2.188.0

cado-security · Oct 10, 2024 · cd6c31d · cd6c31d
1 parent 24416c4
commit cd6c31d
Show file tree

Hide file tree

Showing 18 changed files with 73 additions and 3 deletions.
diff --git a/aws_deprecated/aws/main.tf b/aws_deprecated/aws/main.tf
@@ -95,6 +95,13 @@ variable "proxy_cert_url" {
   default     = ""
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+
+}
+
 variable "instance_worker_type" {
   type    = string
   default = "i4i.2xlarge"
@@ -385,6 +392,7 @@ resource "aws_instance" "main" {
     "aws_stack_id=${""}", # not actually a stack id,
     "feature_flag_http_proxy=${var.proxy}",
     "proxy_cert_url=${var.proxy_cert_url}",
+    "proxy_whitelist=${join(",", var.proxy_whitelist)}",
     "feature_flag_platform_upgrade='${var.feature_flag_platform_upgrade}'",
     "feature_flag_deploy_with_alb='${var.feature_flag_deploy_with_alb}'",
     "feature_flag_deploy_with_elastic='${""}'",
@@ -401,6 +409,7 @@ resource "aws_instance" "main" {
     "echo aws_stack_id = $aws_stack_id >> /home/admin/processor/first_run.cfg",
     "echo PROXY_url = $feature_flag_http_proxy >> /home/admin/processor/first_run.cfg",
     "echo PROXY_cert_url = $proxy_cert_url >> /home/admin/processor/first_run.cfg",
+    "echo PROXY_whitelist = $proxy_whitelist >> /home/admin/processor/first_run.cfg",
     "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg",
     ],
     [
@@ -412,6 +421,8 @@ resource "aws_instance" "main" {
         "${var.finalize_cmd}",
         var.proxy != "" ? " --proxy ${var.proxy}" : "",
         var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
+        length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
+
         "2>&1 | sudo tee /home/admin/processor/init_out"
       ]))
     ],

diff --git a/aws_deprecated/aws_combined/main.tf b/aws_deprecated/aws_combined/main.tf
@@ -76,6 +76,12 @@ variable "proxy_cert_url" {
   default     = ""
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+}
+
 variable "instance_worker_type" {
   type    = string
   default = "i4i.2xlarge"
@@ -121,6 +127,7 @@ module "aws" {
   tags                         = var.tags
   proxy                        = var.proxy
   proxy_cert_url               = var.proxy_cert_url
+  proxy_whitelist              = var.proxy_whitelist
   configure_cloudwatch         = var.configure_cloudwatch
 }
 
diff --git a/aws_v2/README.md b/aws_v2/README.md
@@ -80,6 +80,7 @@ No resources.
 | <a name="input_private_load_balancer"></a> [private\_load\_balancer](#input\_private\_load\_balancer) | To determine if we should deploy an internal load balancer | `bool` | `false` | no |
 | <a name="input_proxy"></a> [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:[email protected]:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | `""` | no |
 | <a name="input_proxy_cert_url"></a> [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | `""` | no |
+| <a name="input_proxy_whitelist"></a> [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | `[]` | no |
 | <a name="input_public_deployment"></a> [public\_deployment](#input\_public\_deployment) | To determine if we should deploy without a public IP | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region to deploy to | `string` | `"us-west-1"` | no |
 | <a name="input_ssh_location"></a> [ssh\_location](#input\_ssh\_location) | IP address to allow ssh access from | `list(string)` | n/a | yes |

diff --git a/aws_v2/main.tf b/aws_v2/main.tf
@@ -50,6 +50,7 @@ module "deploy" {
   instance_role_name            = module.iam.instance_role_name
   proxy                         = var.proxy
   proxy_cert_url                = var.proxy_cert_url
+  proxy_whitelist               = var.proxy_whitelist
   configure_cloudwatch          = var.configure_cloudwatch
   deploy_nfs                    = var.deploy_nfs
   local_workers                 = var.local_workers

diff --git a/aws_v2/modules/deploy/README.md b/aws_v2/modules/deploy/README.md
@@ -53,6 +53,7 @@ No modules.
 | <a name="input_primary_subnet"></a> [primary\_subnet](#input\_primary\_subnet) | Subnet object containing various attributes | <pre>object({<br>    id                = string<br>    cidr_block        = string<br>    availability_zone = string<br>  })</pre> | n/a | yes |
 | <a name="input_proxy"></a> [proxy](#input\_proxy) | n/a | `string` | n/a | yes |
 | <a name="input_proxy_cert_url"></a> [proxy\_cert\_url](#input\_proxy\_cert\_url) | n/a | `string` | n/a | yes |
+| <a name="input_proxy_whitelist"></a> [proxy\_whitelist](#input\_proxy\_whitelist) | n/a | `list(string)` | n/a | yes |
 | <a name="input_public_deployment"></a> [public\_deployment](#input\_public\_deployment) | n/a | `bool` | n/a | yes |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | n/a | `string` | n/a | yes |
 | <a name="input_security_group_id"></a> [security\_group\_id](#input\_security\_group\_id) | n/a | `string` | n/a | yes |

