updates for v2.5 (#13)

README.md

@@ -1,16 +1,16 @@
-# discrimiNAT, ENI architecture
+# DiscrimiNAT, ENI architecture
 
-[discrimiNAT firewall](https://chasersystems.com/discriminat) for egress filtering by FQDNs on AWS. Just specify the allowed destination hostnames in the respective applications' native Security Groups and the firewall will take care of the rest.
+[DiscrimiNAT Firewall](https://chasersystems.com/discriminat/) for egress filtering by FQDNs on AWS. Just specify the allowed destination hostnames in the respective applications' native Security Groups and the firewall will take care of the rest.
 
 ![](https://chasersystems.com/img/aws-protocol-tls.gif)
 
 **Architecture with [ENIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in VPCs for Private Subnets' route table entries to the Internet.**
 
-[Demo Video](https://chasersystems.com/discriminat/aws/demo) | [discrimiNAT FAQ](https://chasersystems.com/discriminat/faq)
+[Demo Video](https://chasersystems.com/discriminat/aws/demo/) | [DiscrimiNAT FAQ](https://chasersystems.com/discriminat/faq/)
 
 ## Pentest Ready
 
-discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. Anything older or insecure will be denied connection automatically. Also conducts out-of-band checks, such as DNS, for robust defence against sophisticated malware and insider threats. Gets your VPC ready for a proper pentest!
+DiscrimiNAT enforces the use of contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. Anything older or insecure will be denied connection automatically. Also conducts out-of-band checks, such as DNS, for robust defence against sophisticated malware and insider threats. Gets your VPC ready for a proper pentest!
 
 ## Highlights
 
@@ -20,13 +20,13 @@ discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.
 
 ## Considerations
 
-* A deployment per zone is advised, just like the AWS NAT Gateways – which are not needed with discrimiNAT deployed.
+* A deployment per zone is advised, just like the AWS NAT Gateways – which are not needed with DiscrimiNAT deployed.
 * VMs and Lambdas _without_ public IPs will need to be in a subnet (typically the Private Subnet) with routing through the ENIs created by this module to access the Internet at all.
-* You must be subscribed to the [discrimiNAT firewall from the AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07YLBH34R?ref=_ptnr_gthb).
+* You must be subscribed to the [DiscrimiNAT Firewall from the AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-gdrdl5m67w6vg).
 
 ## Elastic IPs
 
-If a Public IP is not found attached to a discrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named `discriminat` (set to any value.) One of such Elastic IPs will be attempted to be associated with itself then.
+If a Public IP is not found attached to a DiscrimiNAT instance, it will look for any allocated but unassociated Elastic IPs that have a tag-key named `discriminat` (set to any value.) One of such Elastic IPs will be attempted to be associated with itself then.
 
 >This allows you to have a stable set of static IPs to share with your partners, who may wish to allowlist/whitelist them.
 
@@ -39,16 +39,16 @@ ec2:AssociateAddress
 
 An EC2 VPC Endpoint is needed for this mechanism to work though – since making the association needs access to the EC2 API. In the [aws_vpc example](examples/aws_vpc/), this is demonstrated by deploying the endpoint along with the VPC.
 
-It is always possible to not choose this mechanism and have a Public IP associated with the network interfaces of the discrimiNAT right from the onset. This also used to be the case before v2.4 of the discrimiNAT.
+It is always possible to not choose this mechanism and have a Public IP associated with the network interfaces of the DiscrimiNAT right from the onset. This also used to be the case before v2.4 of the DiscrimiNAT.
 
 ## Next Steps
 
-* [Understand how to configure the enhanced Security Groups](https://chasersystems.com/docs/discriminat/aws/config-ref) after deployment, from our main documentation.
+* [Understand how to configure the enhanced Security Groups](https://chasersystems.com/docs/discriminat/aws/config-ref/) after deployment, from our main documentation.
 * Contact our DevSecOps at devsecops@chasersystems.com for queries at any stage of your journey – even on the eve of a pentest!
 
 ## Discover
 
-Perhaps use the `see-thru` mode to discover what needs to be in the allowlist for an application, by monitoring its outbound network activity first. Follow our [building an allowlist from scratch](https://chasersystems.com/docs/discriminat/aws/logs-ref#building-an-allowlist-from-scratch) recipe for use with CloudWatch.
+Perhaps use the `see-thru` mode to discover what needs to be in the allowlist for an application, by monitoring its outbound network activity first. Follow our [building an allowlist from scratch](https://chasersystems.com/docs/discriminat/aws/logs-ref/#building-an-allowlist-from-scratch-video-version) recipe for use with CloudWatch.
 
 ![](https://chasersystems.com/img/aws-see-thru.gif)
 
@@ -70,12 +70,12 @@ resource "aws_security_group_rule" "saas_monitoring" {
   to_port   = 443
   protocol  = "tcp"
 
-  # The discrimiNAT firewall will apply its own checks anyway, so you could
+  # The DiscrimiNAT Firewall will apply its own checks anyway, so you could
   # choose to leave this wide open without worry.
   cidr_blocks = ["0.0.0.0/0"]
 
   # You could simply embed the allowed FQDNs, comma-separated, like below.
-  # Full syntax at https://chasersystems.com/docs/discriminat/aws/config-ref
+  # Full syntax at https://chasersystems.com/docs/discriminat/aws/config-ref/
   description = "discriminat:tls:app.datadoghq.com,collector.newrelic.com"
 }
 

discriminat.tf

@@ -2,7 +2,7 @@
 
 variable "public_subnets" {
   type        = list(string)
-  description = "The IDs of the Public Subnets to deploy the discrimiNAT firewall instances in. These must have routing to the Internet via an Internet Gateway already."
+  description = "The IDs of the Public Subnets to deploy the DiscrimiNAT Firewall instances in. These must have routing to the Internet via an Internet Gateway already."
 }
 
