Switch from deny and allow config, to only deny and allow everything … (

#467)

* Switch from deny and allow config, to only deny and allow everything else

* Update changelog

* Upgrade go module version

* Upgrade terraform

CHANGELOG.md

@@ -1,3 +1,6 @@
+## v0.35.0
+
+- Add: Added blanket * allow permission in place of specific allow permissions for easier integration with future AWS products github.com/Optum/dce (#467)
 
 ## v0.34.2
 
@@ -7,7 +10,7 @@
 
 - Add: Enable network-firewall:ListRuleGroups permission (#449)
 - Fix: Recent changes to AWS S3 default bucket policy have broken the install. Removing ACL from the bucket allows the installation to proceed.
-  
+
 ## v0.34.0
 
 - Fix: get latest aws-nuke release. (#432)

go.mod

@@ -1,6 +1,6 @@
 module github.com/Optum/dce
 
-go 1.19
+go 1.20
 
 require (
 	github.com/360EntSecGroup-Skylar/excelize v1.4.1

go.sum

@@ -25,8 +25,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53/go.mod h1:+3IMCy2vIlbG1XG/0ggNQv0SvxCAIpPM5b1nCz56Xno=
 github.com/CloudyKit/jet/v3 v3.0.0/go.mod h1:HKQPgSJmdK8hdoAbKUUWajkHyHo4RaU5rMdUywE7VMo=
 github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKzY=
-github.com/Optum/aws-nuke/v2 v2.0.0 h1:kCF9BuHvaQI+OJu1CBAWMAL1YFgQSIu4Mhnv6wDk8vU=
-github.com/Optum/aws-nuke/v2 v2.0.0/go.mod h1:vHiOieYSFzuprJ0gAlc4sfYn27RnrpsN465Y9rlBr6c=
 github.com/Optum/aws-nuke/v2 v2.0.1 h1:9wjFuNLcjcfC94dNEa8/Xgxl9xciIFyUeB0CXN3vFbQ=
 github.com/Optum/aws-nuke/v2 v2.0.1/go.mod h1:vHiOieYSFzuprJ0gAlc4sfYn27RnrpsN465Y9rlBr6c=
 github.com/Shopify/goreferrer v0.0.0-20181106222321-ec9c9a553398/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0=

modules/accounts_lambda.tf

@@ -30,7 +30,7 @@ module "accounts_lambda" {
     PRINCIPAL_MAX_SESSION_DURATION = 14400
     TAG_ENVIRONMENT                = var.namespace == "prod" ? "PROD" : "NON-PROD"
     TAG_APP_NAME                   = lookup(var.global_tags, "AppName")
-    PRINCIPAL_POLICY_S3_KEY        = aws_s3_bucket_object.principal_policy.key
+    PRINCIPAL_POLICY_S3_KEY        = aws_s3_object.principal_policy.key
   }
 }
 

modules/artifacts_bucket.tf

@@ -16,20 +16,24 @@ resource "aws_s3_bucket" "artifacts" {
   # (so ephemeral PR environments can be torn down)
   force_destroy = true
 
-  # Encrypt objects by default
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
+  tags = var.global_tags
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
     }
   }
+}
 
-  versioning {
-    enabled = true
+resource "aws_s3_bucket_versioning" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  versioning_configuration {
+    status = "Enabled"
   }
-
-  tags = var.global_tags
 }
 
 # Enforce SSL only access to the bucket
@@ -58,7 +62,7 @@ POLICY
 
 }
 
-resource "aws_s3_bucket_object" "principal_policy" {
+resource "aws_s3_object" "principal_policy" {
   bucket = aws_s3_bucket.artifacts.id
   key    = "fixtures/policies/principal_policy.tmpl"
   source = local.principal_policy

modules/authentication/iam.tf

@@ -1,29 +1,31 @@
-data "template_file" "user_assume_role_policy" {
-  template = file("${path.module}/fixtures/iam/assume-role.json")
-
-  vars = {
+locals {
+  user_assume_role_policy = templatefile("${path.module}/fixtures/iam/assume-role.json", {
     cognito_identity_pool_id = aws_cognito_identity_pool._.id
-  }
-}
+  })
 