diff --git a/aws_v2/modules/deploy/main.tf b/aws_v2/modules/deploy/main.tf
@@ -144,6 +144,7 @@ resource "aws_instance" "main" {
     "aws_stack_id=${""}", # not actually a stack id
     "feature_flag_http_proxy=${var.proxy}",
     "proxy_cert_url=${var.proxy_cert_url}",
+    "proxy_whitelist=${join(",", var.proxy_whitelist)}",
     "feature_flag_platform_upgrade='${var.feature_flag_platform_upgrade}'",
     "feature_flag_deploy_with_alb='${!var.public_deployment}'",
     "echo [FIRST_RUN] > /home/admin/processor/first_run.cfg",
@@ -162,6 +163,7 @@ resource "aws_instance" "main" {
     "echo aws_stack_id = $aws_stack_id >> /home/admin/processor/first_run.cfg",
     "echo PROXY_url = $feature_flag_http_proxy >> /home/admin/processor/first_run.cfg",
     "echo PROXY_cert_url = $proxy_cert_url >> /home/admin/processor/first_run.cfg",
+    "echo PROXY_whitelist = $proxy_whitelist >> /home/admin/processor/first_run.cfg",
     "echo minimum_role_deployment = true >> /home/admin/processor/first_run.cfg",
     ],
     [
@@ -176,6 +178,7 @@ resource "aws_instance" "main" {
         "${var.finalize_cmd}",
         var.proxy != "" ? " --proxy ${var.proxy}" : "",
         var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
+        length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
         "2>&1 | sudo tee /home/admin/processor/init_out"
       ]))
     ],

diff --git a/aws_v2/modules/deploy/variables.tf b/aws_v2/modules/deploy/variables.tf
@@ -47,6 +47,10 @@ variable "proxy_cert_url" {
   type = string
 }
 
+variable "proxy_whitelist" {
+  type = list(string)
+}
+
 variable "vol_size" {
   type = number
 }

diff --git a/aws_v2/modules/iam/main.tf b/aws_v2/modules/iam/main.tf
@@ -241,10 +241,13 @@ resource "aws_iam_role_policy" "policy" {
         {
             "Sid": "RequiredToCheckPolicy",
             "Action": [
+                "iam:ListRolePolicies",
                 "iam:GetPolicy",
-                "iam:GetPolicyVersion"
+                "iam:GetRolePolicy",
+                "iam:GetPolicyVersion",
+                "iam:SimulatePrincipalPolicy"
             ],
-            "Resource": "arn:aws:iam::*:policy/*CadoResponse*",
+            "Resource": "*",
             "Effect": "Allow"
         },
         {

diff --git a/aws_v2/variables.tf b/aws_v2/variables.tf
@@ -90,6 +90,12 @@ variable "proxy_cert_url" {
   default     = ""
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+}
+
 # DO NOT CHANGE
 
 variable "finalize_cmd" {

diff --git a/azure/azure_transient/main.tf b/azure/azure_transient/main.tf
@@ -78,6 +78,12 @@ variable "proxy_cert_url" {
   default     = ""
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+}
+
 variable "worker_vm_type" {
   type        = string
   description = "Default worker vm size"
@@ -288,6 +294,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
       "echo bucket = ${data.azurerm_storage_container.container.name} | sudo tee -a /home/admin/processor/first_run.cfg",
       "echo PROXY_url = ${var.proxy} | sudo tee -a /home/admin/processor/first_run.cfg",
       "echo PROXY_cert_url = ${var.proxy_cert_url} | sudo tee -a /home/admin/processor/first_run.cfg",
+      "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} | sudo tee -a /home/admin/processor/first_run.cfg",
       "echo -n ${azurerm_key_vault.keyvault.vault_uri} | sudo tee -a /home/admin/processor/envars/KEYVAULT_URI",
       "echo -n ${var.use_secrets_manager} | sudo tee -a /home/admin/processor/envars/USE_SECRETS_MANAGER",
       "echo local_workers = ${var.local_workers} | sudo tee -a /home/admin/processor/first_run.cfg",
@@ -306,6 +313,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
           "${var.finalize_cmd}",
           var.proxy != "" ? " --proxy ${var.proxy}" : "",
           var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
+          length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
           "2>&1 | sudo tee /home/admin/processor/init_out"
         ]))
       ],

diff --git a/azure/cado/main.tf b/azure/cado/main.tf
@@ -117,6 +117,11 @@ variable "proxy_cert_url" {
   description = "Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert."
   default     = ""
 }
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+}
 
