JASPER-223: Secure JASPER to VPN'd users only (#114)

* - Implement WAF to secure jasper to VPN'd users only - Fixed existing tfsec issues - Fixed publish-infra error - Deleted jasper-aws-bootstrap folder as it is no longer needed - Include sonarlint extension to identify sonar issues earlier * Upgrade Terraform version to 1.10.2 --------- Co-authored-by: Ronaldo Macapobre <[email protected]>
bcgov · Dec 17, 2024 · 2cd8b3b · 2cd8b3b
1 parent 837f39e
commit 2cd8b3b
Show file tree

Hide file tree

Showing 25 changed files with 153 additions and 307 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -23,7 +23,8 @@
         "ms-dotnettools.csharp",
         "ms-dotnettools.vscode-dotnet-runtime",
         "amazonwebservices.aws-toolkit-vscode",
-        "hashicorp.terraform"
+        "hashicorp.terraform",
+        "sonarsource.sonarlint-vscode"
       ],
       "settings": {
         "editor.codeActionsOnSave": {

diff --git a/.github/workflows/build-infra.yml b/.github/workflows/build-infra.yml
@@ -78,7 +78,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: 1.9.0
+          terraform_version: 1.10.2
 
       - name: Terraform Init
         id: init

diff --git a/.github/workflows/publish-infra.yml b/.github/workflows/publish-infra.yml
@@ -32,7 +32,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     environment:
-      name: ${{ inputs.environment }}
+      name: ${{ inputs.environment || 'dev' }}
     env:
       TF_VAR_app_name: ${{ vars.APP_NAME }}
       TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}
@@ -46,6 +46,16 @@ jobs:
       security-events: write
       packages: write
     steps:
+      - name: Determine environment
+        id: determine-environment
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_ENV
+          else
+            echo "environment=dev" >> $GITHUB_ENV
+            echo "WORKING_DIRECTORY=${{ env.WORKING_DIRECTORY }}/dev" >> $GITHUB_ENV
+          fi
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
@@ -73,7 +83,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: 1.9.0
+          terraform_version: 1.10.2
 
       - name: Terraform Init
         id: init

diff --git a/infrastructure/cloud/environments/dev/providers.tf b/infrastructure/cloud/environments/dev/providers.tf
@@ -1,14 +1,14 @@
 terraform {
-  required_version = "~> 1.9.0"
+  required_version = "~> 1.10.2"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 5.81.0"
     }
 
     tls = {
       source  = "hashicorp/tls"
-      version = "4.0.5"
+      version = "4.0.6"
     }
   }
 

diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf
@@ -75,6 +75,7 @@ module "iam" {
   secrets_arn_list    = module.secrets_manager.secrets_arn_list
   account_id          = data.aws_caller_identity.current.account_id
   kms_key_id          = module.initial.kms_key_arn
+  region              = var.region
 }
 
 # Parse Subnets
@@ -268,3 +269,13 @@ module "ecs_api_service" {
   subnet_ids     = module.subnets.app_subnets_ids
   port           = module.ecs_api_td.port
 }
+
+# WAF
+module "waf" {
+  source            = "../../modules/WAF"
+  environment       = var.environment
+  app_name          = var.app_name
+  region            = var.region
+  allowed_ip_ranges = module.secrets_manager.allowed_ip_ranges
+  default_lb_arn    = module.alb.default_lb_arn
+}
diff --git a/infrastructure/cloud/environments/test/main.tf b/infrastructure/cloud/environments/test/main.tf
@@ -75,6 +75,7 @@ module "iam" {
   secrets_arn_list    = module.secrets_manager.secrets_arn_list
   account_id          = data.aws_caller_identity.current.account_id
   kms_key_id          = module.initial.kms_key_arn
+  region              = var.region
 }
 
 # Parse Subnets
@@ -268,3 +269,13 @@ module "ecs_api_service" {
   subnet_ids     = module.subnets.app_subnets_ids
   port           = module.ecs_api_td.port
 }
+
+# WAF
+module "waf" {
+  source            = "../../modules/WAF"
+  environment       = var.environment
+  app_name          = var.app_name
+  region            = var.region
+  allowed_ip_ranges = module.secrets_manager.allowed_ip_ranges
+  default_lb_arn    = module.alb.default_lb_arn
+}
diff --git a/infrastructure/cloud/environments/test/providers.tf b/infrastructure/cloud/environments/test/providers.tf
@@ -1,14 +1,14 @@
 terraform {
-  required_version = "~> 1.9.0"
+  required_version = "~> 1.10.2"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 5.81.0"
     }
 
     tls = {
       source  = "hashicorp/tls"
-      version = "4.0.5"
+      version = "4.0.6"
     }
   }
 

diff --git a/infrastructure/cloud/modules/ALB/outputs.tf b/infrastructure/cloud/modules/ALB/outputs.tf
@@ -1,3 +1,7 @@
 output "default_lb_dns_name" {
   value = data.aws_lb.default_lb.dns_name
 }
+
+output "default_lb_arn" {
+  value = data.aws_lb.default_lb.arn
+}
diff --git a/infrastructure/cloud/modules/APIGateway/main.tf b/infrastructure/cloud/modules/APIGateway/main.tf
@@ -51,9 +51,11 @@ resource "aws_api_gateway_method_settings" "apgw_method_settings" {
   method_path = "*/*"
 
