BishopFox · VladimirTulcinsky · Mar 14, 2025 · Mar 14, 2025 · Mar 15, 2025 · Mar 15, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,32 @@
+# Use a smaller base image (debian-slim)
+FROM debian:bullseye-slim
+
+# Set non-interactive mode to avoid prompting during apt-get install
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install dependencies, AWS CLI, Terraform in one RUN step and clean up cache
+RUN apt-get update && apt-get install -y \
+    curl \
+    nano \
+    unzip \
+    ca-certificates \
+    gnupg \
+    lsb-release \
+    jq \
+    software-properties-common \
+    && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
+    && unzip awscliv2.zip && ./aws/install \
+    && rm -rf awscliv2.zip ./aws \
+    && curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - \
+    && apt-add-repository "deb https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+    && apt-get update && apt-get install -y terraform \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Copy the application code
+COPY . /cloudfoxable
+
+# Set the working directory (optional)
+WORKDIR /cloudfoxable/aws
+
+# Default command (optional)
+ENTRYPOINT ["/bin/bash"]
diff --git a/README.md b/README.md
@@ -57,6 +57,40 @@ Whenever you want to remove all of the CloudFoxable-created resources, you can r
 1. `cd cloudfoxable/aws`
 1. `terraform destroy`
 
+
+# Build with Docker
+
+If you're using **Windows**, you might encounter issues when deploying some of the challenges due to platform-specific limitations. To avoid this, a Dockerfile is provided to help you build and run the application in a consistent environment across different systems.
+
+<details>
+    <summary>Click to expand</summary>
+
+## Clone the Repository
+
+Start by cloning the repository to your local machine:
+
+```bash
+git clone https://github.com/BishopFox/cloudfoxable.git
+cd cloudfoxable
+```
+
+## Build the Docker Image
+Once you have cloned the repository, build the Docker image with the following command. This will ensure that you are using a fresh build without any cached layers:
+```bash
+docker build --no-cache -t cloudfoxable .
+```
+
+### Run Docker on Windows with PowerShell
+If you're on Windows, use the following PowerShell command to run the Docker container. This will:
+- Mount your AWS credentials file to the container for persistence.
+- Mount your Terraform (state) file(s) to the container for persistence. You can directly edit **terraform.tfvars** in the container by means of **nano** and it will be replicated to your host by means of the bind mount.
+- Start an interactive session where you can run Terraform commands.
+```pwsh
+cd aws
+docker run -it -v $env:USERPROFILE/.aws/credentials:/root/.aws/credentials -v ${PWD}:/cloudfoxable/aws cloudfoxable
+```
+</details>
+
 # Hungry for more? 
 
 https://github.com/iknowjason/Awesome-CloudSec-Labs

diff --git a/aws/challenges/Middle/middle.tf b/aws/challenges/Middle/middle.tf
@@ -158,30 +158,29 @@ resource "aws_sqs_queue" "terraform_queue_deadletter" {
 resource "aws_sqs_queue_policy" "schedule-event-rce-policy" {
   queue_url = aws_sqs_queue.internal_message_bus.id
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "sqspolicy",
-  "Statement": [
-    {
-      "Sid": "First",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
-      "Resource": "${aws_sqs_queue.internal_message_bus.arn}",
-      "Condition": {
-          "IpAddress": {
-            "aws:SourceIp": "${var.user_ip}/32"
+  policy = jsonencode({
+    Version   = "2012-10-17"
+    Id        = "sqspolicy"
+    Statement = [
+      {
+        Sid       = "First"
+        Effect    = "Allow"
+        Principal = "*"
+        Action    = ["sqs:SendMessage", "sqs:ReceiveMessage"]
+        Resource  = aws_sqs_queue.internal_message_bus.arn
+        Condition = {
+          IpAddress = {
+            "aws:SourceIp" = "${var.user_ip}/32"
           }
+        }
       }
-    }
-  ]
-}
-POLICY
+    ]
+  })
 }
 
 
 
+
 resource "aws_iam_role" "consumer" {
   name                = "swanson"
   assume_role_policy  = jsonencode({

diff --git a/aws/challenges/The topic is exposure/the-topic-is-exposure.tf b/aws/challenges/The topic is exposure/the-topic-is-exposure.tf
@@ -48,29 +48,28 @@ resource "aws_iam_role_policy_attachment" "sns_publish_policy_attachment" {
 resource "aws_sns_topic_policy" "schedule-event-policy" {
   arn = aws_sns_topic.eventbridge_sns.arn
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "snspolicy",
-  "Statement": [
-    {
-      "Sid": "First",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": ["sns:Subscribe", "sns:Publish"],
-      "Resource": "${aws_sns_topic.eventbridge_sns.arn}",
-      "Condition": {
-          "IpAddress": {
-            "aws:SourceIp": "${var.user_ip}/32"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "snspolicy"
+    Statement = [
+      {
+        Sid       = "First"
+        Effect    = "Allow"
+        Principal = "*"
+        Action    = ["sns:Subscribe", "sns:Publish"]
+        Resource  = aws_sns_topic.eventbridge_sns.arn
+        Condition = {
+          IpAddress = {
+            "aws:SourceIp" = "${var.user_ip}/32"
           }
         }
-    }
-  ]
-}
-POLICY
+      }
+    ]
+  })
 }
 
 
+
 resource "aws_sns_topic" "eventbridge_sns" {
   name = "eventbridge-sns"
   tags = {
@@ -80,7 +79,7 @@ resource "aws_sns_topic" "eventbridge_sns" {
 
 
 variable "jsonDataSNS" {
-  type = string
+  type    = string
   default = <<JSON
 {
      "firstName": "John",
@@ -112,21 +111,21 @@ JSON
 
 // eventbridge schedule to send message to sns topic every minute
 resource "aws_scheduler_schedule" "test_eventbridge-sns" {
-  name                = "test-eventbridge-sns"
-  description         = "sends sns message to topic"
+  name        = "test-eventbridge-sns"
+  description = "sends sns message to topic"
   flexible_time_window {
     mode = "OFF"
   }
 
-schedule_expression = "rate(1 minutes)"
+  schedule_expression = "rate(1 minutes)"
+
+  target {
+    arn      = aws_sns_topic.eventbridge_sns.arn
+    role_arn = aws_iam_role.event_bridge_sns_role.arn
 
-target {
-  arn      = aws_sns_topic.eventbridge_sns.arn
-  role_arn = aws_iam_role.event_bridge_sns_role.arn
 
 
-
-  input = var.jsonDataSNS
+    input = var.jsonDataSNS
   }
 }
 

diff --git a/aws/main.tf b/aws/main.tf
@@ -31,9 +31,9 @@ provider "aws" {
 
 data "aws_caller_identity" "current" {}
 
-
+# ifconfig returns more than just the ip or could return ipv6
 data "http" "current_ip" {
-  url = "https://ifconfig.me"
+  url = "https://api.ipify.org"
 }
 
 locals {