From cd6c31d8fcdc9de3fc8fc11cb9b9f9a103608fc0 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 10 Oct 2024 10:48:57 +0000 Subject: [PATCH] 2.188.0 --- aws_deprecated/aws/main.tf | 11 +++++++++++ aws_deprecated/aws_combined/main.tf | 7 +++++++ aws_v2/README.md | 1 + aws_v2/main.tf | 1 + aws_v2/modules/deploy/README.md | 1 + aws_v2/modules/deploy/main.tf | 3 +++ aws_v2/modules/deploy/variables.tf | 4 ++++ aws_v2/modules/iam/main.tf | 7 +++++-- aws_v2/variables.tf | 6 ++++++ azure/azure_transient/main.tf | 8 ++++++++ azure/cado/main.tf | 6 ++++++ cross-account/CrossAccountPolicy.yaml | 5 ++++- gcp/README.md | 1 + gcp/main.tf | 1 + gcp/modules/deploy/README.md | 1 + gcp/modules/deploy/main.tf | 2 ++ gcp/modules/deploy/variables.tf | 5 +++++ gcp/variables.tf | 6 ++++++ 18 files changed, 73 insertions(+), 3 deletions(-) diff --git a/aws_deprecated/aws/main.tf b/aws_deprecated/aws/main.tf index bc46c7d..88383e2 100644 --- a/aws_deprecated/aws/main.tf +++ b/aws_deprecated/aws/main.tf @@ -95,6 +95,13 @@ variable "proxy_cert_url" { default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] + +} + variable "instance_worker_type" { type = string default = "i4i.2xlarge" @@ -385,6 +392,7 @@ resource "aws_instance" "main" { "aws_stack_id=${""}", # not actually a stack id, "feature_flag_http_proxy=${var.proxy}", "proxy_cert_url=${var.proxy_cert_url}", + "proxy_whitelist=${join(",", var.proxy_whitelist)}", "feature_flag_platform_upgrade='${var.feature_flag_platform_upgrade}'", "feature_flag_deploy_with_alb='${var.feature_flag_deploy_with_alb}'", "feature_flag_deploy_with_elastic='${""}'", 
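Review bot: The new `proxy_whitelist` entries are interpolated into the instance's shell script unquoted (`"proxy_whitelist=${join(",", var.proxy_whitelist)}"` in the `@@ -385` hunk of aws_deprecated/aws/main.tf, and again in the `--proxy-whitelist` argument), so an entry containing whitespace or a shell metacharacter would split the assignment or be interpreted by the shell rather than land in `no_proxy`. The variable declaration in the `@@ -95` hunk has no `validation` block; adding one that restricts entries to hostname/IP/CIDR characters would fail at `terraform plan` instead of at first boot. The same declaration is repeated without validation in aws_deprecated/aws_combined/main.tf, aws_v2/variables.tf, aws_v2/modules/deploy/variables.tf, azure/azure_transient/main.tf, azure/cado/main.tf, gcp/modules/deploy/variables.tf and gcp/variables.tf. As a nit, the aws_deprecated/aws/main.tf block has a stray blank line before its closing `}` that the other copies do not. The `aws_instance.main` resource that consumes the value starts and ends outside the hunk; the character class below is a constructed example that assumes the pinned Terraform supports `alltrue` (0.15+) — adjust it to the formats the `no_proxy` handling actually accepts.
```hcl
variable "proxy_whitelist" {
  type        = list(string)
  description = "List of IPs/domains to be included in the no_proxy environment variable"
  default     = []

  # Entries are joined with "," and placed unquoted in the bootstrap shell script,
  # so reject anything that could break or be interpreted by the shell.
  validation {
    condition     = alltrue([for entry in var.proxy_whitelist : can(regex("^[A-Za-z0-9.:/_*-]+$", entry))])
    error_message = "proxy_whitelist entries must be hostnames, IPs or CIDRs with no whitespace or shell metacharacters."
  }
}
```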
@@ -401,6 +409,7 @@ resource "aws_instance" "main" { "echo aws_stack_id = $aws_stack_id >> /home/admin/processor/first_run.cfg", "echo PROXY_url = $feature_flag_http_proxy >> /home/admin/processor/first_run.cfg", "echo PROXY_cert_url = $proxy_cert_url >> /home/admin/processor/first_run.cfg", + "echo PROXY_whitelist = $proxy_whitelist >> /home/admin/processor/first_run.cfg", "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg", ], [ @@ -412,6 +421,8 @@ resource "aws_instance" "main" { "${var.finalize_cmd}", var.proxy != "" ? " --proxy ${var.proxy}" : "", var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "", + length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "", + "2>&1 | sudo tee /home/admin/processor/init_out" ])) ], diff --git a/aws_deprecated/aws_combined/main.tf b/aws_deprecated/aws_combined/main.tf index e460bc4..e6ad141 100644 --- a/aws_deprecated/aws_combined/main.tf +++ b/aws_deprecated/aws_combined/main.tf @@ -76,6 +76,12 @@ variable "proxy_cert_url" { default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] +} + variable "instance_worker_type" { type = string default = "i4i.2xlarge" @@ -121,6 +127,7 @@ module "aws" { tags = var.tags proxy = var.proxy proxy_cert_url = var.proxy_cert_url + proxy_whitelist = var.proxy_whitelist configure_cloudwatch = var.configure_cloudwatch } diff --git a/aws_v2/README.md b/aws_v2/README.md index a297e61..079fc66 100644 --- a/aws_v2/README.md +++ b/aws_v2/README.md 
@@ -80,6 +80,7 @@ No resources. | [private\_load\_balancer](#input\_private\_load\_balancer) | To determine if we should deploy an internal load balancer | `bool` | `false` | no | | [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:pass@1.2.3.4:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | `""` | no | | [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | `""` | no | +| [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | `[]` | no | | [public\_deployment](#input\_public\_deployment) | To determine if we should deploy without a public IP | `bool` | `false` | no | | [region](#input\_region) | Region to deploy to | `string` | `"us-west-1"` | no | | [ssh\_location](#input\_ssh\_location) | IP address to allow ssh access from | `list(string)` | n/a | yes | diff --git a/aws_v2/main.tf b/aws_v2/main.tf index d517b38..12e0fcc 100644 --- a/aws_v2/main.tf +++ b/aws_v2/main.tf @@ -50,6 +50,7 @@ module "deploy" { instance_role_name = module.iam.instance_role_name proxy = var.proxy proxy_cert_url = var.proxy_cert_url + proxy_whitelist = var.proxy_whitelist configure_cloudwatch = var.configure_cloudwatch deploy_nfs = var.deploy_nfs local_workers = var.local_workers diff --git a/aws_v2/modules/deploy/README.md b/aws_v2/modules/deploy/README.md index 7da4ad9..939686e 100644 --- a/aws_v2/modules/deploy/README.md +++ b/aws_v2/modules/deploy/README.md @@ -53,6 +53,7 @@ No modules. | [primary\_subnet](#input\_primary\_subnet) | Subnet object containing various attributes |
object({
id = string
cidr_block = string
availability_zone = string
})
| n/a | yes | | [proxy](#input\_proxy) | n/a | `string` | n/a | yes | | [proxy\_cert\_url](#input\_proxy\_cert\_url) | n/a | `string` | n/a | yes | +| [proxy\_whitelist](#input\_proxy\_whitelist) | n/a | `list(string)` | n/a | yes | | [public\_deployment](#input\_public\_deployment) | n/a | `bool` | n/a | yes | | [role\_name](#input\_role\_name) | n/a | `string` | n/a | yes | | [security\_group\_id](#input\_security\_group\_id) | n/a | `string` | n/a | yes | diff --git a/aws_v2/modules/deploy/main.tf b/aws_v2/modules/deploy/main.tf index 801ea02..1b3382f 100644 --- a/aws_v2/modules/deploy/main.tf +++ b/aws_v2/modules/deploy/main.tf @@ -144,6 +144,7 @@ resource "aws_instance" "main" { "aws_stack_id=${""}", # not actually a stack id "feature_flag_http_proxy=${var.proxy}", "proxy_cert_url=${var.proxy_cert_url}", + "proxy_whitelist=${join(",", var.proxy_whitelist)}", "feature_flag_platform_upgrade='${var.feature_flag_platform_upgrade}'", "feature_flag_deploy_with_alb='${!var.public_deployment}'", "echo [FIRST_RUN] > /home/admin/processor/first_run.cfg", @@ -162,6 +163,7 @@ resource "aws_instance" "main" { "echo aws_stack_id = $aws_stack_id >> /home/admin/processor/first_run.cfg", "echo PROXY_url = $feature_flag_http_proxy >> /home/admin/processor/first_run.cfg", "echo PROXY_cert_url = $proxy_cert_url >> /home/admin/processor/first_run.cfg", + "echo PROXY_whitelist = $proxy_whitelist >> /home/admin/processor/first_run.cfg", "echo minimum_role_deployment = true >> /home/admin/processor/first_run.cfg", ], [ @@ -176,6 +178,7 @@ resource "aws_instance" "main" { "${var.finalize_cmd}", var.proxy != "" ? " --proxy ${var.proxy}" : "", var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "", + length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "", "2>&1 | sudo tee /home/admin/processor/init_out" ])) ], diff --git a/aws_v2/modules/deploy/variables.tf b/aws_v2/modules/deploy/variables.tf index 8a9650a..d5de5dd 100644 
--- a/aws_v2/modules/deploy/variables.tf +++ b/aws_v2/modules/deploy/variables.tf @@ -47,6 +47,10 @@ variable "proxy_cert_url" { type = string } +variable "proxy_whitelist" { + type = list(string) +} + variable "vol_size" { type = number } diff --git a/aws_v2/modules/iam/main.tf b/aws_v2/modules/iam/main.tf index a6c90a7..9d20128 100644 --- a/aws_v2/modules/iam/main.tf +++ b/aws_v2/modules/iam/main.tf @@ -241,10 +241,13 @@ resource "aws_iam_role_policy" "policy" { { "Sid": "RequiredToCheckPolicy", "Action": [ + "iam:ListRolePolicies", "iam:GetPolicy", - "iam:GetPolicyVersion" + "iam:GetRolePolicy", + "iam:GetPolicyVersion", + "iam:SimulatePrincipalPolicy" ], - "Resource": "arn:aws:iam::*:policy/*CadoResponse*", + "Resource": "*", "Effect": "Allow" }, { diff --git a/aws_v2/variables.tf b/aws_v2/variables.tf index fef5398..8212318 100644 --- a/aws_v2/variables.tf +++ b/aws_v2/variables.tf @@ -90,6 +90,12 @@ variable "proxy_cert_url" { default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] +} + # DO NOT CHANGE variable "finalize_cmd" { diff --git a/azure/azure_transient/main.tf b/azure/azure_transient/main.tf index 99c7142..6bd1ff7 100644 --- a/azure/azure_transient/main.tf +++ b/azure/azure_transient/main.tf @@ -78,6 +78,12 @@ variable "proxy_cert_url" { default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] +} + variable "worker_vm_type" { type = string description = "Default worker vm size" 
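Review bot: In the aws_v2/modules/iam/main.tf hunk the `RequiredToCheckPolicy` statement's `"Resource"` is widened from `arn:aws:iam::*:policy/*CadoResponse*` to `"*"` while `iam:ListRolePolicies`, `iam:GetRolePolicy` and `iam:SimulatePrincipalPolicy` are added, so the instance role can now read the inline and managed policies of every role in the account and simulate any principal, not just its own. The widening looks driven by the fact that the new actions take a role ARN as their resource rather than a policy ARN, which the old pattern could never match; if the check only concerns the instance's own role, the least-privilege fix is to split the statement so the policy actions keep `"Resource": "arn:aws:iam::*:policy/*CadoResponse*"` and the role actions get `"Resource": "arn:aws:iam::*:role/<role name pattern>"` (the exact pattern depends on how the role is named in this module, which is outside the hunk). If `"*"` really is required, a comment such as `# Resource "*" needed because SimulatePrincipalPolicy is evaluated against arbitrary principals` would record the reason. The same widening appears in cross-account/CrossAccountPolicy.yaml (`Resource: '*'`) and should be handled the same way.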
@@ -288,6 +294,7 @@ resource "azurerm_linux_virtual_machine" "vm" { "echo bucket = ${data.azurerm_storage_container.container.name} | sudo tee -a /home/admin/processor/first_run.cfg", "echo PROXY_url = ${var.proxy} | sudo tee -a /home/admin/processor/first_run.cfg", "echo PROXY_cert_url = ${var.proxy_cert_url} | sudo tee -a /home/admin/processor/first_run.cfg", + "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} | sudo tee -a /home/admin/processor/first_run.cfg", "echo -n ${azurerm_key_vault.keyvault.vault_uri} | sudo tee -a /home/admin/processor/envars/KEYVAULT_URI", "echo -n ${var.use_secrets_manager} | sudo tee -a /home/admin/processor/envars/USE_SECRETS_MANAGER", "echo local_workers = ${var.local_workers} | sudo tee -a /home/admin/processor/first_run.cfg", @@ -306,6 +313,7 @@ resource "azurerm_linux_virtual_machine" "vm" { "${var.finalize_cmd}", var.proxy != "" ? " --proxy ${var.proxy}" : "", var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "", + length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "", "2>&1 | sudo tee /home/admin/processor/init_out" ])) ], diff --git a/azure/cado/main.tf b/azure/cado/main.tf index fee1a27..a81bbdb 100644 --- a/azure/cado/main.tf +++ b/azure/cado/main.tf @@ -117,6 +117,11 @@ variable "proxy_cert_url" { description = "Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert." default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] +} variable "worker_vm_type" { type = string 
@@ -167,6 +172,7 @@ module "azure_transient" { finalize_cmd = var.finalize_cmd proxy = var.proxy proxy_cert_url = var.proxy_cert_url + proxy_whitelist = var.proxy_whitelist feature_flag_platform_upgrade = var.feature_flag_platform_upgrade use_secrets_manager = var.use_secrets_manager deploy_acquisition_permissions = var.deploy_acquisition_permissions diff --git a/cross-account/CrossAccountPolicy.yaml b/cross-account/CrossAccountPolicy.yaml index 8cc1f49..c7bea61 100644 --- a/cross-account/CrossAccountPolicy.yaml +++ b/cross-account/CrossAccountPolicy.yaml @@ -17,9 +17,12 @@ Statement: aws:ResourceTag/Name: CadoResponse* - Sid: RequiredToCheckPolicy Action: + - iam:ListRolePolicies - iam:GetPolicy + - iam:GetRolePolicy - iam:GetPolicyVersion - Resource: arn:aws:iam::*:policy/*CadoResponse* + - iam:SimulatePrincipalPolicy + Resource: '*' Effect: Allow - Sid: RequiredForMemoryForensics Effect: Allow diff --git a/gcp/README.md b/gcp/README.md index 4779c06..4d15563 100644 --- a/gcp/README.md +++ b/gcp/README.md @@ -72,6 +72,7 @@ No resources. | [project\_id](#input\_project\_id) | Project id to deploy to | `string` | n/a | yes | | [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:pass@1.2.3.4:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | `""` | no | | [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | `""` | no | +| [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | `[]` | no | | [region](#input\_region) | Region to deploy to | `string` | `"us-central1"` | no | | [role](#input\_role) | The role to assign to the service account | `string` | `""` | no | | [tags](#input\_tags) | Tags to apply to main vm and any spawned workers | `map(string)` | `{}` | no | 
diff --git a/gcp/main.tf b/gcp/main.tf index e577926..cf89540 100644 --- a/gcp/main.tf +++ b/gcp/main.tf @@ -63,6 +63,7 @@ module "deploy" { finalize_cmd = var.finalize_cmd proxy = var.proxy proxy_cert_url = var.proxy_cert_url + proxy_whitelist = var.proxy_whitelist instance_worker_type = var.instance_worker_type use_beta = local.use_beta deploy_nfs = var.deploy_nfs diff --git a/gcp/modules/deploy/README.md b/gcp/modules/deploy/README.md index e0decae..00bc3ac 100644 --- a/gcp/modules/deploy/README.md +++ b/gcp/modules/deploy/README.md @@ -43,6 +43,7 @@ No modules. | [project\_id](#input\_project\_id) | Value of the project id to deploy to | `string` | n/a | yes | | [proxy](#input\_proxy) | Proxy URL to use for outbound connections in format / User Pass - https://user:pass@1.2.3.4:1234 \| IP Auth - https://1.2.3.4:1234 | `string` | n/a | yes | | [proxy\_cert\_url](#input\_proxy\_cert\_url) | Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert. | `string` | n/a | yes | +| [proxy\_whitelist](#input\_proxy\_whitelist) | List of IPs/domains to be included in the no\_proxy environment variable | `list(string)` | n/a | yes | | [region](#input\_region) | The zone where the VM will be deployed | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The service account to use for the VM | `string` | n/a | yes | | [subnetwork\_config](#input\_subnetwork\_config) | The subnetwork configuration for the VM | `any` | n/a | yes | diff --git a/gcp/modules/deploy/main.tf b/gcp/modules/deploy/main.tf index 743dca9..f1935a0 100644 --- a/gcp/modules/deploy/main.tf +++ b/gcp/modules/deploy/main.tf 
@@ -45,6 +45,7 @@ resource "google_compute_instance" "vm_instance" { "echo feature_flag_platform_upgrade = ${var.enable_platform_updates} >> /home/admin/processor/first_run.cfg", "echo PROXY_url = ${var.proxy} >> /home/admin/processor/first_run.cfg", "echo PROXY_cert_url = ${var.proxy_cert_url} >> /home/admin/processor/first_run.cfg", + "echo PROXY_whitelist = ${join(",", var.proxy_whitelist)} >> /home/admin/processor/first_run.cfg", "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg", "echo local_workers = ${var.local_workers} >> /home/admin/processor/first_run.cfg", "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} >> /home/admin/processor/first_run.cfg", @@ -59,6 +60,7 @@ resource "google_compute_instance" "vm_instance" { "${var.finalize_cmd}", var.proxy != "" ? " --proxy ${var.proxy}" : "", var.proxy_cert_url != "" ? " --proxy-cert-url ${var.proxy_cert_url}" : "", + length(var.proxy_whitelist) > 0 ? " --proxy-whitelist ${join(",", var.proxy_whitelist)}" : "", "2>&1 | sudo tee /home/admin/processor/init_out" ])) ], diff --git a/gcp/modules/deploy/variables.tf b/gcp/modules/deploy/variables.tf index d79fcbe..6707a57 100644 --- a/gcp/modules/deploy/variables.tf +++ b/gcp/modules/deploy/variables.tf @@ -65,6 +65,11 @@ variable "proxy_cert_url" { description = "Location of where to download and trust the proxy certificate, leave blank to use proxy without a cert." } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" +} + variable "instance_worker_type" { type = string description = "Set Worker instance type" diff --git a/gcp/variables.tf b/gcp/variables.tf index 37f5045..3fa0976 100644 --- a/gcp/variables.tf +++ b/gcp/variables.tf 
@@ -113,6 +113,12 @@ variable "proxy_cert_url" { default = "" } +variable "proxy_whitelist" { + type = list(string) + description = "List of IPs/domains to be included in the no_proxy environment variable" + default = [] +} + variable "instance_worker_type" { type = string default = "n2-highmem-8"