Update security baseline components and add encrypted/custom AMI support

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: check-executables-have-shebangs
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-yaml
+      - id: check-json
+      - id: check-xml
+      - id: detect-aws-credentials
+      - id: detect-private-key
+      - id: trailing-whitespace
+
+  - repo: git://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.52.0
+    hooks:
+      - id:  terraform_docs
+        args: ['--args=--indent 3']
+      - id: terraform_fmt
+      - id: terraform_tflint
+      - id: checkov
+        args: ['--quiet']

.tflint.hcl

@@ -4,6 +4,13 @@ config {
   disabled_by_default = false
 }
 
+plugin "aws" {
+  enabled = true
+  deep_check = false
+  source = "github.com/terraform-linters/tflint-ruleset-aws"
+  version = "0.8.0"
+}
+
 rule "terraform_deprecated_index" {
   enabled = true
 }

examples/existing-image/README.md

@@ -2,7 +2,7 @@
 
 ## About This Example
 
-This example functions as a reference for how to use this module to install 
+This example functions as a reference for how to use this module to install
 Terraform Enterprise with a custom image (AMI) in AWS.
 
 ## Module Prerequisites

main.tf

@@ -1,25 +1,46 @@
 data "aws_region" "current" {}
 
+# Seach for ubuntu AMI based on supplied AMI parameters
 data "aws_ami" "ubuntu" {
   most_recent = true
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+    values = [var.ami_name_filter]
   }
 
   filter {
     name   = "virtualization-type"
     values = ["hvm"]
   }
 
-  owners = ["099720109477"] # Canonical
+  owners = [var.ami_owner]
+}
+
+# Find encryption status of located image
+locals {
+  block_device_mappings = {
+    for device in data.aws_ami.ubuntu.block_device_mappings : device.device_name => device
+  }
+}
+
+# If the user has selected to do a copy-down of the AMI to their local account, do so and use it as the default.
+# This prevents AMI lifecycle events (disappearing AMIs for instance) from affecting ASG
+resource "aws_ami_copy" "tfe_copy" {
+  count             = var.ami_copy ? 1 : 0
+  name              = "${var.friendly_name_prefix}-${data.aws_ami.ubuntu.name}-local-copy"
+  source_ami_id     = data.aws_ami.ubuntu.id
+  source_ami_region = data.aws_region.current.name
+  encrypted         = local.block_device_mappings["/dev/sda1"].ebs.encrypted
+  tags = {
+    Name = "${var.friendly_name_prefix}-${data.aws_ami.ubuntu.name}-local-copy"
+  }
 }
 
 resource "aws_kms_key" "tfe_key" {
   deletion_window_in_days = var.kms_key_deletion_window
   description             = "AWS KMS Customer-managed key to encrypt TFE and other resources"
-  enable_key_rotation     = false
+  enable_key_rotation     = true
   is_enabled              = true
   key_usage               = "ENCRYPT_DECRYPT"
 
@@ -37,7 +58,8 @@ resource "aws_kms_alias" "key_alias" {
 
 locals {
   active_active  = var.node_count >= 2
-  ami_id         = local.default_ami_id ? data.aws_ami.ubuntu.id : var.ami_id
+  ami_id_fixup   = coalesce(join("", aws_ami_copy.tfe_copy.*.id), data.aws_ami.ubuntu.id)
+  ami_id         = local.default_ami_id ? local.ami_id_fixup : var.ami_id
   default_ami_id = var.ami_id == ""
   fqdn           = "${var.tfe_subdomain}.${var.domain_name}"
 }
@@ -106,10 +128,12 @@ module "database" {
   db_backup_window             = var.db_backup_window
   engine_version               = var.postgres_engine_version
   friendly_name_prefix         = var.friendly_name_prefix
+  monitoring_interval          = var.db_monitoring_interval
   network_id                   = local.network_id
   network_private_subnet_cidrs = var.network_private_subnet_cidrs
   network_subnets_private      = local.network_private_subnets
   tfe_instance_sg              = module.vm.tfe_instance_sg
+  enabled_cloudwatch_logs      = var.db_enabled_cloudwatch_logs
 }
 
