From 4aa31fd474cd199a942a0c48331a7333fff7cb31 Mon Sep 17 00:00:00 2001
From: Alexa Perlov
Date: Sun, 10 Nov 2024 22:40:25 -0500
Subject: [PATCH] updating project automation + config
---
 .../launch_configuration_imdsv2_tfchecks.json | 39 ++++++++++++++
 .../launch_template_imdsv2_tfchecks.json | 39 ++++++++++++++
 .config/.tfsec/no_launch_config_tfchecks.json | 27 ++++++++++
 .../sg_no_embedded_egress_rules_tfchecks.json | 27 ++++++++++
 ...sg_no_embedded_ingress_rules_tfchecks.json | 27 ++++++++++
 .../post-entrypoint-helpers.sh | 6 +++
 .../pre-entrypoint-helpers.sh | 6 +++
 .../static_tests/post-entrypoint-helpers.sh | 6 +++
 .../static_tests/pre-entrypoint-helpers.sh | 6 +++
 .../functional_tests/Dockerfile | 11 +---
 .../functional_tests/entrypoint.sh | 53 ++++++++++++++-----
 .../functional_tests/functional_tests.sh | 32 +++++++++++
 12 files changed, 258 insertions(+), 21 deletions(-)
 create mode 100644 .config/.tfsec/launch_configuration_imdsv2_tfchecks.json
 create mode 100644 .config/.tfsec/launch_template_imdsv2_tfchecks.json
 create mode 100644 .config/.tfsec/no_launch_config_tfchecks.json
 create mode 100644 .config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
 create mode 100644 .config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
 create mode 100644 .config/functional_tests/post-entrypoint-helpers.sh
 create mode 100644 .config/functional_tests/pre-entrypoint-helpers.sh
 create mode 100644 .config/static_tests/post-entrypoint-helpers.sh
 create mode 100644 .config/static_tests/pre-entrypoint-helpers.sh
 create mode 100644 .project_automation/functional_tests/functional_tests.sh
diff --git a/.config/.tfsec/launch_configuration_imdsv2_tfchecks.json b/.config/.tfsec/launch_configuration_imdsv2_tfchecks.json
new file mode 100644
index 0000000..308ef01
--- /dev/null
+++ b/.config/.tfsec/launch_configuration_imdsv2_tfchecks.json
@@ -0,0 +1,39 @@
+{
+ "checks": [
+ {
+ "code": "CUS002",
+ "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+ "impact": "Instance metadata service can be interacted with freely",
+ "resolution": "Enable HTTP token requirement for IMDS",
+ "requiredTypes": [
+ "resource"
+ ],
+ "requiredLabels": [
+ "aws_launch_configuration"
+ ],
+ "severity": "CRITICAL",
+ "matchSpec": {
+ "action": "isPresent",
+ "name": "metadata_options",
+ "subMatch": {
+ "action": "and",
+ "predicateMatchSpec": [
+ {
+ "action": "equals",
+ "name": "http_tokens",
+ "value": "required"
+
+ }
+ ]
+ }
+ },
+
+ "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+ "relatedLinks": [
+ "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
+ "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+ ]
+ }
+ ]
+}
diff --git a/.config/.tfsec/launch_template_imdsv2_tfchecks.json b/.config/.tfsec/launch_template_imdsv2_tfchecks.json
new file mode 100644
index 0000000..e1f1aa7
--- /dev/null
+++ b/.config/.tfsec/launch_template_imdsv2_tfchecks.json
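Review bot: The `description` of check CUS002 says "created by this Launch Template" while its `requiredLabels` targets `aws_launch_configuration`, so every finding will name the wrong resource type; change it to `"description": "Check that IMDSv2 is required on EC2 instances created by this Launch Configuration",`. The same "Check to IMDSv2" wording in the CUS001 file in the next hunk should read "Check that IMDSv2 is required". The stray empty lines after `"value": "required"` and after the closing `},` of `matchSpec` are valid JSON but look like leftover scaffolding and can be removed.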
@@ -0,0 +1,39 @@
+{
+ "checks": [
+ {
+ "code": "CUS001",
+ "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+ "impact": "Instance metadata service can be interacted with freely",
+ "resolution": "Enable HTTP token requirement for IMDS",
+ "requiredTypes": [
+ "resource"
+ ],
+ "requiredLabels": [
+ "aws_launch_template"
+ ],
+ "severity": "CRITICAL",
+ "matchSpec": {
+ "action": "isPresent",
+ "name": "metadata_options",
+ "subMatch": {
+ "action": "and",
+ "predicateMatchSpec": [
+ {
+ "action": "equals",
+ "name": "http_tokens",
+ "value": "required"
+
+ }
+ ]
+ }
+ },
+
+ "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+ "relatedLinks": [
+ "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
+ "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+ ]
+ }
+ ]
+}
diff --git a/.config/.tfsec/no_launch_config_tfchecks.json b/.config/.tfsec/no_launch_config_tfchecks.json
new file mode 100644
index 0000000..89b6328
--- /dev/null
+++ b/.config/.tfsec/no_launch_config_tfchecks.json
@@ -0,0 +1,27 @@
+{
+ "checks": [
+ {
+ "code": "CUS003",
+ "description": "Use `aws_launch_template` over `aws_launch_configuration",
+ "impact": "Launch configurations are not capable of versions",
+ "resolution": "Convert resource type and attributes to `aws_launch_template`",
+ "requiredTypes": [
+ "resource"
+ ],
+ "requiredLabels": [
+ "aws_launch_configuration"
+ ],
+ "severity": "MEDIUM",
+ "matchSpec": {
+ "action": "notPresent",
+ "name": "image_id"
+ },
+
+ "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
+ "relatedLinks": [
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
+ "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+ ]
+ }
+ ]
+}
diff --git a/.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json b/.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
new file mode 100644
index 0000000..ce43e66
--- /dev/null
+++ b/.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json
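Review bot: The CUS003 `description` string has an unclosed backtick after `aws_launch_configuration`, so the second resource name renders as broken inline code in tfsec output; add the closing backtick so both names are formatted alike. "Launch configurations are not capable of versions" in `impact` reads awkwardly and would be clearer as "Launch configurations cannot be versioned". The second `relatedLinks` entry is the IMDS/SSRF blog post carried over from the IMDSv2 checks; it does not concern launch templates versus launch configurations, so pointing users at it here is likely to confuse remediation and can be dropped.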
@@ -0,0 +1,27 @@
+{
+ "checks": [
+ {
+ "code": "CUS005",
+ "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+ "impact": "Embedded security group rules can cause issues during configuration updates.",
+ "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+ "requiredTypes": [
+ "resource"
+ ],
+ "requiredLabels": [
+ "aws_security_group"
+ ],
+ "severity": "MEDIUM",
+ "matchSpec": {
+ "action": "notPresent",
+ "name": "egress"
+ },
+
+ "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+ "relatedLinks": [
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+ ]
+ }
+ ]
+}
diff --git a/.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json b/.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
new file mode 100644
index 0000000..333ebc5
--- /dev/null
+++ b/.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json
@@ -0,0 +1,27 @@
+{
+ "checks": [
+ {
+ "code": "CUS004",
+ "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+ "impact": "Embedded security group rules can cause issues during configuration updates.",
+ "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+ "requiredTypes": [
+ "resource"
+ ],
+ "requiredLabels": [
+ "aws_security_group"
+ ],
+ "severity": "MEDIUM",
+ "matchSpec": {
+ "action": "notPresent",
+ "name": "ingress"
+ },
+
+ "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+ "relatedLinks": [
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+ "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+ ]
+ }
+ ]
+}
diff --git a/.config/functional_tests/post-entrypoint-helpers.sh b/.config/functional_tests/post-entrypoint-helpers.sh
new file mode 100644
index 0000000..9ed42cd
--- /dev/null
+++ b/.config/functional_tests/post-entrypoint-helpers.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of functional test
+## Use this to load any configurations after the functional test
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"
\ No newline at end of file
diff --git a/.config/functional_tests/pre-entrypoint-helpers.sh b/.config/functional_tests/pre-entrypoint-helpers.sh
new file mode 100644
index 0000000..a1bc78c
--- /dev/null
+++ b/.config/functional_tests/pre-entrypoint-helpers.sh
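Review bot: The `## TIPS` comment in the new post-entrypoint helper points at `.project_automation/functional_test/entrypoint.sh`, but the entrypoint this commit touches is `.project_automation/functional_tests/entrypoint.sh` (plural), so the pointer is wrong; the pre-entrypoint helper in the next hunk has the same typo, and the two static-test helpers use `static_test`, which I cannot confirm from this diff but likely needs the same correction. Since `entrypoint.sh` loads these files with `source`, the `#!/bin/bash` line is inert and any `exit` in a helper ends the entrypoint itself; a header line such as `## this file is sourced by entrypoint.sh - use 'return', not 'exit', to stop early` would spare helper authors that surprise. The file has no trailing newline, which `\ No newline at end of file` records for all four helpers.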
@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of functional test
+## use this to load any configuration before the functional test
+## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"
\ No newline at end of file
diff --git a/.config/static_tests/post-entrypoint-helpers.sh b/.config/static_tests/post-entrypoint-helpers.sh
new file mode 100644
index 0000000..25fbae1
--- /dev/null
+++ b/.config/static_tests/post-entrypoint-helpers.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the end of static test
+## Use this to load any configurations after the static test
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Post-Entrypoint Helpers"
\ No newline at end of file
diff --git a/.config/static_tests/pre-entrypoint-helpers.sh b/.config/static_tests/pre-entrypoint-helpers.sh
new file mode 100644
index 0000000..d24d7a6
--- /dev/null
+++ b/.config/static_tests/pre-entrypoint-helpers.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+## NOTE: this script runs at the start of static test
+## use this to load any configuration before the static test
+## TIPS: avoid modifying the .project_automation/static_test/entrypoint.sh
+## migrate any customization you did on entrypoint.sh to this helper script
+echo "Executing Pre-Entrypoint Helpers"
\ No newline at end of file
diff --git a/.project_automation/functional_tests/Dockerfile b/.project_automation/functional_tests/Dockerfile
index ab852a2..f3d5a48 100644
--- a/.project_automation/functional_tests/Dockerfile
+++ b/.project_automation/functional_tests/Dockerfile
@@ -1,12 +1,5 @@
 FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
-ENV TERRAFORM_VERSION=1.4.2
-ENV GO_VERSION=1.20.2
+ENV TERRAFORM_VERSION=1.7.4
 RUN cd /tmp && \
 wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
- unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && chmod 755 /usr/local/bin/terraform
-
-RUN curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
-
-RUN cd /tmp && \
- wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
- tar -C /usr/local/bin -xzf go${GO_VERSION}.linux-amd64.tar.gz && chmod 755 /usr/local/bin/go
+ unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin && chmod 755 /usr/local/bin/terraform
\ No newline at end of file
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
index 7a27670..f6de09f 100755
--- a/.project_automation/functional_tests/entrypoint.sh
+++ b/.project_automation/functional_tests/entrypoint.sh
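Review bot: The Terraform zip fetched by the context `wget` line is still unzipped into `/usr/local/bin` on the re-added `+ unzip` line without any integrity check, so the test image trusts whatever the download returns; removing the `curl ... | bash` tfsec install is a welcome reduction of that surface, and the remaining download deserves the same care. HashiCorp publishes a `terraform_${TERRAFORM_VERSION}_SHA256SUMS` file next to each release, so the chain can verify before unzipping: `wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS && \` followed by `grep linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c - && \`. The downloaded zip and checksum file are also left in `/tmp` inside the image layer; an `rm -f` at the end of the `RUN` keeps the layer clean.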
@@ -1,21 +1,50 @@
-#!/bin/bash -e
+#!/bin/bash
+
+## WARNING: DO NOT modify the content of entrypoint.sh
+# Use ./config/functional_tests/pre-entrypoint-helpers.sh or ./config/functional_tests/post-entrypoint-helpers.sh
+# to load any customizations or additional configurations
 
 ## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
-echo "Starting Functional Tests"
+#********** helper functions *************
+pre_entrypoint() {
+ if [ -f ${PROJECT_PATH}/.config/functional_tests/pre-entrypoint-helpers.sh ]; then
+ echo "Pre-entrypoint helper found"
+ source ${PROJECT_PATH}/.config/functional_tests/pre-entrypoint-helpers.sh
+ echo "Pre-entrypoint helper loaded"
+ else
+ echo "Pre-entrypoint helper not found - skipped"
+ fi
+}
+post_entrypoint() {
+ if [ -f ${PROJECT_PATH}/.config/functional_tests/post-entrypoint-helpers.sh ]; then
+ echo "Post-entrypoint helper found"
+ source ${PROJECT_PATH}/.config/functional_tests/post-entrypoint-helpers.sh
+ echo "Post-entrypoint helper loaded"
+ else
+ echo "Post-entrypoint helper not found - skipped"
+ fi
+}
+
+#********** Pre-entrypoint helper *************
+pre_entrypoint
 
-cd ${PROJECT_PATH}
+#********** Functional Test *************
+/bin/bash ${PROJECT_PATH}/.project_automation/functional_tests/functional_tests.sh
+if [ $? -eq 0 ]
+then
+ echo "Functional test completed"
+ EXIT_CODE=0
+else
+ echo "Functional test failed"
+ EXIT_CODE=1
+fi
 
-#********** Terratest execution **********
-echo "Running Terratest"
-cd test
-rm -f go.mod
-go mod init github.com/aws-ia/terraform-project-ephemeral
-go mod tidy
-go install github.com/gruntwork-io/terratest/modules/terraform
-go test -timeout 45m
+#********** Post-entrypoint helper *************
+post_entrypoint
 
-echo "End of Functional Tests"
\ No newline at end of file
+#********** Exit Code *************
+exit $EXIT_CODE
\ No newline at end of file
diff --git a/.project_automation/functional_tests/functional_tests.sh b/.project_automation/functional_tests/functional_tests.sh
new file mode 100644
index 0000000..f18c8ac
--- /dev/null
+++ b/.project_automation/functional_tests/functional_tests.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+echo "Starting Functional Tests"
+cd ${PROJECT_PATH}
+
+#********** Terraform Test **********
+
+# Look up the mandatory test file
+MANDATORY_TEST_PATH="./tests/01_mandatory.tftest.hcl"
+if test -f ${MANDATORY_TEST_PATH}; then
+ echo "File ${MANDATORY_TEST_PATH} is found, resuming test"
+ # Run Terraform test
+ terraform init
+ terraform test
+else
+ echo "File ${MANDATORY_TEST_PATH} not found. You must include at least one test run in file ${MANDATORY_TEST_PATH}"
+ (exit 1)
+fi
+
+if [ $? -eq 0 ]; then
+ echo "Terraform Test Successfull"
+else
+ echo "Terraform Test Failed"
+ exit 1
+fi
+
+echo "End of Functional Tests"
\ No newline at end of file
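Review bot: Every new `${PROJECT_PATH}` expansion in `pre_entrypoint`, `post_entrypoint` and the `/bin/bash ${PROJECT_PATH}/.project_automation/functional_tests/functional_tests.sh` line is unquoted, so a `BASE_PATH` containing whitespace breaks both the `[ -f ... ]` tests and the `source` calls; quote them, e.g. `source "${PROJECT_PATH}/.config/functional_tests/pre-entrypoint-helpers.sh"`. The new `## WARNING` header refers to `./config/functional_tests/...` while the code looks under `.config/`, so the comment should say `./.config/functional_tests/pre-entrypoint-helpers.sh`. Because the helpers are sourced, an `exit` or `set -e` inside a project-supplied helper ends this script before `EXIT_CODE` is set and the post-helper runs; that is worth one line in the same header so helper authors use `return`. The separate `$?` capture can be folded into the test as `if /bin/bash "${PROJECT_PATH}/.project_automation/functional_tests/functional_tests.sh"; then`. The hunk covers the whole file, so both helper functions are complete here.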
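Review bot: In the new `functional_tests.sh` the `cd ${PROJECT_PATH}` status is never checked and `terraform init` is not chained to `terraform test`, so without `set -e` a failed `cd` or a failed `init` still lets `terraform test` run (possibly in the wrong directory) and its exit status alone decides the verdict; use `cd "${PROJECT_PATH}" || exit 1` and `terraform init -input=false && terraform test`. The `$?` read after `fi` is the status of the last command executed in whichever branch ran, which happens to work here but is fragile; assigning the status to a variable right after `terraform test` (and setting it to 1 in the `else` branch instead of `(exit 1)`) makes the intent explicit. `${MANDATORY_TEST_PATH}` in the `test -f` line should be quoted for consistency, and "Successfull" in the success message is misspelled. `PROJECT_TYPE_PATH` is assigned but not used anywhere in this script.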