updating project automation + config

.config/.tfsec/launch_configuration_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS002",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/launch_template_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS001",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_template"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/no_launch_config_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS003",
+      "description": "Use `aws_launch_template` over `aws_launch_configuration",
+      "impact": "Launch configurations are not capable of versions",
+      "resolution": "Convert resource type and attributes to `aws_launch_template`",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "image_id"
+        },
+
+      "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS005",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "egress"
+        },
+
+      "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS004",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "ingress"
+        },
+
+      "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.config/functional_tests/post-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of functional test
+## Use this to load any configurations after the functional test 
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"

.config/functional_tests/pre-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of functional test
+## use this to load any configuration before the functional test 
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"

.config/static_tests/post-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of static test
+## Use this to load any configurations after the static test 
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"

.config/static_tests/pre-entrypoint-helpers.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of static test
+## use this to load any configuration before the static test 
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"

.project_automation/functional_tests/Dockerfile

@@ -1,12 +1,5 @@
 FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
-ENV TERRAFORM_VERSION=1.4.2
-ENV GO_VERSION=1.20.2
+ENV TERRAFORM_VERSION=1.7.4
 RUN cd /tmp && \
     wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
-    unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && chmod 755 /usr/local/bin/terraform
-
-RUN curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
-
-RUN cd /tmp && \
-    wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
-    tar -C /usr/local/bin -xzf go${GO_VERSION}.linux-amd64.tar.gz && chmod 755 /usr/local/bin/go
+    unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && chmod 755 /usr/local/bin/terraform

.project_automation/functional_tests/entrypoint.sh

@@ -1,21 +1,50 @@
-#!/bin/bash -e
+#!/bin/bash
+
+## WARNING: DO NOT modify the content of entrypoint.sh
+# Use ./config/functional_tests/pre-entrypoint-helpers.sh or ./config/functional_tests/post-entrypoint-helpers.sh 
+# to load any customizations or additional configurations
 
 ## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
-echo "Starting Functional Tests"
+#********** helper functions *************
+pre_entrypoint() {
+    if [ -f ${PROJECT_PATH}/.config/functional_tests/pre-entrypoint-helpers.sh ]; then
+        echo "Pre-entrypoint helper found"
+        source ${PROJECT_PATH}/.config/functional_tests/pre-entrypoint-helpers.sh
+        echo "Pre-entrypoint helper loaded"
+    else
+        echo "Pre-entrypoint helper not found - skipped"
+    fi
+}
+post_entrypoint() {
+    if [ -f ${PROJECT_PATH}/.config/functional_tests/post-entrypoint-helpers.sh ]; then
+        echo "Post-entrypoint helper found"
+        source ${PROJECT_PATH}/.config/functional_tests/post-entrypoint-helpers.sh        
+        echo "Post-entrypoint helper loaded"
+    else
+        echo "Post-entrypoint helper not found - skipped"
+    fi
+}
+
+#********** Pre-entrypoint helper *************
+pre_entrypoint
 
-cd ${PROJECT_PATH}
+#********** Functional Test *************
+/bin/bash ${PROJECT_PATH}/.project_automation/functional_tests/functional_tests.sh
+if [ $? -eq 0 ]
+then
+    echo "Functional test completed"
+    EXIT_CODE=0
+else
+    echo "Functional test failed"
+    EXIT_CODE=1
+fi
 
-#********** Terratest execution **********
-echo "Running Terratest"
-cd test
-rm -f go.mod
-go mod init github.com/aws-ia/terraform-project-ephemeral
-go mod tidy
-go install github.com/gruntwork-io/terratest/modules/terraform
-go test -timeout 45m
+#********** Post-entrypoint helper *************
+post_entrypoint
 
-echo "End of Functional Tests"
+#********** Exit Code *************
+exit $EXIT_CODE

.project_automation/functional_tests/functional_tests.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+echo "Starting Functional Tests"
+cd ${PROJECT_PATH}
+
+#********** Terraform Test **********
+
+# Look up the mandatory test file
+MANDATORY_TEST_PATH="./tests/01_mandatory.tftest.hcl"
+if test -f ${MANDATORY_TEST_PATH}; then
+    echo "File ${MANDATORY_TEST_PATH} is found, resuming test"
+    # Run Terraform test
+    terraform init
+    terraform test
+else
+    echo "File ${MANDATORY_TEST_PATH} not found. You must include at least one test run in file ${MANDATORY_TEST_PATH}"
+    (exit 1)
+fi 
+
+if [ $? -eq 0 ]; then
+    echo "Terraform Test Successfull"
+else
+    echo "Terraform Test Failed"
+    exit 1
+fi
+
+echo "End of Functional Tests"