 module "user_data" {
@@ -152,6 +176,8 @@ module "load_balancer" {
   network_public_subnets         = local.network_public_subnets
   network_private_subnets        = local.network_private_subnets
   ssl_policy                     = var.ssl_policy
+  logging_bucket                 = var.logging_bucket
+  logging_prefix                 = var.logging_prefix
 }
 
 module "private_tcp_load_balancer" {
@@ -166,6 +192,8 @@ module "private_tcp_load_balancer" {
   network_id              = local.network_id
   network_private_subnets = local.network_private_subnets
   ssl_policy              = var.ssl_policy
+  logging_bucket          = var.logging_bucket
+  logging_prefix          = var.logging_prefix
 }
 
 module "vm" {
@@ -174,6 +202,7 @@ module "vm" {
   active_active                       = local.active_active
   aws_iam_instance_profile            = module.service_accounts.aws_iam_instance_profile
   ami_id                              = local.ami_id
+  ami_kms_key_arn                     = var.ami_kms_key_arn
   aws_lb                              = var.load_balancing_scheme == "PRIVATE_TCP" ? null : module.load_balancer[0].aws_lb_security_group
   aws_lb_target_group_tfe_tg_443_arn  = var.load_balancing_scheme == "PRIVATE_TCP" ? module.private_tcp_load_balancer[0].aws_lb_target_group_tfe_tg_443_arn : module.load_balancer[0].aws_lb_target_group_tfe_tg_443_arn
   aws_lb_target_group_tfe_tg_8800_arn = var.load_balancing_scheme == "PRIVATE_TCP" ? module.private_tcp_load_balancer[0].aws_lb_target_group_tfe_tg_8800_arn : module.load_balancer[0].aws_lb_target_group_tfe_tg_8800_arn

modules/application_load_balancer/main.tf

@@ -1,6 +1,7 @@
 resource "aws_security_group" "tfe_lb_allow" {
-  name   = "${var.friendly_name_prefix}-tfe-lb-allow"
-  vpc_id = var.network_id
+  name        = "${var.friendly_name_prefix}-tfe-lb-allow"
+  description = "Managed by Terraform"
+  vpc_id      = var.network_id
 }
 
 resource "aws_security_group_rule" "tfe_lb_allow_inbound_http" {
@@ -35,8 +36,9 @@ resource "aws_security_group_rule" "tfe_lb_allow_inbound_dashboard" {
 }
 
 resource "aws_security_group" "tfe_outbound_allow" {
-  name   = "${var.friendly_name_prefix}-tfe-outbound-allow"
-  vpc_id = var.network_id
+  name        = "${var.friendly_name_prefix}-tfe-outbound-allow"
+  description = "Managed by Terraform"
+  vpc_id      = var.network_id
 }
 
 resource "aws_security_group_rule" "tfe_outbound_allow_all" {
@@ -51,10 +53,21 @@ resource "aws_security_group_rule" "tfe_outbound_allow_all" {
 }
 
 resource "aws_lb" "tfe_lb" {
-  name               = "${var.friendly_name_prefix}-tfe-web-alb"
-  internal           = (var.load_balancing_scheme == "PRIVATE")
-  load_balancer_type = "application"
-  subnets            = var.load_balancing_scheme == "PRIVATE" ? var.network_private_subnets : var.network_public_subnets
+  #checkov:skip=CKV_AWS_150:We will expect that people might want to spin up/down infrastructure quickly. Skip checking for delete protection.
+  name                       = "${var.friendly_name_prefix}-tfe-web-alb"
+  internal                   = (var.load_balancing_scheme == "PRIVATE")
+  load_balancer_type         = "application"
+  subnets                    = var.load_balancing_scheme == "PRIVATE" ? var.network_private_subnets : var.network_public_subnets
+  drop_invalid_header_fields = true
+
+  dynamic "access_logs" {
+    for_each = var.logging_bucket != null ? [var.logging_bucket] : []
+    content {
+      bucket  = var.logging_bucket
+      prefix  = var.logging_prefix
+      enabled = true
+    }
+  }
 