-data "template_file" "user_policy" {
-  template = file("${path.module}/fixtures/iam/user-policy.json")
+  user_policy = templatefile("${path.module}/fixtures/iam/user-policy.json", {
+    api_gateway_arn = var.api_gateway_arn
+  })
 
-  vars = {
+  admin_assume_role_policy = templatefile("${path.module}/fixtures/iam/assume-role.json", {
+    cognito_identity_pool_id = aws_cognito_identity_pool._.id
+  })
+
+  admin_policy = templatefile("${path.module}/fixtures/iam/admin-policy.json", {
     api_gateway_arn = var.api_gateway_arn
-  }
+  })
 }
 
 resource "aws_iam_role" "user" {
   name = "${var.name}-user-${var.namespace}"
 
-  assume_role_policy = data.template_file.user_assume_role_policy.rendered
+  assume_role_policy = local.user_assume_role_policy
 }
 
 resource "aws_iam_policy" "user" {
   name = "${var.name}-user-${var.namespace}"
 
-  policy = data.template_file.user_policy.rendered
+  policy = local.user_policy
 }
 resource "aws_iam_policy_attachment" "user" {
   name = "${var.name}-user-${var.namespace}"
@@ -32,33 +34,16 @@ resource "aws_iam_policy_attachment" "user" {
   roles      = [aws_iam_role.user.name]
 }
 
-
-data "template_file" "admin_assume_role_policy" {
-  template = file("${path.module}/fixtures/iam/assume-role.json")
-
-  vars = {
-    cognito_identity_pool_id = aws_cognito_identity_pool._.id
-  }
-}
-
-data "template_file" "admin_policy" {
-  template = file("${path.module}/fixtures/iam/admin-policy.json")
-
-  vars = {
-    api_gateway_arn = var.api_gateway_arn
-  }
-}
-
 resource "aws_iam_role" "admin" {
   name = "${var.name}-admin-${var.namespace}"
 
-  assume_role_policy = data.template_file.admin_assume_role_policy.rendered
+  assume_role_policy = local.admin_assume_role_policy
 }
 
 resource "aws_iam_policy" "admin" {
   name = "${var.name}-admin-${var.namespace}"
 
-  policy = data.template_file.admin_policy.rendered
+  policy = local.admin_policy
 }
 resource "aws_iam_policy_attachment" "admin" {
   name = "${var.name}-admin-${var.namespace}"

