfg (clustering will be disabled) -#resume: - -# scan all the ip's associated with dns record -#scan-all-ips: false - -# ip version to scan of hostname (4,6) - (default 4) -#ip-version: [""] - -# run only new templates added in latest nuclei-templates release -#new-templates: false - -# run new templates added in specific version -#new-templates-version: [] - -# automatic web scan using wappalyzer technology detection to tags mapping -#automatic-scan: false - -# list of template or template directory to run (comma-separated, file) -#templates: [] - -# list of template urls to run (comma-separated, file) -#template-url: [] - -# list of workflow or workflow directory to run (comma-separated, file) -#workflows: [] - -# list of workflow urls to run (comma-separated, file) -#workflow-url: [] - -# validate the passed templates to nuclei -#validate: false - -# disable strict syntax check on templates -#no-strict-syntax: false - -# displays the templates content -#template-display: false - -# list all available templates -#tl: false - -# allowed domain list to load remote templates from -#remote-template-domain: - -# templates to run based on authors (comma-separated, file) -#author: [] - -# templates to run based on tags (comma-separated, file) -#tags: [] - -# templates to exclude based on tags (comma-separated, file) -#exclude-tags: [] - -# tags to be executed even if they are excluded either by default or configuration -#include-tags: [] - -# templates to run based on template ids (comma-separated, file) -#template-id: [] - -# templates to exclude based on template ids (comma-separated, file) -#exclude-id: [] - -# templates to be executed even if they are excluded either by default or configuration 
-#include-templates: [] - -# template or template directory to exclude (comma-separated, file) -#exclude-templates: [] - -# template matchers to exclude in result -#exclude-matchers: [] - -# templates to run based on severity. possible values: info, low, medium, high, critical, unknown -#severity: - -# templates to exclude based on severity. possible values: info, low, medium, high, critical, unknown -#exclude-severity: - -# templates to run based on protocol type. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois -#type: - -# templates to exclude based on protocol type. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois -#exclude-type: - -# templates to run based on expression condition -#template-condition: [] - -# output file to write found issues/vulnerabilities -#output: - -# store all request/response passed through nuclei to output directory -#store-resp: false - -# store all request/response passed through nuclei to custom directory -#store-resp-dir: output - -# display findings only -#silent: false - -# disable output content coloring (ansi escape codes) -#no-color: false - -# write output in jsonl(ines) format -#json: false - -# include request/response pairs in the jsonl output (for findings only) -#include-rr: false - -# disable printing result metadata in cli output -#no-meta: false - -# enables printing timestamp in cli output -#timestamp: false - -# nuclei reporting database (always use this to persist report data) -#report-db: - -# display match failure status -#matcher-status: false - -# directory to export results in markdown format -#markdown-export: - -# file to export results in sarif format -#sarif-export: - -# path to the nuclei configuration file -#config: - -# enable following redirects for http templates -#follow-redirects: false - -# follow redirects on the same host -#follow-host-redirects: false - -# max number of redirects to follow for http templates -#max-redirects: 
10 - -# disable redirects for http templates -#disable-redirects: false - -# nuclei reporting module configuration file -#report-config: - -# custom header/cookie to include in all http request in header:value format (cli, file) -#header: [] - -# custom vars in key=value format -#var: - -# file containing resolver list for nuclei -#resolvers: - -# use system dns resolving as error fallback -#system-resolvers: false - -# disable clustering of requests -#disable-clustering: false - -# enable passive http response processing mode -#passive: false - -# force http2 connection on requests -#force-http2: false - -# enable environment variables to be used in template -#env-vars: false - -# client certificate file (pem-encoded) used for authenticating against scanned hosts -#client-cert: - -# client key file (pem-encoded) used for authenticating against scanned hosts -#client-key: - -# client certificate authority file (pem-encoded) used for authenticating against scanned hosts -#client-ca: - -# show match lines for file templates, works with extractors only -#show-match-line: false - -# use ztls library with autofallback to standard one for tls13 -#ztls: false - -# tls sni hostname to use (default: input domain name) -#sni: - -# sandbox nuclei for safe templates execution -#sandbox: false - -# network interface to use for network scan -#interface: - -# type of payload combinations to perform (batteringram,pitchfork,clusterbomb) -#attack-type: - -# source ip address to use for network scan -#source-ip: - -# override the default config path ($home/.config) -#config-directory: - -# max response size to read in bytes -#response-size-read: 10485760 - -# max response size to read in bytes -#response-size-save: 1048576 - -# interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) -#interactsh-server: - -# authentication token for self-hosted interactsh server -#interactsh-token: - -# number of requests to keep in the 
interactions cache -#interactions-cache-size: 5000 - -# number of seconds to wait before evicting requests from cache -#interactions-eviction: 60 - -# number of seconds to wait before each interaction poll request -#interactions-poll-duration: 5 - -# extra time for interaction polling before exiting -#interactions-cooldown-period: 5 - -# disable interactsh server for oast testing, exclude oast based templates -#no-interactsh: false - -# enable uncover engine -#uncover: false - -# uncover search query -#uncover-query: [] - -# uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan) -#uncover-engine: [] - -# uncover fields to return (ip,port,host) -#uncover-field: ip:port - -# uncover results to return -#uncover-limit: 100 - -# delay between uncover query requests in seconds (0 to disable) -#uncover-delay: 1 - -# maximum number of requests to send per second -#rate-limit: 150 - -# maximum number of requests to send per minute -#rate-limit-minute: 0 - -# maximum number of hosts to be analyzed in parallel per template -#bulk-size: 25 - -# maximum number of templates to be executed in parallel -#concurrency: 25 - -# maximum number of headless hosts to be analyzed in parallel per template -#headless-bulk-size: 10 - -# maximum number of headless templates to be executed in parallel -#headless-concurrency: 10 - -# time to wait in seconds before timeout -#timeout: 10 - -# number of times to retry a failed request -#retries: 1 - -# leave default http/https ports (eg. 
host:80,host:443) -#leave-default-ports: false - -# max errors for a host before skipping from scan -#max-host-error: 30 - -# use a project folder to avoid sending same request multiple times -#project: false - -# set a specific project path -#project-path: /var/folders/4w/g73_cghx0tvcqxn_fr51yv8h0000gn/T/ - -# stop processing http requests after the first match (may break template/workflow logic) -#stop-at-first-match: false - -# stream mode - start elaborating without sorting the input -#stream: false - -# timeout on input read -#input-read-timeout: - -# disable httpx probing for non-url input -#no-httpx: false - -# disable stdin processing -#no-stdin: false - -# enable templates that require headless browser support (root user on linux will disable sandbox) -#headless: false - -# seconds to wait for each page in headless mode -#page-timeout: 20 - -# show the browser on the screen when running templates with headless mode -#show-browser: false - -# use local installed chrome browser instead of nuclei installed -#system-chrome: false - -# list available headless actions -#list-headless-action: false - -# show all requests and responses -#debug: false - -# show all sent requests -#debug-req: false - -# show all received responses -#debug-resp: false - -# list of http/socks5 proxy to use (comma separated or file input) -#proxy: [] - -# proxy all internal requests -#proxy-internal: false - -# list all supported dsl function signatures -#list-dsl-function: false - -# file to write sent requests trace log -#trace-log: - -# file to write sent requests error log -#error-log: - -# show nuclei version -#version: false - -# enable nuclei hang monitoring -#hang-monitor: false - -# show verbose output -#verbose: false - -# optional nuclei memory profile dump file -#profile-mem: - -# display templates loaded for scan -#vv: false - -# show variables dump for debugging -#show-var-dump: false - -# enable pprof debugging server -#enable-pprof: false - -# shows the version of the 
installed nuclei-templates -#templates-version: false - -# run diagnostic check up -#health-check: false - -# update nuclei engine to the latest released version -#update: false - -# update nuclei-templates to latest released version -#update-templates: false - -# custom directory to install / update nuclei-templates -#update-template-dir: - -# disable automatic nuclei/templates update check -#disable-update-check: false - -# display statistics about the running scan -#stats: false - -# write statistics data to an output file in jsonl(ines) format -#stats-json: false - -# number of seconds to wait between showing a statistics update -#stats-interval: 5 - -# expose nuclei metrics on a port -#metrics: false - -# port to expose nuclei metrics on -#metrics-port: 9092 - -# run scan on nuclei cloud -#cloud: false - -# nuclei cloud server to use (nuclei_cloud_server) -#cloud-server: https://cloud-dev.nuclei.sh - -# api-key for the nuclei cloud server (nuclei_cloud_apikey) -#cloud-api-key: - -# list previous cloud scans -#list-scan: false - -# disable scan/output storage on cloud -#no-store: false - -# delete scan/output on cloud by scan id -#delete-scan: - -# display scan output by scan id -#scan-output: \ No newline at end of file +# Headers to include with all HTTP request +header: + - 'X-BugBounty-Hacker: github/nuclearpond' + +# Directory based template execution +templates: + - dns/ + +# Tags based template execution +# tags: exposures,cve + +# Template Filters +# tags: exposures,cve +# author: geeknik,pikpikcu,dhiyaneshdk +# severity: critical,high,medium + +# Template Allowlist +# include-tags: dos,fuzz # Tag based inclusion (allows overwriting nuclei-ignore list) +# include-templates: # Template based inclusion (allows overwriting nuclei-ignore list) +# - vulnerabilities/xxx +# - misconfiguration/xxxx + +# Template Denylist +# exclude-tags: info # Tag based exclusion +# exclude-templates: # Template based exclusion +# - vulnerabilities/xxx +# - 
misconfiguration/xxxx + +# Rate Limit configuration +rate-limit: 500 +bulk-size: 50 +concurrency: 50 \ No newline at end of file From 4aa3a9e352294360b5e88648ebd98cc11c5b82ac Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 20:05:48 -0800 Subject: [PATCH 10/30] nuclei config --- artifacts.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 08e0c84..0eaef3e 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -49,16 +49,16 @@ resource "aws_s3_object" "upload_templates" { } # Nuclei configuration files -data "archive_file" "report_config" { +data "archive_file" "nuclei_config" { type = "zip" - source_dir = "${path.module}/config" - output_path = "nuclei-configs.zip" + source_file = "${path.module}/config/config.yaml" + output_path = "nuclei-config.zip" } resource "aws_s3_object" "upload_config" { bucket = aws_s3_bucket.bucket.id - key = "nuclei-configs.zip" - source = "${path.module}/nuclei-configs.zip" + key = "nuclei-config.zip" + source = "${path.module}/nuclei-config.zip" } # Build the lambda function to execute binary From 634ea6c45d3a5d2c1ae791fa9fa7c808c272d710 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 20:43:44 -0800 Subject: [PATCH 11/30] forgot to add layer --- artifacts.tf | 2 +- main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 0eaef3e..93ac6bb 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -51,7 +51,7 @@ resource "aws_s3_object" "upload_templates" { # Nuclei configuration files data "archive_file" "nuclei_config" { type = "zip" - source_file = "${path.module}/config/config.yaml" + source_dir = "${path.module}/config" output_path = "nuclei-config.zip" } diff --git a/main.tf b/main.tf index 51de51a..8b2af14 100644 --- a/main.tf +++ b/main.tf 
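Review bot: The `header:` entry hard-codes a personal handle (`X-BugBounty-Hacker: github/nuclearpond`) into a config that ships inside the module, so every deployer announces themselves to scanned hosts as this author unless they remember to edit the file. Identifying the scanner in a header is good practice for attributable, authorised testing, but the value belongs in a variable — render the file with `templatefile()` before archiving it — or at least needs a README entry naming it as a required change. `templates:` restricted to `dns/` likewise silently limits every run to DNS templates and deserves a one-line comment stating that this is the intended default; the file is also missing its trailing newline.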
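Review bot: The upload key changes to `nuclei-config.zip`, but the diffstat shows only artifacts.tf in this commit, and `aws_lambda_layer_version.configs_layer` in main.tf was declared two commits earlier with `s3_key = "nuclei-configs.zip"`, so the layer now points at an object that is no longer written unless main.tf was updated somewhere I cannot see. Reference the object instead of repeating the string, `s3_key = aws_s3_object.upload_config.key`, so a rename cannot desynchronise the two; the later "forgot to add layer" commit touches only the `layers` list and does not appear to address this either.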
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "function" { function_name = "${var.project_name}-function" role = aws_iam_role.lambda_role.arn - layers = [aws_lambda_layer_version.layer.arn, aws_lambda_layer_version.templates_layer.arn] + layers = [aws_lambda_layer_version.layer.arn, aws_lambda_layer_version.templates_layer.arn, aws_lambda_layer_version.configs_layer.arn] handler = "main" runtime = "go1.x" From dadac65bb3f94afaadcf247648d73743cb2caab0 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 20:49:46 -0800 Subject: [PATCH 12/30] print terminal output --- src/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.go b/src/main.go index 06a3adc..5622ea1 100644 --- a/src/main.go +++ b/src/main.go @@ -147,7 +147,7 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - return "", err + return string(output), err } return string(output), nil } From 95e739de9a68914d99e953e7f0517e86d385b913 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:43:26 -0800 Subject: [PATCH 13/30] layer debugging --- src/main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main.go b/src/main.go index 5622ea1..0cd0dc3 100644 --- a/src/main.go +++ b/src/main.go @@ -147,7 +147,9 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - return string(output), err + ls := exec.Command("ls", "-la", "/opt/") + lsOutput, err := ls.CombinedOutput() + return string(lsOutput), err } return string(output), nil } From 41a151a57bf9e3bc9df59b77263d2838b3ad5407 Mon Sep 17 00:00:00 2001 
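Review bot: The debug branch added in the `runNuclei` hunk discards the nuclei failure: `lsOutput, err := ls.CombinedOutput()` declares a new `err` that shadows the outer one, so when `ls` succeeds the function returns a nil error and the caller sees a failed scan as success, with a directory listing as its output. If the listing is wanted for diagnosis, append it to the nuclei output and keep the original error, e.g. `lsOutput, _ := ls.CombinedOutput()` followed by `return string(output) + "\n" + string(lsOutput), err`. The opening of `runNuclei` lies outside the hunk.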
From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:45:49 -0800 Subject: [PATCH 14/30] cat config debug --- src/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.go b/src/main.go index 0cd0dc3..d783231 100644 --- a/src/main.go +++ b/src/main.go @@ -147,7 +147,7 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - ls := exec.Command("ls", "-la", "/opt/") + ls := exec.Command("cat", "/opt/config.yaml") lsOutput, err := ls.CombinedOutput() return string(lsOutput), err } From e9aabf9c24d4f4b93b701fa1ae7e85fda42b2944 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:48:54 -0800 Subject: [PATCH 15/30] debugging over maybe --- artifacts.tf | 8 ++++++++ src/main.go | 4 +--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/artifacts.tf b/artifacts.tf index 93ac6bb..d576f9a 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -53,12 +53,20 @@ data "archive_file" "nuclei_config" { type = "zip" source_dir = "${path.module}/config" output_path = "nuclei-config.zip" + + # Always reupload the config files + triggers = { + always = timestamp() + } } resource "aws_s3_object" "upload_config" { bucket = aws_s3_bucket.bucket.id key = "nuclei-config.zip" source = "${path.module}/nuclei-config.zip" + + # Always reupload the config files + etag = data.archive_file.nuclei_config.output_md5 } # Build the lambda function to execute binary diff --git a/src/main.go b/src/main.go index d783231..5622ea1 100644 --- a/src/main.go +++ b/src/main.go 
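Review bot: This `runNuclei` hunk returns the contents of `/opt/config.yaml` as the function's result whenever nuclei fails; the config template earlier in this series carries a `header:` block and has a `cloud-api-key:` field, so a failed invocation would echo that material into the Lambda response and into whatever captures it. As in the previous debug commit, `lsOutput, err := ls.CombinedOutput()` shadows the nuclei error, so the caller is additionally told the scan succeeded. Keep debug dumps out of the returned value (a `log.Printf` behind an environment flag, or an `ls -la /opt/` that lists names only) and leave `return string(output), err` in place. `runNuclei` begins before the hunk.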
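Review bot: `triggers = { always = timestamp() }` is not an argument of the `archive_file` data source (`triggers` belongs to `null_resource`), so this hunk should fail validation with an unsupported-argument error rather than force a re-archive; a data source is re-read on every plan anyway, so the block can simply be dropped. The `etag = data.archive_file.nuclei_config.output_md5` addition is the right mechanism for getting the object re-uploaded when the zip changes, provided the bucket uses SSE-S3 rather than KMS — with KMS the S3 ETag is not an MD5 and the attribute produces a perpetual diff. The `#tfsec:ignore:aws-s3-encryption-customer-key` comment elsewhere in this series suggests SSE-S3, but confirm; `source_hash = data.archive_file.nuclei_config.output_base64sha256` sidesteps the caveat if the provider version in use supports it.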
@@ -147,9 +147,7 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - ls := exec.Command("cat", "/opt/config.yaml") - lsOutput, err := ls.CombinedOutput() - return string(lsOutput), err + return string(output), err } return string(output), nil } From 64b7e30ce3be4d2e37551eed972d148168bd861c Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:51:07 -0800 Subject: [PATCH 16/30] renaming config --- artifacts.tf | 8 -------- config/{config.yaml => nuclei-config.yaml} | 0 2 files changed, 8 deletions(-) rename config/{config.yaml => nuclei-config.yaml} (100%) diff --git a/artifacts.tf b/artifacts.tf index d576f9a..93ac6bb 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -53,20 +53,12 @@ data "archive_file" "nuclei_config" { type = "zip" source_dir = "${path.module}/config" output_path = "nuclei-config.zip" - - # Always reupload the config files - triggers = { - always = timestamp() - } } resource "aws_s3_object" "upload_config" { bucket = aws_s3_bucket.bucket.id key = "nuclei-config.zip" source = "${path.module}/nuclei-config.zip" - - # Always reupload the config files - etag = data.archive_file.nuclei_config.output_md5 } # Build the lambda function to execute binary diff --git a/config/config.yaml b/config/nuclei-config.yaml similarity index 100% rename from config/config.yaml rename to config/nuclei-config.yaml From c33bf45f192200364acc9fc9f979473361e641d0 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:56:54 -0800 Subject: [PATCH 17/30] maybe depends_on will fix that --- README.md | 1 + artifacts.tf | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 40d790a..1e80f6d 100644 --- a/README.md +++ b/README.md 
@@ -16,6 +16,7 @@ With any engineering project, design decisions are made based on the requirement - Never pass `-u`, `-l`, `-json`, or `-o` flag to this lambda function but you can pass any other nuclei arguments you like - Nuclei refuses to not write to `$HOME/.config` so the `HOME`, which is not a writable filesystem with lambda, is set to `/tmp` which can cause warm starts to have the same filesystem and perhaps poison future configurations - Lambda function in golang is rebuilt on every apply for ease of development +- When configuration files are updated, you must remove the states for the upload and the archive files ### Event Json diff --git a/artifacts.tf b/artifacts.tf index 93ac6bb..4f20935 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -50,6 +50,7 @@ resource "aws_s3_object" "upload_templates" { # Nuclei configuration files data "archive_file" "nuclei_config" { + depends_on = [aws_s3_object.upload_config] type = "zip" source_dir = "${path.module}/config" output_path = "nuclei-config.zip" From f8be15a6751f93271cadd752273d02d9ab7e10db Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 21:59:19 -0800 Subject: [PATCH 18/30] note for config --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1e80f6d..bddfccd 100644 --- a/README.md +++ b/README.md 
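Review bot: `depends_on = [aws_s3_object.upload_config]` on `data.archive_file.nuclei_config` orders the steps backwards: the upload now runs before the zip it uploads is (re)built, so it either reads a stale archive or fails on a fresh apply when `nuclei-config.zip` does not exist yet. Because `upload_config` names the zip with a literal path there is no implicit edge in the other direction; replacing that literal with `source = data.archive_file.nuclei_config.output_path` and dropping this `depends_on` gives the right order without a cycle and lets `source_hash` or `etag` track content. The README line about deleting state for the upload and archive is a symptom of the same missing edge.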
@@ -16,7 +16,7 @@ With any engineering project, design decisions are made based on the requirement - Never pass `-u`, `-l`, `-json`, or `-o` flag to this lambda function but you can pass any other nuclei arguments you like - Nuclei refuses to not write to `$HOME/.config` so the `HOME`, which is not a writable filesystem with lambda, is set to `/tmp` which can cause warm starts to have the same filesystem and perhaps poison future configurations - Lambda function in golang is rebuilt on every apply for ease of development -- When configuration files are updated, you must remove the states for the upload and the archive files +- When configuration files are updated, you must remove the file from s3 `aws s3 rm s3://example-nuclei-runner-artifacts/nuclei-config.zip` ### Event Json From 6c903336b8eaae266f8e64896259a6c6292c3a0b Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:02:39 -0800 Subject: [PATCH 19/30] more debugging --- src/main.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/main.go b/src/main.go index 5622ea1..ae4c4f9 100644 --- a/src/main.go +++ b/src/main.go @@ -147,7 +147,9 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - return string(output), err + ls := exec.Command("cat", "/opt/nuclei-config.yaml") + lsOutput, err := ls.CombinedOutput() + return string(lsOutput), err } return string(output), nil } From bb074c397941133b8a95f91b208c7c151762aa3d Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:03:56 -0800 Subject: [PATCH 20/30] ls --- src/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.go b/src/main.go index ae4c4f9..8fe3f79 100644 --- a/src/main.go +++ b/src/main.go 
@@ -147,7 +147,7 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - ls := exec.Command("cat", "/opt/nuclei-config.yaml") + ls := exec.Command("ls", "/opt/") lsOutput, err := ls.CombinedOutput() return string(lsOutput), err } From 53212c5a5feb26584f4c0633bc6fbd032600d733 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:06:32 -0800 Subject: [PATCH 21/30] depends on --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index 4f20935..4ad081f 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -50,13 +50,13 @@ resource "aws_s3_object" "upload_templates" { # Nuclei configuration files data "archive_file" "nuclei_config" { - depends_on = [aws_s3_object.upload_config] type = "zip" source_dir = "${path.module}/config" output_path = "nuclei-config.zip" } resource "aws_s3_object" "upload_config" { + depends_on = [data.archive_file.nuclei_config] bucket = aws_s3_bucket.bucket.id key = "nuclei-config.zip" source = "${path.module}/nuclei-config.zip" From 70ead2becfa6af263c5aa69291c240d13b1a6863 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:11:19 -0800 Subject: [PATCH 22/30] updating readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bddfccd..58ab1a5 100644 --- a/README.md +++ b/README.md 
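Review bot: Moving `depends_on` onto `aws_s3_object.upload_config` fixes the ordering, but the object still has neither `etag` nor `source_hash`, so Terraform will not notice when `config/nuclei-config.yaml` changes and the Lambda keeps running the old scan configuration — the README in this series documents that as "destroy and recreate". Two lines close the gap: `source = data.archive_file.nuclei_config.output_path` and `source_hash = data.archive_file.nuclei_config.output_base64sha256` (or `etag = data.archive_file.nuclei_config.output_md5` on an SSE-S3 bucket), after which the explicit `depends_on` is redundant. The layer built from this object presumably needs to key its version on the same hash for a new config to be redeployed; that resource is not in this hunk.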
@@ -16,7 +16,7 @@ With any engineering project, design decisions are made based on the requirement - Never pass `-u`, `-l`, `-json`, or `-o` flag to this lambda function but you can pass any other nuclei arguments you like - Nuclei refuses to not write to `$HOME/.config` so the `HOME`, which is not a writable filesystem with lambda, is set to `/tmp` which can cause warm starts to have the same filesystem and perhaps poison future configurations - Lambda function in golang is rebuilt on every apply for ease of development -- When configuration files are updated, you must remove the file from s3 `aws s3 rm s3://example-nuclei-runner-artifacts/nuclei-config.zip` +- When configuration files are updated, you might have to destroy and recreate the infrastructure ### Event Json From 4b35bc6e2afd49ea80d693ba6f84c77b15683e7a Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:12:00 -0800 Subject: [PATCH 23/30] pretty important depends on --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 8b2af14..ffa1091 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,6 @@ # tfsec:ignore:aws-lambda-enable-tracing resource "aws_lambda_function" "function" { + depends_on = [aws_lambda_layer_version.layer.arn, aws_lambda_layer_version.templates_layer.arn, aws_lambda_layer_version.configs_layer.arn] filename = "lambda.zip" function_name = "${var.project_name}-function" From 245d0e43f64c4050905cbc61bdf890e5ce43e2ac Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:13:05 -0800 Subject: [PATCH 24/30] depends on not arn --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ffa1091..81ba2fe 100644 --- a/main.tf +++ b/main.tf 
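Review bot: `depends_on` takes resource addresses, not attribute expressions, so `aws_lambda_layer_version.layer.arn` and its two siblings in this list will be rejected at validation; the accepted form is `depends_on = [aws_lambda_layer_version.layer, aws_lambda_layer_version.templates_layer, aws_lambda_layer_version.configs_layer]`. Even then the line is redundant: the function's `layers = [...]` argument already references those resources, which gives Terraform the same edge implicitly. If the goal is to redeploy the function whenever a layer is republished, that already happens because the layer-version ARN in `layers` changes on each publish, not through `depends_on`.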
@@ -1,6 +1,6 @@ # tfsec:ignore:aws-lambda-enable-tracing resource "aws_lambda_function" "function" { - depends_on = [aws_lambda_layer_version.layer.arn, aws_lambda_layer_version.templates_layer.arn, aws_lambda_layer_version.configs_layer.arn] + depends_on = [aws_lambda_layer_version.layer, aws_lambda_layer_version.templates_layer, aws_lambda_layer_version.configs_layer] filename = "lambda.zip" function_name = "${var.project_name}-function" From 610c35a492b4f5dca7a61ee58c590082f86ffb10 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:14:10 -0800 Subject: [PATCH 25/30] hard coding versions --- versions.tf | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index 8ea838b..25df02d 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,19 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = "4.50.0" + } + null = { + source = "hashicorp/null" + version = "3.2.1" + } + archive = { + source = "hashicorp/archive" + version = "2.2.0" + } + github = { + source = "hashicorp/github" + version = "5.14.0" } } } \ No newline at end of file From 65ed14f054fc0d0c5fdc1db18db3097ce8868e98 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:19:32 -0800 Subject: [PATCH 26/30] updated config path --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index 4ad081f..2842283 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -52,7 +52,7 @@ resource "aws_s3_object" "upload_templates" { data "archive_file" "nuclei_config" { type = "zip" source_dir = "${path.module}/config" - output_path = "nuclei-config.zip" + output_path = "nuclei-configs.zip" } resource "aws_s3_object" "upload_config" { From 0a9a4a9e043fbbb6d03ec481e08fc1dd965e8458 Mon Sep 17 00:00:00 2001 
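Review bot: `depends_on = [aws_lambda_layer_version.layer, aws_lambda_layer_version.templates_layer, aws_lambda_layer_version.configs_layer]` is now valid but adds nothing, because `layers = [aws_lambda_layer_version.layer.arn, ...]` on the same resource (visible in an earlier hunk) already makes the function depend on all three layer versions. Either drop the line or leave a one-line comment explaining why it is kept, e.g. `# explicit for readability; layers = [...] already implies this ordering`.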
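Review bot: Exact pins such as `version = "4.50.0"` and `version = "5.14.0"` only fix the version string; what `terraform init` downloads is integrity-checked against `.terraform.lock.hcl`, so commit that file (regenerated with `terraform providers lock -platform=...` for every platform that runs applies) or the pins still trust whatever the registry serves for that version. I cannot tell from this series whether the lock file is tracked. A `~> 4.50` style constraint with the lock file holding the exact build keeps patch-level security fixes reachable without editing this block each time, while still giving a reproducible init.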
From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:24:04 -0800 Subject: [PATCH 27/30] update path --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index 2842283..6d13bcc 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -59,7 +59,7 @@ resource "aws_s3_object" "upload_config" { depends_on = [data.archive_file.nuclei_config] bucket = aws_s3_bucket.bucket.id key = "nuclei-config.zip" - source = "${path.module}/nuclei-config.zip" + source = "${path.module}/nuclei-configs.zip" } # Build the lambda function to execute binary From b8d209484ce9388f7680b8681fd4e524e3cece06 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:30:38 -0800 Subject: [PATCH 28/30] really --- artifacts.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts.tf b/artifacts.tf index 6d13bcc..9281e6f 100644 --- a/artifacts.tf +++ b/artifacts.tf @@ -58,7 +58,7 @@ data "archive_file" "nuclei_config" { resource "aws_s3_object" "upload_config" { depends_on = [data.archive_file.nuclei_config] bucket = aws_s3_bucket.bucket.id - key = "nuclei-config.zip" + key = "nuclei-configs.zip" source = "${path.module}/nuclei-configs.zip" } From 95aba778657a8eb354c01fb3bba1ca43dae1a9ad Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:34:17 -0800 Subject: [PATCH 29/30] add force destroy --- bucket.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bucket.tf b/bucket.tf index 2528c17..a322daf 100644 --- a/bucket.tf +++ b/bucket.tf @@ -3,9 +3,8 @@ resource "aws_s3_bucket" "bucket" { bucket = "${var.project_name}-artifacts" tags = var.tags - lifecycle { - prevent_destroy = true - } + # Delete all objects in the bucket before deleting the bucket + force_destroy = true } #tfsec:ignore:aws-s3-encryption-customer-key 
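Review bot: Replacing `prevent_destroy = true` with `force_destroy = true` inverts a guard: any plan that replaces the bucket — `terraform destroy`, but also a change to `var.project_name`, since the name is `"${var.project_name}-artifacts"` — now deletes every object (nuclei binary, templates, config zip) without a prompt. If this is only wanted for development, expose it as a variable with the safe default, e.g. `force_destroy = var.artifacts_force_destroy` declared with `default = false`, and note in the README that dev environments override it. If the bucket is not already versioned, enabling versioning would give a recovery path for an accidental wipe; that resource is not in this hunk.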
From 3204cacf9a7c0bed2a0ec910f0fb507d8c234255 Mon Sep 17 00:00:00 2001 From: jonathanwalker <14978093+jonathanwalker@users.noreply.github.com> Date: Sun, 15 Jan 2023 22:36:58 -0800 Subject: [PATCH 30/30] output cmd --- src/main.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/main.go b/src/main.go index 8fe3f79..5622ea1 100644 --- a/src/main.go +++ b/src/main.go @@ -147,9 +147,7 @@ func runNuclei(args []string) (string, error) { cmd := exec.Command(nucleiBinary, args...) output, err := cmd.CombinedOutput() if err != nil { - ls := exec.Command("ls", "/opt/") - lsOutput, err := ls.CombinedOutput() - return string(lsOutput), err + return string(output), err } return string(output), nil }
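Review bot: `return string(output), err` hands the caller a bare `exec` error with no indication of what nuclei was asked to run, and `exec.Command(nucleiBinary, args...)` receives `args` that nothing in this function validates; the README in this series asks users not to pass `-u`, `-l`, `-json` or `-o`, which is a convention rather than a check, and `args` appears to come from the invocation event. Wrap the error so logs are actionable, `return string(output), fmt.Errorf("nuclei %q: %w", args, err)`, and reject the reserved flags before the call — a small deny-list check on `args` is the natural place. Callers can then use `errors.As` with `*exec.ExitError` to tell a non-zero nuclei exit from a missing binary. The function's opening lines and its callers are outside the hunk.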