 variable "worker_vm_type" {
   type        = string
@@ -167,6 +172,7 @@ module "azure_transient" {
   finalize_cmd                   = var.finalize_cmd
   proxy                          = var.proxy
   proxy_cert_url                 = var.proxy_cert_url
+  proxy_whitelist                = var.proxy_whitelist
   feature_flag_platform_upgrade  = var.feature_flag_platform_upgrade
   use_secrets_manager            = var.use_secrets_manager
   deploy_acquisition_permissions = var.deploy_acquisition_permissions

diff --git a/cross-account/CrossAccountPolicy.yaml b/cross-account/CrossAccountPolicy.yaml
@@ -17,9 +17,12 @@ Statement:
       aws:ResourceTag/Name: CadoResponse*
 - Sid: RequiredToCheckPolicy
   Action:
+  - iam:ListRolePolicies
   - iam:GetPolicy
+  - iam:GetRolePolicy
   - iam:GetPolicyVersion
-  Resource: arn:aws:iam::*:policy/*CadoResponse*
+  - iam:SimulatePrincipalPolicy
+  Resource: '*'
   Effect: Allow
 - Sid: RequiredForMemoryForensics
   Effect: Allow

diff --git a/gcp/README.md b/gcp/README.md
@@ -72,6 +72,7 @@ No resources.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project id to deploy to | `string` | n/a | yes |
 | <a name="input_proxy"></a> [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:[email protected]:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | `""` | no |
 | <a name="input_proxy_cert_url"></a> [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | `""` | no |
+| <a name="input_proxy_whitelist"></a> [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region to deploy to | `string` | `"us-central1"` | no |
 | <a name="input_role"></a> [role](#input\_role) | The role to assign to the service account | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to main vm and any spawned workers | `map(string)` | `{}` | no |

diff --git a/gcp/main.tf b/gcp/main.tf
@@ -63,6 +63,7 @@ module "deploy" {
   finalize_cmd                   = var.finalize_cmd
   proxy                          = var.proxy
   proxy_cert_url                 = var.proxy_cert_url
+  proxy_whitelist                = var.proxy_whitelist
   instance_worker_type           = var.instance_worker_type
   use_beta                       = local.use_beta
   deploy_nfs                     = var.deploy_nfs

diff --git a/gcp/modules/deploy/README.md b/gcp/modules/deploy/README.md
@@ -43,6 +43,7 @@ No modules.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Value of the project id to deploy to | `string` | n/a | yes |
 | <a name="input_proxy"></a> [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:[email protected]:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | n/a | yes |
 | <a name="input_proxy_cert_url"></a> [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | n/a | yes |
+| <a name="input_proxy_whitelist"></a> [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The zone where the VM will be deployed | `string` | n/a | yes |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The service account to use for the VM | `string` | n/a | yes |
 | <a name="input_subnetwork_config"></a> [subnetwork\_config](#input\_subnetwork\_config) | The subnetwork configuration for the VM | `any` | n/a | yes |

diff --git a/gcp/modules/deploy/main.tf b/gcp/modules/deploy/main.tf
@@ -45,6 +45,7 @@ resource "google_compute_instance" "vm_instance" {
     "echo feature_flag_platform_upgrade = ${var.enable_platform_updates} >> /home/admin/processor/first_run.cfg",
     "echo PROXY_url = ${var.proxy} >> /home/admin/processor/first_run.cfg",
     "echo PROXY_cert_url = ${var.proxy_cert_url} >> /home/admin/processor/first_run.cfg",
+    "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} >> /home/admin/processor/first_run.cfg",
     "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg",
     "echo local_workers = ${var.local_workers} >> /home/admin/processor/first_run.cfg",
     "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} >> /home/admin/processor/first_run.cfg",
@@ -59,6 +60,7 @@ resource "google_compute_instance" "vm_instance" {
         "${var.finalize_cmd}",
         var.proxy != "" ? " --proxy ${var.proxy}" : "",
         var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "",
+        length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "",
         "2>&1 | sudo tee /home/admin/processor/init_out"
       ]))
     ],

diff --git a/gcp/modules/deploy/variables.tf b/gcp/modules/deploy/variables.tf
@@ -65,6 +65,11 @@ variable "proxy_cert_url" {
   description = "Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert."
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+}
+
 variable "instance_worker_type" {
   type        = string
   description = "Set Worker instance type"

diff --git a/gcp/variables.tf b/gcp/variables.tf
@@ -113,6 +113,12 @@ variable "proxy_cert_url" {
   default     = ""
 }
 
+variable "proxy_whitelist" {
+  type        = list(string)
+  description = "List of IPs/domains to be included in the no_proxy environment variable"
+  default     = []
+}
+
 variable "instance_worker_type" {
   type        = string
   default     = "n2-highmem-8"