modules/fixtures/policies/principal_policy.tmpl

@@ -68,108 +68,7 @@
       "Sid": "AllowedServices",
       "Effect": "Allow",
       "Action": [
-        "acm:*",
-        "acm-pca:*",
-        "apigateway:*",
-        "application-autoscaling:*",
-        "appstream:*",
-        "athena:*",
-        "autoscaling:*",
-        "backup:*",
-        "backup-storage:MountCapsule",
-        "batch:*",
-        "cloud9:*",
-        "clouddirectory:*",
-        "cloudformation:*",
-        "cloudfront:*",
-        "cloudhsm:*",
-        "cloudsearch:*",
-        "cloudtrail:*",
-        "cloudwatch:*",
-        "codebuild:*",
-        "codecommit:*",
-        "codedeploy:*",
-        "codepipeline:*",
-        "codestar:*",
-        "cognito-identity:*",
-        "cognito-idp:*",
-        "comprehend:*",
-        "config:*",
-        "datapipeline:*",
-        "dax:*",
-        "devicefarm:*",
-        "dms:*",
-        "ds:*",
-        "dynamodb:*",
-        "ec2:*",
-        "ecr:*",
-        "ecs:*",
-        "eks:*",
-        "elasticache:*",
-        "elasticbeanstalk:*",
-        "elasticfilesystem:*",
-        "elasticloadbalancing:*",
-        "elasticmapreduce:*",
-        "elastictranscoder:*",
-        "es:*",
-        "events:*",
-        "execute-api:*",
-        "firehose:*",
-        "fms:*",
-        "fsx:*",
-        "globalaccelerator:*",
-        "glue:*",
-        "iam:*",
-        "imagebuilder:*",
-        "iot:*",
-        "iotanalytics:*",
-        "kafka:*",
-        "kinesis:*",
-        "kinesisanalytics:*",
-        "kinesisvideo:*",
-        "kms:*",
-        "lakeformation:*",
-        "lambda:*",
-        "lex:*",
-        "lightsail:*",
-        "logs:*",
-        "machinelearning:*",
-        "mediaconvert:*",
-        "medialive:*",
-        "mediapackage:*",
-        "mediastore:*",
-        "mediatailor:*",
-        "mobilehub:*",
-        "mq:*",
-        "neptune-db:*",
-       "network-firewall:*",
-        "opsworks:*",
-        "opsworks-cm:*",
-        "rds:*",
-        "redshift:*",
-        "rekognition:*",
-        "resource-groups:*",
-        "robomaker:*",
-        "route53:*",
-        "s3:*",
-        "sagemaker:*",
-        "secretsmanager:*",
-        "servicecatalog:*",
-        "servicediscovery:*",
-        "ses:*",
-        "sns:*",
-        "sqs:*",
-        "ssm:*",
-        "states:*",
-        "storagegateway:*",
-        "sts:*",
-        "tag:*",
-        "transfer:*",
-        "waf:*",
-        "wafv2:*",
-        "waf-regional:*",
-        "worklink:*",
-        "workspaces:*"
+        "*"
       ],
       "Resource": "*",
       "Condition": {

modules/gateway.tf

@@ -1,12 +1,21 @@
 locals {
   portal_gateway_name = "${var.namespace_prefix}-${var.namespace}"
   stage_name          = "api"
+
+  api_swagger_tpl = templatefile("${path.module}/swagger.yaml", {
+    leases_lambda               = module.leases_lambda.invoke_arn
+    lease_auth_lambda           = module.lease_auth_lambda.invoke_arn
+    accounts_lambda             = module.accounts_lambda.invoke_arn
+    usages_lambda               = module.usage_lambda.invoke_arn
+    credentials_web_page_lambda = module.credentials_web_page_lambda.invoke_arn
+    namespace                   = "${var.namespace_prefix}-${var.namespace}"
+  })
 }
 
 resource "aws_api_gateway_rest_api" "gateway_api" {
   name        = local.portal_gateway_name
   description = local.portal_gateway_name
-  body        = data.template_file.api_swagger.rendered
+  body        = local.api_swagger_tpl
 }
 
 module "api_gateway_authorizer" {
@@ -54,19 +63,6 @@ resource "aws_ssm_parameter" "user_pool_endpoint" {
   value = module.api_gateway_authorizer.user_pool_endpoint
 }
 
-data "template_file" "api_swagger" {
-  template = file("${path.module}/swagger.yaml")
-
-  vars = {
-    leases_lambda               = module.leases_lambda.invoke_arn
-    lease_auth_lambda           = module.lease_auth_lambda.invoke_arn
-    accounts_lambda             = module.accounts_lambda.invoke_arn
-    usages_lambda               = module.usage_lambda.invoke_arn
-    credentials_web_page_lambda = module.credentials_web_page_lambda.invoke_arn
-    namespace                   = "${var.namespace_prefix}-${var.namespace}"
-  }
-}
-
 resource "aws_lambda_permission" "allow_api_gateway" {
   function_name = module.leases_lambda.arn
   statement_id  = "AllowExecutionFromApiGateway"
@@ -122,7 +118,7 @@ resource "aws_api_gateway_deployment" "gateway_deployment" {
     // API Changes won't get deployed, without a trigger in TF
     // See https://medium.com/coryodaniel/til-forcing-terraform-to-deploy-a-aws-api-gateway-deployment-ed36a9f60c1a
     // and https://github.com/terraform-providers/terraform-provider-aws/issues/162#issuecomment-475323730
-    change_trigger = sha256(data.template_file.api_swagger.rendered)
+    change_trigger = sha256(local.api_swagger_tpl)
   }
 