   settings {
-    data_trace_enabled = true
-    metrics_enabled    = true
-    logging_level      = "INFO"
+    data_trace_enabled   = true
+    metrics_enabled      = true
+    logging_level        = "INFO"
+    cache_data_encrypted = true
+    caching_enabled      = true
   }
 }
 

diff --git a/infrastructure/cloud/modules/IAM/main.tf b/infrastructure/cloud/modules/IAM/main.tf
@@ -199,7 +199,7 @@ resource "aws_iam_policy" "openshift_role_policy" {
         ],
         "Effect" : "Allow",
         "Resource" : [
-          "arn:aws:ssm:*:*:parameter/iam_users/${var.openshift_iam_user}_keys",
+          "arn:aws:ssm:${var.region}:${var.account_id}:parameter/iam_users/${var.openshift_iam_user}_keys",
           var.kms_key_arn
         ]
       },

diff --git a/infrastructure/cloud/modules/IAM/variables.tf b/infrastructure/cloud/modules/IAM/variables.tf
@@ -42,3 +42,8 @@ variable "kms_key_id" {
   description = "The custom KMS Key Id"
   type        = string
 }
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}
diff --git a/infrastructure/cloud/modules/SecretsManager/main.tf b/infrastructure/cloud/modules/SecretsManager/main.tf
@@ -149,10 +149,15 @@ resource "aws_secretsmanager_secret_version" "misc_secret_value" {
     apiUrl                         = ""
     siteMinderLogoutUrl            = "",
     includeSiteMinderHeaders       = "",
-    mtlsCert                       = ""
+    mtlsCert                       = "",
+    allowedIpRanges                = ""
   })
 }
 
+data "aws_secretsmanager_secret_version" "current_misc_secret_value" {
+  secret_id = aws_secretsmanager_secret.misc_secret.id
+}
+
 resource "aws_secretsmanager_secret" "auth_secret" {
   name       = "external/${var.app_name}-auth-secret-${var.environment}"
   kms_key_id = var.kms_key_arn

diff --git a/infrastructure/cloud/modules/SecretsManager/output.tf b/infrastructure/cloud/modules/SecretsManager/output.tf
@@ -84,3 +84,8 @@ output "mtls_secret_name" {
 output "api_authorizer_secret" {
   value = aws_secretsmanager_secret.api_authorizer_secret
 }
+
+output "allowed_ip_ranges" {
+  value     = jsondecode(data.aws_secretsmanager_secret_version.current_misc_secret_value.secret_string).allowedIpRanges
+  sensitive = true
+}
diff --git a/infrastructure/cloud/modules/WAF/main.tf b/infrastructure/cloud/modules/WAF/main.tf
@@ -0,0 +1,59 @@
+locals {
+  ip_list = split(",", var.allowed_ip_ranges)
+}
+
+resource "aws_wafv2_ip_set" "waf_ip_set" {
+  name               = "${var.app_name}-bcgov-ip-set-${var.environment}"
+  description        = "BC Gov CIDRs ranges to restrict JASPER access to users connected to VPN only"
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+  addresses          = local.ip_list
+}
+
+resource "aws_wafv2_web_acl" "waf_web_acl" {
+  name        = "${var.app_name}-waf-web-acl-${var.environment}"
+  description = "Load Balancer Web Application Firewall"
+  scope       = "REGIONAL"
+
+  default_action {
+    block {}
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "lb-waf-web-acl-metric"
+    sampled_requests_enabled   = true
+  }
+
+  rule {
+    name     = "${var.app_name}-allow-bcgov-ips-rule-${var.environment}"
+    priority = 1
+
+    statement {
+      ip_set_reference_statement {
+        arn = aws_wafv2_ip_set.waf_ip_set.arn
+
+        ip_set_forwarded_ip_config {
+          header_name       = "X-Forwarded-For"
+          position          = "ANY"
+          fallback_behavior = "NO_MATCH"
+        }
+      }
+    }
+
+    action {
+      allow {}
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "allow-bcgov-ips-rule-metric"
+      sampled_requests_enabled   = true
+    }
+  }
+}
+
+resource "aws_wafv2_web_acl_association" "waf_web_acl_assoc" {
+  resource_arn = var.default_lb_arn
+  web_acl_arn  = aws_wafv2_web_acl.waf_web_acl.arn
+}
diff --git a/infrastructure/cloud/modules/WAF/variables.tf b/infrastructure/cloud/modules/WAF/variables.tf
@@ -0,0 +1,25 @@
+variable "app_name" {
+  description = "The name of the application"
+  type        = string
+}
+
+variable "environment" {
+  description = "The AWS environment to deploy to"
+  type        = string
+}
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}
+
+variable "allowed_ip_ranges" {
+  description = "Comma delimited list of BC Gov CIDR IP addresses or CIDR ranges"
+  type        = string
+  sensitive   = true
+}
+
+variable "default_lb_arn" {
+  description = "The default Load Balancer ARN"
+  type        = string
+}
diff --git a/infrastructure/jasper-aws-bootstrap/.gitignore b/infrastructure/jasper-aws-bootstrap/.gitignore
diff --git a/infrastructure/jasper-aws-bootstrap/.npmignore b/infrastructure/jasper-aws-bootstrap/.npmignore
diff --git a/infrastructure/jasper-aws-bootstrap/README.md b/infrastructure/jasper-aws-bootstrap/README.md
diff --git a/infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts b/infrastructure/jasper-aws-bootstrap/bin/jasper-aws-bootstrap.ts