From c08a2596698219c4439846b51c44a18943121a67 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Tue, 24 Sep 2024 15:14:22 +0100
Subject: [PATCH 1/2] remove unused firehose module
---
 terraform/modules/firehose/README.md | 61 -----
 terraform/modules/firehose/main.tf | 310 ------------------------
 terraform/modules/firehose/variables.tf | 30 ---
 terraform/modules/firehose/versions.tf | 13 -
 4 files changed, 414 deletions(-)
 delete mode 100644 terraform/modules/firehose/README.md
 delete mode 100644 terraform/modules/firehose/main.tf
 delete mode 100644 terraform/modules/firehose/variables.tf
 delete mode 100644 terraform/modules/firehose/versions.tf
diff --git a/terraform/modules/firehose/README.md b/terraform/modules/firehose/README.md
deleted file mode 100644
index 1f0aa486f..000000000
--- a/terraform/modules/firehose/README.md
+++ /dev/null
@@ -1,61 +0,0 @@ -# Firehose - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [aws](#requirement\_aws) | ~> 5.0 | -| [random](#requirement\_random) | ~> 3.4 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 5.0 | -| [random](#provider\_random) | ~> 3.4 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_cloudwatch_log_group.delivery_errors_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_stream.delivery_errors_log_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream) | resource | -| [aws_cloudwatch_log_subscription_filter.subscription_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource | -| [aws_iam_policy.error_log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.put_record_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.delivery_stream_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.put_record_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.delivery_stream_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy_attachment.error_log_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_iam_role_policy_attachment.put_record_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.s3_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_kinesis_firehose_delivery_stream.delivery_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | -| [aws_s3_bucket.firehose_error_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.bucket_lifecycle_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_public_access_block.bucket_block_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_s3_bucket_versioning.bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | -| [random_string.firehose_rnd](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [common\_attribute](#input\_common\_attribute) | The value of the common\_attributes property which should be the name of the aws account or the account name & live / non-live | `string` | n/a | yes | -| [log\_group\_name](#input\_log\_group\_name) | The name of the log group that the subscription will be added to | 
`string` | n/a | yes | -| [resource\_prefix](#input\_resource\_prefix) | The prefix to be used for the resource names - used for easy identification | `string` | n/a | yes | -| [tags](#input\_tags) | A map of keys and values used to create resource metadata tags | `map(any)` | n/a | yes | -| [xsiam\_endpoint](#input\_xsiam\_endpoint) | The http endpoint URL for the transfer of log data via firehose | `string` | n/a | yes | -| [xsiam\_secret](#input\_xsiam\_secret) | The secret for the xsiam http endpoint | `string` | n/a | yes | - -## Outputs - -No outputs. - diff --git a/terraform/modules/firehose/main.tf b/terraform/modules/firehose/main.tf deleted file mode 100644 index 5f0ba1c3a..000000000 --- a/terraform/modules/firehose/main.tf +++ /dev/null 
@@ -1,310 +0,0 @@ - - - -# Firehose Resources for the sharing of network firewall inspection log data - -resource "random_string" "firehose_rnd" { - length = 8 - special = false - upper = false -} - - -resource "aws_kinesis_firehose_delivery_stream" "delivery_stream" { - #checkov:skip=CKV_AWS_241: We are using the default key for encryption. - name = format("%s-%s-%s", var.resource_prefix, "delivery-stream", random_string.firehose_rnd.result) - destination = "http_endpoint" - tags = merge( - var.tags, - { - Name = format("%s-%s-%s", var.resource_prefix, "delivery-stream", random_string.firehose_rnd.result) - } - ) - - server_side_encryption { - enabled = true - } - - http_endpoint_configuration { - url = var.xsiam_endpoint - name = format("%s-%s-%s", var.resource_prefix, "delivery-stream-endpoint-", random_string.firehose_rnd.result) - access_key = var.xsiam_secret - buffering_size = 5 - buffering_interval = 300 - role_arn = aws_iam_role.delivery_stream_role.arn - s3_backup_mode = "FailedDataOnly" - - cloudwatch_logging_options { - enabled = true - log_group_name = aws_cloudwatch_log_group.delivery_errors_log_group.name - log_stream_name = aws_cloudwatch_log_stream.delivery_errors_log_stream.name - } - - s3_configuration { - role_arn = aws_iam_role.delivery_stream_role.arn - bucket_arn = aws_s3_bucket.firehose_error_logging_bucket.arn - buffering_size = 10 - buffering_interval = 400 - compression_format = "GZIP" - } - - request_configuration { - content_encoding = "GZIP" - - common_attributes { - name = "Firewall Name & Log Type" - value = var.common_attribute - } - } - - } -} - -# Cloudwatch Log Subscription Filters -# This acts as the interface between the flow log data in cloudwatch & the Firehose Stream. 
