Feature | Open Source repository #223

Closed
exequielrafaela opened this issue May 5, 2021 · 5 comments

exequielrafaela (Member) commented May 5, 2021

What?

  • ✅ Open Source Terraform AWS Ref Architecture repo

Why?

  • Collaboration: Open source projects can accept changes from anybody in the world.
  • Adoption and remixing: Open source projects can be used by anyone for nearly any purpose. People can even use it to build other things. WordPress, for example, started as a fork of an existing project called b2.
  • Transparency: Anyone can inspect an open source project for errors or inconsistencies. Transparency matters to governments like Bulgaria or the United States, regulated industries like banking or healthcare, and security software like Let’s Encrypt.

How?

Reference Articles

1. Use a credential manager to protect your access credentials.

  • ✅ DONE: Via LastPass + Hashicorp Vault

2. Configure two-factor authentication (2FA)

  • ✅ DONE: Activated both Github and AWS

3. Enforce signed commits

4. Protect the release branch:

  • ✅ DONE: master branch protection will be set up when making the repo public, since this feature is not currently available in our free plan.

5. Require pull request reviews and approvals.

  • ✅ DONE: PRs to master branch merge policies will be set up when making the repo public, since this feature is not currently available in our free plan.

6. Scan source code for sensitive data leaks.

7. Scrub leaked secrets from git history:

  • ✅ DONE: Sensitive data leaked into a public GitHub repository might be out of your control. Git and GitHub allow you to contain the damage by rewriting git history to remove the sensitive data. Needs to be addressed

8. No matter which stage you decide to open source your project, every project should include the following documentation:

  • ✅ Open source license
  • ✅ README (https://www.makeareadme.com/)
  • ⚠️ Contributing guidelines
    • A CONTRIBUTING file tells your audience how to participate in your project. For example, you might include information on:
      • How to file a bug report (try using issue and pull request templates)
      • How to suggest a new feature
      • How to set up your environment and run tests
    • In addition to technical details, a CONTRIBUTING file is an opportunity to communicate your expectations for contributions, such as:
      • The types of contributions you’re looking for
      • Your roadmap or vision for the project
      • How contributors should (or should not) get in touch with you
  • ⚠️ Code of conduct
    • Helps set ground rules for behavior for your project’s participants. This is especially valuable if you’re launching an open source project for a community or company. A code of conduct empowers you to facilitate healthy, constructive community behavior, which will reduce your stress as a maintainer.
    • Ref coc: https://github.com/kubernetes/community/blob/master/code-of-conduct.md
  • 📒 NOTE: As a maintainer, these components will help you communicate expectations, manage contributions, and protect everyone’s legal rights (including your own). They significantly increase your chances of having a positive experience.
    If your project is on GitHub, putting these files in your root directory with the recommended filenames will help GitHub recognize and automatically surface them to your readers.

9. README, try to answer the following questions:

  • What does this project do?
  • Why is this project useful?
  • How do I get started?
  • Where can I get more help, if I need it?
  • How to contribute?
  • Under which open source license the project is being developed?

10. Only use trusted GitHub Actions.

  • ✅ DONE: GitHub Actions are tremendously useful, but if you are not careful, you may end up running malicious or sloppy code in your build pipeline. Make sure you only run Actions you trust.

11. Protect the secrets used by GitHub Actions.

  • ✅ DONE: GitHub Actions that handle software releases and deployment often require credentials to work. Make sure these credentials are appropriately protected.

12. Review project vulnerabilities

13. Publish a security policy.

If your project is successful, there is a chance that someone will discover a security flaw in your code. Make it easy for them to report it and be very clear about what you will do with that report.

14. Collaborate on fixes for security vulnerabilities in private forks.

Working in the open means that it is impossible to hide things. And yet, sometimes you will want to work on some changes in the code in private, for example when fixing a security vulnerability. Working on a fix in the open might allow attackers to reverse engineer the bug and attack your users. GitHub provides a mechanism to easily create a private fork of your repo. Use this private fork to collaborate on a fix.

15. Publish maintainer advisories for security fixes.

Fixing a security vulnerability is no small feat and you should tell your users about it. You should do it in a way that will make it easy for them to learn about it and patch (see point 11 above). GitHub provides an easy way to publish a security advisory that will be incorporated into security scanning tools that your users depend on to keep their applications secure.

Summary Pre-launch Checklist

Documentation

  • ☑️ Project has a LICENSE file with an open source license
  • ☑️ Project has basic documentation (README, CONTRIBUTING, CODE_OF_CONDUCT)
  • ☑️ The name is easy to remember, gives some idea of what the project does, and does not conflict with an existing project or infringe on trademarks
  • ☑️ The issue queue is up-to-date, with issues clearly organized and labeled

Code

  • ☑️ Project uses consistent code conventions and clear function/method/variable names
  • ☑️ The code is clearly commented, documenting intentions and edge cases
  • ☑️ There are no sensitive materials in the revision history, issues, or pull requests (for example, passwords or other non-public information)

People

  • If you’re an individual:

    • ☑️ You've talked to the legal department and/or understand the IP and open source policies of your company (if you're an employee somewhere)
  • If you’re a company or organization:

    • ☑️ You've talked to your legal department
    • ☑️ You have a marketing plan for announcing and promoting the project
    • ☑️ Someone is committed to managing community interactions (responding to issues, reviewing and merging pull requests)
    • ☑️ At least two people have administrative access to the project
exequielrafaela (Member Author) commented Sep 6, 2021

⚠️ Must replace sensitive values with proper variables

Ref Architecture: Terraform AWS

~/B/r/L/ref-architecture/le-tf-infra-aws (branch feature/open-soruce-repo)
$ grep -R ":[0-9]\{12\}:" .

./apps-devstg/k8s-eks-demoapps/cluster/variables.tf:      rolearn  = "arn:aws:iam::523857393444:role/DeployMaster"
./apps-devstg/k8s-eks-demoapps/cluster/variables.tf:      rolearn  = "arn:aws:iam::523857393444:role/DevOps"
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/external-dns-public.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-external-dns-public
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/cluster_autoscaler.yaml:      eks.amazonaws.com/role-arn: arn:aws:iam::523857393444:role/demoapps-cluster-autoscaler
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/external-dns-private.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-external-dns-private
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/fluentd-elasticsearch-aws.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-aws-es-proxy
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/fluentd-elasticsearch-aws.yaml:    value: "arn:aws:iam::763606934258:role/demoapps-aws-es-proxy"
./apps-devstg/k8s-eks-demoapps/k8s-resources/chart-values/cert-manager.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-cert-manager
./apps-devstg/storage/s3_bucket_demo_files/bucket_policies.tf:      #--ssekms-key-id arn:aws:kms:us-east-1:111122223333:key/*
./apps-devstg/storage/s3_bucket_demo_files/README.md:--ssekms-key-id arn:aws:kms:us-east-1:523857393444:key/63c14fe9-c3e7-4d3d-9856-ce372cf961b7 \
./apps-devstg/storage/s3_bucket_demo_files/README.md:--ssekms-key-id arn:aws:kms:us-east-1:523857393444:key/63c14fe9-c3e7-4d3d-9856-ce372cf961b7 \
./apps-devstg/storage/s3_bucket_demo_files/README.md:    "SSEKMSKeyId": "arn:aws:kms:us-east-1:392609628445:key/df674901-9a54-471c-a03b-65ecab96544a"
./apps-devstg/storage/s3_bucket_demo_files/README.md:    "SSEKMSKeyId": "arn:aws:kms:us-east-1:523857393444:key/63c14fe9-c3e7-4d3d-9856-ce372cf961b7",
./apps-devstg/storage/s3_bucket_demo_files/README.md:    "SSEKMSKeyId": "arn:aws:kms:us-east-1:523857393444:key/63c14fe9-c3e7-4d3d-9856-ce372cf961b7",
./apps-devstg/k8s-kind/k8s-resources/chart-values/external-dns-public.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-external-dns-public
./apps-devstg/k8s-kind/k8s-resources/chart-values/external-dns-private.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-external-dns-private
./apps-devstg/k8s-kind/k8s-resources/chart-values/cert-manager.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-cert-manager
./apps-devstg/databases-aurora/rds-export-to-s3/main.tf:  notifications_topic_arn = "arn:aws:sns:us-east-1:523857393444:sns-topic-slack-notify-monitoring-sec"
./apps-devstg/k8s-eks/cluster/variables.tf:      rolearn  = "arn:aws:iam::523857393444:role/DeployMaster"
./apps-devstg/k8s-eks/k8s-resources/chart-values/external-dns-public.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/external-dns-public
./apps-devstg/k8s-eks/k8s-resources/chart-values/external-dns-private.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-external-dns-private
./apps-devstg/k8s-eks/k8s-resources/chart-values/cert-manager.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-cert-manager
./apps-prd/k8s-eks/cluster/variables.tf:      rolearn  = "arn:aws:iam::523857393444:role/DeployMaster"
./apps-prd/k8s-eks/k8s-resources/chart-values/external-dns-public.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/prd-external-dns-public
./apps-prd/k8s-eks/k8s-resources/chart-values/external-dns-private.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/prd-external-dns-private
./apps-prd/k8s-eks/k8s-resources/chart-values/cert-manager.yaml:    eks.amazonaws.com/role-arn: arn:aws:iam::763606934258:role/demoapps-cert-manager
./shared/k8s-eks-demoapps/identities/policies.tf:            "Resource": "arn:aws:es:us-east-1:763606934258:domain/es-aws-binbash/*"
./shared/tools-managedeskibana/main.tf:    custom_endpoint_certificate_arn = "arn:aws:acm:us-east-1:111111111111:certificate/abcd1234"
./shared/tools-managedeskibana/main.tf:          "arn:aws:iam::763606934258:role/demoapps-aws-es-proxy"

Ref Architecture: Ansible

~/B/r/L/ref-architecture/le-ansible-infra (branch feature/open-soruce-repo)
$ grep -R ":[0-9]\{12\}:" .
./prometheus/group_vars/grafana.yml:      assumeRoleArn: arn:aws:iam::802787198489:role/Grafana
./prometheus/group_vars/grafana.yml:      assumeRoleArn: arn:aws:iam::523857393444:role/Grafana
./prometheus/group_vars/grafana.yml:      assumeRoleArn: arn:aws:iam::822280187662:role/Grafana
./jenkins/templates/aws-config.j2:role_arn=arn:aws:iam::763606934258:role/DeployMaster
./jenkins/templates/aws-config.j2:role_arn=arn:aws:iam::523857393444:role/DeployMaster

@binbashar/leverage-ref-architecture-aws-dev @binbashar/leverage-ref-architecture-aws-admin

exequielrafaela (Member Author) commented
We'll also consider https://goteleport.com/blog/hack-via-pull-request/ before opening the repo.
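Items 10 and 11 of the checklist in the opening comment (run only trusted Actions, protect the secrets Actions use) and the pull-request attack surface this comment's Teleport link points at come down to the same question: what is a workflow allowed to run, and with whose credentials. The following is an added example, not the project's own tooling. It is a small linter for two concrete cases: a `uses:` reference that is not pinned to a full commit SHA (a tag such as `v2` can be moved by whoever controls the upstream repo, a SHA cannot), and a workflow that combines the `pull_request_target` trigger, which runs with the base repository's secrets, with a checkout of the pull request's head. The two workflow texts, the 40-hex SHAs and the sha256 digest are constructed placeholders, and the line-oriented parsing assumes the usual one-key-per-line workflow layout rather than a full YAML parser.

```python
"""Lint GitHub Actions workflows before the repo goes public (added example).

Check 1: every third-party action is pinned to a full commit SHA, not a tag or
branch that upstream can move. Check 2: a workflow on pull_request_target
(which runs with this repo's secrets) never checks out the PR head, which
would execute untrusted code with those secrets. Line-based, no YAML parser.
"""
import re
from typing import Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_REF_RE = re.compile(r"\bref:\s*.*pull_request\.head")


def classify_uses(ref: str) -> Optional[str]:
    """Return a problem description for a uses: reference, or None if acceptable."""
    ref = ref.strip("\"'")
    if ref.startswith("./"):
        return None  # local action: reviewed with the repo's own code
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else f"container action {ref} is not pinned by digest"
    action, _, version = ref.partition("@")
    if not version:
        return f"{action} has no version reference"
    if SHA_RE.match(version):
        return None
    return f"{action} uses mutable ref '{version}'; pin to a full commit SHA"


def check_workflow(name: str, text: str) -> list:
    """Return one 'file:line: problem' string per finding."""
    issues = []
    has_pr_target = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing YAML comments
        if PR_TARGET_RE.search(line):
            has_pr_target = True
        match = USES_RE.match(line)
        if match:
            problem = classify_uses(match.group(1))
            if problem:
                issues.append(f"{name}:{line_no}: {problem}")
        if has_pr_target and PR_HEAD_REF_RE.search(line):
            issues.append(f"{name}:{line_no}: pull_request_target workflow checks out "
                          "the PR head; untrusted code would run with this repo's secrets")
    return issues


def lint(workflows: dict) -> list:
    """Lint {filename: text} and return all findings in file order."""
    issues = []
    for name, text in workflows.items():
        issues.extend(check_workflow(name, text))
    return issues


# Constructed samples. The 40-hex SHAs and the sha256 digest are placeholders,
# not real release commits; the trailing comments record the tag a SHA was
# taken from, which is the usual convention when pinning.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: hashicorp/setup-terraform@0123456789abcdef0123456789abcdef01234567  # v1.3.2
      - uses: ./.github/actions/lint
      - uses: docker://ghcr.io/example/scanner:latest
      - run: terraform fmt -check
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v2.4.0
      - uses: hashicorp/setup-terraform@0123456789abcdef0123456789abcdef01234567  # v1.3.2
      - uses: ./.github/actions/lint
      - uses: docker://ghcr.io/example/scanner@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - run: terraform fmt -check
"""

if __name__ == "__main__":
    for issue in lint({"ci-weak.yml": WEAK_WORKFLOW, "ci-hardened.yml": HARDENED_WORKFLOW}):
        print(issue)
```

Run it as is to see the three findings on the weak sample and none on the hardened one, or feed `check_workflow` the contents of each file under `.github/workflows/`. The hardened sample switches the trigger to `pull_request`, which runs without the base repo's secrets, rather than keeping `pull_request_target` and hoping the checkout is safe. Exempting a publisher you trust from the SHA rule is a one-line allowlist in `classify_uses`; the page leaves the definition of "trusted" to the maintainers, so none is built in.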

exequielrafaela (Member Author) commented Oct 27, 2021

Latest regex to find AWS account IDs facilitated by @diego-ojeda-binbash

grep -rE "([0-9]{12}\.)+|([0-9]{12}:)+" --include="*.tf" --include="*.yaml" --exclude-dir=".terraform" .

And one more concern regarding sensitive data that must be moved to Vault HCP and consumed as secrets

CC: @binbashar/leverage-ref-architecture-aws-admin @binbashar/leverage-ref-architecture-aws-dev
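Checklist items 6 and 7 in the opening comment and the two grep runs above are one task: find every AWS account ID and credential before the tree becomes public. The following is an added example, not the project's own tooling. It carries the refined regex from this comment into a function with three things a practitioner wants on top of grep: the AWS documentation placeholder IDs that the first grep run reports as hits (111122223333, 111111111111) are skipped, access key IDs and private-key headers are matched too, and the same rules can be run over every blob in git history, where a value removed in a later commit still lives. The sample tree is constructed from paths and IDs in the grep output above plus AWS's documentation example key ID `AKIAIOSFODNN7EXAMPLE`; the include list (`.j2` and `.md` added to the comment's `*.tf`/`*.yaml`) and the placeholder set are assumptions to tune per repository.

```python
"""Pre-publication scan for AWS account IDs and credentials (added example).

The grep from the comments above as a function, plus what the raw grep lacks:
it skips the placeholder account IDs used in AWS documentation (111122223333
and 111111111111 appear as hits above), also flags access key IDs and private
keys, and can run the same rules over git history (checklist item 7).
"""
import re
import subprocess
import tempfile
from collections import namedtuple
from pathlib import Path

# --include set from the comment above plus the .j2 and .md files that held
# hits in the grep output (assumption: adjust to the repo).
INCLUDE_SUFFIXES = {".tf", ".tfvars", ".yaml", ".yml", ".j2", ".md"}
EXCLUDE_DIRS = {".terraform", ".git"}
PLACEHOLDER_ACCOUNTS = {"111122223333", "111111111111", "123456789012"}

RULES = {
    # 12 digits, non-digit on the left, '.' or ':' on the right: an ARN account
    # field or an account-prefixed hostname (ECR registry). 13 digits: no match.
    "aws_account_id": re.compile(r"(?<![0-9])([0-9]{12})(?=[.:])"),
    # Long-term (AKIA) and temporary (ASIA) access key IDs.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

Finding = namedtuple("Finding", "path line rule value")

def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line, dropping placeholder account IDs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if rule == "aws_account_id" and value in PLACEHOLDER_ACCOUNTS:
                    continue
                findings.append(Finding(path, line_no, rule, value))
    return findings

def scan_tree(root: Path) -> list:
    """Scan the working tree, skipping vendored module dirs such as .terraform."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or path.suffix not in INCLUDE_SUFFIXES:
            continue
        if EXCLUDE_DIRS & set(rel.parts):
            continue
        findings.extend(scan_text(str(rel), path.read_text(encoding="utf-8", errors="replace")))
    return findings

def scan_git_history(repo: Path) -> list:
    """Scan every blob reachable from any ref: a value deleted in a later commit
    is still in history. Needs a git binary; not run by the sample below."""
    git = ["git", "-C", str(repo)]
    objects = subprocess.run(git + ["rev-list", "--objects", "--all"],
                             check=True, capture_output=True, text=True).stdout
    findings = []
    for entry in objects.splitlines():
        sha, _, name = entry.partition(" ")
        if Path(name).suffix not in INCLUDE_SUFFIXES:
            continue
        blob = subprocess.run(git + ["cat-file", "-p", sha],
                              capture_output=True, text=True, errors="replace")
        if blob.returncode == 0:
            findings.extend(scan_text(f"{sha[:12]}:{name}", blob.stdout))
    return findings

# Constructed sample tree: two account IDs from the grep output above, one AWS
# documentation placeholder, AWS's documentation example access key ID, and a
# hit under .terraform/ that must be ignored.
SAMPLE_FILES = {
    "apps-devstg/k8s-eks/cluster/variables.tf":
        '      rolearn  = "arn:aws:iam::523857393444:role/DeployMaster"\n',
    "shared/tools-managedeskibana/main.tf":
        '  certificate_arn = "arn:aws:acm:us-east-1:111111111111:certificate/abcd1234"\n',
    "jenkins/templates/aws-config.j2":
        "role_arn=arn:aws:iam::763606934258:role/DeployMaster\n"
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n",
    ".terraform/modules/eks/main.tf": '  arn = "arn:aws:iam::999999999999:role/vendored"\n',
}

def demo() -> list:
    """Write the sample tree to a temp dir, scan it, print and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        findings = scan_tree(root)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} {f.value}")
    return findings

if __name__ == "__main__":
    demo()
```

Anything `scan_tree` reports is a value to move into a variable or into Vault, as the Sep 6 comment says. Anything `scan_git_history` reports that `scan_tree` does not is the item 7 case: only rewriting history removes it from the repo, and a credential that was ever pushed should still be rotated, since a force-push does not unleak it. The account-ID rule deliberately requires a `.` or `:` right after the 12 digits and a non-digit before them, so a 13-digit timestamp does not match but an ECR registry hostname does, which is what the `\.` alternative in this comment's regex is for.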

exequielrafaela (Member Author) commented
@exequielrafaela should review any pending activity in this issue and close it, while creating a new one for Ansible Open Source tasks.

exequielrafaela (Member Author) commented
Repo has successfully been made public.
