# Section 3: Provisioning Infrastructure

## Objective
This section explains how to provision a secure virtual server for the OpenCMMC Stack using Infrastructure as Code (IaC). We use Terraform for automated provisioning and Ansible for post-deployment configuration.
This environment will host your containerized, CMMC-aligned services and enforce key technical controls such as least privilege, rootless access, encryption, and system auditing from day one.
**NOTE:** In the OpenCMMC Stack automation workflow, the host operating system is hardened immediately during provisioning using the `bootstrap.sh` script. As soon as the virtual machine is created, it uses `cloud-init` to install Ansible and apply the `secure_ubuntu.yml` role from Section 4. This ensures CMMC-aligned controls are enforced at first boot.
## Target Environments
This guide is compatible with:
- Cloud providers: DigitalOcean, AWS EC2, Hetzner Cloud, Linode
- On-premise: VirtualBox, VMware, or Proxmox (with manual adaptation)
- Bare metal: Supported via PXE or image-based deployment
We demonstrate using DigitalOcean for simplicity and speed.
## Required Tools
Before proceeding, install the following on your local workstation:
- Terraform CLI
- Ansible
- Python 3 & pip
- SSH keypair for your user (`ssh-keygen`)
- DigitalOcean account and API token
## Directory Layout
Your cloned repo should look like this:
```
open-cmmc-stack/
├── terraform/
│   ├── main.tf
│   ├── variables.tf
│   ├── terraform.tfvars.example
│   └── bootstrap.sh
└── ansible/
    ├── secure_ubuntu.yml
    └── roles/
        └── secure_ubuntu/
            └── tasks/main.yml
```
## Step-by-Step Provisioning with Terraform

### 1. Copy and Customize Variable Values

```bash
cp terraform/terraform.tfvars.example terraform/terraform.tfvars
```

Edit `terraform.tfvars` to include your actual DigitalOcean token and SSH key fingerprint.
### 2. Initialize Terraform

```bash
cd terraform
terraform init
```
### 3. Apply and Provision the Droplet

```bash
terraform apply
```

Terraform will create the VM, inject your SSH key, and use `bootstrap.sh` to start the Ansible hardening playbook.

To retrieve the IP address of your new host:

```bash
terraform output -raw droplet_ip
```

You can then connect using:

```bash
ssh -i ~/.ssh/id_rsa cmmcadmin@$(terraform output -raw droplet_ip)
```
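A pre-flight check for step 1, added here as example code that is not part of the open-cmmc-stack repository: before running `terraform apply`, confirm that `terraform.tfvars` actually carries a token and a well-formed SSH key fingerprint, and that the file holding the live token is not tracked by git. It assumes the file sets `do_token` and `ssh_fingerprint` (the input names declared in `variables.tf`) as plain `name = "value"` lines, and that the fingerprint is the MD5 colon-separated form DigitalOcean expects. The script name `check_tfvars.sh` and the placeholder patterns it rejects are assumptions.

```shell
#!/bin/sh
# check_tfvars.sh: pre-flight validation of terraform/terraform.tfvars
# (added example; hypothetical script name, not part of the OpenCMMC Stack repo).

# Print the quoted value assigned to a variable in a tfvars file.
# First assignment wins; prints nothing if the variable is not set.
tfvar() {
    # $1 = tfvars path, $2 = variable name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# MD5 fingerprint of a public key file, in the aa:bb:...:ff form DigitalOcean uses.
pubkey_fingerprint() {
    ssh-keygen -l -E md5 -f "$1" | awk '{ sub(/^MD5:/, "", $2); print $2 }'
}

# True when the value is 16 colon-separated lowercase hex bytes.
is_md5_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
}

# Validate a tfvars file: token present and not an obvious placeholder
# (assumed placeholder words), fingerprint well-formed. Problems go to stderr;
# returns 1 if anything is wrong, 0 otherwise.
validate_tfvars() {
    problems=0
    token=$(tfvar "$1" do_token)
    fp=$(tfvar "$1" ssh_fingerprint)
    case "$token" in
        ""|*your*|*YOUR*|*example*|*EXAMPLE*|*change*|*CHANGE*)
            echo "do_token is empty or still a placeholder" >&2
            problems=1 ;;
    esac
    if ! is_md5_fingerprint "$fp"; then
        echo "ssh_fingerprint '$fp' is not an MD5 fingerprint (aa:bb:...:ff)" >&2
        problems=1
    fi
    return "$problems"
}

# Usage: sh check_tfvars.sh terraform/terraform.tfvars [~/.ssh/id_rsa.pub]
# With a public key given, also confirms the fingerprint in the file belongs
# to that key, and warns if the tfvars file (which holds a live token) is
# tracked by git.
if [ "$#" -ge 1 ]; then
    validate_tfvars "$1" || exit 1
    if [ -n "${2:-}" ] && [ "$(pubkey_fingerprint "$2")" != "$(tfvar "$1" ssh_fingerprint)" ]; then
        echo "ssh_fingerprint does not match $2" >&2
        exit 1
    fi
    if git ls-files --error-unmatch "$1" >/dev/null 2>&1; then
        echo "WARNING: $1 is tracked by git; it contains a live API token and must not be committed" >&2
    fi
    echo "$1 looks ready for terraform apply"
fi
```

Run it from the repository root before step 3; a non-zero exit means the apply would either fail at the provider or inject the wrong key, and the git warning is the check that keeps the token out of the repository history.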
## Non-Root SSH Login

The Ansible hardening role will:

- Create a non-root user `cmmcadmin`
- Add your public SSH key to `~/.ssh/authorized_keys`
- Disable password login
- Disable SSH access for `root`
- Enable and configure UFW to allow only SSH
This ensures a minimum-privilege access posture from the start.
## Terraform File Descriptions

- `main.tf`: Defines the DigitalOcean droplet resource and provider
- `variables.tf`: Declares expected inputs like `do_token` and `ssh_fingerprint`
- `terraform.tfvars.example`: Provides an example configuration you should copy and edit
- `bootstrap.sh`: Runs on the VM after creation to install dependencies and run the hardening playbook automatically
## Post-Provision Checklist

After provisioning, validate:

- SSH access using `cmmcadmin` and your private key
- Root login is disabled
- Firewall is active (`ufw status`)
- Ansible has applied initial hardening
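The following script, added here as example code that is not part of the OpenCMMC Stack repository, turns the "Non-Root SSH Login" settings and this checklist into repeatable checks. Offline, it reviews a copied `sshd_config` the way sshd itself reads it: the first occurrence of a keyword wins, so a stray `PermitRootLogin yes` near the top of the file (or in an `Include`d drop-in, which Ubuntu places before the main body) silently overrides a later `no`, and a keyword that never appears falls back to sshd's default (`PasswordAuthentication` defaults to `yes`). On the live droplet it queries `sshd -T`, which reports the configuration sshd actually resolved. The script name `check_host.sh` is an assumption; `cmmcadmin` is the user named on this page.

```shell
#!/bin/sh
# check_host.sh: post-provision SSH and firewall verification
# (added example; hypothetical script name, not part of the OpenCMMC Stack repo).

# Effective global value of an sshd keyword from a config file.
# sshd uses the FIRST occurrence of a keyword, so we stop at the first match,
# and we stop at the first "Match" block because values inside it are
# conditional rather than global. Keywords are case-insensitive and may be
# written "Key value" or "Key=value". Prints nothing if the keyword is absent.
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$k" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { gsub(/=/, " "); k = tolower($1) }  # normalise Key=value and case
        k == "match" { exit }                # only global scope counts
        k == key { print $2; exit }          # first occurrence wins
    ' "$1"
}

# Compare one keyword against its expected value; an absent keyword is
# evaluated at sshd's compiled-in default ($4). Detail lines go to stderr.
sshd_expect() {
    # $1 = config path, $2 = keyword, $3 = expected value, $4 = default if absent
    actual=$(sshd_effective "$1" "$2")
    actual=${actual:-$4}
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'OK    %s = %s\n' "$2" "$actual" >&2
        return 0
    fi
    printf 'FAIL  %s = %s (expected %s)\n' "$2" "$actual" "$3" >&2
    return 1
}

# Number of failed checks for the settings the hardening role enforces
# (0 means the file matches the "Non-Root SSH Login" posture).
sshd_failures() {
    n=0
    sshd_expect "$1" PermitRootLogin no prohibit-password || n=$((n + 1))
    sshd_expect "$1" PasswordAuthentication no yes || n=$((n + 1))
    sshd_expect "$1" PubkeyAuthentication yes yes || n=$((n + 1))
    echo "$n"
}

# On the live host (needs sudo): sshd -T prints the configuration sshd has
# already resolved, Include files and first-match rules applied.
live_host_checks() {
    sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|pubkeyauthentication) '
    sudo ufw status verbose                   # expect "Status: active" and only an SSH allow rule
    id cmmcadmin                              # the non-root admin user the role creates
    stat -c '%a %U' ~/.ssh/authorized_keys    # expect 600 cmmcadmin
}

# Usage: sh check_host.sh --live          on the droplet, as cmmcadmin
#        sh check_host.sh sshd_config     to review a copied file offline
case "${1:-}" in
    --live) live_host_checks ;;
    "") ;;
    *) n=$(sshd_failures "$1"); echo "$n failed check(s)"; [ "$n" -eq 0 ] ;;
esac
```

The offline mode is useful for reviewing the role's rendered template before it is applied; the live mode is the one to run for the checklist above, since only `sshd -T` reflects drop-in files and overrides the running daemon has actually honoured.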
## Alternative: Provision Manually + Ansible Pull

For air-gapped or restricted environments, you may:

- Provision an Ubuntu server manually
- Upload your SSH key
- Log in and run:

```bash
sudo apt update && sudo apt install -y git ansible
git clone https://github.com/mtkell/open-cmmc-stack.git
cd open-cmmc-stack/ansible
ansible-playbook -i localhost, secure_ubuntu.yml
```
## Relevant CMMC Practices Addressed

| CMMC Practice | Description |
|---|---|
| AC.1.001 | Limit system access to authorized users |
| CM.2.062 | Employ security configuration baselines |
| MA.3.115 | Perform automated maintenance updates |
| SC.3.177 | Protect confidentiality with encrypted comms |
## Infrastructure Provisioning Diagram

To visualize this process, refer to the following diagram:

The source Mermaid file is available at `docs/img/diagrams/03_provisioning-detailed-diagram.mmd`.
## Next Step
Once your infrastructure is provisioned and secured, proceed to Section 4: Securing the Host OS to continue the deployment of core CMMC capabilities.