First batch of tf security improvements (#4798)

2026-05-24 01:18:42 +00:00 · 2022-03-30 13:24:30 -04:00 · 2022-03-30 13:24:30 -04:00 · 22dda3adf5
commit 22dda3adf5
parent b13984a646
19 changed files with 249 additions and 114 deletions
--- a/tools/loadtesting/terraform/ecs-iam.tf
+++ b/tools/loadtesting/terraform/ecs-iam.tf
@ -39,6 +39,8 @@ data "aws_iam_policy_document" "fleet" {
    resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
  }

+
+  // We use wildcards on these actions for buckets that are single-use.
  statement {
    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards
      "kms:Encrypt*",
--- a/tools/loadtesting/terraform/ecs-sgs.tf
+++ b/tools/loadtesting/terraform/ecs-sgs.tf
@ -10,11 +10,11 @@ resource "aws_security_group_rule" "lb-ingress" {
  description = "${local.prefix}: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "443"
-  to_port     = "443"
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-
+  from_port = "443"
+  to_port   = "443"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.lb.id
 }

@ -22,9 +22,10 @@ resource "aws_security_group_rule" "lb-http-ingress" {
  description = "${local.prefix}: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "80"
-  to_port     = "80"
-  protocol    = "tcp"
+  from_port = "80"
+  to_port   = "80"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr

  security_group_id = aws_security_group.lb.id
@ -65,7 +66,8 @@ resource "aws_security_group_rule" "lb-kibana" {
 }

 # Allow outbound traffic
-resource "aws_security_group_rule" "lb-egress" {
+// Egress filtering is not currently provided by our Terraform templates.
+resource "aws_security_group_rule" "lb-egress" { #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
  description = "${local.prefix}: allow all outbound traffic"
  type        = "egress"

@ -103,10 +105,11 @@ resource "aws_security_group_rule" "backend-egress" {
  description = "${local.prefix}: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.backend.id
 }
--- a/tools/loadtesting/terraform/ecs.tf
+++ b/tools/loadtesting/terraform/ecs.tf
@ -1,5 +1,6 @@
 resource "aws_alb" "main" {
-  name                       = "fleetdm"
+  name = "fleetdm"
+  // Exposed to the Internet by design
  internal                   = false #tfsec:ignore:aws-elb-alb-not-public
  security_groups            = [aws_security_group.lb.id, aws_security_group.backend.id]
  subnets                    = module.vpc.public_subnets
@ -21,7 +22,8 @@ resource "aws_alb" "internal" {
 resource "aws_alb_listener" "https-fleetdm-internal" {
  load_balancer_arn = aws_alb.internal.arn
  port              = 80
-  protocol          = "HTTP" #tfsec:ignore:aws-elb-http-not-used
+  // We will evaluate removing all HTTP eventually, including the removal of HTTP redirects.
+  protocol = "HTTP" #tfsec:ignore:aws-elb-http-not-used:exp:2022-06-01

  default_action {
    target_group_arn = aws_alb_target_group.internal.arn
@ -140,8 +142,9 @@ resource "aws_ecs_service" "fleet" {

  depends_on = [aws_alb_listener.http, aws_alb_listener.https-fleetdm]
 }
-
-resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:2022-07-01
  name              = "fleetdm"
  retention_in_days = 1
 }
--- a/tools/loadtesting/terraform/elasticsearch.tf
+++ b/tools/loadtesting/terraform/elasticsearch.tf
@ -59,10 +59,11 @@ resource "aws_security_group_rule" "es-egress" {
  description = "${local.prefix}: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.elasticsearch.id
 }
--- a/tools/loadtesting/terraform/firehose.tf
+++ b/tools/loadtesting/terraform/firehose.tf
@ -1,4 +1,10 @@
-resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = "fleet-loadtest-osquery-logs-archive"
  acl    = "private"

@ -22,15 +28,19 @@ resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-cus
 }

 resource "aws_s3_bucket_public_access_block" "osquery-results" {
-  bucket = aws_s3_bucket.osquery-results.id
-
+  bucket                  = aws_s3_bucket.osquery-results.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
 }
-
-resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = "fleet-loadtest-osquery-status-archive"
  acl    = "private"

