Merge pull request #1436 from guardian/cross-spawn-cd-vuln-fix

CDK cross-span vuln fix (WIP)
guardian · Jan 8, 2025 · bba7454 · bba7454
2 parents a086e8a + b35e4cb
commit bba7454
Show file tree

Hide file tree

Showing 4 changed files with 258 additions and 205 deletions.
diff --git a/cdk/lib/__snapshots__/manage-frontend.test.ts.snap b/cdk/lib/__snapshots__/manage-frontend.test.ts.snap
@@ -21,6 +21,7 @@ Object {
       "GuEc2App",
       "GuCertificate",
       "GuInstanceRole",
+      "GuSsmSshPolicy",
       "GuDescribeEC2Policy",
       "GuLoggingStreamNameParameter",
       "GuLogShippingPolicy",
@@ -134,6 +135,11 @@ Object {
           },
         },
         "MaxSize": "6",
+        "MetricsCollection": Array [
+          Object {
+            "Granularity": "1Minute",
+          },
+        ],
         "MinSize": "3",
         "Tags": Array [
           Object {
@@ -1805,20 +1811,6 @@ Object {
           ],
           "Version": "2012-10-17",
         },
-        "ManagedPolicyArns": Array [
-          Object {
-            "Fn::Join": Array [
-              "",
-              Array [
-                "arn:",
-                Object {
-                  "Ref": "AWS::Partition",
-                },
-                ":iam::aws:policy/AmazonSSMManagedInstanceCore",
-              ],
-            ],
-          },
-        ],
         "Path": "/",
         "Tags": Array [
           Object {
@@ -1921,6 +1913,7 @@ Object {
         },
         "Port": 443,
         "Protocol": "HTTPS",
+        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
       },
       "Type": "AWS::ElasticLoadBalancingV2::Listener",
     },
@@ -1931,6 +1924,14 @@ Object {
             "Key": "deletion_protection.enabled",
             "Value": "true",
           },
+          Object {
+            "Key": "routing.http.x_amzn_tls_version_and_cipher_suite.enabled",
+            "Value": "true",
+          },
+          Object {
+            "Key": "routing.http.drop_invalid_header_fields.enabled",
+            "Value": "true",
+          },
         ],
         "Scheme": "internet-facing",
         "SecurityGroups": Array [
@@ -2231,6 +2232,42 @@ Object {
       },
       "Type": "AWS::IAM::Policy",
     },
+    "SsmSshPolicy4CFC977E": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "ec2messages:AcknowledgeMessage",
+                "ec2messages:DeleteMessage",
+                "ec2messages:FailMessage",
+                "ec2messages:GetEndpoint",
+                "ec2messages:GetMessages",
+                "ec2messages:SendReply",
+                "ssm:UpdateInstanceInformation",
+                "ssm:ListInstanceAssociations",
+                "ssm:DescribeInstanceProperties",
+                "ssm:DescribeDocumentParameters",
+                "ssmmessages:CreateControlChannel",
+                "ssmmessages:CreateDataChannel",
+                "ssmmessages:OpenControlChannel",
+                "ssmmessages:OpenDataChannel",
+              ],
+              "Effect": "Allow",
+              "Resource": "*",
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "ssm-ssh-policy",
+        "Roles": Array [
+          Object {
+            "Ref": "InstanceRoleManagefrontendC8EBF20D",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "TargetGroupManagefrontend7AE2B787": Object {
       "Properties": Object {
         "HealthCheckIntervalSeconds": 10,
@@ -2345,6 +2382,9 @@ Object {
       "Type": "AWS::EC2::SecurityGroupIngress",
     },
     "supportPRODmanagefrontend8911518E": Object {
+      "DependsOn": Array [
+        "InstanceRoleManagefrontendC8EBF20D",
+      ],
       "Properties": Object {
         "LaunchTemplateData": Object {
           "IamInstanceProfile": Object {
@@ -2359,6 +2399,9 @@ Object {
             "Ref": "AMIManagefrontend",
           },
           "InstanceType": "t4g.small",
+          "MetadataOptions": Object {
+            "InstanceMetadataTags": "enabled",
+          },
           "SecurityGroupIds": Array [
             Object {
               "Fn::GetAtt": Array [
@@ -2377,6 +2420,10 @@ Object {
             Object {
               "ResourceType": "instance",
               "Tags": Array [
+                Object {
+                  "Key": "App",
+                  "Value": "manage-frontend",
+                },
                 Object {
                   "Key": "gu:cdk:version",
                   "Value": "TEST",
@@ -2402,6 +2449,10 @@ Object {
             Object {
               "ResourceType": "volume",
               "Tags": Array [
+                Object {
+                  "Key": "App",
+                  "Value": "manage-frontend",
+                },
                 Object {
                   "Key": "gu:cdk:version",
                   "Value": "TEST",
@@ -2482,6 +2533,10 @@ systemctl start manage-frontend
           Object {
             "ResourceType": "launch-template",
             "Tags": Array [
+              Object {
+                "Key": "App",
+                "Value": "manage-frontend",
+              },
               Object {
                 "Key": "gu:cdk:version",
                 "Value": "TEST",

