cloudgoat
vulnerable_lambda resource_cleaning.sh needs aws profile
Hi there,
Loved the new vulnerable_lambda scenario, thanks so much for pushing this out. Noticed during cleanup that the iam module runs resource_cleaning.sh (scenarios/vulnerable_lambda/terraform/resource_cleaning.sh), which makes AWS calls but doesn't accept or use a profile argument, therefore failing as it defaults to the default AWS profile.
```
Using default profile "akgoat" from config.yml...
Destroy "vulnerable_lambda_cgidx17poqnn66"? [y/n]: y
aws_iam_user.bilbo: Refreshing state... [id=cg-bilbo-vulnerable_lambda_cgidx17poqnn66]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_iam_user.bilbo will be destroyed
  - resource "aws_iam_user" "bilbo" {
      - arn           = "arn:aws:iam::222641179579:user/cg-bilbo-vulnerable_lambda_cgidx17poqnn66" -> null
      - force_destroy = false -> null
      - id            = "cg-bilbo-vulnerable_lambda_cgidx17poqnn66" -> null
      - name          = "cg-bilbo-vulnerable_lambda_cgidx17poqnn66" -> null
      - path          = "/" -> null
      - tags          = {
          - "Name" = "cg-vulnerable_lambda_cgidx17poqnn66"
        } -> null
      - tags_all      = {
          - "Name"     = "cg-vulnerable_lambda_cgidx17poqnn66"
          - "Scenario" = "lambda-sql-injection"
          - "Stack"    = "CloudGoat"
        } -> null
      - unique_id     = "AIDATHVTSZO574IAIMXPW" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Changes to Outputs:
  - cloudgoat_output_aws_account_id = "222641179579" -> null
  - scenario_cg_id                  = "cgidx17poqnn66" -> null
aws_iam_user.bilbo: Destroying... [id=cg-bilbo-vulnerable_lambda_cgidx17poqnn66]
aws_iam_user.bilbo: Provisioning with 'local-exec'...
aws_iam_user.bilbo (local-exec): Executing: ["/bin/sh" "-c" "./resource_cleaning.sh cg-bilbo-vulnerable_lambda_cgidx17poqnn66"]
aws_iam_user.bilbo (local-exec): An error occurred (ExpiredToken) when calling the ListAttachedUserPolicies operation: The security token included in the request is expired
╷
│ Error: Error deleting IAM User cg-bilbo-vulnerable_lambda_cgidx17poqnn66: DeleteConflict: Cannot delete entity, must detach all policies first.
│ 	status code: 409, request id: 1144d899-089c-40e2-b048-01d7ae342774
│
│
╵
[cloudgoat] Error while running `terraform destroy`.
exit code: 1
stdout: None
stderr: None
```
@andrew-kline good catch! Thank you for the detailed issue! This was totally an oversight on my part, as my default creds just worked during my development process by happenstance. I'll work on prioritizing this issue ASAP.
Thanks @cmd-ctrl-freq for the really quick response and for looking into it!
@andrew-kline Alrighty, I just pushed out a fix for this. I'm kinda pushing the boundaries of what terraform will allow provisioners to be used for, so the way it works is wonky in my opinion, but it should work unless there's a bizarre edge case I'm not thinking of where AWS would reject a valid profile name occurring in a tag.
if you're interested in the coding changes: https://github.com/RhinoSecurityLabs/cloudgoat/commit/6b414c9a0c1aa6b0486679f30ebe697c8835481c
Thanks again for this. I'll leave this issue open for a day or two in case you want to test this on your end.
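The fix above passes the profile into the cleanup script explicitly instead of letting the AWS CLI fall back to whatever `~/.aws/config` calls `default`. As an added example (not CloudGoat's own resource_cleaning.sh), here is a POSIX sh cleanup script that refuses to run without a profile argument, puts `--profile` on every AWS CLI call, and removes everything that makes IAM `DeleteUser` fail with the `DeleteConflict` seen in the original report (attached managed policies, inline policies, access keys). The `<user-name> <profile>` argument order, the extra inline-policy and access-key cleanup, and the function name are assumptions, not the project's interface.

```shell
#!/bin/sh
# Added example, not CloudGoat's resource_cleaning.sh: a destroy-time
# IAM user cleanup that requires the AWS CLI profile as an explicit
# argument rather than silently using the default profile.
# Assumptions: invoked from a Terraform local-exec provisioner as
# "<iam-user-name> <aws-profile>", and the `aws` CLI is on PATH.

# Strip everything that blocks DeleteUser, then delete the user.
# Returns 2 on bad usage, 1 if any AWS call fails, 0 on success.
cleanup_iam_user() {
    user="$1"
    profile="$2"
    if [ -z "$user" ] || [ -z "$profile" ]; then
        echo "usage: $0 <iam-user-name> <aws-profile>" >&2
        return 2
    fi

    # Every call carries --profile so it uses the credentials that
    # deployed the scenario, not whatever ~/.aws/config calls "default".
    attached=$(aws --profile "$profile" iam list-attached-user-policies \
        --user-name "$user" \
        --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
    for arn in $attached; do
        aws --profile "$profile" iam detach-user-policy \
            --user-name "$user" --policy-arn "$arn" || return 1
    done

    # Inline policies also block DeleteUser.
    inline=$(aws --profile "$profile" iam list-user-policies \
        --user-name "$user" --query 'PolicyNames[]' --output text) || return 1
    for name in $inline; do
        aws --profile "$profile" iam delete-user-policy \
            --user-name "$user" --policy-name "$name" || return 1
    done

    # So do access keys (the scenario hands one out, so clean them too).
    keys=$(aws --profile "$profile" iam list-access-keys \
        --user-name "$user" \
        --query 'AccessKeyMetadata[].AccessKeyId' --output text) || return 1
    for key in $keys; do
        aws --profile "$profile" iam delete-access-key \
            --user-name "$user" --access-key-id "$key" || return 1
    done

    aws --profile "$profile" iam delete-user --user-name "$user"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    cleanup_iam_user "$@"
fi
```

Calling it as `bash ./resource_cleaning.sh <user> <profile>` (or via the provisioner's `interpreter` setting) runs it even when the script's executable bit is not set, which is the exit status 126 "Permission denied" case.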
Not sure if related, but I ran into the below "Permission denied" error when attempting to destroy the lab:
```
aws_iam_user.bilbo: Destroying... [id=cg-bilbo-vulnerable_lambda_cgidp8qfucf5l2]
aws_iam_user.bilbo: Provisioning with 'local-exec'...
aws_iam_user.bilbo (local-exec): Executing: ["/bin/sh" "-c" "./resource_cleaning.sh cg-bilbo-vulnerable_lambda_cgidp8qfucf5l2 default"]
aws_iam_user.bilbo (local-exec): /bin/sh: 1: ./resource_cleaning.sh: Permission denied
╷
│ Error: local-exec provisioner error
│
│   with aws_iam_user.bilbo,
│   on iam.tf line 7, in resource "aws_iam_user" "bilbo":
│    7:   provisioner "local-exec" {
│
│ Error running command './resource_cleaning.sh cg-bilbo-vulnerable_lambda_cgidp8qfucf5l2 default': exit status 126. Output: /bin/sh: 1: ./resource_cleaning.sh: Permission denied
│
╵
[cloudgoat] Error while running `terraform destroy`.
exit code: 1
stdout: None
stderr: None
```
Dirty patch, but what worked to resolve it was to prepend the command with `bash` in the `iam.tf` file:

```
provisioner "local-exec" {
  when    = destroy
  command = "bash ./resource_cleaning.sh ${self.name} ${self.tags.deployment_profile}"
}
```
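The provisioner line above shows why the profile ends up in a tag: a destroy-time provisioner may only reference the resource's own attributes through `self`, so the profile name has to be stored on the resource when it is created. The following is an added example (not the project's iam.tf) showing the whole arrangement: the profile is written into a tag at apply time, read back from `self.tags` at destroy time, and the script is run through an explicit `interpreter` so the executable bit does not matter. The `profile` and `cgid` variable names and the character-set validation (IAM tag values allow letters, digits, spaces and `_ . : / = + - @`) are assumptions added here.

```hcl
# Added example, not CloudGoat's iam.tf. Variable names are assumed.
variable "profile" {
  description = "AWS CLI profile used to apply and later destroy the scenario"
  type        = string

  # Assumption: reject profile names that IAM would refuse as a tag value,
  # so the failure shows up at plan time instead of during destroy.
  validation {
    condition     = can(regex("^[A-Za-z0-9 _.:/=+@-]+$", var.profile))
    error_message = "The profile name must be a valid IAM tag value."
  }
}

variable "cgid" {
  description = "CloudGoat scenario id (assumed to exist elsewhere in the module)"
  type        = string
}

resource "aws_iam_user" "bilbo" {
  name = "cg-bilbo-vulnerable_lambda_${var.cgid}"

  tags = {
    Name = "cg-vulnerable_lambda_${var.cgid}"
    # Destroy-time provisioners can only read `self`, so the profile
    # is stashed on the resource itself rather than read from var.profile.
    deployment_profile = var.profile
  }

  provisioner "local-exec" {
    when = destroy
    # Running through bash -c removes the dependence on the script's
    # executable bit (the exit status 126 "Permission denied" case).
    interpreter = ["bash", "-c"]
    command     = "./resource_cleaning.sh ${self.name} ${self.tags.deployment_profile}"
  }
}
```

Because the tag is part of the resource's state, changing `var.profile` later forces an in-place tag update before the next destroy picks up the new value; the destroy step always uses whatever profile name is recorded in state, not the one currently in config.yml.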
Hello, I am Ravi. As part of a college assignment I am interested in solving this issue, for which I need your approval and guidance. Can you accept me as a contributor?
@ravitejasssihl thanks for expressing interest!
I'm no longer a privileged user in this repo so I can't close the issue. I believe the original issue was fixed. If you want to look into @daehee's issue above, that may still need to be fixed in the main branch. If so:
- fork this repo so that you have a personal copy
- implement and test your fix in your own fork
- open a pull request to this repo with your fix
Let me know if you have any questions!
Hello everyone,
I just wanted to take a moment to thank each of you for taking the time to help with this pull request.
I confirm that the original issue has been solved on the latest commit on the main branch (at time of writing: https://github.com/RhinoSecurityLabs/cloudgoat/commit/8477f00f64d7326952b3514b45e7f207e2ecd4ba).
I would like to encourage @daehee (and everyone else) who has related but different issues to create their own pull requests. This will ensure that these new issues get the proper attention they deserve, and that we can better organize our efforts moving forward.
Thank you for your time and understanding.
Kind regards, John.