From b0596a0fa62a4a18434983f51a049229b2d2a96d Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:06:43 +0000 Subject: [PATCH 1/2] Adding external sftp users --- .../environment-configuration.tf | 14 +++++++++ .../analytical-platform-ingestion/kms-keys.tf | 29 +++++++++++++++++++ .../analytical-platform-ingestion/s3.tf | 26 +++++++++++++++++ 3 files changed, 69 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index b3ead9b3f77..ce55494e7ef 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -92,6 +92,20 @@ locals { egress_bucket = module.bold_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn } + "darren.brooke" = { + ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" + cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id + egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn + + } + "aaron.willetts" = { + ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" + cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id + egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn + + } } /* DataSync */ 
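Review bot: Both new entries (`darren.brooke` and `aaron.willetts`) carry a stray blank line before their closing `}`, and all four of `cidr_blocks`, `egress_bucket` and `egress_bucket_kms_key` are byte-identical between them, so this is two copies of the same per-user block differing only in `ssh_key`. Consider a shared local (e.g. `ext_2024_cidr_blocks`) referenced from both entries so a later allowlist change cannot be applied to one user and missed on the other, and drop the trailing blank lines. The source CIDRs are presumably the customer's fixed egress addresses; if so, a comment on the list naming where they came from would help the next reviewer of this allowlist.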
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 5b78c254c70..dd4f9cba5cb 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -119,6 +119,35 @@ module "s3_bold_egress_kms" { deletion_window_in_days = 7 } +module "s3_ext_2024_egress_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.0" + + aliases = ["s3/ext-2024-egress"] + description = "Used in the External 2024 Egress Solution" + enable_default_policy = true + key_statements = [ + { + sid = "AllowReadOnlyRole" + actions = [ + "kms:Encrypt", + "kms:GenerateDataKey" + ] + resources = ["*"] + effect = "Allow" + principals = [ + { + type = "AWS" + identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change + } + ] + } + ] + deletion_window_in_days = 7 +} + module "quarantined_sns_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index a3519d8c667..c0e3b55b138 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
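Review bot: The `AllowReadOnlyRole` statement in `s3_ext_2024_egress_kms` grants `kms:Encrypt` and `kms:GenerateDataKey` to the account's `read-only` role, and the inline `# placeholder -- will change` comment says this is not the intended principal, so the commit ships a live key policy with a placeholder grant. A SID called `AllowReadOnlyRole` that hands out write-side key actions is also contradictory and will mislead anyone auditing the key later. Since `enable_default_policy = true` already covers the account root, it would be safer to leave `key_statements` empty until the real principal is known, or at least replace the comment with `# TODO(<ticket>): replace with the ext-2024 egress principal` and rename the sid to match what it actually grants.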
@@ -161,6 +161,32 @@ module "bold_egress_bucket" { } } +#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket +#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket +module "ext_2024_egress_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-ext-2024-egress" + + force_destroy = true + + versioning = { + enabled = true + } + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_bold_egress_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} + module "datasync_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions From 8ec96a9fdc04d01f9502949157fccbefc69d81cd Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:19:43 +0000 Subject: [PATCH 2/2] Periods to hyphens --- .../environment-configuration.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index ce55494e7ef..8fd4f32c37c 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
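Review bot: `ext_2024_egress_bucket` encrypts with `kms_master_key_id = module.s3_bold_egress_kms.key_arn`, the BOLD egress key, while the users added in environment-configuration.tf are given `module.s3_ext_2024_egress_kms.key_arn` as their `egress_bucket_kms_key`; objects written to this bucket would therefore be protected by a key the ext-2024 users were not set up for, and the newly created `s3_ext_2024_egress_kms` key would go unused. The line should read `kms_master_key_id = module.s3_ext_2024_egress_kms.key_arn`. Separately, `force_destroy = true` on a versioned egress bucket lets a `terraform destroy` purge every object version; if that mirrors `bold_egress_bucket` it may be deliberate, but it is worth confirming for a bucket that receives external customer data.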
@@ -92,14 +92,14 @@ locals { egress_bucket = module.bold_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn } - "darren.brooke" = { + "darren-brooke" = { ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn } - "aaron.willetts" = { + "aaron-willetts" = { ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id