   security_groups = [
     aws_security_group.tfe_lb_allow.id,

modules/application_load_balancer/variables.tf

@@ -30,6 +30,7 @@ variable "load_balancing_scheme" {
 }
 
 variable "ssl_policy" {
+  default     = "ELBSecurityPolicy-TLS-1-2-2017-01"
   description = "The name of the SSL policy to assign to the load balancer listeners."
   type        = string
 }
@@ -57,3 +58,15 @@ variable "friendly_name_prefix" {
   type        = string
   description = "(Required) Friendly name prefix used for tagging and naming AWS resources."
 }
+
+variable "logging_bucket" {
+  type        = string
+  description = "S3 bucket name for logging of resources to. Requires a bucket in the same region that TFE is in."
+  default     = null
+}
+
+variable "logging_prefix" {
+  type        = string
+  description = "Optional prefix to prepend to TFE resource logs in S3 bucket"
+  default     = null
+}

modules/database/main.tf

@@ -11,6 +11,7 @@ resource "aws_security_group" "postgresql" {
 
 resource "aws_security_group_rule" "postgresql_tfe_ingress" {
   security_group_id        = aws_security_group.postgresql.id
+  description              = "Inbound traffic to postgresql port from TFE"
   type                     = "ingress"
   from_port                = 5432
   to_port                  = 5432
@@ -20,6 +21,7 @@ resource "aws_security_group_rule" "postgresql_tfe_ingress" {
 
 resource "aws_security_group_rule" "postgresql_tfe_egress" {
   security_group_id        = aws_security_group.postgresql.id
+  description              = "Outbound ICMP traffic from RDS"
   type                     = "egress"
   from_port                = 0
   to_port                  = 0
@@ -29,6 +31,7 @@ resource "aws_security_group_rule" "postgresql_tfe_egress" {
 
 resource "aws_security_group_rule" "postgresql_ingress" {
   security_group_id = aws_security_group.postgresql.id
+  description       = "Inbound traffic to postgresql port from VPC"
   type              = "ingress"
   from_port         = 5432
   to_port           = 5432
@@ -38,6 +41,7 @@ resource "aws_security_group_rule" "postgresql_ingress" {
 
 resource "aws_security_group_rule" "postgresql_egress" {
   security_group_id = aws_security_group.postgresql.id
+  description       = "Outbound traffic from postgresql port to VPC"
   type              = "egress"
   from_port         = 5432
   to_port           = 5432
@@ -51,31 +55,35 @@ resource "aws_db_subnet_group" "tfe" {
 }
 
 resource "aws_db_instance" "postgresql" {
+  #checkov:skip=CKV_AWS_129:We allow enabling this, but it's not on by default so skip the check.
   allocated_storage = 20
   engine            = "postgres"
   instance_class    = var.db_size
   password          = random_string.postgresql_password.result
   # no special characters allowed
   username = "espdtfe"
 
-  allow_major_version_upgrade = false
-  apply_immediately           = true
-  auto_minor_version_upgrade  = true
-  backup_retention_period     = var.db_backup_retention
-  backup_window               = var.db_backup_window
-  db_subnet_group_name        = aws_db_subnet_group.tfe.name
-  delete_automated_backups    = true
-  deletion_protection         = false
-  engine_version              = var.engine_version
-  identifier_prefix           = "${var.friendly_name_prefix}-tfe"
-  max_allocated_storage       = 0
-  multi_az                    = true
+  iam_database_authentication_enabled = true
+  allow_major_version_upgrade         = false
+  apply_immediately                   = true
+  auto_minor_version_upgrade          = true
+  backup_retention_period             = var.db_backup_retention
+  backup_window                       = var.db_backup_window
+  db_subnet_group_name                = aws_db_subnet_group.tfe.name
+  delete_automated_backups            = true
+  deletion_protection                 = false
+  engine_version                      = var.engine_version
+  identifier_prefix                   = "${var.friendly_name_prefix}-tfe"
+  max_allocated_storage               = 0
+  multi_az                            = true
+  monitoring_interval                 = var.monitoring_interval
   # no special characters allowed
-  name                   = "espdtfe"
-  port                   = 5432
-  publicly_accessible    = false
-  skip_final_snapshot    = true
-  storage_encrypted      = true
-  storage_type           = "gp2"
-  vpc_security_group_ids = [aws_security_group.postgresql.id]
+  name                            = "espdtfe"
+  port                            = 5432
+  publicly_accessible             = false
+  skip_final_snapshot             = true
+  storage_encrypted               = true
+  storage_type                    = "gp2"
+  vpc_security_group_ids          = [aws_security_group.postgresql.id]
+  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs
 }

