harden-ssh-k8s-api-ports

enekui commented 10 months ago

Description

Added a set of new variables that will default to true to control SSH and Kubernetes API access to the EC2 instance. Added a new Data source to conditionally get the public IP of the Terraform module operator. We are manipulating the output to get the clean public IP and pass it as the default allowed CIDR block to the SSH and Kubernetes API port. Also, there are two new variables to control this just in case it's needed to open SSH or Kubernetes API ports independently to everyone or other IPs/CIDR blocks. Removed unrelated left variables from ALB. Updated README.md Tested the new changes.

Note: This is a small upgrade, but will make a huge difference in how customers take this from a security best practices point of view.

enekui commented 9 months ago

@enekui Noticed while adding EFS storage for the new monitoringcluster that you have to add the encrypted = true option while creating the EFS resource "aws_efs_file_system" "eks_efs" otherwise the EFS data will be unencrypted

Yep, but that would require creating a separate KMS key only for EFS. For now, since EFS is not mandatory for this use case it's more an optional feature that we provide to the user. I rather to keep it simple. But yes, in the next iteration I will include it for sure. Thanks for spotting this one.

enekui commented 9 months ago

Still some references to tower, there's a configmap called kubernetes_config_map_v1.tower_app_configmap

Yep, I know, but it was requested by Paolo. It had all been renamed to Seqera, but yes.

bebosudo commented 9 months ago

I'm not discussing the use of a configmap, but its name. Do we want to rename it to Seqera platform or something?

pditommaso commented 9 months ago

It's OK for now. There's a huge number of variable and settings prefixed with "tower". the idea is to keep this as near as possible to the current deployment

enekui commented 9 months ago

@pditommaso, your approval is required too. :)

pditommaso commented 9 months ago

Sure, can you please make me a summary of the new settings introduced by this PR and the default value?

enekui commented 9 months ago

Sure, can you please make me a summary of the new settings introduced by this PR and the default value?

MAIN CHANGES:

Added the following new varibales:

enable_ec2_instance_ssh_access = true
enable_ec2_instance_kubernetes_api_access = true
ec2_instance_ssh_cidr_blocks = [""]
ec2_instance_kubernetes_api_cidr_blocks = [""]

The above variables does not affect the current use of the module call. The main improvement is that now it will provide SSH and Kubernetes API access only to the public IP on the module executor. In case there is a need to extend the IP block that will access these two endpoints, the user can make use of the new parameters:

ec2_instance_ssh_cidr_blocks *ec2_instance_ssh_cidr_blocks Which will include the CIDR blocks as part of the allowed sources in the EC2 instance security group.

MINOR CHANGES:

Added a set of examples in the examples folder as a requierement for all the Terraform modules.

GENERAL OVERVIEW

Enhanced Security Features

New Variables for Access Control:
- Variables introduced to control SSH and Kubernetes API access to the EC2 instance, with a default setting of true.
Public IP Data Source:
- A new data source added to fetch the public IP of the Terraform module operator.
- This IP is utilized as the default allowed CIDR block for SSH and Kubernetes API port access.
Independent Control of SSH and Kubernetes API Ports:
- Introduction of two separate variables for independent control over SSH and Kubernetes API ports.
- These variables allow customization of access, enabling users to open ports to everyone or to specific IPs/CIDR blocks.
ALB Variable Clean-Up:
- Removal of unrelated and leftover variables from the Application Load Balancer (ALB) configuration.
Updated Documentation:
- Modifications in the README.md file to incorporate these new changes.
Testing and Validation:
- Extensive testing to ensure the effectiveness and reliability of the new features.

Impact and Significance

These changes significantly enhance the security posture of the Terraform module.
The new settings enable more granular control over access, aligning with security best practices.

Note:The focus of these changes is on security enhancements, and stability, providing more control and flexibility in managing SSH and Kubernetes API access to EC2 instances

pditommaso commented 9 months ago

Ok, thanks

seqeralabs / terraform-seqera-aws