modernisation-platform
Amend NACLs applied to public subnets
A reference to the issue / Description of it
#2403
How does this PR fix the problem?
Observed that rules for all private subnets were also being applied to public subnets. Re-sited block for RDP traffic so that it is only applied to public subnets, and removed rules for non-public subnets from public subnets
How has this been tested?
Checked against production VPC flow logs to ensure no services except HTTPS were listening in the 1-1023 TCP port range.
Deployment Plan / Instructions
Will this deployment impact the platform and / or services on it?
Deploy through CI
Checklist (check x in [ ] of list items)
- [x] I have performed a self-review of my own code
- [x] All checks have passed
- [x] I have made corresponding changes to the documentation
- [x] Plan and discussed how it should be deployed to PROD (If needed)
Additional comments (if any)
{Please write here}
Checkov Scan
Success
Show Output
*****************************
Checkov will check the following folders:
terraform/modules/vpc-nacls
*****************************
Running Checkov in terraform/modules/vpc-nacls
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:
Passed checks: 194, Failed checks: 0, Skipped checks: 87
checkov_exitcode=0
CTFLint Scan
Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/modules/vpc-nacls
*****************************
Running tflint in terraform/modules/vpc-nacls
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan
Success
Show Output
*****************************
Trivy will check the following folders:
terraform/modules/vpc-nacls
*****************************
Running Trivy in terraform/modules/vpc-nacls
2024-05-02T21:37:55.828Z [34mINFO[0m Need to update DB
2024-05-02T21:37:55.828Z [34mINFO[0m DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-05-02T21:37:55.828Z [34mINFO[0m Downloading DB...
2024-05-02T21:37:57.970Z [34mINFO[0m Vulnerability scanning is enabled
2024-05-02T21:37:57.970Z [34mINFO[0m Misconfiguration scanning is enabled
2024-05-02T21:37:57.970Z [34mINFO[0m Need to update the built-in policies
2024-05-02T21:37:57.970Z [34mINFO[0m Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-02T21:37:58.220Z [34mINFO[0m Secret scanning is enabled
2024-05-02T21:37:58.220Z [34mINFO[0m If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-02T21:37:58.220Z [34mINFO[0m Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-05-02T21:37:58.928Z [34mINFO[0m Number of language-specific files: 0
2024-05-02T21:37:58.928Z [34mINFO[0m Detected config files: 2
trivy_exitcode=0
Moved this back to draft as I identified a case where traffic was moving directly between the public subnet and a private address range
After looking through the VPC flow logs I could see a single exception. I'd need to confer with the responsible team, but something like this would be the likely way to account for this exception:
```hcl
locals {
  # Strip the application name prefix from the workspace name to get the environment name
  current_environment = substr(terraform.workspace, length(local.application_name), length(terraform.workspace))
}

resource "aws_network_acl_rule" "additional-public-rule" {
  network_acl_id = module.vpc-nacls[format("hmcts%s", local.current_environment)].public.id
  # cidr_block takes a single CIDR string, not a list
  cidr_block     = "?.?.?.?/??"
  ...
}
```
I don't 100% love the format expression, but with current_environment set up this way it's consistent with other locals used to scrape the environment name from the workspace.
Checkov Scan
Failed
Show Output
*****************************
Checkov will check the following folders:
terraform/environments/core-vpc terraform/modules/vpc-nacls
*****************************
Running Checkov in terraform/environments/core-vpc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-07 10:46:05,523 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-05-07 10:46:05,523 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-member-vpc?ref=ddcd36b717b937bfa72b6245fd0410861aa40b36:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 308, Failed checks: 1, Skipped checks: 108
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: module.vpc_nacls.aws_network_acl_rule.public_subnet_internet_access_rules["allow_vpc_cidr_in"]
File: /../../modules/vpc-nacls/main.tf:69-80
Calling File: /vpc.tf:113-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-352
69 | resource "aws_network_acl_rule" "public_subnet_internet_access_rules" {
70 | #checkov:skip=CKV_AWS_231:Verified - these rules are reasonable
71 | for_each = local.public_access_acl_rules
72 | cidr_block = each.value.cidr_block
73 | egress = each.value.egress
74 | from_port = each.value.from_port
75 | network_acl_id = aws_network_acl.general-public.id
76 | protocol = each.value.protocol
77 | rule_action = each.value.rule_action
78 | rule_number = each.value.rule_number
79 | to_port = each.value.to_port
80 | }
checkov_exitcode=1
*****************************
Running Checkov in terraform/modules/vpc-nacls
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:
Passed checks: 200, Failed checks: 1, Skipped checks: 89
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: aws_network_acl_rule.public_subnet_internet_access_rules["allow_vpc_cidr_in"]
File: /main.tf:69-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-352
69 | resource "aws_network_acl_rule" "public_subnet_internet_access_rules" {
70 | #checkov:skip=CKV_AWS_231:Verified - these rules are reasonable
71 | for_each = local.public_access_acl_rules
72 | cidr_block = each.value.cidr_block
73 | egress = each.value.egress
74 | from_port = each.value.from_port
75 | network_acl_id = aws_network_acl.general-public.id
76 | protocol = each.value.protocol
77 | rule_action = each.value.rule_action
78 | rule_number = each.value.rule_number
79 | to_port = each.value.to_port
80 | }
checkov_exitcode=2
CTFLint Scan
Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-vpc terraform/modules/vpc-nacls
*****************************
Running tflint in terraform/environments/core-vpc
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
*****************************
Running tflint in terraform/modules/vpc-nacls
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan
Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/core-vpc terraform/modules/vpc-nacls
*****************************
Running Trivy in terraform/environments/core-vpc
2024-05-07T10:45:59Z INFO Need to update DB
2024-05-07T10:45:59Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-07T10:46:00Z INFO Vulnerability scanning is enabled
2024-05-07T10:46:00Z INFO Misconfiguration scanning is enabled
2024-05-07T10:46:00Z INFO Need to update the built-in policies
2024-05-07T10:46:00Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-07T10:46:01Z INFO Secret scanning is enabled
2024-05-07T10:46:01Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-07T10:46:01Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-07T10:46:02Z INFO Number of language-specific files num=0
2024-05-07T10:46:02Z INFO Detected config files num=5
iam.tf (terraform)
==================
Tests: 12 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 12)
Failures: 0 (HIGH: 0, CRITICAL: 0)
trivy_exitcode=0
*****************************
Running Trivy in terraform/modules/vpc-nacls
2024-05-07T10:46:02Z INFO Vulnerability scanning is enabled
2024-05-07T10:46:02Z INFO Misconfiguration scanning is enabled
2024-05-07T10:46:02Z INFO Secret scanning is enabled
2024-05-07T10:46:02Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-07T10:46:02Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-07T10:46:03Z INFO Number of language-specific files num=0
2024-05-07T10:46:03Z INFO Detected config files num=2
trivy_exitcode=0
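The Checkov failure above (CKV_AWS_352) flags the `allow_vpc_cidr_in` entry of `public_subnet_internet_access_rules`; the contents of that rule map are not shown on this page. The Python below is an added example, not code from the PR or the vpc-nacls module: it models NACL first-match evaluation (ascending rule number, first match wins, implicit deny) over a constructed public-subnet rule map in the shape of a `for_each` input, shows why an ingress allow that covers every port from the VPC CIDR trips a CKV_AWS_352-style check, and what narrowing that rule changes. The rule numbers, CIDRs and the deny-RDP rule are assumptions for illustration, and `all_ports_ingress_allows` only approximates the condition Checkov reports; it is not Checkov's code.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NaclRule:
    rule_number: int
    protocol: str      # "6" = TCP, "17" = UDP, "-1" = all protocols (ports ignored)
    cidr_block: str
    from_port: int
    to_port: int
    rule_action: str   # "allow" or "deny"
    egress: bool


# Constructed rule map shaped like a for_each input such as local.public_access_acl_rules.
# Contents are illustrative only; they are not the module's real rules.
PUBLIC_RULES = {
    "deny_rdp_in":        NaclRule(90,  "6",  "0.0.0.0/0",   3389, 3389,  "deny",  False),
    "allow_https_in":     NaclRule(100, "6",  "0.0.0.0/0",   443,  443,   "allow", False),
    "allow_ephemeral_in": NaclRule(120, "6",  "0.0.0.0/0",   1024, 65535, "allow", False),
    "allow_vpc_cidr_in":  NaclRule(130, "-1", "10.0.0.0/16", 0,    65535, "allow", False),
    "allow_all_out":      NaclRule(100, "-1", "0.0.0.0/0",   0,    65535, "allow", True),
}


def evaluate(rules, *, egress, protocol, port, remote_ip):
    """Apply NACL semantics: rules are tried in ascending rule_number, the first
    match decides, and traffic matching nothing hits the implicit '*' deny.
    NACLs are stateless, so ingress and egress are judged independently."""
    if isinstance(rules, dict):
        rules = rules.values()
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.rule_number):
        if r.egress != egress:
            continue
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr_block):
            continue
        # With protocol -1 AWS applies the rule to every port, whatever range is given.
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        return r.rule_action
    return "deny"


def all_ports_ingress_allows(rules):
    """Names of ingress allow rules that cover every port, either via protocol -1
    or a full 0-65535 range. Approximates what CKV_AWS_352 reports."""
    return sorted(name for name, r in rules.items()
                  if not r.egress and r.rule_action == "allow"
                  and (r.protocol == "-1" or (r.from_port <= 1 and r.to_port >= 65535)))


def narrow_vpc_rule(rules, port=443):
    """Copy of the rule map with allow_vpc_cidr_in limited to a single TCP port."""
    narrowed = dict(rules)
    narrowed["allow_vpc_cidr_in"] = replace(rules["allow_vpc_cidr_in"],
                                            protocol="6", from_port=port, to_port=port)
    return narrowed


if __name__ == "__main__":
    print("flagged:", all_ports_ingress_allows(PUBLIC_RULES))
    for ip, port in [("203.0.113.5", 443), ("203.0.113.5", 22),
                     ("10.0.7.9", 22), ("10.0.7.9", 3389)]:
        verdict = evaluate(PUBLIC_RULES, egress=False, protocol="6", port=port, remote_ip=ip)
        print(f"ingress tcp/{port} from {ip}: {verdict}")
    print("flagged after narrowing:", all_ports_ingress_allows(narrow_vpc_rule(PUBLIC_RULES)))
```

Two things the model makes visible: the deny rule at number 90 beats the VPC-wide allow at 130 for RDP even though both match, which is why the placement of such a rule matters; and with `allow_vpc_cidr_in` at protocol -1, any host in 10.0.0.0/16 can reach every port on the public subnet, which is the condition the check reports. After `narrow_vpc_rule`, the same host can still reach 443 but tcp/22 falls through to the implicit deny.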
Added some extra handling for xhibit-portal requirements, but it's a very first-pass solution at present.
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.
This PR was closed because it has been stalled for 40 days with no activity.