modules/database/variables.tf

@@ -28,6 +28,12 @@ variable "engine_version" {
   description = "PostgreSQL version."
 }
 
+variable "monitoring_interval" {
+  type        = number
+  description = "Interval in seconds for monitoring of the RDS database. Any value other than null will enable enhanced monitoring."
+  default     = null
+}
+
 variable "network_subnets_private" {
   description = <<-EOD
   A list of the identities of the private subnetworks in which the PostgreSQL RDS instance will be deployed.
@@ -52,3 +58,14 @@ variable "network_private_subnet_cidrs" {
   description = "(Optional) List of private subnet CIDR ranges to create in VPC."
   default     = ["10.0.32.0/20", "10.0.48.0/20"]
 }
+
+
+variable "enabled_cloudwatch_logs" {
+  type        = list(string)
+  description = "List of enabled cloudwatch log export types. From list here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports"
+  default     = null
+  validation {
+    condition     = var.enabled_cloudwatch_logs != null ? can(contains(["postgresql", "upgrade"], var.enabled_cloudwatch_logs)) : true
+    error_message = "Allowed cloudwatch log export types don't match allowed. Must be: postgresql, upgrade."
+  }
+}

modules/network_load_balancer/main.tf

@@ -1,8 +1,19 @@
 resource "aws_lb" "tfe_lb" {
-  name               = "${var.friendly_name_prefix}-tfe-nlb"
-  internal           = true
-  load_balancer_type = "network"
-  subnets            = var.network_private_subnets
+  #checkov:skip=CKV_AWS_150:Given we are automating this for the most part we can recover from a deleted load-balancer. Okay for now.
+  name                             = "${var.friendly_name_prefix}-tfe-nlb"
+  internal                         = true
+  load_balancer_type               = "network"
+  enable_cross_zone_load_balancing = true
+  subnets                          = var.network_private_subnets
+
+  dynamic "access_logs" {
+    for_each = var.logging_bucket != null ? [var.logging_bucket] : []
+    content {
+      bucket  = var.logging_bucket
+      prefix  = var.logging_prefix
+      enabled = true
+    }
+  }
 }
 
 resource "aws_lb_listener" "tfe_listener_443" {

modules/network_load_balancer/variables.tf

@@ -37,3 +37,15 @@ variable "friendly_name_prefix" {
   type        = string
   description = "(Required) Friendly name prefix used for tagging and naming AWS resources."
 }
+
+variable "logging_bucket" {
+  type        = string
+  description = "S3 bucket name for logging of resources to. Requires a bucket in the same region that TFE is in."
+  default     = null
+}
+
+variable "logging_prefix" {
+  type        = string
+  description = "Optional prefix to prepend to TFE resource logs in S3 bucket"
+  default     = null
+}

modules/object_storage/main.tf

@@ -1,4 +1,5 @@
 resource "aws_s3_bucket" "tfe_data_bucket" {
+  #checkov:skip=CKV_AWS_144:While cross-region might make sense someday, right now it doesn't for TFE
   bucket = "${var.friendly_name_prefix}-tfe-data"
   acl    = "private"
 
@@ -15,6 +16,14 @@ resource "aws_s3_bucket" "tfe_data_bucket" {
     }
   }
 
+  dynamic "logging" {
+    for_each = var.logging_bucket == null ? [] : [var.logging_bucket]
+    content {
+      target_bucket = logging.value
+      target_prefix = var.logging_prefix
+    }
+  }
+
   force_destroy = true
 }