diff --git a/terraform/environments/example/certificates.tf b/terraform/environments/example/certificates.tf
index 38a8ac6866a..31864376d43 100644
--- a/terraform/environments/example/certificates.tf
+++ b/terraform/environments/example/certificates.tf
@@ -60,31 +60,32 @@ # # Build loadbalancer #tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. -# resource "aws_lb" "certificate_example_lb" { -# name = "certificate-example-loadbalancer" -# load_balancer_type = "application" -# subnets = data.aws_subnets.shared-public.ids -# #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection -# enable_deletion_protection = false -# # allow 60*4 seconds before 504 gateway timeout for long-running DB operations -# idle_timeout = 240 -# drop_invalid_header_fields = true +resource "aws_lb" "certificate_example_lb" { + #checkov:skip=CKV2_AWS_28:Ensure public facing ALB are protected by WAF + name = "certificate-example-loadbalancer" + load_balancer_type = "application" + subnets = data.aws_subnets.shared-public.ids + #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection + enable_deletion_protection = false + # allow 60*4 seconds before 504 gateway timeout for long-running DB operations + idle_timeout = 240 + drop_invalid_header_fields = true -# security_groups = [aws_security_group.certificate_example_load_balancer_sg.id] + security_groups = [aws_security_group.certificate_example_load_balancer_sg.id] -# access_logs { -# bucket = module.s3-bucket-lb.bucket.id -# prefix = "test-lb" -# enabled = true -# } + access_logs { + bucket = module.s3-bucket-lb.bucket.id + prefix = "test-lb" + enabled = true + } -# tags = { Name = "${local.application_name}-external-loadbalancer" } -# depends_on = [aws_security_group.certificate_example_load_balancer_sg] -# } + tags = { Name = "${local.application_name}-external-loadbalancer" } + depends_on = [aws_security_group.certificate_example_load_balancer_sg] +} -# resource "aws_security_group" "certificate_example_load_balancer_sg" { -# name = "certificate-example-lb-sg" -# description = "controls access to load balancer" -# vpc_id = data.aws_vpc.shared.id -# tags = { Name = 
lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } -# } \ No newline at end of file +resource "aws_security_group" "certificate_example_load_balancer_sg" { + name = "certificate-example-lb-sg" + description = "controls access to load balancer" + vpc_id = data.aws_vpc.shared.id + tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } +} \ No newline at end of file diff --git a/terraform/environments/example/clean.sh b/terraform/environments/example/clean.sh new file mode 100755 index 00000000000..d1084783297 --- /dev/null +++ b/terraform/environments/example/clean.sh @@ -0,0 +1,4 @@ +rm -Rf .terraform +rm .terraform.lock.hcl +terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::946070829339:role/modernisation-account-terraform-state-member-access\"} +terraform workspace select example-development \ No newline at end of file diff --git a/terraform/environments/example/data.tf b/terraform/environments/example/data.tf index 156e048c8de..fb01c43c501 100644 --- a/terraform/environments/example/data.tf +++ b/terraform/environments/example/data.tf @@ -1,7 +1,3 @@ -# ########################################################################################## -# # ------------------------Comment out file if not required---------------------------------- -# ########################################################################################## - #### This file can be used to store data specific to the member account #### #For macie code diff --git a/terraform/environments/example/ec2_bastion_linux.tf b/terraform/environments/example/ec2_bastion_linux.tf index c1de14dfbec..aca36eb6dc2 100644 --- a/terraform/environments/example/ec2_bastion_linux.tf +++ b/terraform/environments/example/ec2_bastion_linux.tf 
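Review bot: The re-enabled `aws_security_group.certificate_example_load_balancer_sg` has no `aws_security_group_rule` in this hunk, so unless rules exist elsewhere in the environment the public ALB attached to it cannot receive any inbound traffic; if that is intended for the certificate example, a comment such as `# No ingress rules: this LB only exists to exercise certificate issuance` would say so, otherwise rules are needed (the `example_load_balancer_sg` rules in loadbalancer.tf in this same change show the pattern). The new `#checkov:skip=CKV2_AWS_28` repeats the check title as its reason; since shield.tf in this change registers `aws_lb.certificate_example_lb.arn` with the shield module, the skip should state whether that module supplies the WAF protection the check asks for. `depends_on = [aws_security_group.certificate_example_load_balancer_sg]` is redundant because `security_groups` already references the same resource.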
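Review bot: `rm .terraform.lock.hcl` on the second line discards the recorded provider selections and hashes, so the following `terraform init` re-resolves every provider within the `~>` ranges in platform_versions.tf and accepts whatever the registry currently serves; a clean re-init only needs `rm -Rf .terraform`, and if the lock file genuinely has to be regenerated the new one should be committed rather than left as an untracked side effect of the script. The script has no interpreter line and no error handling, so a failed `init` still runs `terraform workspace select example-development`; add `#!/usr/bin/env bash` and `set -euo pipefail` at the top. The state role ARN is hard-coded on the `init` line; if the pipeline already exposes it as a variable, referencing that keeps the two from drifting.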
@@ -1,38 +1,35 @@ -# ########################################################################################## -# # ------------------------Comment out file if not required---------------------------------- -# ########################################################################################## # # tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning -# module "bastion_linux" { -# source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1 +module "bastion_linux" { + source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1 -# providers = { -# aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts -# aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant -# } -# # s3 - used for logs and user ssh public keys -# bucket_name = "bastion-example" -# # public keys -# public_key_data = local.public_key_data.keys[local.environment] -# # logs -# log_auto_clean = "Enabled" -# log_standard_ia_days = 30 # days before moving to IA storage -# log_glacier_days = 60 # days before moving to Glacier -# log_expiry_days = 180 # days before log expiration -# # bastion -# allow_ssh_commands = false -# app_name = var.networking[0].application -# business_unit = local.vpc_name -# subnet_set = local.subnet_set -# environment = local.environment -# region = "eu-west-2" + providers = { + aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts + aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant + } + # s3 - used for logs and user ssh public keys + bucket_name = "bastion-example" + # public keys + public_key_data = local.public_key_data.keys[local.environment] + # logs + log_auto_clean = 
"Enabled" + log_standard_ia_days = 30 # days before moving to IA storage + log_glacier_days = 60 # days before moving to Glacier + log_expiry_days = 180 # days before log expiration + # bastion + allow_ssh_commands = false + app_name = var.networking[0].application + business_unit = local.vpc_name + subnet_set = local.subnet_set + environment = local.environment + region = "eu-west-2" -# # Tags -# tags_common = local.tags -# tags_prefix = terraform.workspace -# } + # Tags + tags_common = local.tags + tags_prefix = terraform.workspace +} -# locals { -# public_key_data = jsondecode(file("./bastion_linux.json")) -# } +locals { + public_key_data = jsondecode(file("./bastion_linux.json")) +} diff --git a/terraform/environments/example/identity_store.tf b/terraform/environments/example/identity_store.tf index d0adb1725cf..3d4a2cea32c 100644 --- a/terraform/environments/example/identity_store.tf +++ b/terraform/environments/example/identity_store.tf @@ -1,13 +1,13 @@ -data "aws_ssoadmin_instances" "example" { - provider = aws.sso-readonly -} +# data "aws_ssoadmin_instances" "example" { +# provider = aws.sso-readonly +# } -data "aws_identitystore_group" "example" { - provider = aws.sso-readonly - identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0] +# data "aws_identitystore_group" "example" { +# provider = aws.sso-readonly +# identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0] - filter { - attribute_path = "DisplayName" - attribute_value = "modernisation-platform" - } -} \ No newline at end of file +# filter { +# attribute_path = "DisplayName" +# attribute_value = "modernisation-platform" +# } +# } \ No newline at end of file diff --git a/terraform/environments/example/loadbalancer.tf b/terraform/environments/example/loadbalancer.tf index ec7ac05acf2..3450069ae43 100644 --- a/terraform/environments/example/loadbalancer.tf +++ b/terraform/environments/example/loadbalancer.tf 
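Review bot: The `tfsec:ignore` directives on the context line above `module "bastion_linux"` suppress the bucket-encryption, customer-key, bucket-logging and versioning findings for the bastion's S3 bucket with no reason given, unlike the `#checkov:skip` lines elsewhere in this change, which each carry one. The module's own comments say that bucket holds the users' SSH public keys and the bastion logs (`# s3 - used for logs and user ssh public keys`, the `log_*` settings), so a one-line justification such as `# bucket settings are owned by the bastion module; findings accepted for the example environment` lets the next reviewer distinguish accepted risk from oversight. `public_key_data = jsondecode(file("./bastion_linux.json"))` reads a file that is not part of this diff, so I cannot confirm it exists and has a key for every workspace the `keys[local.environment]` lookup can be evaluated under.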
@@ -4,342 +4,344 @@ # Build loadbalancer security group -# resource "aws_security_group" "example_load_balancer_sg" { -# name = "example-lb-sg" -# description = "controls access to load balancer" -# vpc_id = data.aws_vpc.shared.id -# tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } - -# # Set up the ingress and egress parts of the security group -# } -# resource "aws_security_group_rule" "ingress_traffic_lb" { -# for_each = local.application_data.example_ec2_sg_rules -# description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) -# from_port = each.value.from_port -# protocol = each.value.protocol -# security_group_id = aws_security_group.example_load_balancer_sg.id -# to_port = each.value.to_port -# type = "ingress" -# cidr_blocks = [data.aws_vpc.shared.cidr_block] -# } -# resource "aws_security_group_rule" "egress_traffic_lb" { -# for_each = local.application_data.example_ec2_sg_rules -# description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) -# from_port = each.value.from_port -# protocol = each.value.protocol -# security_group_id = aws_security_group.example_load_balancer_sg.id -# to_port = each.value.to_port -# type = "egress" -# source_security_group_id = aws_security_group.example_load_balancer_sg.id -# } - -# # # Build loadbalancer -# # #tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. 
-# resource "aws_lb" "external" { -# name = "${local.application_name}-loadbalancer" -# load_balancer_type = "application" -# subnets = data.aws_subnets.shared-public.ids -# #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection -# enable_deletion_protection = false -# # allow 60*4 seconds before 504 gateway timeout for long-running DB operations -# idle_timeout = 240 -# drop_invalid_header_fields = true - -# security_groups = [aws_security_group.example_load_balancer_sg.id] - -# access_logs { -# bucket = module.s3-bucket-lb.bucket.id -# prefix = "test-lb" -# enabled = true -# } - -# tags = { Name = "${local.application_name}-external-loadbalancer" } -# depends_on = [aws_security_group.example_load_balancer_sg] -# } -# # Create the target group -# resource "aws_lb_target_group" "target_group" { -# name = "${local.application_name}-tg-${local.environment}" -# port = local.application_data.accounts[local.environment].server_port -# protocol = "HTTP" -# vpc_id = data.aws_vpc.shared.id -# target_type = "instance" -# deregistration_delay = 30 - -# stickiness { -# type = "lb_cookie" -# } -# #checkov:skip=CKV_AWS_261: "health_check defined below, but not picked up" -# health_check { -# healthy_threshold = "5" -# interval = "120" -# protocol = "HTTP" -# unhealthy_threshold = "2" -# matcher = "200-499" -# timeout = "5" -# } - -# tags = { Name = "${local.application_name}-tg-${local.environment}" } -# lifecycle { -# create_before_destroy = true -# } -# } - -# # Link target group to the EC2 instance on port 80 -# resource "aws_lb_target_group_attachment" "develop" { -# target_group_arn = aws_lb_target_group.target_group.arn -# target_id = aws_instance.lb_example_instance.id -# port = 80 -# } +resource "aws_security_group" "example_load_balancer_sg" { + name = "example-lb-sg" + description = "controls access to load balancer" + vpc_id = data.aws_vpc.shared.id + tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, 
local.environment)) } + + # Set up the ingress and egress parts of the security group +} +resource "aws_security_group_rule" "ingress_traffic_lb" { + for_each = local.application_data.example_ec2_sg_rules + description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) + from_port = each.value.from_port + protocol = each.value.protocol + security_group_id = aws_security_group.example_load_balancer_sg.id + to_port = each.value.to_port + type = "ingress" + cidr_blocks = [data.aws_vpc.shared.cidr_block] +} +resource "aws_security_group_rule" "egress_traffic_lb" { + for_each = local.application_data.example_ec2_sg_rules + description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) + from_port = each.value.from_port + protocol = each.value.protocol + security_group_id = aws_security_group.example_load_balancer_sg.id + to_port = each.value.to_port + type = "egress" + source_security_group_id = aws_security_group.example_load_balancer_sg.id +} + +# # Build loadbalancer +#tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. 
+resource "aws_lb" "external" { + name = "${local.application_name}-loadbalancer" + load_balancer_type = "application" + subnets = data.aws_subnets.shared-public.ids + #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection + enable_deletion_protection = false + # allow 60*4 seconds before 504 gateway timeout for long-running DB operations + idle_timeout = 240 + drop_invalid_header_fields = true + + security_groups = [aws_security_group.example_load_balancer_sg.id] + + access_logs { + bucket = module.s3-bucket-lb.bucket.id + prefix = "test-lb" + enabled = true + } + + tags = { Name = "${local.application_name}-external-loadbalancer" } + depends_on = [aws_security_group.example_load_balancer_sg] +} +# Create the target group +resource "aws_lb_target_group" "target_group" { + #checkov:skip=CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol" + name = "${local.application_name}-tg-${local.environment}" + port = local.application_data.accounts[local.environment].server_port + protocol = "HTTP" + vpc_id = data.aws_vpc.shared.id + target_type = "instance" + deregistration_delay = 30 + + stickiness { + type = "lb_cookie" + } + #checkov:skip=CKV_AWS_261: "health_check defined below, but not picked up" + health_check { + healthy_threshold = "5" + interval = "120" + protocol = "HTTP" + unhealthy_threshold = "2" + matcher = "200-499" + timeout = "5" + } + + tags = { Name = "${local.application_name}-tg-${local.environment}" } + lifecycle { + create_before_destroy = true + } +} + +# Link target group to the EC2 instance on port 80 +resource "aws_lb_target_group_attachment" "develop" { + target_group_arn = aws_lb_target_group.target_group.arn + target_id = aws_instance.lb_example_instance.id + port = 80 +} # Load balancer listener -# resource "aws_lb_listener" "external" { -# load_balancer_arn = aws_lb.external.arn -# port = local.application_data.accounts[local.environment].server_port -# protocol = 
local.application_data.accounts[local.environment].lb_listener_protocol -# #checkov:skip=CKV_AWS_2: "protocol for lb set in application_variables" -# ssl_policy = local.application_data.accounts[local.environment].lb_listener_protocol == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06" -# #checkov:skip=CKV_AWS_103: "ssl_policy for lb set in application_variables" - -# default_action { -# type = "forward" -# target_group_arn = aws_lb_target_group.target_group.arn -# } -# } +resource "aws_lb_listener" "external" { + load_balancer_arn = aws_lb.external.arn + port = local.application_data.accounts[local.environment].server_port + protocol = local.application_data.accounts[local.environment].lb_listener_protocol + #checkov:skip=CKV_AWS_2: "protocol for lb set in application_variables" + ssl_policy = local.application_data.accounts[local.environment].lb_listener_protocol == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06" + #checkov:skip=CKV_AWS_103: "ssl_policy for lb set in application_variables" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.target_group.arn + } +} # # This will build on the core-vpc development account under platforms-development.modernisation-platform.service.justice.gov.uk, and route traffic back to example LB -# resource "aws_route53_record" "example" { -# provider = aws.core-vpc -# zone_id = data.aws_route53_zone.external.zone_id -# name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" -# type = "A" - -# alias { -# name = aws_lb.external.dns_name -# zone_id = aws_lb.external.zone_id -# evaluate_target_health = true -# } -# } - -# # Creation of a WAFv2 -# resource "aws_wafv2_web_acl" "external" { -# #checkov:skip=CKV2_AWS_31:Logging example commented out below, example is sound but no logging configuration for it to build. 
-# name = "example-web-acl" -# scope = "REGIONAL" - -# default_action { -# allow {} -# } - -# rule { -# name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" -# priority = 1 - -# override_action { -# none {} -# } +resource "aws_route53_record" "example" { + provider = aws.core-vpc + zone_id = data.aws_route53_zone.external.zone_id + name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + + alias { + name = aws_lb.external.dns_name + zone_id = aws_lb.external.zone_id + evaluate_target_health = true + } +} + +# Creation of a WAFv2 +resource "aws_wafv2_web_acl" "external" { + #checkov:skip=CKV2_AWS_31:Logging example commented out below, example is sound but no logging configuration for it to build. + name = "example-web-acl" + scope = "REGIONAL" + + default_action { + allow {} + } + + rule { + name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" + priority = 1 + + override_action { + none {} + } + + statement { + managed_rule_group_statement { + name = "AWSManagedRulesKnownBadInputsRuleSet" + vendor_name = "AWS" + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "friendly-rule-metric-name" + sampled_requests_enabled = false + } + } + + visibility_config { + cloudwatch_metrics_enabled = false + metric_name = "my-web-acl" + sampled_requests_enabled = false + } +} + +# Association code for WAFv2 to the LB +resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" { + resource_arn = aws_lb.external.arn + web_acl_arn = aws_wafv2_web_acl.external.arn +} -# statement { -# managed_rule_group_statement { -# name = "AWSManagedRulesKnownBadInputsRuleSet" -# vendor_name = "AWS" -# } -# } +# Logging for WAF, it's commented out because it wouldn't build, however it's a basic example. 
-# visibility_config { -# cloudwatch_metrics_enabled = false -# metric_name = "friendly-rule-metric-name" -# sampled_requests_enabled = false +# resource "aws_wafv2_web_acl_logging_configuration" "external" { +# log_destination_configs = [aws_kinesis_firehose_delivery_stream.example.arn] +# resource_arn = aws_wafv2_web_acl.external.arn +# redacted_fields { +# single_header { +# name = "user-agent" # } # } - -# visibility_config { -# cloudwatch_metrics_enabled = false -# metric_name = "my-web-acl" -# sampled_requests_enabled = false -# } -# } - -# # Association code for WAFv2 to the LB -# resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" { -# resource_arn = aws_lb.external.arn -# web_acl_arn = aws_wafv2_web_acl.external.arn # } -# Logging for WAF, it's commented out because it wouldn't build, however it's a basic example. - -#resource "aws_wafv2_web_acl_logging_configuration" "external" { -# log_destination_configs = [aws_kinesis_firehose_delivery_stream.example.arn] -# resource_arn = aws_wafv2_web_acl.external.arn -# redacted_fields { -# single_header { -# name = "user-agent" -# } -# } -#} - ################################################################################# ######################### S3 Bucket required for logs ########################## ################################################################################# -# module "s3-bucket-lb" { #tfsec:ignore:aws-s3-enable-versioning -# source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239" #v7.1.0 - -# bucket_prefix = "s3-bucket-example-lb" -# versioning_enabled = false -# bucket_policy = [data.aws_iam_policy_document.bucket_policy_lb.json] - -# # Enable bucket to be destroyed when not empty -# force_destroy = true -# # Refer to the below section "Replication" before enabling replication -# replication_enabled = false -# # Below three variables and providers configuration are only relevant if 
'replication_enabled' is set to true -# replication_region = "eu-west-2" -# # replication_role_arn = module.s3-bucket-replication-role.role.arn -# providers = { -# # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the -# # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation -# # Platform team to add a new provider for the additional Region. -# aws.bucket-replication = aws -# } - -# lifecycle_rule = [ -# { -# id = "main" -# enabled = "Enabled" -# prefix = "" - -# tags = { -# rule = "log" -# autoclean = "true" -# } - -# transition = [ -# { -# days = 90 -# storage_class = "STANDARD_IA" -# }, { -# days = 365 -# storage_class = "GLACIER" -# } -# ] - -# expiration = { -# days = 730 -# } - -# noncurrent_version_transition = [ -# { -# days = 90 -# storage_class = "STANDARD_IA" -# }, { -# days = 365 -# storage_class = "GLACIER" -# } -# ] - -# noncurrent_version_expiration = { -# days = 730 -# } -# } -# ] - -# tags = { Name = lower(format("s3-bucket-%s-%s-example", local.application_name, local.environment)) } -# } - -# data "aws_iam_policy_document" "bucket_policy_lb" { -# statement { -# effect = "Allow" -# actions = [ -# "s3:PutObject" -# ] -# resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] -# principals { -# type = "AWS" -# identifiers = [data.aws_elb_service_account.default_lb.arn] -# } -# } -# statement { -# sid = "AWSLogDeliveryWrite" - -# principals { -# type = "Service" -# identifiers = ["delivery.logs.amazonaws.com"] -# } - -# actions = [ -# "s3:PutObject" -# ] - -# resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] - -# condition { -# test = "StringEquals" -# variable = "s3:x-amz-acl" - -# values = [ -# "bucket-owner-full-control" -# ] -# } -# } - -# statement { -# sid = "AWSLogDeliveryAclCheck" - -# principals { -# type = "Service" -# identifiers = ["delivery.logs.amazonaws.com"] -# } - -# actions = [ -# 
"s3:GetBucketAcl" -# ] - -# resources = [ -# module.s3-bucket-lb.bucket.arn -# ] -# } -# } - -# data "aws_iam_policy_document" "s3-access-policy-lb" { -# version = "2012-10-17" -# statement { -# sid = "" -# effect = "Allow" -# actions = [ -# "sts:AssumeRole", -# ] -# principals { -# type = "Service" -# identifiers = [ -# "rds.amazonaws.com", -# "ec2.amazonaws.com", -# ] -# } -# } -# } - -# data "aws_elb_service_account" "default_lb" {} +module "s3-bucket-lb" { + #tfsec:ignore:aws-s3-enable-versioning + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239" #v7.1.0 + + bucket_prefix = "s3-bucket-example-lb" + versioning_enabled = false + bucket_policy = [data.aws_iam_policy_document.bucket_policy_lb.json] + + # Enable bucket to be destroyed when not empty + force_destroy = true + # Refer to the below section "Replication" before enabling replication + replication_enabled = false + # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true + replication_region = "eu-west-2" + # replication_role_arn = module.s3-bucket-replication-role.role.arn + providers = { + # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the + # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation + # Platform team to add a new provider for the additional Region. 
+ aws.bucket-replication = aws + } + + lifecycle_rule = [ + { + id = "main" + enabled = "Enabled" + prefix = "" + + tags = { + rule = "log" + autoclean = "true" + } + + transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + expiration = { + days = 730 + } + + noncurrent_version_transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + noncurrent_version_expiration = { + days = 730 + } + } + ] + + tags = { Name = lower(format("s3-bucket-%s-%s-example", local.application_name, local.environment)) } +} + +data "aws_iam_policy_document" "bucket_policy_lb" { + statement { + effect = "Allow" + actions = [ + "s3:PutObject" + ] + resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] + principals { + type = "AWS" + identifiers = [data.aws_elb_service_account.default_lb.arn] + } + } + statement { + sid = "AWSLogDeliveryWrite" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = [ + "s3:PutObject" + ] + + resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + + values = [ + "bucket-owner-full-control" + ] + } + } + + statement { + sid = "AWSLogDeliveryAclCheck" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = [ + "s3:GetBucketAcl" + ] + + resources = [ + module.s3-bucket-lb.bucket.arn + ] + } +} + +data "aws_iam_policy_document" "s3-access-policy-lb" { + version = "2012-10-17" + statement { + sid = "" + effect = "Allow" + actions = [ + "sts:AssumeRole", + ] + principals { + type = "Service" + identifiers = [ + "rds.amazonaws.com", + "ec2.amazonaws.com", + ] + } + } +} + +data "aws_elb_service_account" "default_lb" {} ################################################################################# #################### EC2 build for load balancer 
targets. ####################### ################################################################################# -# resource "aws_instance" "lb_example_instance" { -# #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." -# #checkov:skip=CKV_AWS_8: "Encryption not required for example instance" -# # Specify the instance type and ami to be used (this is the Amazon free tier option) -# instance_type = local.application_data.accounts[local.environment].instance_type -# ami = local.application_data.accounts[local.environment].ami_image_id -# vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id] -# subnet_id = data.aws_subnet.private_subnets_a.id -# monitoring = true -# ebs_optimized = true - -# metadata_options { -# http_endpoint = "enabled" -# http_tokens = "required" -# } -# tags = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) } -# depends_on = [aws_security_group.example_load_balancer_sg] -# } \ No newline at end of file +resource "aws_instance" "lb_example_instance" { + #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." + #checkov:skip=CKV_AWS_8: "Encryption not required for example instance" + # Specify the instance type and ami to be used (this is the Amazon free tier option) + instance_type = local.application_data.accounts[local.environment].instance_type + ami = local.application_data.accounts[local.environment].ami_image_id + vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id] + subnet_id = data.aws_subnet.private_subnets_a.id + monitoring = true + ebs_optimized = true + + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) } + depends_on = [aws_security_group.example_load_balancer_sg] +} \ No newline at end of file 
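Review bot: `aws_lb_listener.external` derives `protocol` and `ssl_policy` from `lb_listener_protocol` but never sets `certificate_arn`, so the HTTPS branch the `ssl_policy` conditional caters for cannot be applied (an HTTPS listener needs a certificate) unless one is attached somewhere this hunk does not show; either add `certificate_arn = local.application_data.accounts[local.environment].lb_listener_protocol == "HTTP" ? null : <certificate ARN>` next to it or drop the conditional and document the listener as HTTP-only. The same conditional yields `""` for HTTP, where `null` is the Terraform idiom for leaving `ssl_policy` unset. In `aws_wafv2_web_acl.external` both `visibility_config` blocks set `cloudwatch_metrics_enabled = false` and `sampled_requests_enabled = false` while the logging configuration stays commented out, so the ACL emits no telemetry at all; turning both flags on is the only visibility this example would have into what the KnownBadInputs rule set matches. The health check `matcher = "200-499"` treats 4xx responses as healthy, which may be deliberate for the example but deserves a comment.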
diff --git a/terraform/environments/example/platform_versions.tf b/terraform/environments/example/platform_versions.tf
index e9d031214e6..63e0b5996b8 100644
--- a/terraform/environments/example/platform_versions.tf
+++ b/terraform/environments/example/platform_versions.tf
@@ -8,6 +8,10 @@ terraform {
 version = "~> 3.0"
 source = "hashicorp/http"
 }
+ cloudinit = {
+ source = "hashicorp/cloudinit"
+ version = "~> 2.3.0" # Use the latest version or specify your desired version
+ }
 random = {
 source = "hashicorp/random"
 version = "~> 3.0"
diff --git a/terraform/environments/example/shield.tf b/terraform/environments/example/shield.tf
index 8a62512bf3f..284068d80a0 100644
--- a/terraform/environments/example/shield.tf
+++ b/terraform/environments/example/shield.tf
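Review bot: The comment on the new `cloudinit` version line, `# Use the latest version or specify your desired version`, is template text that explains nothing about why `~> 2.3.0` was chosen; drop it, or replace it with the actual consumer, e.g. `# required by <module or resource that uses cloudinit>`. Nothing in this hunk uses the provider, so naming what needs it is the only way a reader can tell the requirement is not stale. `.terraform.lock.hcl` is not part of this diff, so I cannot see whether the new provider's hashes were recorded; clean.sh in the same change deletes that file, which makes such an omission easy to miss.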
@@ -1,29 +1,26 @@
-# ##########################################################################################
-# # ------------------------Comment out file if not required----------------------------------
-# ##########################################################################################
-# module "shield" {
-# source = "../../modules/shield_advanced"
-# providers = {
-# aws.modernisation-platform = aws.modernisation-platform
-# }
-# application_name = local.application_name
-# excluded_protections = local.application_data.accounts[local.environment].excluded_protections
-# resources = {
-# certificate_lb = {
-# arn = aws_lb.certificate_example_lb.arn
-# }
-# public_lb = {
-# action = "count",
-# arn = aws_lb.external.arn
-# }
-# }
-# waf_acl_rules = {
-# example = {
-# "action" = "count",
-# "name" = "example-count-rule",
-# "priority" = 0,
-# "threshold" = "1000"
-# }
-# }
-# }
+module "shield" {
+ source = "../../modules/shield_advanced"
+ providers = {
+ aws.modernisation-platform = aws.modernisation-platform
+ }
+ application_name = local.application_name
+ excluded_protections = local.application_data.accounts[local.environment].excluded_protections
+ resources = {
+ certificate_lb = {
+ arn = aws_lb.certificate_example_lb.arn
+ }
+ public_lb = {
+ action = "count",
+ arn = aws_lb.external.arn
+ }
+ }
+ waf_acl_rules = {
+ example = {
+ "action" = "count",
+ "name" = "example-count-rule",
+ "priority" = 0,
+ "threshold" = "1000"
+ }
+ }
+}
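Review bot: Both `action = "count"` on `public_lb` and `"action" = "count"` in `waf_acl_rules.example` put the rules in count mode, which records matches but blocks nothing, and the hunk gives no hint that this is a deliberate observe-first step; a comment such as `# count mode: observe rule hits before switching to block` on `public_lb` would make the intent explicit. `certificate_lb` sets no `action`, so it takes whatever `../../modules/shield_advanced` defaults to; that module is outside this diff, so I cannot tell whether the default is count or block, and stating it here avoids the question. `"priority" = 0` is a bare number while `"threshold" = "1000"` is a string, so the rule map mixes types; check which form the module expects for each.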