   lifecycle {

modules/main.tf

@@ -1,10 +1,16 @@
 terraform {
-  required_version = "~>0.12.31"
+  required_version = "~>0.13.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.25.0"
+    }
+  }
 }
 
 provider "aws" {
   region  = var.aws_region
-  version = "3.41.0"
 }
 
 # Current AWS Account User
@@ -15,4 +21,3 @@ locals {
   account_id            = data.aws_caller_identity.current.account_id
   sns_encryption_key_id = "alias/aws/sns"
 }
-

modules/update_lease_status.tf

@@ -44,8 +44,8 @@ module "update_lease_status_lambda" {
     BUDGET_NOTIFICATION_FROM_EMAIL            = var.budget_notification_from_email
     BUDGET_NOTIFICATION_BCC_EMAILS            = join(",", var.budget_notification_bcc_emails)
     BUDGET_NOTIFICATION_TEMPLATES_BUCKET      = local.budget_notification_templates_bucket
-    BUDGET_NOTIFICATION_TEMPLATE_HTML_KEY     = aws_s3_bucket_object.budget_notification_template_html.key
-    BUDGET_NOTIFICATION_TEMPLATE_TEXT_KEY     = aws_s3_bucket_object.budget_notification_template_text.key
+    BUDGET_NOTIFICATION_TEMPLATE_HTML_KEY     = aws_s3_object.budget_notification_template_html.key
+    BUDGET_NOTIFICATION_TEMPLATE_TEXT_KEY     = aws_s3_object.budget_notification_template_text.key
     BUDGET_NOTIFICATION_TEMPLATE_SUBJECT      = var.budget_notification_template_subject
     BUDGET_NOTIFICATION_THRESHOLD_PERCENTILES = join(",", var.budget_notification_threshold_percentiles)
     PRINCIPAL_BUDGET_AMOUNT                   = var.principal_budget_amount
@@ -56,12 +56,12 @@ module "update_lease_status_lambda" {
 
 // Upload budget notification email templates to S3
 // (templates may be too large to pass in as env vars)
-resource "aws_s3_bucket_object" "budget_notification_template_html" {
+resource "aws_s3_object" "budget_notification_template_html" {
   bucket  = local.budget_notification_templates_bucket
   key     = "budget_notification_templates/html.tmpl"
   content = var.budget_notification_template_html
 }
-resource "aws_s3_bucket_object" "budget_notification_template_text" {
+resource "aws_s3_object" "budget_notification_template_text" {
   bucket  = local.budget_notification_templates_bucket
   key     = "budget_notification_templates/text.tmpl"
   content = var.budget_notification_template_text

modules/update_principal_policy_lambda.tf

@@ -17,7 +17,7 @@ module "update_principal_policy" {
     ARTIFACTS_BUCKET               = aws_s3_bucket.artifacts.id
     PRINCIPAL_ROLE_NAME            = local.principal_role_name
     PRINCIPAL_POLICY_NAME          = local.principal_policy_name
-    PRINCIPAL_POLICY_S3_KEY        = aws_s3_bucket_object.principal_policy.key
+    PRINCIPAL_POLICY_S3_KEY        = aws_s3_object.principal_policy.key
     PRINCIPAL_IAM_DENY_TAGS        = join(",", var.principal_iam_deny_tags)
     ALLOWED_REGIONS                = join(",", var.allowed_regions)
     PRINCIPAL_MAX_SESSION_DURATION = 14400

pipelines/destroy-pr-env.yml

@@ -44,7 +44,7 @@ steps:
   # Install Terraform
   - task: TerraformInstaller@0
     inputs:
-      terraformVersion: "0.12.18"
+      terraformVersion: "0.13.7"
     displayName: "Install Terraform"
 
   # terraform init