@ -61,6 +71,14 @@ resource "aws_s3_bucket_public_access_block" "osquery-status" {
  restrict_public_buckets = true
 }

+resource "aws_s3_bucket_public_access_block" "osquery-status" {
+  bucket                  = aws_s3_bucket.osquery-status.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 data "aws_iam_policy_document" "osquery_results_policy_doc" {
  statement {
    effect = "Allow"
@ -71,6 +89,7 @@ data "aws_iam_policy_document" "osquery_results_policy_doc" {
      "s3:ListBucketMultipartUploads",
      "s3:PutObject"
    ]
+    // This bucket is single-purpose and using a wildcard is not problematic
    resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
  }
 }
@ -85,6 +104,7 @@ data "aws_iam_policy_document" "osquery_status_policy_doc" {
      "s3:ListBucketMultipartUploads",
      "s3:PutObject"
    ]
+    // This bucket is single-purpose and using a wildcard is not problematic
    resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
  }
 }
--- a/tools/loadtesting/terraform/redis.tf
+++ b/tools/loadtesting/terraform/redis.tf
@ -11,8 +11,8 @@ resource "aws_elasticache_replication_group" "default" {
  port                          = "6379"
  snapshot_retention_limit      = 0
  automatic_failover_enabled    = true
-  at_rest_encryption_enabled    = false #tfsec:ignore:aws-elasticache-enable-at-rest-encryption
-  transit_encryption_enabled    = false #tfsec:ignore:aws-elasticache-enable-in-transit-encryption
+  at_rest_encryption_enabled    = true
+  transit_encryption_enabled    = true
  apply_immediately             = true
  replication_group_description = "fleetdm-redis"

@ -33,15 +33,17 @@ resource "aws_elasticache_parameter_group" "default" { #tfsec:ignore:aws-vpc-add
 }

 resource "aws_security_group" "redis" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key tfsec:ignore:aws-vpc-add-description-to-security-group
-  name   = local.security_group_name
-  vpc_id = module.vpc.vpc_id
+  name        = local.security_group_name
+  description = "Security group for Redis"
+  vpc_id      = module.vpc.vpc_id
 }

 locals {
  security_group_name = "${local.prefix}-elasticache-redis"
 }

-resource "aws_security_group_rule" "ingress" { #tfsec:ignore:aws-vpc-add-description-to-security-group-rule
+resource "aws_security_group_rule" "ingress" {
+  description       = "Redis from private VPC"
  type              = "ingress"
  from_port         = "6379"
  to_port           = "6379"
@ -50,11 +52,13 @@ resource "aws_security_group_rule" "ingress" { #tfsec:ignore:aws-vpc-add-descrip
  security_group_id = aws_security_group.redis.id
 }

-resource "aws_security_group_rule" "egress" { #tfsec:ignore:aws-vpc-add-description-to-security-group-rule
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+resource "aws_security_group_rule" "egress" {
+  description = "Redis VPC egress"
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
  security_group_id = aws_security_group.redis.id
 }
--- a/tools/terraform/ecs-iam.tf
+++ b/tools/terraform/ecs-iam.tf
@ -39,7 +39,8 @@ data "aws_iam_policy_document" "fleet" {
    resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
  }

-  statement {
+  // We use wildcards on these actions for buckets that are single-use.
+  statement { #tfsec:ignore:aws-iam-no-policy-wildcards
    effect = "Allow"
    actions = [
      "s3:GetObject*",
--- a/tools/terraform/ecs-sgs.tf
+++ b/tools/terraform/ecs-sgs.tf
@ -10,10 +10,11 @@ resource "aws_security_group_rule" "lb-ingress" {
  description = "${var.prefix}: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "443"
-  to_port     = "443"
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = "443"
+  to_port   = "443"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr

  security_group_id = aws_security_group.lb.id
 }
@ -22,10 +23,11 @@ resource "aws_security_group_rule" "lb-http-ingress" {
  description = "${var.prefix}: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "80"
-  to_port     = "80"
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = "80"
+  to_port   = "80"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr

  security_group_id = aws_security_group.lb.id
 }
@ -35,10 +37,11 @@ resource "aws_security_group_rule" "lb-egress" {
  description = "${var.prefix}: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.lb.id
 }
@ -69,10 +72,11 @@ resource "aws_security_group_rule" "backend-egress" {
  description = "${var.prefix}: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.backend.id
 }
--- a/tools/terraform/ecs.tf
+++ b/tools/terraform/ecs.tf
@ -12,11 +12,12 @@ resource "aws_route53_record" "record" {
 }

 resource "aws_alb" "main" {
-  name            = "fleetdm"
-  internal        = false
-  security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
-  subnets         = module.vpc.public_subnets
-  idle_timeout    = 120
+  // Exposed to the Internet by design
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public
+  security_groups            = [aws_security_group.lb.id, aws_security_group.backend.id]
+  subnets                    = module.vpc.public_subnets
+  idle_timeout               = 120
+  name                       = "fleetdm"
  drop_invalid_header_fields = true
 }

@ -108,8 +109,9 @@ resource "aws_ecs_service" "fleet" {

  depends_on = [aws_alb_listener.http, aws_alb_listener.https-fleetdm]
 }
-
-resource "aws_cloudwatch_log_group" "backend" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:2022-07-01
  name              = "fleetdm"
  retention_in_days = 1
 }
@ -194,6 +196,10 @@ resource "aws_ecs_task_definition" "backend" {
            name  = "FLEET_REDIS_ADDRESS"
            value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
          },
+          {
+            name  = "FLEET_REDIS_USE_TLS"
+            value = "true"
+          },
          {
            name  = "FLEET_FIREHOSE_STATUS_STREAM"
            value = aws_kinesis_firehose_delivery_stream.osquery_status.name
@ -310,6 +316,10 @@ resource "aws_ecs_task_definition" "migration" {
            name  = "FLEET_REDIS_ADDRESS"
            value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
          },
+          {
+            name  = "FLEET_REDIS_USE_TLS"
+            value = "true"
+          }
        ]
      }
  ])
--- a/tools/terraform/firehose.tf
+++ b/tools/terraform/firehose.tf
@ -1,4 +1,10 @@
-resource "aws_s3_bucket" "osquery-results" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future. 
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01  #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = var.osquery_results_s3_bucket
  acl    = "private"

@ -18,7 +24,21 @@ resource "aws_s3_bucket" "osquery-results" {
  }
 }

-resource "aws_s3_bucket" "osquery-status" {
+resource "aws_s3_bucket_public_access_block" "osquery-results" {
+  bucket                  = aws_s3_bucket.osquery-results.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = var.osquery_status_s3_bucket
  acl    = "private"

@ -38,6 +58,14 @@ resource "aws_s3_bucket" "osquery-status" {
  }
 }

+resource "aws_s3_bucket_public_access_block" "osquery-status" {
+  bucket                  = aws_s3_bucket.osquery-status.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 data "aws_iam_policy_document" "osquery_results_policy_doc" {
  statement {
    effect = "Allow"
@ -48,7 +76,8 @@ data "aws_iam_policy_document" "osquery_results_policy_doc" {
      "s3:ListBucketMultipartUploads",
      "s3:PutObject"
    ]
-    resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"]
+    // This bucket is single-purpose and using a wildcard is not problematic
+    resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
  }
 }

@ -62,7 +91,8 @@ data "aws_iam_policy_document" "osquery_status_policy_doc" {
      "s3:ListBucketMultipartUploads",
      "s3:PutObject"
    ]
-    resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"]
+    // This bucket is single-purpose and using a wildcard is not problematic
+    resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
  }
 }

--- a/tools/terraform/gcp/loadbalancer.tf
+++ b/tools/terraform/gcp/loadbalancer.tf
@ -1,6 +1,9 @@
 resource "google_dns_managed_zone" "default" {
  dns_name = var.dns_name
  name     = "${var.prefix}-zone"
+  dnssec_config {
+    state = "on"
+  }
 }

 resource "google_dns_record_set" "default" {
--- a/tools/terraform/monitoring/monitoring.tf
+++ b/tools/terraform/monitoring/monitoring.tf
@ -37,7 +37,9 @@ locals {
 }