- -resource "aws_cloudwatch_log_subscription_filter" "subscription_filter" { - name = format("%s-%s-%s", var.resource_prefix, "subscription_filter", random_string.firehose_rnd.result) - role_arn = aws_iam_role.put_record_role.arn - log_group_name = var.log_group_name - filter_pattern = "" - destination_arn = aws_kinesis_firehose_delivery_stream.delivery_stream.arn -} - -resource "aws_cloudwatch_log_group" "delivery_errors_log_group" { - #checkov:skip=CKV_AWS_158:"Temporarily skip KMS encryption check while logging solution is being updated" - name = format("%s-%s-%s", var.resource_prefix, "delivery-errors-log", random_string.firehose_rnd.result) - tags = merge( - var.tags, - { - Name = format("%s-%s-%s", var.resource_prefix, "delivery-errors-log", random_string.firehose_rnd.result) - } - ) - retention_in_days = 400 # Because it's more than a year. -} - -resource "aws_cloudwatch_log_stream" "delivery_errors_log_stream" { - name = format("%s-%s-%s", var.resource_prefix, "delivery-errors-log", random_string.firehose_rnd.result) - log_group_name = aws_cloudwatch_log_group.delivery_errors_log_group.name -} - -# S3 Bucket to hold the transfer failure logs. We are using the default s3 key and no logging as it is not needed. We also have public access blocked by default - -#tfsec:ignore:aws-ssm-secret-use-customer-key -#tfsec:ignore:aws-s3-encryption-customer-key -#tfsec:ignore:aws-s3-enable-bucket-logging -#tfsec:ignore:aws-s3-specify-public-access-block -#tfsec:ignore:aws-s3-block-public-acls -#tfsec:ignore:aws-s3-block-public-policy -#tfsec:ignore:aws-s3-no-public-buckets -#tfsec:ignore:aws-s3-ignore-public-acls -resource "aws_s3_bucket" "firehose_error_logging_bucket" { - #checkov:skip=CKV_AWS_241: We have encryption already in place using the default s3 kms key. - #checkov:skip=CKV_AWS_21: We already have versioning enabled. - #checkov:skip=CKV_AWS_145: We use the default encryption key. - #checkov:skip=CKV2_AWS_62: We do not need event notifications enabled. 
- #checkov:skip=CKV_AWS_144: We are not using cross-region replication. - #checkov:skip=CKV_AWS_18: No access logging required - #checkov:skip=CKV2_AWS_61: Lifecycle is enabled but this error still gets thrown. - #checkov:skip=CKV2_AWS_6: Public Access Block enabled - see below - but the error still gets thrown. - bucket = format("%s-%s-%s", var.resource_prefix, "firehose-error-log", random_string.firehose_rnd.result) -} - -#tfsec:ignore:aws-ssm-secret-use-customer-key -#tfsec:ignore:aws-s3-encryption-customer-key -resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_encryption" { - #checkov:skip=CKV2_AWS_67 - bucket = aws_s3_bucket.firehose_error_logging_bucket.id - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - } - } -} - -resource "aws_s3_bucket_lifecycle_configuration" "bucket_lifecycle_config" { - #checkov:skip=CKV_AWS_300: Event notifications not used. - bucket = aws_s3_bucket.firehose_error_logging_bucket.id - rule { - id = "delete-old" - expiration { - days = 366 - } - status = "Enabled" - transition { - days = 60 - storage_class = "GLACIER" - } - } -} - -# Ideally we would not be using versioning of s3 files but it's added for the tfsec & checkov checks. -resource "aws_s3_bucket_versioning" "bucket_versioning" { - bucket = aws_s3_bucket.firehose_error_logging_bucket.id - versioning_configuration { - status = "Enabled" - } -} - -# By default s3 already blocks public access but this added for the tfsec & checkov checks. 
