[CORE-438 CORE-439] added test examples #41

Merged
merged 2 commits into from
Nov 3, 2022
147 changes: 147 additions & 0 deletions examples/complete-tcp-app/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
# Versions
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
required_version = ">= 1.0"
}

# Data
data "aws_route53_zone" "root" {
name = "${var.root_domain_name}."
private_zone = false
}

# Main
module "vpc" {
source = "registry.terraform.io/terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = "${var.env}-vpc"
cidr = "10.0.0.0/16"

azs = [
"${var.aws_region}a",
"${var.aws_region}b"
]
public_subnets = [
"10.0.10.0/23",
"10.0.12.0/23"
]

private_subnets = [
"10.0.20.0/23"
]
manage_default_network_acl = true
default_network_acl_name = "${var.env}-${var.namespace}"
}
resource "aws_security_group" "default_permissive" {
LOW   Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_2

How to Fix

resource "aws_security_group" "example" {
  ...
  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
+   cidr_blocks = ["10.0.0.1/32"]
  }  
}

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Rationale
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.2
  • PCI-DSS V3.2.1 1.2.1, 1.3
  • FEDRAMP (MODERATE) AC-4, CM-2, SC-7, SC-7(3)
  • CIS AWS V1.3 5.2

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = aws_subnet.public_a.id          # resource reference, not a quoted string
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami                    = data.aws_ami.ubuntu.id   # resource reference, not a quoted string
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.ok_sg.id]  # "security_groups" takes names and only works in the default VPC
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # cidr_blocks is a list of strings; narrow to the VPC CIDR to match the description
  }
}

Description

A check to ensure that orphaned Security Groups aren't created. This checks that Security Groups are attached to provisioning resources such as EC2 instances or Elastic Network Interfaces (ENIs).

LOW   Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_67

LOW   Ensure AWS Security Group does not allow all traffic on SSH port 22
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.1
  • PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)
  • CIS AWS V1.3 5.2

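One way to reproduce the three port checks the bot raised on `default_permissive`, as an added example that is not part of the PR and not Bridgecrew's own scanner: it treats `protocol = -1` with `from_port = 0` / `to_port = 0` as reaching every port, which is exactly why a naive `from_port <= port <= to_port` comparison would miss the group in this hunk. The rule dicts, the `WATCHED_PORTS` mapping and the sample groups are assumptions of the example.

```python
import ipaddress

# Check ids from the comments above, keyed by the port each one watches
# (assumption of this example; Bridgecrew's real scanner is not used here).
WATCHED_PORTS = {
    22: "BC_AWS_NETWORKING_1",
    3389: "BC_AWS_NETWORKING_2",
    80: "BC_AWS_NETWORKING_67",
}


def is_unrestricted(cidr):
    """True when the CIDR is 0.0.0.0/0 or ::/0, i.e. it matches every source."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_covers_port(rule, port):
    """Does one ingress rule (a dict mirroring the HCL block) reach `port`?

    AWS semantics: protocol -1 ("all") ignores from_port/to_port, which
    Terraform writes as 0/0. A naive from_port <= port <= to_port test
    therefore misses the default_permissive group in this PR.
    """
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto in ("-1", "all"):
        return True
    if proto != "tcp":  # the three watched ports are all TCP services
        return False
    return int(rule["from_port"]) <= port <= int(rule["to_port"])


def find_open_ports(sg):
    """Return sorted (port, check_id) pairs for every watched port the
    security group exposes to the whole internet over IPv4 or IPv6."""
    findings = set()
    for rule in sg.get("ingress", []):
        cidrs = list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", []))
        if not any(is_unrestricted(c) for c in cidrs):
            continue
        for port, check_id in WATCHED_PORTS.items():
            if rule_covers_port(rule, port):
                findings.add((port, check_id))
    return sorted(findings)


# Constructed sample input: the default_permissive block from this PR, and a
# tighter group that only publishes 443 and keeps SSH inside the VPC CIDR.
DEFAULT_PERMISSIVE = {
    "name": "default_permissive",
    "ingress": [{"protocol": -1, "from_port": 0, "to_port": 0,
                 "cidr_blocks": ["0.0.0.0/0"]}],
}
TIGHT = {
    "name": "tight",
    "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/16"]},
    ],
}

if __name__ == "__main__":
    for sg in (DEFAULT_PERMISSIVE, TIGHT):
        for port, check_id in find_open_ports(sg):
            print(f"{sg['name']}: port {port} open to the world ({check_id})")
```
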

name = "${var.env}-default-permissive"
vpc_id = module.vpc.vpc_id

ingress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = [
"0.0.0.0/0"
]
}

egress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = [
"0.0.0.0/0"
]
}

}

resource "aws_route53_record" "env_ns_record" {
zone_id = data.aws_route53_zone.root.id
name = "${var.env}.${var.root_domain_name}"
type = "NS"
ttl = "60"
records = aws_route53_zone.env_domain.name_servers
}

resource "aws_route53_zone" "env_domain" {
name = "${var.env}.${var.root_domain_name}"
}

module "env_acm" {
source = "registry.terraform.io/terraform-aws-modules/acm/aws"
version = "~> 4.0"

domain_name = "${var.env}.${var.root_domain_name}"

subject_alternative_names = [
"*.${var.env}.${var.root_domain_name}"
]

zone_id = aws_route53_zone.env_domain.id

tags = {
Name = "${var.env}.${var.root_domain_name}"
}
}

module "ecs" {
source = "registry.terraform.io/terraform-aws-modules/ecs/aws"
version = "~> 4.0"
cluster_name = "${var.env}-${var.namespace}"
}

module "tcp_app" {
source = "../.."

name = "tcpapp"
app_type = "tcp-app"
env = var.env
namespace = var.namespace

# Containers
ecs_cluster_name = module.ecs.cluster_name
docker_registry = var.docker_registry
docker_image_tag = var.docker_image_tag

# Load Balancer
public = true
https_enabled = true
tls_cert_arn = local.tls_cert_arn

port_mappings = [
{
container_port = 4442
host_port = 4442
},
{
container_port = 4443
host_port = 4443
},
{
container_port = 4444
host_port = 4444
tls = true
}
]

# Network
vpc_id = module.vpc.vpc_id
public_subnets = module.vpc.public_subnets
private_subnets = module.vpc.private_subnets
security_groups = [aws_security_group.default_permissive.id]
root_domain_name = var.root_domain_name
zone_id = aws_route53_zone.env_domain.id

# Environment variables
app_secrets = [
]
environment = {
}
}
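
Review bot: the `ingress` block of `aws_security_group.default_permissive` near the end of this hunk allows every protocol and port (`protocol = -1`, `from_port = 0`, `to_port = 0`) from `0.0.0.0/0`, and the group is then passed to `module.tcp_app` as `security_groups`, so the tasks behind the load balancer, not only the balancer, are reachable from anywhere on any port. The example only publishes 4442, 4443 and 4444 through `port_mappings`, so restrict ingress to those three ports (and, for the task-side group, to the VPC CIDR `10.0.0.0/16`), or at minimum add a comment that the group is intentionally wide open for an example; that also clears the four findings posted on this resource. Separately, `tls_cert_arn = local.tls_cert_arn` can evaluate to `null` (see the `locals` block in examples/complete-tcp-app/variables.tf) while `https_enabled = true` is set, so state in a comment what the module does when no ACM certificate is available.
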

16 changes: 16 additions & 0 deletions examples/complete-tcp-app/output.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
output "vpc_cidr" {
value = module.vpc.vpc_cidr_block
}

output "private_subnet_cidrs" {
value = module.vpc.private_subnets_cidr_blocks
}

output "cloudwatch_log_group" {
value = module.tcp_app.cloudwatch_log_group
}

output "ecs_cluster_name" {
value = module.ecs.cluster_name
}

11 changes: 11 additions & 0 deletions examples/complete-tcp-app/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
locals {
tls_cert_arn = length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null
}

variable "env" {}
variable "namespace" {}
variable "aws_profile" {}
variable "aws_region" {}
variable "docker_registry" {}
variable "docker_image_tag" {}
variable "root_domain_name" {}
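
Review bot: the `locals` block does not belong in variables.tf; move it to main.tf next to `module "env_acm"`, whose output it reads. The seven `variable` blocks declare neither `type` nor `description`, so `terraform validate` accepts any value for `aws_region` or `root_domain_name`; add at least `type = string` and a one-line description to each. The conditional `length(module.env_acm.acm_certificate_arn) > 0 ? module.env_acm.acm_certificate_arn : null` also silently converts a missing certificate into `tls_cert_arn = null` while main.tf sets `https_enabled = true`; failing fast (dropping the conditional so a missing ARN is a plan-time error) is safer for an example people copy.
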
43 changes: 0 additions & 43 deletions examples/complete-web-windows/main-windows.tf

This file was deleted.

123 changes: 123 additions & 0 deletions examples/complete-web-windows/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
# Versions
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
required_version = ">= 1.0"
}

# Data
data "aws_route53_zone" "root" {
name = "${var.root_domain_name}."
private_zone = false
}

# Main
module "vpc" {
source = "registry.terraform.io/terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = "${var.env}-vpc"
cidr = "10.0.0.0/16"

azs = [
"${var.aws_region}a",
"${var.aws_region}b"
]
public_subnets = [
"10.0.10.0/23",
"10.0.12.0/23"
]

private_subnets = [
"10.0.20.0/23"
]
manage_default_network_acl = true
default_network_acl_name = "${var.env}-${var.namespace}"
}
resource "aws_security_group" "default_permissive" {
LOW   Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_2

How to Fix

resource "aws_security_group" "example" {
  ...
  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
+   cidr_blocks = ["10.0.0.1/32"]
  }  
}

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Rationale
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.2
  • PCI-DSS V3.2.1 1.2.1, 1.3
  • FEDRAMP (MODERATE) AC-4, CM-2, SC-7, SC-7(3)
  • CIS AWS V1.3 5.2

LOW   Ensure AWS Security Group does not allow all traffic on SSH port 22
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.1
  • PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)
  • CIS AWS V1.3 5.2

LOW   Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_67

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.default_permissive | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = aws_subnet.public_a.id          # resource reference, not a quoted string
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami                    = data.aws_ami.ubuntu.id   # resource reference, not a quoted string
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.ok_sg.id]  # "security_groups" takes names and only works in the default VPC
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # cidr_blocks is a list of strings; narrow to the VPC CIDR to match the description
  }
}

Description

A check to ensure that orphaned Security Groups aren't created. This checks that Security Groups are attached to provisioning resources such as EC2 instances or Elastic Network Interfaces (ENIs).


name = "${var.env}-default-permissive"
vpc_id = module.vpc.vpc_id

ingress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = [
"0.0.0.0/0"
]
}

egress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = [
"0.0.0.0/0"
]
}

}

resource "aws_route53_record" "env_ns_record" {
zone_id = data.aws_route53_zone.root.id
name = "${var.env}.${var.root_domain_name}"
type = "NS"
ttl = "60"
records = aws_route53_zone.env_domain.name_servers
}

resource "aws_route53_zone" "env_domain" {
name = "${var.env}.${var.root_domain_name}"
}

module "ecs" {
source = "registry.terraform.io/terraform-aws-modules/ecs/aws"
version = "~> 4.0"
cluster_name = "${var.env}-${var.namespace}"
}

module "web_complete" {
source = "../.."

name = "app"
app_type = "web"
env = var.env
namespace = var.namespace

# Containers
cpu = 1024
memory = 2048
operating_system_family = "WINDOWS_SERVER_2019_CORE"
ecs_cluster_name = module.ecs.cluster_name
docker_registry = var.docker_registry
docker_image_tag = var.docker_image_tag

# Load Balancer
public = true
https_enabled = false
alb_health_check_path = "/"
alb_security_groups = [aws_security_group.default_permissive.id]

# EFS settings
efs_enabled = false
efs_mount_point = "/mnt/efs"
efs_root_directory = "/"

# Network
vpc_id = module.vpc.vpc_id
public_subnets = module.vpc.public_subnets
private_subnets = module.vpc.private_subnets
security_groups = [aws_security_group.default_permissive.id]
root_domain_name = var.root_domain_name
zone_id = aws_route53_zone.env_domain.id

# Environment variables
app_secrets = [
]
environment = {
}
}
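
Review bot: `module "web_complete"` sets `public = true` together with `https_enabled = false`, so this example serves the Windows app over plain HTTP from an internet-facing ALB, and the same all-ports `default_permissive` group is passed as both `alb_security_groups` and `security_groups`. The tcp-app example in this PR already provisions a certificate with `module "env_acm"`; reuse that pattern here and set `https_enabled = true`, give the ALB a group that allows only 80/443 from `0.0.0.0/0`, and give the tasks a group that only accepts traffic from the ALB group (the findings posted on `default_permissive` above are the same as on the tcp example). Minor: `efs_enabled = false` while `efs_mount_point` and `efs_root_directory` are still set is confusing in an example; drop the two unused values or add a comment saying they are placeholders.
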

16 changes: 16 additions & 0 deletions examples/complete-web-windows/output.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
output "vpc_cidr" {
value = module.vpc.vpc_cidr_block
}

output "private_subnet_cidrs" {
value = module.vpc.private_subnets_cidr_blocks
}

output "cloudwatch_log_group" {
value = module.web_complete.cloudwatch_log_group
}

output "ecs_cluster_name" {
value = module.ecs.cluster_name
}

7 changes: 7 additions & 0 deletions examples/complete-web-windows/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
variable "env" {}
variable "namespace" {}
variable "aws_profile" {}
variable "aws_region" {}
variable "docker_registry" {}
variable "docker_image_tag" {}
variable "root_domain_name" {}
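
Review bot: as in examples/complete-tcp-app/variables.tf, the seven `variable` blocks here carry no `type` or `description`; add `type = string` and a short description to each so `terraform validate` rejects wrong values and the example documents what `docker_registry` and `root_domain_name` are expected to hold.
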
7 changes: 0 additions & 7 deletions examples/complete-web/data.tf

This file was deleted.
