release: API security risk register fixes

[patheard]

Summary

• Set secure=True on API cookie.
• Update healthcheck endpoint to /version.
• Limit max URL length that can be shortened.

Related

• Closes cds-snc/security-risk-register#147
• Closes cds-snc/security-risk-register#150
• Closes cds-snc/security-risk-register#153

[github-actions[bot]]

Production: hosted_zone

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy

Show summary

| CHANGE | NAME | |--------|------------------------------------------------| | update | `aws_route53_health_check.sre_bot_healthcheck` |

Show plan

```terraform Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # aws_route53_health_check.sre_bot_healthcheck will be updated in-place ~ resource "aws_route53_health_check" "sre_bot_healthcheck" { id = "46553ba4-165e-4192-a50a-c92618d50025" ~ resource_path = "/healthcheck" -> "/version" tags = { "CostCentre" = "url-shortener-production" } # (14 unchanged attributes hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```

Show Conftest results

```sh WARN - plan.json - main - Missing Common Tags: ["aws_route53_health_check.sre_bot_healthcheck"] 18 tests, 17 passed, 1 warning, 0 failures, 0 exceptions ```

[github-actions[bot]]

Production: cloudfront

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy

Show summary

| CHANGE | NAME | |--------|-------------------------------------------------| | update | `aws_cloudfront_distribution.url_shortener_api` | | | `aws_wafv2_regex_pattern_set.valid_uri_paths` |

Show plan

```terraform Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # aws_cloudfront_distribution.url_shortener_api will be updated in-place ~ resource "aws_cloudfront_distribution" "url_shortener_api" { id = "EAB1JWDT87NXB" tags = { "CostCentre" = "url-shortener-production" "Terraform" = "true" } # (20 unchanged attributes hidden) ~ ordered_cache_behavior { ~ path_pattern = "/healthcheck" -> "/version" # (12 unchanged attributes hidden) # (1 unchanged block hidden) } origin { # At least one attribute in this block is (or was) sensitive, # so its contents will not be displayed. } # (3 unchanged blocks hidden) } # aws_wafv2_regex_pattern_set.valid_uri_paths will be updated in-place ~ resource "aws_wafv2_regex_pattern_set" "valid_uri_paths" { id = "65e4e942-25e1-435a-9b5d-e2cb694e7f5a" name = "valid-api-paths" tags = { "CostCentre" = "url-shortener-production" "Terraform" = "true" } # (5 unchanged attributes hidden) - regular_expression { - regex_string = "^/(version|healthcheck|openapi.json|.well-known/security.txt)$" -> null } + regular_expression { + regex_string = "^/(version|openapi.json|.well-known/security.txt)$" } # (7 unchanged blocks hidden) } Plan: 0 to add, 2 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```

Show Conftest results

```sh WARN - plan.json - main - Missing Common Tags: ["module.resolver_dns.aws_route53_resolver_firewall_rule_group_association.firewall_rules[0]"] WARN - plan.json - main - Missing Common Tags: ["module.resolver_dns.aws_route53_resolver_query_log_config.route53_vpc_dns"] 19 tests, 17 passed, 2 warnings, 0 failures, 0 exceptions ```