-resource "aws_s3_bucket_public_access_block" "bucket_block_public" { - bucket = aws_s3_bucket.firehose_error_logging_bucket.id - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true -} - - - -resource "aws_iam_role" "delivery_stream_role" { - name = format("%s-%s-%s", var.resource_prefix, "delivery-stream-role", random_string.firehose_rnd.result) - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "firehose.amazonaws.com" - } - } - ] - }) - tags = merge( - var.tags, - { - Name = format("%s-%s-%s", var.resource_prefix, "delivery-stream-role", random_string.firehose_rnd.result) - } - ) -} - -#tfsec:ignore:aws-iam-no-policy-wildcards -resource "aws_iam_role_policy" "delivery_stream_role_policy" { - #checkov:skip=CKV_AWS_355: - Ignore for now whilst we look into this. - role = aws_iam_role.delivery_stream_role.id - name = format("%s-%s-%s", var.resource_prefix, "delivery-stream-policy", random_string.firehose_rnd.result) - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Sid = "logaccess" - Effect = "Allow" - Action = [ - "logs:DescribeLogGroups", - "logs:DescribeLogStreams", - "logs:GetLogEvents" - ] - Resource = "*" - } - ] - } - ) -} - -resource "aws_iam_role_policy_attachment" "error_log_role_attachment" { - policy_arn = aws_iam_policy.error_log_policy.arn - role = aws_iam_role.delivery_stream_role.name -} - -#tfsec:ignore:aws-iam-no-policy-wildcards -resource "aws_iam_policy" "error_log_policy" { - name = format("%s-%s-%s", var.resource_prefix, "error-log-policy", random_string.firehose_rnd.result) - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "logs:PutLogEvents", - ] - Effect = "Allow" - Resource = [ - "${aws_cloudwatch_log_group.delivery_errors_log_group.arn}/*" - ] - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" 
"s3_role_attachment" { - policy_arn = aws_iam_policy.s3_policy.arn - role = aws_iam_role.delivery_stream_role.name - -} - -#tfsec:ignore:aws-iam-no-policy-wildcards - this is to allow s3:AbortMultiPartUpload. -resource "aws_iam_policy" "s3_policy" { - # Terraform's "jsonencode" function converts a - # Terraform expression result to valid JSON syntax. - name = format("%s-%s-%s", var.resource_prefix, "s3-policy", random_string.firehose_rnd.result) - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "s3:AbortMultipartUpload", - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:PutObject" - ] - Effect = "Allow" - Resource = [ - aws_s3_bucket.firehose_error_logging_bucket.arn, - "${aws_s3_bucket.firehose_error_logging_bucket.arn}/*" - ] - } - ] - }) -} - - - -resource "aws_iam_role" "put_record_role" { - name_prefix = format("%s-%s-%s", var.resource_prefix, "put-record-role", random_string.firehose_rnd.result) - assume_role_policy = < Date: Tue, 24 Sep 2024 14:15:53 +0000 Subject: [PATCH 2/2] terraform-docs: automated action --- terraform/modules/vpc-hub/README.md | 2 ++ terraform/modules/vpc-inspection/README.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/terraform/modules/vpc-hub/README.md b/terraform/modules/vpc-hub/README.md index 077efaf9d..4b182bbf5 100644 --- a/terraform/modules/vpc-hub/README.md +++ b/terraform/modules/vpc-hub/README.md 
@@ -36,6 +36,7 @@ No modules.
 | [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_eip.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_flow_log.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_flow_log.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_internet_gateway.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_network_acl.data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
@@ -75,6 +76,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [flow\_log\_s3\_destination\_arn](#input\_flow\_log\_s3\_destination\_arn) | Optionally supply an ARN of an S3 bucket to send flow logs to | `string` | `""` | no |
 | [gateway](#input\_gateway) | Type of gateway to use for environment | `string` | `"none"` | no |
 | [tags\_common](#input\_tags\_common) | Ministry of Justice required tags | `map(any)` | n/a | yes |
 | [tags\_prefix](#input\_tags\_prefix) | Prefix for name tags, e.g. "live\_data" | `string` | n/a | yes |
diff --git a/terraform/modules/vpc-inspection/README.md b/terraform/modules/vpc-inspection/README.md
index 6fee20e34..86479ba68 100644
--- a/terraform/modules/vpc-inspection/README.md
+++ b/terraform/modules/vpc-inspection/README.md
@@ -32,6 +32,7 @@
 | [aws_ec2_transit_gateway_vpc_attachment.attachments-inspection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
 | [aws_eip.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_flow_log.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_flow_log.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_internet_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_network_acl.inspection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
@@ -75,6 +76,7 @@
 |------|-------------|------|---------|:--------:|
 | [application\_name](#input\_application\_name) | Application name, eg `core-shared-services` or `core-network-services` | `string` | n/a | yes |
 | [cloudwatch\_kms\_key\_id](#input\_cloudwatch\_kms\_key\_id) | Optional KMS key ID to use in encrypting VPC flow logs CloudWatch group. | `string` | `""` | no |
+| [flow\_log\_s3\_destination\_arn](#input\_flow\_log\_s3\_destination\_arn) | Optionally supply an ARN of an S3 bucket to send flow logs to | `string` | `""` | no |
 | [fw\_allowed\_domains](#input\_fw\_allowed\_domains) | List of strings containing allowed domains | `list(string)` | n/a | yes |
 | [fw\_delete\_protection](#input\_fw\_delete\_protection) | Boolean to enable or disable firewall deletion protection | `bool` | `true` | no |
 | [fw\_home\_net\_ips](#input\_fw\_home\_net\_ips) | List of strings covering firewall HOME\_NET values | `list(string)` | n/a | yes |