diff --git a/cdk/lib/manage-frontend.ts b/cdk/lib/manage-frontend.ts
@@ -13,7 +13,12 @@ import type { GuAsgCapacity } from '@guardian/cdk/lib/types';
 import type { App } from 'aws-cdk-lib';
 import { Duration } from 'aws-cdk-lib';
 import { CfnDashboard } from 'aws-cdk-lib/aws-cloudwatch';
-import { InstanceClass, InstanceSize, InstanceType } from 'aws-cdk-lib/aws-ec2';
+import {
+	InstanceClass,
+	InstanceSize,
+	InstanceType,
+	UserData,
+} from 'aws-cdk-lib/aws-ec2';
 import { Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { CfnRecordSet } from 'aws-cdk-lib/aws-route53';
@@ -45,9 +50,9 @@ export class ManageFrontend extends GuStack {
 			default: `/${this.stage}/${this.stack}/${app}/serverRavenDSN`,
 		});
 
-		// intentionally removed tabs from the following string for bash's sake!
-		const userData = `#!/bin/bash -ev
-# get runnable tar from S3
+		const userData = UserData.forLinux({ shebang: '#!/bin/bash -ev' });
+		userData.addCommands(
+			`# get runnable tar from S3
 aws --region ${this.region} s3 cp s3://membership-dist/${this.stack}/${this.stage}/${app}/manage-frontend.zip /tmp
 mkdir /etc/gu
 unzip /tmp/manage-frontend.zip -d /etc/gu/dist/
@@ -76,7 +81,8 @@ EOL
 # RUN
 systemctl enable manage-frontend
 systemctl start manage-frontend
-/opt/cloudwatch-logs/configure-logs application ${this.stack} ${this.stage} ${app} /var/log/manage-frontend.log`;
+/opt/cloudwatch-logs/configure-logs application ${this.stack} ${this.stage} ${app} /var/log/manage-frontend.log`,
+		);
 
 		const logGroup = new LogGroup(this, 'ManageFrontendLogGroup', {
 			logGroupName: `support-manage-frontend-${this.stage}`,

diff --git a/cdk/package.json b/cdk/package.json
@@ -12,18 +12,18 @@
     "deploy-code": "cdk deploy --path-metadata false --version-reporting false ManageFrontend-CODE"
   },
   "devDependencies": {
-    "@guardian/cdk": "50.10.6",
+    "@guardian/cdk": "61.1.0",
     "@guardian/eslint-config-typescript": "1.0.7",
     "@guardian/prettier": "1.0.0",
     "@types/jest": "^27.5.0",
     "@types/node": "18.7.14",
-    "aws-cdk": "2.87.0",
-    "aws-cdk-lib": "2.87.0",
-    "constructs": "10.2.69",
+    "aws-cdk": "2.172.0",
+    "aws-cdk-lib": "2.172.0",
+    "constructs": "10.4.2",
     "eslint": "^8.23.0",
     "jest": "^27.5.1",
     "prettier": "^2.7.1",
-    "source-map-support": "^0.5.20",
+    "source-map-support": "0.5.21",
     "ts-jest": "^27.1.4",
     "ts-node": "^10.9.1",
     "typescript": "~4.7.4"