terraform { required_version = ">= 1.5" required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } tls = { source = "hashicorp/tls" version = "~> 4.0" } local = { source = "hashicorp/local" version = "~> 2.0" } } } provider "aws" { region = var.region profile = var.aws_profile } # --------------------------------------------------------------------------- # Common lab tags, applied explicitly to every taggable resource. # # We intentionally do NOT use provider-level `default_tags`. The lab requires # an `expiry_ts` tag; deriving it from `timestamp()` makes its value unknown # until apply, so applying a *saved* plan recomputes `tags_all` and the AWS # provider rejects it as "Provider produced inconsistent final plan". Declaring # the tags here from plan-time-known variables keeps the saved plan stable. # --------------------------------------------------------------------------- locals { common_tags = { cve_id = var.cve_id lab_run_id = var.lab_run_id owner = "cve-reproduce-lab" expiry_ts = var.expiry_ts } } # --------------------------------------------------------------------------- # Ephemeral, per-run SSH key pair. Generated in-stack and destroyed with it; # private key written under env/ (the run dir is gitignored). Never reuse a # shared key (per lab convention). # --------------------------------------------------------------------------- resource "tls_private_key" "lab" { algorithm = "ED25519" } resource "aws_key_pair" "lab" { key_name = "${var.lab_run_id}-key" public_key = tls_private_key.lab.public_key_openssh tags = local.common_tags } resource "local_file" "private_key" { content = tls_private_key.lab.private_key_openssh filename = "${path.module}/lab_key.pem" file_permission = "0600" } # --------------------------------------------------------------------------- # Networking: default VPC + a tight SG (SSH only, ingress from allowed CIDR). # The exploit and verifier both arrive over SSH; nothing else is exposed. # --------------------------------------------------------------------------- data "aws_vpc" "default" { default = true } resource "aws_security_group" "lab" { name = "${var.lab_run_id}-sg" description = "SSH-only access to the CVE-2026-31431 lab VM" vpc_id = data.aws_vpc.default.id ingress { description = "SSH" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = [var.allowed_ssh_cidr] } egress { description = "all egress (apt hold, package fetch during init)" from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = merge(local.common_tags, { Name = "${var.lab_run_id}-sg" }) } # --------------------------------------------------------------------------- # The lab VM. Boots the pinned vulnerable Ubuntu 24.04 (6.8 GA) AMI; cloud-init # holds the kernel, disables auto-upgrades, creates the unprivileged actor, # and stands up the clean root-owned target baseline + verifier OOB channel. # --------------------------------------------------------------------------- resource "aws_instance" "lab" { ami = var.ami_id instance_type = var.instance_type key_name = aws_key_pair.lab.key_name vpc_security_group_ids = [aws_security_group.lab.id] associate_public_ip_address = true root_block_device { volume_size = 16 volume_type = "gp3" } # cloud-init must NOT upgrade the kernel. We hold it before any unattended # upgrade can run, gate on the version, and provision the lab baseline. user_data = file("${path.module}/scripts/cloud-init.sh") tags = merge(local.common_tags, { Name = "${var.lab_run_id}-vm" }) }