diff --git a/tools/loadtesting/terraform/ecs-iam.tf b/tools/loadtesting/terraform/ecs-iam.tf
index f628953e9f..0b6063f8b3 100644
--- a/tools/loadtesting/terraform/ecs-iam.tf
+++ b/tools/loadtesting/terraform/ecs-iam.tf
@@ -39,6 +39,8 @@ data "aws_iam_policy_document" "fleet" {
 resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
 }
+
+ // We use wildcards on these actions for buckets that are single-use.
 statement {
 actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards
 "kms:Encrypt*",
diff --git a/tools/loadtesting/terraform/ecs-sgs.tf b/tools/loadtesting/terraform/ecs-sgs.tf
index 449dd5ddb0..8b7feacbf9 100644
--- a/tools/loadtesting/terraform/ecs-sgs.tf
+++ b/tools/loadtesting/terraform/ecs-sgs.tf
@@ -10,11 +10,11 @@ resource "aws_security_group_rule" "lb-ingress" {
 description = "${local.prefix}: allow traffic from public internet"
 type = "ingress"
- from_port = "443"
- to_port = "443"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-
+ from_port = "443"
+ to_port = "443"
+ protocol = "tcp"
+ // Internet connectivity here is by design
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
 }
@@ -22,9 +22,10 @@ resource "aws_security_group_rule" "lb-http-ingress" {
 description = "${local.prefix}: allow traffic from public internet"
 type = "ingress"
- from_port = "80"
- to_port = "80"
- protocol = "tcp"
+ from_port = "80"
+ to_port = "80"
+ protocol = "tcp"
+ // Internet connectivity here is by design
 cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
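Review bot: The justification added above `statement {` talks about single-use buckets, but the suppression it excuses sits on the `kms:Encrypt*` action list, and the statement's `resources` are outside the hunk, so a reader cannot see which key(s) the wildcard is scoped to. `kms:Encrypt*` matches only `kms:Encrypt`, so if this statement is meant to let Fleet write KMS-encrypted objects it presumably also needs `kms:GenerateDataKey*` unless that is listed further down; spelling the actions out would remove the need for the ignore entirely. I'd also give this ignore an `:exp:` date like the others in this change and reword the comment to `// Wildcard actions are scoped to the single-purpose KMS key(s) in resources below.` The statement body continues outside the hunk.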
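Review bot: Port 80 from `0.0.0.0/0` is marked "by design" in `lb-http-ingress`, but the comment does not say what the design is; the only good reason to keep it is a listener that answers with a redirect to 443, and nothing in this hunk shows that. The `depends_on` in `ecs.tf` references an `aws_alb_listener.http`, so it likely exists, but the rule should say so: `// Internet connectivity here is by design: :80 exists only for the HTTP->HTTPS redirect listener (aws_alb_listener.http).` If that redirect listener is ever removed, this rule should go with it. The 443 rule above is fine with the generic wording.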
@@ -65,7 +66,8 @@ resource "aws_security_group_rule" "lb-kibana" {
 }
 # Allow outbound traffic
-resource "aws_security_group_rule" "lb-egress" {
+// Egress filtering is not currently provided by our Terraform templates.
+resource "aws_security_group_rule" "lb-egress" { #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 description = "${local.prefix}: allow all outbound traffic"
 type = "egress"
@@ -103,10 +105,11 @@ resource "aws_security_group_rule" "backend-egress" {
 description = "${local.prefix}: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.backend.id
 }
diff --git a/tools/loadtesting/terraform/ecs.tf b/tools/loadtesting/terraform/ecs.tf
index 87e0168e95..f4b34d7a00 100644
--- a/tools/loadtesting/terraform/ecs.tf
+++ b/tools/loadtesting/terraform/ecs.tf
@@ -1,5 +1,6 @@
 resource "aws_alb" "main" {
- name = "fleetdm"
+ name = "fleetdm"
+ // Exposed to the Internet by design
 internal = false #tfsec:ignore:aws-elb-alb-not-public
 security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
 subnets = module.vpc.public_subnets
@@ -21,7 +22,8 @@ resource "aws_alb" "internal" {
 resource "aws_alb_listener" "https-fleetdm-internal" {
 load_balancer_arn = aws_alb.internal.arn
 port = 80
- protocol = "HTTP" #tfsec:ignore:aws-elb-http-not-used
+ // We will evaluate removing all HTTP eventually, including the removal of HTTP redirects.
+ protocol = "HTTP" #tfsec:ignore:aws-elb-http-not-used:exp:2022-06-01
 default_action {
 target_group_arn = aws_alb_target_group.internal.arn
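Review bot: The egress suppression is attached inconsistently: on the `resource` line for `lb-egress`, but on the `cidr_blocks` line for `backend-egress` and every other egress rule in this change. tfsec scopes an ignore to the block that follows the comment, so the resource-level placement here silences the finding for the whole rule rather than the one attribute, and it makes grepping for the suppressions harder. Move it to the same place as the others: `cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01` (that line is outside the hunk). The `lb-egress` body continues past the hunk.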
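Review bot: The listener named `https-fleetdm-internal` is plain HTTP (`port = 80`, `protocol = "HTTP"`), and the added ignore lapses on 2022-06-01, so the name misleads and the suppression is about to start failing scans. Either rename it to match what it is (`http-fleetdm-internal`, which needs a state move) or make the comment say why cleartext is acceptable here, e.g. `// Internal ALB: presumably VPC-only traffic; cleartext until an internal cert is provisioned. Re-evaluate before the exp date.` Traffic on this path is still unencrypted inside the VPC, which matters if the internal ALB carries anything beyond load-test plumbing — I can't tell from the hunk. The `default_action` block continues outside the hunk.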
@@ -140,8 +142,9 @@ resource "aws_ecs_service" "fleet" {
 depends_on = [aws_alb_listener.http, aws_alb_listener.https-fleetdm]
 }
-
-resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:2022-07-01
 name = "fleetdm"
 retention_in_days = 1
 }
diff --git a/tools/loadtesting/terraform/elasticsearch.tf b/tools/loadtesting/terraform/elasticsearch.tf
index aa18bc64cd..d98dc3b066 100644
--- a/tools/loadtesting/terraform/elasticsearch.tf
+++ b/tools/loadtesting/terraform/elasticsearch.tf
@@ -59,10 +59,11 @@ resource "aws_security_group_rule" "es-egress" {
 description = "${local.prefix}: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.elasticsearch.id
 }
diff --git a/tools/loadtesting/terraform/firehose.tf b/tools/loadtesting/terraform/firehose.tf
index c73a0d6fe2..e8ecad3345 100644
--- a/tools/loadtesting/terraform/firehose.tf
+++ b/tools/loadtesting/terraform/firehose.tf
@@ -1,4 +1,10 @@
-resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = "fleet-loadtest-osquery-logs-archive"
 acl = "private"
@@ -22,15 +28,19 @@ resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-cus
 }
 resource "aws_s3_bucket_public_access_block" "osquery-results" {
- bucket = aws_s3_bucket.osquery-results.id
-
+ bucket = aws_s3_bucket.osquery-results.id
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
 restrict_public_buckets = true
 }
-
-resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = "fleet-loadtest-osquery-status-archive"
 acl = "private"
@@ -61,6 +71,14 @@ resource "aws_s3_bucket_public_access_block" "osquery-status" {
 restrict_public_buckets = true
 }
+resource "aws_s3_bucket_public_access_block" "osquery-status" {
+ bucket = aws_s3_bucket.osquery-status.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 data "aws_iam_policy_document" "osquery_results_policy_doc" {
 statement {
 effect = "Allow"
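Review bot: The second hunk adds `resource "aws_s3_bucket_public_access_block" "osquery-status"` directly under a block that, per the hunk header context (`@@ ... resource "aws_s3_bucket_public_access_block" "osquery-status" {`, closed by the `restrict_public_buckets = true` / `}` context lines), already has that exact address in this file. Two resources with the same type and name in one module fail `terraform validate` with a duplicate-resource error, so unless the header context is stale this configuration will not plan. Drop the added block and keep the existing one, or, if the existing block is missing `ignore_public_acls` / `restrict_public_buckets`, set them there instead. The `osquery-results` public access block in the first hunk is fine.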
@@ -71,6 +89,7 @@ data "aws_iam_policy_document" "osquery_results_policy_doc" {
 "s3:ListBucketMultipartUploads",
 "s3:PutObject"
 ]
+ // This bucket is single-purpose and using a wildcard is not problematic
 resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
 }
 }
@@ -85,6 +104,7 @@ data "aws_iam_policy_document" "osquery_status_policy_doc" {
 "s3:ListBucketMultipartUploads",
 "s3:PutObject"
 ]
+ // This bucket is single-purpose and using a wildcard is not problematic
 resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
 }
 }
diff --git a/tools/loadtesting/terraform/redis.tf b/tools/loadtesting/terraform/redis.tf
index 726efcfc26..dad7351a18 100644
--- a/tools/loadtesting/terraform/redis.tf
+++ b/tools/loadtesting/terraform/redis.tf
@@ -11,8 +11,8 @@ resource "aws_elasticache_replication_group" "default" {
 port = "6379"
 snapshot_retention_limit = 0
 automatic_failover_enabled = true
- at_rest_encryption_enabled = false #tfsec:ignore:aws-elasticache-enable-at-rest-encryption
- transit_encryption_enabled = false #tfsec:ignore:aws-elasticache-enable-in-transit-encryption
+ at_rest_encryption_enabled = true
+ transit_encryption_enabled = true
 apply_immediately = true
 replication_group_description = "fleetdm-redis"
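Review bot: Turning on `transit_encryption_enabled` means this ElastiCache endpoint will only accept TLS, but the diff adds `FLEET_REDIS_USE_TLS = "true"` only to the task definitions in `tools/terraform/ecs.tf`; the load-testing task definitions in `tools/loadtesting/terraform/ecs.tf` get no matching change. Unless the load-test tasks set it somewhere not shown, Fleet will fail to reach Redis after this apply. Changing the encryption flags on an existing replication group also typically forces replacement, and with `snapshot_retention_limit = 0` nothing is preserved — acceptable for a load-test cache, but say so: `// Enabling encryption replaces the group; clients must set FLEET_REDIS_USE_TLS=true.` The replication group resource begins outside the hunk.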
@@ -33,15 +33,17 @@ resource "aws_elasticache_parameter_group" "default" { #tfsec:ignore:aws-vpc-add
 }
 resource "aws_security_group" "redis" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key tfsec:ignore:aws-vpc-add-description-to-security-group
- name = local.security_group_name
- vpc_id = module.vpc.vpc_id
+ name = local.security_group_name
+ description = "Security group for Redis"
+ vpc_id = module.vpc.vpc_id
 }
 locals {
 security_group_name = "${local.prefix}-elasticache-redis"
 }
-resource "aws_security_group_rule" "ingress" { #tfsec:ignore:aws-vpc-add-description-to-security-group-rule
+resource "aws_security_group_rule" "ingress" {
+ description = "Redis from private VPC"
 type = "ingress"
 from_port = "6379"
 to_port = "6379"
@@ -50,11 +52,13 @@ resource "aws_security_group_rule" "ingress" { #tfsec:ignore:aws-vpc-add-descrip
 security_group_id = aws_security_group.redis.id
 }
-resource "aws_security_group_rule" "egress" { #tfsec:ignore:aws-vpc-add-description-to-security-group-rule
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+resource "aws_security_group_rule" "egress" {
+ description = "Redis VPC egress"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.redis.id
 }
diff --git a/tools/terraform/ecs-iam.tf b/tools/terraform/ecs-iam.tf
index c0acce1bdc..60af0660b4 100644
--- a/tools/terraform/ecs-iam.tf
+++ b/tools/terraform/ecs-iam.tf
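Review bot: Now that `description` is set on `aws_security_group.redis`, the two suppressions on its unchanged `resource` line are dead: `aws-vpc-add-description-to-security-group` no longer fires, and `aws-cloudwatch-log-group-customer-key` never applied to a security group in the first place. Stale `#tfsec:ignore` markers are how later real findings get hidden, so reduce the line to `resource "aws_security_group" "redis" {`. The hunk header also shows a truncated `aws-vpc-add...` ignore on `aws_elasticache_parameter_group.default`, which looks like the same copy-paste and deserves the same cleanup, but that line is outside the hunk. Note that adding `description` to a security group forces its recreation, which is fine for the load-test stack but is why the production copy in `tools/terraform/redis.tf` takes a different route.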
@@ -39,7 +39,8 @@ data "aws_iam_policy_document" "fleet" {
 resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
 }
- statement {
+ // We use wildcards on these actions for buckets that are single-use.
+ statement { #tfsec:ignore:aws-iam-no-policy-wildcards
 effect = "Allow"
 actions = [
 "s3:GetObject*",
diff --git a/tools/terraform/ecs-sgs.tf b/tools/terraform/ecs-sgs.tf
index c5d3222dbd..8e361ceb3a 100644
--- a/tools/terraform/ecs-sgs.tf
+++ b/tools/terraform/ecs-sgs.tf
@@ -10,10 +10,11 @@ resource "aws_security_group_rule" "lb-ingress" {
 description = "${var.prefix}: allow traffic from public internet"
 type = "ingress"
- from_port = "443"
- to_port = "443"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = "443"
+ to_port = "443"
+ protocol = "tcp"
+ // Internet connectivity here is by design
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
 }
@@ -22,10 +23,11 @@ resource "aws_security_group_rule" "lb-http-ingress" {
 description = "${var.prefix}: allow traffic from public internet"
 type = "ingress"
- from_port = "80"
- to_port = "80"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = "80"
+ to_port = "80"
+ protocol = "tcp"
+ // Internet connectivity here is by design
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
 }
@@ -35,10 +37,11 @@ resource "aws_security_group_rule" "lb-egress" {
 description = "${var.prefix}: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.lb.id
 }
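Review bot: `s3:GetObject*` is broader than it reads — it also matches `s3:GetObjectAcl`, `s3:GetObjectTagging`, `s3:GetObjectRetention`, `s3:GetObjectLegalHold` and the `s3:GetObjectVersion*` family — and the `resources` this statement is scoped to are outside the hunk, so the "single-use buckets" justification cannot be checked from here. If Fleet only reads objects, listing `s3:GetObject` explicitly removes the need for the suppression; if the wildcard is intentional, the comment should name the bucket(s) it is limited to. This ignore also has no `:exp:` date, unlike most others in this change. The statement continues outside the hunk.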
@@ -69,10 +72,11 @@ resource "aws_security_group_rule" "backend-egress" {
 description = "${var.prefix}: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.backend.id
 }
\ No newline at end of file
diff --git a/tools/terraform/ecs.tf b/tools/terraform/ecs.tf
index 806e4d38cb..aabbbb1883 100644
--- a/tools/terraform/ecs.tf
+++ b/tools/terraform/ecs.tf
@@ -12,11 +12,12 @@ resource "aws_route53_record" "record" {
 }
 resource "aws_alb" "main" {
- name = "fleetdm"
- internal = false
- security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
- subnets = module.vpc.public_subnets
- idle_timeout = 120
+ // Exposed to the Internet by design
+ internal = false #tfsec:ignore:aws-elb-alb-not-public
+ security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
+ subnets = module.vpc.public_subnets
+ idle_timeout = 120
+ name = "fleetdm"
 drop_invalid_header_fields = true
 }
@@ -108,8 +109,9 @@ resource "aws_ecs_service" "fleet" {
 depends_on = [aws_alb_listener.http, aws_alb_listener.https-fleetdm]
 }
-
-resource "aws_cloudwatch_log_group" "backend" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:2022-07-01
 name = "fleetdm"
 retention_in_days = 1
 }
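Review bot: The new comment on `aws_cloudwatch_log_group.backend` explains the missing customer key, but the more consequential setting in this production template is the context line `retention_in_days = 1`: whatever the Fleet server logs is gone after a day, which is too short for any incident investigation. Consider exposing it as a variable with a longer default, `retention_in_days = var.log_retention_days`, and say so in the same comment block. The load-testing copy of this resource carries the same value, where it is fine. The `aws_ecs_service` block at the top of the hunk starts outside it.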
@@ -194,6 +196,10 @@ resource "aws_ecs_task_definition" "backend" {
 name = "FLEET_REDIS_ADDRESS"
 value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
 },
+ {
+ name = "FLEET_REDIS_USE_TLS"
+ value = "true"
+ },
 {
 name = "FLEET_FIREHOSE_STATUS_STREAM"
 value = aws_kinesis_firehose_delivery_stream.osquery_status.name
@@ -310,6 +316,10 @@ resource "aws_ecs_task_definition" "migration" {
 name = "FLEET_REDIS_ADDRESS"
 value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
 },
+ {
+ name = "FLEET_REDIS_USE_TLS"
+ value = "true"
+ }
 ]
 }
 ])
diff --git a/tools/terraform/firehose.tf b/tools/terraform/firehose.tf
index 2873db3c53..ed224b8cee 100644
--- a/tools/terraform/firehose.tf
+++ b/tools/terraform/firehose.tf
@@ -1,4 +1,10 @@
-resource "aws_s3_bucket" "osquery-results" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = var.osquery_results_s3_bucket
 acl = "private"
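Review bot: Both task definitions now hard-code `FLEET_REDIS_USE_TLS = "true"`, which matches `transit_encryption_enabled = true` in `redis.tf`, but the two settings are coupled across files with nothing tying them together, so a later change to the Redis side silently breaks the client. Deriving the value from the replication group keeps them in step: `value = tostring(aws_elasticache_replication_group.default.transit_encryption_enabled)`. At minimum add a comment on the env var naming the Redis resource it must track. The container definition lists continue outside both hunks.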
@@ -18,7 +24,21 @@ resource "aws_s3_bucket" "osquery-results" {
 }
 }
-resource "aws_s3_bucket" "osquery-status" {
+resource "aws_s3_bucket_public_access_block" "osquery-results" {
+ bucket = aws_s3_bucket.osquery-results.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// No versioning on this bucket is by design.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = var.osquery_status_s3_bucket
 acl = "private"
@@ -38,6 +58,14 @@ resource "aws_s3_bucket" "osquery-status" {
 }
 }
+resource "aws_s3_bucket_public_access_block" "osquery-status" {
+ bucket = aws_s3_bucket.osquery-status.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 data "aws_iam_policy_document" "osquery_results_policy_doc" {
 statement {
 effect = "Allow"
@@ -48,7 +76,8 @@ data "aws_iam_policy_document" "osquery_results_policy_doc" {
 "s3:ListBucketMultipartUploads",
 "s3:PutObject"
 ]
- resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"]
+ // This bucket is single-purpose and using a wildcard is not problematic
+ resources = [aws_s3_bucket.osquery-results.arn, "${aws_s3_bucket.osquery-results.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
 }
 }
@@ -62,7 +91,8 @@ data "aws_iam_policy_document" "osquery_status_policy_doc" {
 "s3:ListBucketMultipartUploads",
 "s3:PutObject"
 ]
- resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"]
+ // This bucket is single-purpose and using a wildcard is not problematic
+ resources = [aws_s3_bucket.osquery-status.arn, "${aws_s3_bucket.osquery-status.arn}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards
 }
 }
diff --git a/tools/terraform/gcp/loadbalancer.tf b/tools/terraform/gcp/loadbalancer.tf
index 0ed4ef1931..fa97687137 100644
--- a/tools/terraform/gcp/loadbalancer.tf
+++ b/tools/terraform/gcp/loadbalancer.tf
@@ -1,6 +1,9 @@
 resource "google_dns_managed_zone" "default" {
 dns_name = var.dns_name
 name = "${var.prefix}-zone"
+ dnssec_config {
+ state = "on"
+ }
 }
 resource "google_dns_record_set" "default" {
diff --git a/tools/terraform/monitoring/monitoring.tf b/tools/terraform/monitoring/monitoring.tf
index 01f514c1ab..fc30b56e36 100644
--- a/tools/terraform/monitoring/monitoring.tf
+++ b/tools/terraform/monitoring/monitoring.tf
@@ -37,7 +37,9 @@ locals {
 }
 // sns topic to send cloudwatch alarms to
-resource "aws_sns_topic" "cloudwatch_alarm_topic" {
+// sns topic encryption is not currently supported but is something we will investigate providing in
+// the future
+resource "aws_sns_topic" "cloudwatch_alarm_topic" { #tfsec:ignore:aws-sns-enable-topic-encryption:exp:2022-08-01
 name = "cloudwatch-alarm-${terraform.workspace}"
 }
diff --git a/tools/terraform/percona/percona.tf b/tools/terraform/percona/percona.tf
index a65acd583d..64d0d5e891 100644
--- a/tools/terraform/percona/percona.tf
+++ b/tools/terraform/percona/percona.tf
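Review bot: `dnssec_config { state = "on" }` signs the zone, but validating resolvers only enforce DNSSEC once a DS record is published at the parent of `var.dns_name` (the registrar or parent zone), and nothing in this module does that. Until the DS exists the change is inert, and because the parent is usually managed elsewhere it is easy to forget, so add a comment: `// Zone is signed; the DS record must still be published at the registrar for DNSSEC to take effect.` Once the DS is in place, recreating this zone generates new keys and breaks resolution until the DS is updated — worth a sentence in the same comment.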
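Review bot: The comment on `aws_sns_topic.cloudwatch_alarm_topic` says topic encryption is "not currently supported", but the resource only needs `kms_master_key_id` to enable SSE; the actual obstacle, as far as I know, is that CloudWatch alarms can only publish to an encrypted topic when the key policy grants `cloudwatch.amazonaws.com`, which rules out the AWS-managed `aws/sns` key and requires a customer-managed key. Reword the comment so the next person does not try the easy fix and lose alarm delivery: `// SSE here needs a CMK whose key policy allows cloudwatch.amazonaws.com to publish; deferred until we manage customer keys.`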
@@ -22,11 +22,13 @@ resource "aws_route53_record" "record" {
 }
 resource "aws_lb" "main" {
- name = "percona"
- internal = false
- security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
- subnets = var.public_subnets
- idle_timeout = 120
+ name = "percona"
+ // Exposed to the Internet by design
+ internal = false #tfsec:ignore:aws-elb-alb-not-public
+ security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
+ subnets = var.public_subnets
+ idle_timeout = 120
+ drop_invalid_header_fields = true
 }
 resource "aws_lb_listener" "https" {
@@ -55,12 +57,16 @@ resource "aws_lb_target_group_attachment" "percona" {
 target_id = aws_instance.percona.id
 }
-resource "aws_instance" "percona" {
+// No permanent EBS encrypted volume at the moment.
+resource "aws_instance" "percona" { #tfsec:ignore:aws-ec2-enable-at-rest-encryption:exp:2022-07-15
 ami = data.aws_ami.percona.id
 instance_type = "m5.large"
 subnet_id = var.private_subnet
 vpc_security_group_ids = [aws_security_group.backend.id]
 iam_instance_profile = aws_iam_instance_profile.profile.name
+ metadata_options {
+ http_tokens = "required"
+ }
 }
 resource "aws_iam_instance_profile" "profile" {
@@ -87,8 +93,8 @@ resource "aws_iam_role" "role" {
 }
 EOF
 }
-
-resource "aws_iam_policy" "policy" {
+// This bucket is single-purpose and using a wildcard is not problematic
+resource "aws_iam_policy" "policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
 name = "percona-policy"
 description = "policy to discover rds instances"
diff --git a/tools/terraform/percona/security_groups.tf b/tools/terraform/percona/security_groups.tf
index b0c3608d67..1c46b084b8 100644
--- a/tools/terraform/percona/security_groups.tf
+++ b/tools/terraform/percona/security_groups.tf
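Review bot: The at-rest-encryption suppression on `aws_instance.percona` is justified with "no permanent EBS encrypted volume", but no separate volume is needed — the root disk itself can be encrypted with `root_block_device { encrypted = true }` (assuming the Percona AMI is EBS-backed, which the hunk does not show), at the cost of replacing the instance. This host runs the database-monitoring stack and carries an instance profile, so its disk is worth protecting rather than suppressing until 2022-07-15. The `http_tokens = "required"` addition is a good IMDSv2 hardening and can stay as-is.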
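Review bot: The justification pasted above `aws_iam_policy.policy` — "This bucket is single-purpose" — does not fit this resource, whose next line describes it as a `policy to discover rds instances`; no bucket is involved, and the policy body the wildcard actually lives in is outside the hunk. A justification that does not match the code is worse than none, because reviewers stop reading suppressions. Replace it with one that names the real wildcard and why it is needed, e.g. `// "*" resource: <action> does not accept a narrower resource for discovery; see the policy body below.`, filling in the action from the policy, and give the ignore an `:exp:` date like the others.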
@@ -8,10 +8,11 @@ resource "aws_security_group_rule" "lb-ingress" {
 description = "percona: allow traffic from public internet"
 type = "ingress"
- from_port = "443"
- to_port = "443"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = "443"
+ to_port = "443"
+ protocol = "tcp"
+ // Internet connectivity here is by design
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
 }
@@ -20,10 +21,11 @@ resource "aws_security_group_rule" "lb-http-ingress" {
 description = "percona: allow traffic from public internet"
 type = "ingress"
- from_port = "80"
- to_port = "80"
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = "80"
+ to_port = "80"
+ protocol = "tcp"
+ // Internet connectivity here is by design
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
 security_group_id = aws_security_group.lb.id
 }
@@ -31,10 +33,11 @@ resource "aws_security_group_rule" "backend-egress" {
 description = "percona: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.backend.id
 }
@@ -50,10 +53,11 @@ resource "aws_security_group_rule" "lb-egress" {
 description = "percona: allow all outbound traffic"
 type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.lb.id
 }
diff --git a/tools/terraform/percona/variables.tf b/tools/terraform/percona/variables.tf
index 9c2ab4f548..f4df1a76c4 100644
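Review bot: `lb-http-ingress` opens port 80 to the Internet "by design" on the Percona load balancer, yet the only listener visible for it in `percona.tf` is `aws_lb_listener "https"`. If there is no :80 listener, this rule admits traffic nothing answers and should be deleted rather than suppressed; if a redirect listener exists outside the diff, the comment should say so: `// Internet connectivity here is by design: :80 only redirects to :443.` This LB fronts a database-monitoring UI, so keeping its exposed surface minimal matters more than for the Fleet ALB.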
--- a/tools/terraform/percona/variables.tf
+++ b/tools/terraform/percona/variables.tf
@@ -1,24 +1,24 @@
 variable "zone_id" {
 description = "R53 Zone ID to host Percona in"
- type = string
+ type = string
 }
 variable "domain_name" {
 description = "Domain name for Percona DNS"
- type = string
+ type = string
 }
 variable "public_subnets" {
 description = "Public subnets for the Percona LB"
- type = list(string)
+ type = list(string)
 }
 variable "private_subnet" {
 description = "Private subnets for the Percona App instance"
- type = string
+ type = string
 }
 variable "vpc_id" {
 description = "VPC ID"
- type = string
+ type = string
 }
\ No newline at end of file
diff --git a/tools/terraform/rds.tf b/tools/terraform/rds.tf
index 474550ebe0..2a5ddb768c 100644
--- a/tools/terraform/rds.tf
+++ b/tools/terraform/rds.tf
@@ -1,9 +1,10 @@
 resource "random_password" "database_password" {
- length = 16
+ length = 32
 special = false
 }
-
-resource "aws_secretsmanager_secret" "database_password_secret" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+resource "aws_secretsmanager_secret" "database_password_secret" { #tfsec:ignore:aws-ssm-secret-use-customer-key:exp:2022-07-01
 name = "/fleet/database/password/master"
 }
diff --git a/tools/terraform/redis.tf b/tools/terraform/redis.tf
index 55fbcbce1f..726b6174c0 100644
--- a/tools/terraform/redis.tf
+++ b/tools/terraform/redis.tf
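Review bot: Changing `length` on `random_password.database_password` replaces that resource, so on an already-deployed stack this apply generates a new value and, presumably via the RDS instance and secret version defined outside the hunk, rotates the master password; anything holding the old credential (including running Fleet tasks until they are redeployed) will start failing auth. That is a reasonable outcome for a stronger password, but it should be called out in the PR description and in code: `// Changing length/special regenerates the password and rotates the RDS master credential on apply.` The `special = false` choice is fine — 32 alphanumerics is ample entropy and avoids connection-string escaping problems.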
@@ -23,14 +23,15 @@ resource "aws_elasticache_replication_group" "default" {
 port = "6379"
 maintenance_window = var.maintenance_window
 snapshot_retention_limit = 0
- automatic_failover_enabled = false
- at_rest_encryption_enabled = false
- transit_encryption_enabled = false
+ automatic_failover_enabled = true
+ at_rest_encryption_enabled = true
+ transit_encryption_enabled = true
 apply_immediately = true
 replication_group_description = "fleetdm-redis"
 }
-resource "aws_security_group" "redis" {
+resource "aws_security_group" "redis" { #tfsec:ignore:aws-vpc-add-description-to-security-group
+ // description = "Security group for Redis" // cannot add description without recreation
 name = local.security_group_name
 vpc_id = module.vpc.vpc_id
 }
@@ -40,6 +41,7 @@ locals {
 }
 resource "aws_security_group_rule" "ingress" {
+ description = "Redis from private VPC"
 type = "ingress"
 from_port = "6379"
 to_port = "6379"
@@ -49,11 +51,13 @@ resource "aws_security_group_rule" "ingress" {
 }
 resource "aws_security_group_rule" "egress" {
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Redis VPC egress"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ // Egress filtering is not currently provided by our Terraform templates.
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2022-10-01
 security_group_id = aws_security_group.redis.id
 }
diff --git a/tools/terraform/remote-state/main.tf b/tools/terraform/remote-state/main.tf
index 60ace85352..e199ccaea4 100644
--- a/tools/terraform/remote-state/main.tf
+++ b/tools/terraform/remote-state/main.tf
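Review bot: `automatic_failover_enabled = true` is only valid when the replication group has at least two cache clusters (the node count is outside the hunk), and toggling `at_rest_encryption_enabled` / `transit_encryption_enabled` on an existing group typically forces replacement; with `snapshot_retention_limit = 0` and `apply_immediately = true` that is a Redis outage and a cold cache during the apply, which operators of existing deployments should be told about. A comment on these three lines would do: `// Changing the encryption flags replaces the group (no snapshots are kept); failover needs >= 2 nodes.` The matching client change (`FLEET_REDIS_USE_TLS`) is in `ecs.tf` in the same change, which is good. The replication group resource begins outside the hunk.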
@@ -9,8 +9,12 @@ variable "region" {
 provider "aws" {
 region = var.region
 }
-
-resource "aws_s3_bucket" "remote_state" {
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "remote_state" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = "${var.prefix}-terraform-remote-state"
 acl = "private"
 versioning {
@@ -19,15 +23,24 @@ resource "aws_s3_bucket" "remote_state" {
 lifecycle {
 prevent_destroy = true
 }
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
 tags = {
 Name = "S3 Remote Terraform State Store"
 }
 }
 resource "aws_s3_bucket_public_access_block" "fleet_terraform_state" {
- bucket = aws_s3_bucket.remote_state.id
- block_public_acls = true
- block_public_policy = true
+ bucket = aws_s3_bucket.remote_state.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
 }
@@ -44,4 +57,13 @@ resource "aws_dynamodb_table" "fleet_terraform_state_lock" {
 tags = {
 Name = "DynamoDB Terraform State Lock Table"
 }
+ // Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+ // possibility of providing this capability in the future.
+ server_side_encryption { #tfsec:ignore:aws-dynamodb-table-customer-key:exp:2022-07-01
+ enabled = true // enabled server side encryption
+ }
+
+ point_in_time_recovery {
+ enabled = true
+ }
 }
\ No newline at end of file
diff --git a/tools/terraform/s3.tf b/tools/terraform/s3.tf
index f7b5fcb858..c0edb2db44 100644
--- a/tools/terraform/s3.tf
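Review bot: `sse_algorithm = "aws:kms"` with no `kms_master_key_id` means the state bucket is encrypted under the AWS-managed `aws/s3` key, and `server_side_encryption { enabled = true }` on the lock table selects the AWS-managed DynamoDB key instead of the default AWS-owned one; both are fine, but the comments only say customer keys are "not supported", so a reader cannot tell what key is actually in use. Make it explicit: `// aws:kms with no key id = AWS-managed aws/s3 key; a CMK would go in kms_master_key_id.` Terraform state stores resource attributes in cleartext — `random_password` results included — so of all the buckets in this change this is the one where a CMK variable is worth prioritising before the 2022-07-01 expiry. Replace `// enabled server side encryption` on the DynamoDB line, which just restates the code, with the same key note.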
+++ b/tools/terraform/s3.tf
@@ -1,5 +1,12 @@
-// file carving destination
-resource "aws_s3_bucket" "osquery-carve" {
+// file carving destination with versioning disabled and lifecycle to ensure files get deleted and
+// no version is ever kept
+
+// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
+// possibility of providing this capability in the future.
+// Bucket logging is not supported in our Fleet Terraforms at the moment. It can be enabled by the
+// organizations deploying Fleet, and we will evaluate the possibility of providing this capability
+// in the future.
+resource "aws_s3_bucket" "osquery-carve" { #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
 bucket = "osquery-carve-${terraform.workspace}"
 acl = "private"
@@ -17,4 +24,12 @@ resource "aws_s3_bucket" "osquery-carve" {
 }
 }
 }
+}
+
+resource "aws_s3_bucket_public_access_block" "osquery-carve" {
+ bucket = aws_s3_bucket.osquery-carve.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
 }
\ No newline at end of file