 // sns topic to send cloudwatch alarms to
-resource "aws_sns_topic" "cloudwatch_alarm_topic" {
+// sns topic encryption is not currently supported but is something we will investigate providing in
+// the future
+resource "aws_sns_topic" "cloudwatch_alarm_topic" { #tfsec:ignore:aws-sns-enable-topic-encryption:exp:2022-08-01
  name = "cloudwatch-alarm-${terraform.workspace}"
 }

--- a/tools/terraform/percona/percona.tf
+++ b/tools/terraform/percona/percona.tf
@ -22,11 +22,13 @@ resource "aws_route53_record" "record" {
 }

 resource "aws_lb" "main" {
-  name            = "percona"
-  internal        = false
-  security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
-  subnets         = var.public_subnets
-  idle_timeout    = 120
+  name = "percona"
+  // Exposed to the Internet by design
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public
+  security_groups            = [aws_security_group.lb.id, aws_security_group.backend.id]
+  subnets                    = var.public_subnets
+  idle_timeout               = 120
+  drop_invalid_header_fields = true
 }

 resource "aws_lb_listener" "https" {
@ -55,12 +57,16 @@ resource "aws_lb_target_group_attachment" "percona" {
  target_id        = aws_instance.percona.id
 }

-resource "aws_instance" "percona" {
+// No permanent EBS encrypted volume at the moment.
+resource "aws_instance" "percona" { #tfsec:ignore:aws-ec2-enable-at-rest-encryption:exp:2022-07-15
  ami                    = data.aws_ami.percona.id
  instance_type          = "m5.large"
  subnet_id              = var.private_subnet
  vpc_security_group_ids = [aws_security_group.backend.id]
  iam_instance_profile   = aws_iam_instance_profile.profile.name
+  metadata_options {
+    http_tokens = "required"
+  }
 }

 resource "aws_iam_instance_profile" "profile" {
@ -87,8 +93,8 @@ resource "aws_iam_role" "role" {
 }
 EOF
 }
-
-resource "aws_iam_policy" "policy" {
+// This bucket is single-purpose and using a wildcard is not problematic
+resource "aws_iam_policy" "policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
  name        = "percona-policy"
  description = "policy to discover rds instances"

--- a/tools/terraform/percona/security_groups.tf
+++ b/tools/terraform/percona/security_groups.tf
@ -8,10 +8,11 @@ resource "aws_security_group_rule" "lb-ingress" {
  description = "percona: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "443"
-  to_port     = "443"
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = "443"
+  to_port   = "443"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr

  security_group_id = aws_security_group.lb.id
 }
@ -20,10 +21,11 @@ resource "aws_security_group_rule" "lb-http-ingress" {
  description = "percona: allow traffic from public internet"
  type        = "ingress"

-  from_port   = "80"
-  to_port     = "80"
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = "80"
+  to_port   = "80"
+  protocol  = "tcp"
+  // Internet connectivity here is by design
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr

  security_group_id = aws_security_group.lb.id
 }
@ -31,10 +33,11 @@ resource "aws_security_group_rule" "backend-egress" {
  description = "percona: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.backend.id
 }
@ -50,10 +53,11 @@ resource "aws_security_group_rule" "lb-egress" {
  description = "percona: allow all outbound traffic"
  type        = "egress"

-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01

  security_group_id = aws_security_group.lb.id
 }
--- a/tools/terraform/percona/variables.tf
+++ b/tools/terraform/percona/variables.tf
@ -1,24 +1,24 @@
 variable "zone_id" {
  description = "R53 Zone ID to host Percona in"
-  type = string
+  type        = string
 }

 variable "domain_name" {
  description = "Domain name for Percona DNS"
-  type = string
+  type        = string
 }

 variable "public_subnets" {
  description = "Public subnets for the Percona LB"
-  type = list(string)
+  type        = list(string)
 }