 ##
@@ -35,13 +35,13 @@ variable "startup_script_base64" {
 
 variable "ami_owner" {
   type        = string
-  description = "Reserved for use with Chaser support. Allows overriding the source AMI account for discrimiNAT."
+  description = "Reserved for use with Chaser support. Allows overriding the source AMI account for DiscrimiNAT."
   default     = null
 }
 
 variable "ami_name" {
   type        = string
-  description = "Reserved for use with Chaser support. Allows overriding the source AMI version for discrimiNAT."
+  description = "Reserved for use with Chaser support. Allows overriding the source AMI version for DiscrimiNAT."
   default     = null
 }
 
@@ -75,7 +75,7 @@ data "aws_ami" "discriminat" {
 
   filter {
     name   = "name"
-    values = ["discrimiNAT-2.4.*"]
+    values = var.ami_name == null ? ["DiscrimiNAT-2.5.*"] : [var.ami_name]
   }
 }
 
@@ -145,6 +145,7 @@ resource "aws_launch_template" "discriminat" {
     ebs {
       encrypted   = true
       volume_size = tolist(data.aws_ami.discriminat.block_device_mappings)[0].ebs.volume_size
+      volume_type = "gp3"
     }
   }
 
@@ -154,8 +155,9 @@ resource "aws_launch_template" "discriminat" {
 
   tag_specifications {
     resource_type = "instance"
-    tags          = local.tags
+    tags          = merge(local.tags, { "discriminat" : "self-manage" })
   }
+
   tag_specifications {
     resource_type = "volume"
     tags          = local.tags
@@ -182,7 +184,7 @@ resource "aws_autoscaling_group" "discriminat" {
   desired_capacity = 1
 
   default_cooldown          = 1
-  health_check_grace_period = 1
+  health_check_grace_period = 0
   health_check_type         = "EC2"
 
   launch_template {
@@ -196,6 +198,16 @@ resource "aws_autoscaling_group" "discriminat" {
       min_healthy_percentage = 0
     }
   }
+
+  dynamic "tag" {
+    for_each = local.tags
+    iterator = i
+    content {
+      key                 = i.key
+      value               = i.value
+      propagate_at_launch = false
+    }
+  }
 }
 
 ##
@@ -221,7 +233,7 @@ resource "aws_iam_policy" "discriminat" {
                 "logs:DescribeLogStreams"
             ],
             "Resource": [
-                "arn:aws:logs:*:*:log-group:discrimiNAT:log-stream:*"
+                "arn:aws:logs:*:*:log-group:DiscrimiNAT:log-stream:*"
             ]
         },
         {
@@ -234,10 +246,21 @@ resource "aws_iam_policy" "discriminat" {
             "Action": [
                 "ec2:DescribeNetworkInterfaces",
                 "ec2:DescribeSecurityGroups",
-                "ec2:DescribeAddresses",
-                "ec2:AssociateAddress"
+                "ec2:DescribeAddresses"
             ],
             "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AssociateAddress"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/discriminat": false
+                }
+            }
         }
     ]
 }
@@ -289,8 +312,8 @@ resource "aws_iam_instance_profile" "discriminat" {
 locals {
   tags = merge(
     {
-      "Name" : "discrimiNAT",
-      "documentation" : "https://chasersystems.com/docs/discriminat/aws/installation-overview"
+      "Name" : "DiscrimiNAT",
+      "documentation" : "https://chasersystems.com/docs/discriminat/aws/installation-overview/"
     },
     var.tags
   )

examples/aws_vpc/README.md

@@ -1,6 +1,6 @@
-# discrimiNAT, ENI architecture, alongside "terraform-aws-modules/vpc/aws" example
+# DiscrimiNAT, ENI architecture, alongside "terraform-aws-modules/vpc/aws" example
 
-Demonstrates how to install discrimiNAT egress filtering in a VPC provisioned with the [terraform-aws-modules/vpc/aws](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws) v2 module from the Terraform Registry.
+Demonstrates how to install DiscrimiNAT egress filtering in a VPC provisioned with the [terraform-aws-modules/vpc/aws](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws) v2 module from the Terraform Registry.
 
 ## Elastic IPs
 

examples/retrofit/README.md

@@ -1,6 +1,6 @@
-# discrimiNAT, ENI architecture, retrofit example
+# DiscrimiNAT, ENI architecture, retrofit example
 
-Demonstrates how to retrofit discrimiNAT egress filtering in a pre-existing VPC, for chosen zones.
+Demonstrates how to retrofit DiscrimiNAT egress filtering in a pre-existing VPC, for chosen zones.
 
 ## Example
 

examples/retrofit/example.tf

@@ -1,6 +1,6 @@
 variable "public_subnets" {
   type        = list(any)
-  description = "List of public subnets to deploy the discrimiNAT firewall in. These would be the same as where a NAT Gateway/Instance would normally be placed in your design and should have their default route set to an Internet Gateway."
+  description = "List of public subnets to deploy the DiscrimiNAT Firewall in. These would be the same as where a NAT Gateway/Instance would normally be placed in your design and should have their default route set to an Internet Gateway."
 }
 
 module "discriminat" {