From eae7797667592bf4297d6c54a224de9f988bc6d2 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:04:15 +0000 Subject: [PATCH 1/7] Update terraform for reverse shell deployment --- terraform/main.tf | 74 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/terraform/main.tf b/terraform/main.tf index 2f366fb46..98bf5e297 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -23,6 +23,12 @@ variable "tavern_container_image" { default = "spellshift/tavern:latest" } +variable "tavern_request_timeout_seconds" { + type = int + description = "How many seconds before a request is dropped, defaults to 3600 to accomodate reverse shells (which are killed when this timeout is reached)" + default = 3600 +} + variable "gcp_project" { type = string description = "GCP Project ID for deployment" @@ -36,6 +42,24 @@ variable "gcp_region" { description = "GCP Region for deployment" default = "us-east4" } + +variable "disable_gcp_pubsub" { + type = bool + description = "Disables GCP pubsub setup and instead defaults to inmem pubsub, suitable for use-cases where only one tavern instance will exist and distributed orchestration is unnecessary" +} + +variable "gcp_pubsub_topic_shell_input" { + type = string + description = "Name of the GCP pubsub topic to create for shell input" + default = "shell_input" +} + +variable "gcp_pubsub_topic_shell_output" { + type = string + description = "Name of the GCP pubsub topic to create for shell output" + default = "shell_output" +} + variable "mysql_user" { type = string description = "Username to set for the configured MySQL instance" 
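Review bot: The description of `tavern_request_timeout_seconds` should say that the value becomes the Cloud Run revision's `timeout_seconds`, so it bounds every request the service handles and not only the reverse-shell streams the default is sized for; someone lowering it to tighten the API needs to know shells die at the same limit, and someone keeping 3600 should know any other request may also be held open that long. It also misspells "accommodate". Suggested wording: `description = "Cloud Run request timeout applied to every request this service handles; defaults to 3600 to accommodate reverse shells, which are killed when this timeout is reached"`.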
@@ -146,6 +170,25 @@ locals { prometheus_container_name = "prometheus-sidecar" } +resource "google_pubsub_topic" "shell_input" { + count = var.disable_gcp_pubsub ? 0 : 1 + name = var.gcp_pubsub_topic_shell_input +} +resource "google_pubsub_subscription" "shell_input-sub" { + count = var.disable_gcp_pubsub ? 0 : 1 + name = gcp_pubsub_topic_shell_input + "-sub" + topic = google_pubsub_topic.shell_input.id +} +resource "google_pubsub_topic" "shell_output" { + count = var.disable_gcp_pubsub ? 0 : 1 + name = var.gcp_pubsub_topic_shell_output +} +resource "google_pubsub_subscription" "shell_output-sub" { + count = var.disable_gcp_pubsub ? 0 : 1 + name = var.gcp_pubsub_topic_shell_output + "-sub" + topic = google_pubsub_topic.shell_output.id +} + resource "google_cloud_run_service" "tavern" { name = "tavern" location = var.gcp_region @@ -157,9 +200,13 @@ resource "google_cloud_run_service" "tavern" { template { spec { + // Controls request timeout, must be long-lived to enable reverse shell support + timeout_seconds = var.tavern_request_timeout_seconds + containers { name = local.tavern_container_name image = var.tavern_container_image + ports { container_port = 80 } 
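Review bot: The two subscriptions take the Pub/Sub provider defaults, which are the wrong shape for shell traffic: an idle subscription is removed by the default expiration policy (31 days per the provider docs), so a deployment whose shells go unused for a month loses `shell_input-sub`/`shell_output-sub` out from under Terraform, and unacknowledged shell input/output is retained for the default retention window (7 days) even though the data is sensitive and only useful while a shell is open. Pin `expiration_policy { ttl = "" }` (never expire) and a short `message_retention_duration` (the 600s minimum) on both subscription resources, as sketched below. Separately, nothing in this hunk grants the Cloud Run runtime identity publish/subscribe rights on these resources; if that is expected to come from a broad project-level role, a `google_pubsub_topic_iam_member` / `google_pubsub_subscription_iam_member` binding scoped to exactly these four resources would keep the service account at least privilege (the service account itself is not visible in this hunk, so this is inferred).
```hcl
resource "google_pubsub_subscription" "shell_input-sub" {
  // … unchanged: count, name, topic …
  // Shell I/O is sensitive and only useful while the shell is open; keep unacked messages briefly
  message_retention_duration = "600s"
  // Default policy deletes an idle subscription after 31 days; shells may sit unused longer than that
  expiration_policy {
    ttl = ""
  }
}
// shell_output-sub gets the same two settings
```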
@@ -195,6 +242,33 @@ resource "google_cloud_run_service" "tavern" { name = "OAUTH_DOMAIN" value = format("https://%s", var.oauth_domain) } + + // Only configure GCP pubsub if it is not disabled + dynamic "env" { + for_each = var.disable_gcp_pubsub ? [] : [ + { + name = "PUBSUB_TOPIC_SHELL_INPUT" + value = format("gcppubsub://%s", google_pubsub_topic.shell_input.id) + }, + { + name = "PUBSUB_SUBSCRIPTION_SHELL_INPUT" + value = format("gcppubsub://%s", google_pubsub_subscription.shell_input-sub.id) + }, + { + name = "PUBSUB_TOPIC_SHELL_OUTPUT" + value = format("gcppubsub://%s", google_pubsub_topic.shell_output.id) + }, + { + name = "PUBSUB_SUBSCRIPTION_SHELL_OUTPUT" + value = format("gcppubsub://%s", google_pubsub_subscription.shell_output-sub.id) + } + ] + content { + name = env.value.name + value = env.value.value + } + } + env { name = "ENABLE_METRICS" value = var.enable_metrics ? "1" : "" From 85457f74c3ef739e75433af39bd055f314e09205 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:19:08 +0000 Subject: [PATCH 2/7] Fix terraform --- terraform/main.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 98bf5e297..36a0eb63d 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -24,9 +24,14 @@ variable "tavern_container_image" { } variable "tavern_request_timeout_seconds" { - type = int - description = "How many seconds before a request is dropped, defaults to 3600 to accomodate reverse shells (which are killed when this timeout is reached)" + type = number + description = "How many seconds before a request is dropped, defaults to 3600 (the maximum) to accomodate reverse shells (which are killed when this timeout is reached)" default = 3600 + + validation { + condition = var.tavern_request_timeout_seconds >= 1 && var.tavern_request_timeout_seconds <= 3600 + error_message = "tavern_request_timeout_seconds must be a value between 1 and 3600 seconds" + } } variable "gcp_project" { 
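Review bot: When `var.disable_gcp_pubsub` is true this block configures nothing and, per the variable's own description, the service falls back to in-memory pubsub that is only suitable for a single Tavern instance; nothing in the hunk or elsewhere in the commit caps the Cloud Run revision at one instance in that mode, so if autoscaling starts a second instance, shell input and shell output can be routed to different instances. Unless max instances is already pinned in the template metadata (not visible here), consider setting the `autoscaling.knative.dev/maxScale` annotation to `"1"` when `var.disable_gcp_pubsub` is true, or at minimum record the constraint above the `dynamic "env"` block: `// In-memory pubsub (disable_gcp_pubsub=true) only works when exactly one instance serves shells`. The enclosing `google_cloud_run_service` resource starts and ends outside this hunk.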
From e58806a7bc7539071cb3c80117382b4c4311581f Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:25:36 +0000 Subject: [PATCH 3/7] set default=false for disable gcp pubsub --- terraform/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/main.tf b/terraform/main.tf index 36a0eb63d..c3cbb0a7c 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -51,6 +51,7 @@ variable "gcp_region" { variable "disable_gcp_pubsub" { type = bool description = "Disables GCP pubsub setup and instead defaults to inmem pubsub, suitable for use-cases where only one tavern instance will exist and distributed orchestration is unnecessary" + default = false } variable "gcp_pubsub_topic_shell_input" { From 64d3bfd7296d58697f38c71d5074caa9c540be44 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:27:31 +0000 Subject: [PATCH 4/7] Fix terraform errors --- terraform/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index c3cbb0a7c..b8364ca8f 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -182,8 +182,8 @@ resource "google_pubsub_topic" "shell_input" { } resource "google_pubsub_subscription" "shell_input-sub" { count = var.disable_gcp_pubsub ? 0 : 1 - name = gcp_pubsub_topic_shell_input + "-sub" - topic = google_pubsub_topic.shell_input.id + name = format("%s-sub", gcp_pubsub_topic_shell_input) + topic = google_pubsub_topic.shell_input[0].id } resource "google_pubsub_topic" "shell_output" { count = var.disable_gcp_pubsub ? 0 : 1 @@ -191,8 +191,8 @@ resource "google_pubsub_topic" "shell_output" { } resource "google_pubsub_subscription" "shell_output-sub" { count = var.disable_gcp_pubsub ? 0 : 1 - name = var.gcp_pubsub_topic_shell_output + "-sub" - topic = google_pubsub_topic.shell_output.id + name = format("%s-sub", var.gcp_pubsub_topic_shell_output) + topic = google_pubsub_topic.shell_output[0].id } resource "google_cloud_run_service" "tavern" { 
From 810c53460babffe129724940cbfa94688d7e7d58 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:28:50 +0000 Subject: [PATCH 5/7] Fix terraform errors --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index b8364ca8f..2887d9863 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -182,7 +182,7 @@ resource "google_pubsub_topic" "shell_input" { } resource "google_pubsub_subscription" "shell_input-sub" { count = var.disable_gcp_pubsub ? 0 : 1 - name = format("%s-sub", gcp_pubsub_topic_shell_input) + name = format("%s-sub", var.gcp_pubsub_topic_shell_input) topic = google_pubsub_topic.shell_input[0].id } resource "google_pubsub_topic" "shell_output" { From 41dd6426fdd1b41971ecf3cd7dbdc26452d574e2 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:30:36 +0000 Subject: [PATCH 6/7] Fix terraform errors --- terraform/main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 2887d9863..527b81cf0 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -251,22 +251,22 @@ resource "google_cloud_run_service" "tavern" { // Only configure GCP pubsub if it is not disabled dynamic "env" { - for_each = var.disable_gcp_pubsub ? [] : [ + for_each = disable_gcp_pubsub ? [] : [ { name = "PUBSUB_TOPIC_SHELL_INPUT" - value = format("gcppubsub://%s", google_pubsub_topic.shell_input.id) + value = format("gcppubsub://%s", google_pubsub_topic.shell_input[0].id) }, { name = "PUBSUB_SUBSCRIPTION_SHELL_INPUT" - value = format("gcppubsub://%s", google_pubsub_subscription.shell_input-sub.id) + value = format("gcppubsub://%s", google_pubsub_subscription.shell_input-sub[0].id) }, { name = "PUBSUB_TOPIC_SHELL_OUTPUT" - value = format("gcppubsub://%s", google_pubsub_topic.shell_output.id) + value = format("gcppubsub://%s", google_pubsub_topic.shell_output[0].id) }, { name = "PUBSUB_SUBSCRIPTION_SHELL_OUTPUT" - value = format("gcppubsub://%s", google_pubsub_subscription.shell_output-sub.id) + value = format("gcppubsub://%s", google_pubsub_subscription.shell_output-sub[0].id) } ] content { @@ -283,7 +283,7 @@ resource "google_cloud_run_service" "tavern" { // Only create prometheus sidecar if metrics enabled dynamic "containers" { - for_each = var.enable_metrics ? [{ + for_each = enable_metrics ? [{ image = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.0.0" name = local.prometheus_container_name }] : [] From 7c0bbf47d9e900e6f85fd3d7dd8f56d25e234a81 Mon Sep 17 00:00:00 2001 From: KCarretto Date: Sat, 4 Jan 2025 21:31:18 +0000 Subject: [PATCH 7/7] Fix terraform errors --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 527b81cf0..4a8904a73 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -251,7 +251,7 @@ resource "google_cloud_run_service" "tavern" { // Only configure GCP pubsub if it is not disabled dynamic "env" { - for_each = disable_gcp_pubsub ? [] : [ + for_each = var.disable_gcp_pubsub ? [] : [ { name = "PUBSUB_TOPIC_SHELL_INPUT" value = format("gcppubsub://%s", google_pubsub_topic.shell_input[0].id) @@ -283,7 +283,7 @@ resource "google_cloud_run_service" "tavern" { // Only create prometheus sidecar if metrics enabled dynamic "containers" { - for_each = enable_metrics ? [{ + for_each = var.enable_metrics ? [{ image = "us-docker.pkg.dev/cloud-ops-agents-artifacts/cloud-run-gmp-sidecar/cloud-run-gmp-sidecar:1.0.0" name = local.prometheus_container_name }] : []