 variable "private_subnet" {
  description = "Private subnets for the Percona App instance"
-  type = string
+  type        = string
 }

 variable "vpc_id" {
  description = "VPC ID"
-  type = string
+  type        = string
 }
--- a/tools/terraform/rds.tf
+++ b/tools/terraform/rds.tf
@ -1,9 +1,10 @@
 resource "random_password" "database_password" {
-  length  = 16
+  length  = 32
  special = false
 }
-
-resource "aws_secretsmanager_secret" "database_password_secret" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_secretsmanager_secret" "database_password_secret" { #tfsec:ignore:aws-ssm-secret-use-customer-key:exp:2022-07-01
  name = "/fleet/database/password/master"
 }

--- a/tools/terraform/redis.tf
+++ b/tools/terraform/redis.tf
@ -23,14 +23,15 @@ resource "aws_elasticache_replication_group" "default" {
  port                          = "6379"
  maintenance_window            = var.maintenance_window
  snapshot_retention_limit      = 0
-  automatic_failover_enabled    = false
-  at_rest_encryption_enabled    = false
-  transit_encryption_enabled    = false
+  automatic_failover_enabled    = true
+  at_rest_encryption_enabled    = true
+  transit_encryption_enabled    = true
  apply_immediately             = true
  replication_group_description = "fleetdm-redis"
 }

-resource "aws_security_group" "redis" {
+resource "aws_security_group" "redis" { #tfsec:ignore:aws-vpc-add-description-to-security-group
+  // description = "Security group for Redis" // cannot add description without recreation
  name   = local.security_group_name
  vpc_id = module.vpc.vpc_id
 }
@ -40,6 +41,7 @@ locals {
 }

 resource "aws_security_group_rule" "ingress" {
+  description       = "Redis from private VPC"
  type              = "ingress"
  from_port         = "6379"
  to_port           = "6379"
@ -49,11 +51,13 @@ resource "aws_security_group_rule" "ingress" {
 }

 resource "aws_security_group_rule" "egress" {
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
+  description = "Redis VPC egress"
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  // Egress filtering is not currently provided by our Terraform templates.
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
  security_group_id = aws_security_group.redis.id
 }

--- a/tools/terraform/remote-state/main.tf
+++ b/tools/terraform/remote-state/main.tf
@ -9,8 +9,12 @@ variable "region" {
 provider "aws" {
  region = var.region
 }
-
-resource "aws_s3_bucket" "remote_state" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "remote_state" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = "${var.prefix}-terraform-remote-state"
  acl    = "private"
  versioning {
@ -19,15 +23,24 @@ resource "aws_s3_bucket" "remote_state" {
  lifecycle {
    prevent_destroy = true
  }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
  tags = {
    Name = "S3 Remote Terraform State Store"
  }
 }

 resource "aws_s3_bucket_public_access_block" "fleet_terraform_state" {
-  bucket              = aws_s3_bucket.remote_state.id
-  block_public_acls   = true
-  block_public_policy = true
+  bucket                  = aws_s3_bucket.remote_state.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 }


@ -44,4 +57,13 @@ resource "aws_dynamodb_table" "fleet_terraform_state_lock" {
  tags = {
    Name = "DynamoDB Terraform State Lock Table"
  }
+  // Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+  // possibility of providing this capability in the future.
+  server_side_encryption { #tfsec:ignore:aws-dynamodb-table-customer-key:exp:2022-07-01
+    enabled = true         // enabled server side encryption
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
 }
--- a/tools/terraform/s3.tf
+++ b/tools/terraform/s3.tf
@ -1,5 +1,12 @@
-// file carving destination
-resource "aws_s3_bucket" "osquery-carve" {
+// file carving destination with versioning disabled and lifecycle to ensure files get deleted and
+// no version is ever kept
+
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-carve" { #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = "osquery-carve-${terraform.workspace}"
  acl    = "private"

@ -17,4 +24,12 @@ resource "aws_s3_bucket" "osquery-carve" {
      }
    }
  }
+}
+
+resource "aws_s3_bucket_public_access_block" "osquery-carve" {
+  bucket                  = aws_s3_bucket.osquery-carve.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 }