terraform-modules's People

Contributors

bethcryer, cmbuckley, dependabot[bot], dusty-meg, github-actions[bot], joecsykes, martintaylor1635, nishanttomar, robg-test

terraform-modules's Issues

Github Ref Limit Issue - Action Intermittent Failure

There is an issue where there are too many clones, meaning we are sometimes hitting the threshold of too many requests when all the pipelines run.

I propose the following fix:

  1. Calculate, by comparing the base-ref and head-ref, whether the file has changed, and then only execute the necessary actions instead of rebuilding the necessary fixes.

Note: This is absolutely required if we plug in Terratest
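One way to implement the base-ref/head-ref comparison proposed above, as an added example that is not code from this repository. The function names, the `BASE_REF`/`HEAD_REF` environment variables, the `modules/<provider>/<module>/` layout (inferred from the example paths quoted on this page) and the rule that a `.github/` change triggers a full run are all assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): decide which modules a PR touched.

# changed_files BASE HEAD: list files that differ between the merge base of
# BASE and HEAD, and HEAD. Both refs must already be fetched locally.
# The refs arrive as quoted arguments, never interpolated into script text.
changed_files() {
  git diff --name-only "$1...$2"
}

# changed_modules: read file paths on stdin, print each affected module
# directory once. Assumed layout: modules/<provider>/<module>/<file...>
changed_modules() {
  awk -F/ '$1 == "modules" && NF >= 4 { print $1 "/" $2 "/" $3 }' | sort -u
}

# needs_full_run: succeed if any path on stdin is under .github/ (assumed
# policy: a pipeline change means every module is re-checked).
needs_full_run() {
  grep -q '^\.github/'
}

# Constructed sample input, used to exercise the functions offline.
sample_paths() {
  cat <<'EOF'
modules/aws/ec2/main.tf
modules/aws/ec2/examples/example.tf
modules/aws/rds/variables.tf
modules/aws/README.md
README.md
.github/workflows/ci.yml
EOF
}

# Only runs inside a CI job that exports BASE_REF and HEAD_REF (hypothetical
# variable names).
if [ -n "${BASE_REF:-}" ] && [ -n "${HEAD_REF:-}" ]; then
  files=$(changed_files "$BASE_REF" "$HEAD_REF")
  if printf '%s\n' "$files" | needs_full_run; then
    echo "ALL"
  else
    printf '%s\n' "$files" | changed_modules
  fi
fi
```

For the constructed sample, `changed_modules` yields `modules/aws/ec2` and `modules/aws/rds`, and `needs_full_run` succeeds because of the workflow file.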

Cannot run workflow on a forked PR

On a forked PR i.e. #77

The pipeline does not execute because pull requests from forked branches do not have access to the github.event.pull_request.head.ref variable

This is due to security reasons; we need to come up with something that will fix this and ideally not hamper the security of any GitHub secrets (if we choose to have them).

ELB Module

Create an ELB Module that will allow the creation of an ELB provided a set of instances to add to the Load Balancer

It should be made so that it will receive traffic on a port and redistribute traffic to the instance port on the specified listeners.

The goal of this module will allow us to simplify the process of creating a load balancer so that, given a set of 2 private EC2s or resources on private IPs, we can provide the port on which the application sits and put those in front of a public-facing load balancer to route traffic to.

Inputs

  • Target Port of your instance
  • The Instance IDs of the EC2s
  • SSL Certificate Id - Provided you will need this added either as part of another module or some form of other process. For testing purposes add this yourself.

Outputs

  • TBD

See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb for info on setting this up.

Testing

Will need fairly rigorous testing to ensure that the networking is working; ideally this will be done with the Go Modules.

  • Assert that Load Balancer can communicate with paired EC2 instances

Security Group not provided for EC2 Module

At the moment, the example refers to:
aws_security_group.ec2_security_group.id

This is the security group to which the EC2 belongs.
This is not actually present anywhere and no other module provides this information.

Proposed:

  • Make the EC2 Module create its own security group.
  • Make a Security Group in the VPC.
  • Make a separate module for Security Groups.

Instance does not have performance insights enabled.

Secrets Manager Module

Create a module to manage secrets and configurations of that secret using AWS Secrets Manager

Now this is not necessarily complicated, however research on the security considerations behind this is the important part here, and making sensible decisions on what should be configurable / what we should permanently set is a key to this task.

It'd be great to have someone with a good knowledge of the security aspects of this, as there's lots of concepts which I imagine are not really considered from project to project due to time constraints.

Inputs:

  • The name of the secret
  • The value of the secret

Add Terraform Plan to CI/CD

We can use the Academy Org for planning, however I recommend we create a new account in that org to do so.

This PR runs the "terraform plan" command using the provided example.tf, e.g.

cd examples
terraform plan

This will allow us to plot out the Architecture and could help prevent bugs with the Terraform code. We will need examples for other modules too!

Cluster has very low backup retention period.

Cluster has very low backup retention period.

https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/specify-backup-retention/

RDS backup retention for clusters defaults to 1 day; this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.

@chrisbloe
I recommend the approach for this one is for projects to decide their backup retention period by force, as there is a cost implication behind this one. Let me know if you agree? (We may provide a default for this as 1 day)

Update naming conventions for Terraform Modules

Update naming policy for Terraform resource names, variables in resources of name, and the name key for resources that accept Tags.

The naming convention has been discussed as a team.

Resource Names

In the scenario in which the component has a one-to-one relationship that will never change (subject to knowledge at the time), the name of a resource should be this.

In all other scenarios it should be an explanation of what that resource does in context of the application.

Variables for resource called 'name'

This should follow the resource naming policy
https://answerconsulting.jira.com/wiki/spaces/ARCH/pages/3206709249/Resource+Naming

Name Key in Tags

This should follow the resource naming policy
https://answerconsulting.jira.com/wiki/spaces/ARCH/pages/3206709249/Resource+Naming

Route53 - Example Terraform

Route53 Example Terraform.

See module/aws/ec2/examples/example.tf for prior example

Need a bit of knowledge on domains, and possibly a sample domain to test it with; this one is a bit trickier.

RDS Serverless Cluster - Example Terraform & Test

An example.tf file in line with the other modules, that provides a sample implementation of terraform.

See /modules/aws/ec2/examples/example.tf for an example of a pre-existing example.

You will want to actually plan and deploy the modules into the Academy account.
