ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Fix MP repo SCA issues #2982

Closed davidkelliott closed 1 year ago

davidkelliott commented 1 year ago

User Story

Now that checkov is fixed, the SCA is running properly again, but there are several actual issues that need to be addressed.

This issue is to investigate and resolve those issues. https://github.com/ministryofjustice/modernisation-platform/actions/runs/3946503466

User Type(s)

MP engineer

Value

The joy of looking at a green tick compared to the disappointment of looking at a red cross. And something something code quality.

Questions / Assumptions / Hypothesis

Definition of done

Reference

How to write good user stories

markgov commented 1 year ago

One error found so far:

Warning: terraform "required_version" attribute is required (terraform_required_version)

on line 0: (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)

on github/workspace/terraform/environments/core-shared-services/test/test_terraform/secrets.tf line 8: 8: data "aws_secretsmanager_secret_version" "environment_management" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-shared-services/test/test_terraform/secrets.tf
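
Both tflint findings above come from the same gap: the module never declares which Terraform CLI versions it supports and never constrains the `aws` provider, so `terraform init` resolves whatever provider release is newest at that moment and two runs of the same commit can pull different binaries. The block below is an added example of the settings block that satisfies both rules; it is not code from the repository, and the version constraints in it are assumptions chosen for illustration, not the versions the Modernisation Platform actually supports.

```hcl
# Added example (not the repository's own code). The two version constraints
# are assumptions; pin them to the versions this module is actually tested with.
terraform {
  # terraform_required_version: every runner (laptop or CI) must evaluate this
  # configuration with a CLI in a known range, instead of whatever is installed.
  required_version = "~> 1.3"

  # terraform_required_providers: each provider the module uses is declared with
  # an explicit source and version constraint, so "aws" is no longer resolved
  # implicitly. Together with the committed .terraform.lock.hcl this makes the
  # provider binary reproducible across runs and auditable in review.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}
```

The `required_providers` entry is what clears the `terraform_required_providers` warning on `secrets.tf`; any other provider referenced in the module (for example a second aliased `aws` provider) needs an entry of the same shape. Commit the lock file that `terraform init` writes so the constraint resolves to the same checksummed release everywhere.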

markgov commented 1 year ago

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.cicd_member_user File: /main.tf:2-4

    2 | resource "aws_iam_user" "cicd_member_user" {
    3 |   name = "cicd-member-user"
    4 | }

checkov_exitcode=7

Second error found

markgov commented 1 year ago

Passed checks: 61, Failed checks: 1, Skipped checks: 85

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.testing_ci File: /testing-ci.tf:4-8

    4 | resource "aws_iam_user" "testing_ci" {
    5 |   provider = aws.testing-test
    6 |   name     = "testing-ci"
    7 |   tags     = local.testing_tags
    8 | }

checkov_exitcode=6

Third error found

markgov commented 1 year ago

Passed checks: 19, Failed checks: 3, Skipped checks: 1

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.mgn_user File: /iam.tf:4-8

    4 | resource "aws_iam_user" "mgn_user" {
    5 |   count = local.is-development == true ? 1 : 0
    6 |   name  = "MGN-Test"
    7 |   tags  = local.tags
    8 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)" FAILED for resource: aws_iam_user_policy_attachment.mgn_attach_policy File: /iam.tf:10-14 Guide: https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1

    10 | resource "aws_iam_user_policy_attachment" "mgn_attach_policy" {
    11 |   count      = local.is-development == true ? 1 : 0
    12 |   user       = aws_iam_user.mgn_user[0].name
    13 |   policy_arn = "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess"
    14 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.email File: /iam.tf:17-22

    17 | resource "aws_iam_user" "email" {
    18 |   name = format("%s-%s-email_user", local.application_name, local.environment)
    19 |   tags = merge(local.tags,
    20 |     { Name = format("%s-%s-email_user", local.application_name, local.environment) }
    21 |   )
    22 | }

checkov_exitcode=5
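
The CKV_AWS_273 and CKV_AWS_40 findings in this scan share one root cause: a standing IAM user with a policy attached directly to it, which means long-lived access keys and a principal that sits outside the SSO audit trail. As an added example that is not the repository's own code, the following expresses the same `AWSApplicationMigrationFullAccess` grant as a role that SSO-federated identities assume, so the attachment target is a role (CKV_AWS_40) and no IAM user exists at all (CKV_AWS_273). It assumes the account is an IAM Identity Center (SSO) member account and that `local.is-development` and `local.tags` exist as in the flagged `iam.tf`; the role name is a placeholder.

```hcl
# Added example (not the repository's own code). Assumes an SSO member account
# and the locals used by the flagged file; "mgn-test" is a placeholder name.

data "aws_caller_identity" "current" {}

# Trust policy: the role may only be assumed by principals that arrived through
# SSO in this account. IAM Identity Center provisions its roles under the
# aws-reserved/sso.amazonaws.com/ path, so the PrincipalArn condition matches
# exactly that set. Without the condition, ":root" would admit any principal
# in the account.
data "aws_iam_policy_document" "mgn_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/*"]
    }
  }
}

# Replaces resource "aws_iam_user" "mgn_user": no access keys are ever created,
# and every session is temporary and tied to the SSO identity that opened it.
resource "aws_iam_role" "mgn_role" {
  count = local.is-development == true ? 1 : 0

  name                 = "mgn-test"
  assume_role_policy   = data.aws_iam_policy_document.mgn_assume_role.json
  max_session_duration = 3600 # credentials expire after one hour
  tags                 = local.tags
}

# Replaces resource "aws_iam_user_policy_attachment" "mgn_attach_policy":
# the managed policy is attached to the role, which is what CKV_AWS_40 expects.
resource "aws_iam_role_policy_attachment" "mgn_attach_policy" {
  count      = local.is-development == true ? 1 : 0
  role       = aws_iam_role.mgn_role[0].name
  policy_arn = "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess"
}
```

The same substitution applies to the `email` user flagged in the third check only if whatever consumes its credentials can assume a role; the thread does not say what that user is for, so where a consumer genuinely needs a static credential the honest resolution is a documented `checkov:skip` on that resource rather than a role it cannot use.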

markgov commented 1 year ago

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.email File: /iam.tf:2-7

    2 | resource "aws_iam_user" "email" {
    3 |   name = format("%s-%s-email_user", local.application_name, local.environment)
    4 |   tags = merge(local.tags,
    5 |     { Name = format("%s-%s-email_user", local.application_name, local.environment) }
    6 |   )
    7 | }

checkov_exitcode=4

markgov commented 1 year ago

terraform scan results:

Passed checks: 22, Failed checks: 1, Skipped checks: 5

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.member-access File: /iam.tf:16-188

    Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=3

markgov commented 1 year ago

Passed checks: 91, Failed checks: 6, Skipped checks: 19

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" FAILED for resource: aws_iam_policy_document.developer_additional File: /policies.tf:93-205 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation

    Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: module.cicd-member-user.aws_iam_user.cicd_member_user File: /../../../modules/iam_baseline/main.tf:2-4 Calling File: /iam.tf:138-144

    2 | resource "aws_iam_user" "cicd_member_user" {
    3 |   name = "cicd-member-user"
    4 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.sandbox_additional File: /policies.tf:216-333

    Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=2

markgov commented 1 year ago

Passed checks: 857, Failed checks: 11, Skipped checks: 87

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /bootstrap/delegate-access/iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /bootstrap/delegate-access/iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.SSM-Automation-Policy File: /bootstrap/delegate-access/iam.tf:35-78 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

    35 | data "aws_iam_policy_document" "SSM-Automation-Policy" {
    36 |   statement {
    37 |     sid       = ""
    38 |     effect    = "Allow"
    39 |     resources = ["arn:aws:lambda:*:*:function:Automation*"]
    40 |     actions   = ["lambda:InvokeFunction"]
    41 |   }
    42 | 
    43 |   statement {
    44 |     sid       = ""
    45 |     effect    = "Allow"
    46 |     resources = ["*"]
    47 | 
    48 |     actions = [
    49 |       "ec2:CreateImage",
    50 |       "ec2:CopyImage",
    51 |       "ec2:DeregisterImage",
    52 |       "ec2:DescribeImages",
    53 |       "ec2:DeleteSnapshot",
    54 |       "ec2:StartInstances",
    55 |       "ec2:RunInstances",
    56 |       "ec2:StopInstances",
    57 |       "ec2:TerminateInstances",
    58 |       "ec2:DescribeInstanceStatus",
    59 |       "ec2:CreateTags",
    60 |       "ec2:DeleteTags",
    61 |       "ec2:DescribeTags"
    62 |     ]
    63 |   }
    64 | 
    65 |   statement {
    66 |     sid       = ""
    67 |     effect    = "Allow"
    68 |     resources = ["*"]
    69 |     actions   = ["ssm:*"]
    70 |   }
    71 | 
    72 |   statement {
    73 |     sid       = ""
    74 |     effect    = "Allow"
    75 |     resources = ["arn:aws:sns:*:*:Automation*"]
    76 |     actions   = ["sns:Publish"]
    77 |   }
    78 | }

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" FAILED for resource: aws_iam_policy_document.developer_additional File: /bootstrap/delegate-access/policies.tf:93-205 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation

    Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.email File: /equip/iam.tf:2-7

    2 | resource "aws_iam_user" "email" {
    3 |   name = format("%s-%s-email_user", local.application_name, local.environment)
    4 |   tags = merge(local.tags,
    5 |     { Name = format("%s-%s-email_user", local.application_name, local.environment) }
    6 |   )
    7 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.mgn_user File: /ppud/iam.tf:4-8

    4 | resource "aws_iam_user" "mgn_user" {
    5 |   count = local.is-development == true ? 1 : 0
    6 |   name  = "MGN-Test"
    7 |   tags  = local.tags
    8 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)" FAILED for resource: aws_iam_user_policy_attachment.mgn_attach_policy File: /ppud/iam.tf:10-14 Guide: https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1

    10 | resource "aws_iam_user_policy_attachment" "mgn_attach_policy" {
    11 |   count      = local.is-development == true ? 1 : 0
    12 |   user       = aws_iam_user.mgn_user[0].name
    13 |   policy_arn = "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess"
    14 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: aws_iam_user.email File: /ppud/iam.tf:17-22

    17 | resource "aws_iam_user" "email" {
    18 |   name = format("%s-%s-email_user", local.application_name, local.environment)
    19 |   tags = merge(local.tags,
    20 |     { Name = format("%s-%s-email_user", local.application_name, local.environment) }
    21 |   )
    22 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" FAILED for resource: module.cicd-member-user.aws_iam_user.cicd_member_user File: /../modules/iam_baseline/main.tf:2-4 Calling File: /bootstrap/delegate-access/iam.tf:138-144

    2 | resource "aws_iam_user" "cicd_member_user" {
    3 |   name = "cicd-member-user"
    4 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.sandbox_additional File: /bootstrap/delegate-access/policies.tf:216-333

    Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.member-access File: /bootstrap/member-bootstrap/iam.tf:16-188

    Code lines for this resource are too many. Please use IDE of your choice to review the file.
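
The three checks against `SSM-Automation-Policy` in this scan and in the earlier one (CKV_AWS_108, CKV_AWS_109, CKV_AWS_111) all point at the same two statements: `ssm:*` on `*`, and a list of EC2 write actions on `*`. A role carrying that document can read any SSM parameter in the account and stop, terminate or image any instance, not just the ones the automation manages. The following is an added example, not the repository's own code, of how the same document is rewritten so that the only unconstrained `*` left is for read-only Describe and Get calls (which support no resource-level permissions), while every write action is tied to an ARN pattern or a tag condition. The action set and the `Automation=true` tag are assumptions; derive the real list from what the runbook actually calls and check each action's supported resources and condition keys in the IAM Service Authorization Reference before adopting it.

```hcl
# Added example (not the repository's own code). The actions kept here and the
# Automation=true tag convention are assumptions for illustration.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "SSM-Automation-Policy" {
  # Unchanged from the flagged document: invoke only Automation* functions.
  statement {
    sid       = "InvokeAutomationLambdas"
    effect    = "Allow"
    resources = ["arn:aws:lambda:*:*:function:Automation*"]
    actions   = ["lambda:InvokeFunction"]
  }

  # Read-only metadata calls. These actions do not support resource-level
  # permissions, so "*" is unavoidable, but none of them can change state or
  # read parameter values, which is why the checks do not object to them.
  statement {
    sid       = "ReadOnlyDescribe"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeImages",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeTags",
      "ssm:DescribeAutomationExecutions",
      "ssm:GetAutomationExecution",
    ]
  }

  # Instance lifecycle: only instances in this account that carry the
  # Automation=true tag. A compromised automation role can no longer stop or
  # terminate arbitrary workloads. (ec2:RunInstances is deliberately omitted:
  # it needs image, subnet, security-group, network-interface and volume
  # resources as well, and belongs in its own statement built the same way.)
  statement {
    sid       = "InstanceLifecycleTaggedOnly"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${data.aws_caller_identity.current.account_id}:instance/*"]
    actions = [
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
      "ec2:CreateImage",
      "ec2:CreateTags",
      "ec2:DeleteTags",
    ]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Automation"
      values   = ["true"]
    }
  }

  # Image handling is scoped by ARN type rather than tag, because a new image
  # does not carry the tag at the moment CreateImage registers it.
  statement {
    sid       = "ImageLifecycle"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*::image/*"]
    actions   = ["ec2:CreateImage", "ec2:CopyImage", "ec2:DeregisterImage"]
  }

  # Snapshot cleanup, again limited to tagged resources in this account.
  statement {
    sid       = "SnapshotDeleteTaggedOnly"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*::snapshot/*"]
    actions   = ["ec2:DeleteSnapshot"]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Automation"
      values   = ["true"]
    }
  }

  # Replaces "ssm:*" on "*": start only the account's Automation* runbooks and
  # stop executions, each scoped to the ARN type that action operates on.
  # Nothing here grants ssm:GetParameter*, which is what CKV_AWS_108 is about.
  statement {
    sid       = "StartAutomationRunbooks"
    effect    = "Allow"
    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:automation-definition/Automation*:*"]
    actions   = ["ssm:StartAutomationExecution"]
  }

  statement {
    sid       = "StopAutomationExecutions"
    effect    = "Allow"
    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:automation-execution/*"]
    actions   = ["ssm:StopAutomationExecution"]
  }

  # Unchanged from the flagged document: publish only to Automation* topics.
  statement {
    sid       = "PublishAutomationTopics"
    effect    = "Allow"
    resources = ["arn:aws:sns:*:*:Automation*"]
    actions   = ["sns:Publish"]
  }
}
```

Running `checkov -d .` over the rewritten document is the check that the three findings clear; if a later automation needs an action that is missing, add it in a new statement with its own resource scope rather than widening an existing one back to `*`.
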

markgov commented 1 year ago

PR created and sent for review. Fixes added to the PR; new tickets to be created for IAM policy amendments.

markgov commented 1 year ago

New story created and added to the backlog.

markgov commented 1 year ago

New PR raised as the check was still not completing.

markgov commented 1 year ago

SCA is now working as expected and has a green tick