diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cfb305a87..c399b5275 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -427,6 +427,10 @@ updates: directory: "/terraform/modules/kms" schedule: interval: "daily" + - package-ecosystem: "terraform" + directory: "/terraform/modules/r53-dns-firewall" + schedule: + interval: "daily" - package-ecosystem: "terraform" directory: "/terraform/modules/ram-ec2-retagging" schedule: diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 305feebd8..35055c0d0 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -39,7 +39,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: tflint.sarif trivy: @@ -64,7 +64,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: 'trivy-results.sarif' checkov: @@ -82,7 +82,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@3cb001754ea6e3e3fdd99cf32c0fc0e52b299453 # v12.2946.0 + uses: bridgecrewio/checkov-action@50b959918599bb15388ef018e2f51c5e83e2d0e2 # v12.2948.0 with: directory: ./ framework: terraform 
@@ -92,6 +92,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index b76aed919..4b4a2ab4e 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -41,7 +41,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/terraform@1fc052d03c7a43c78fe0fee19c9d648b749e0c01 #v8.3.0 + uses: oxsecurity/megalinter/flavors/terraform@f90c800040e4f84800700b27b2394d3eecc1fdad #v8.4.0 env: # All available variables are described in documentation # https://megalinter.io/configuration/#shared-variables diff --git a/.github/workflows/notify-user-new-environment-created.yml b/.github/workflows/notify-user-new-environment-created.yml index 9120ffb58..f6953191a 100644 --- a/.github/workflows/notify-user-new-environment-created.yml +++ b/.github/workflows/notify-user-new-environment-created.yml @@ -19,7 +19,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: 20 - name: Send message to user on onboarding issue close diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e58c1bf9f..c4aabe9bb 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: results.sarif diff --git a/environments/mojfin.json b/environments/mojfin.json index 75c0639f8..c5973d83a 100644 --- a/environments/mojfin.json +++ b/environments/mojfin.json @@ -11,6 +11,10 @@ { "sso_group_name": "laa-mojfin-developers", "level": "developer" + }, + { + "sso_group_name": "laa-mojfin-database-access", + "level": "instance-management" } ] }, @@ -37,6 +41,10 @@ { "sso_group_name": "laa-mojfin-developers", "level": "developer" + }, + { + "sso_group_name": "laa-mojfin-database-access", + "level": "instance-management" } ] }, @@ -57,7 +65,7 @@ "tags": { "application": "mojfin", "business-unit": "LAA", - "infrastructure-support": "aws-webops-laa@digital.justice.gov.uk", + "infrastructure-support": "laa_ops@digital.justice.gov.uk", "owner": "william.moran@justice.gov.uk", "critical-national-infrastructure": false }, diff --git a/scripts/internal/get-security-hub-findings/go.mod b/scripts/internal/get-security-hub-findings/go.mod index 3129fc8c5..3ae347523 100644 --- a/scripts/internal/get-security-hub-findings/go.mod +++ b/scripts/internal/get-security-hub-findings/go.mod 
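Review bot: The hunks at @@ -11 and @@ -37 both grant `laa-mojfin-database-access` the `instance-management` level, but the names of the two environment stanzas receiving it fall outside the hunks, so it is not visible here whether both (for example a production one) are meant to get the same group. JSON carries no comments, so the approval and what `instance-management` permits should be recorded in the PR description or the access-levels documentation rather than left implicit. The `infrastructure-support` tag change at @@ -57 is independent of the access change and would be easier to audit on its own.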
@@ -3,22 +3,22 @@ module modernisation-platform/get-security-hub-findings
 go 1.23
 require (
- github.com/aws/aws-sdk-go-v2 v1.33.0
- github.com/aws/aws-sdk-go-v2/config v1.29.1
- github.com/aws/aws-sdk-go-v2/credentials v1.17.54
- github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.13
- github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.5
- github.com/aws/aws-sdk-go-v2/service/sts v1.33.9
+ github.com/aws/aws-sdk-go-v2 v1.34.0
+ github.com/aws/aws-sdk-go-v2/config v1.29.2
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.55
+ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14
+ github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.6
+ github.com/aws/aws-sdk-go-v2/service/sts v1.33.10
 )
 require (
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.24.11 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 // indirect
- github.com/aws/smithy-go v1.22.1 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
+ github.com/aws/smithy-go v1.22.2 // indirect
 )
diff --git a/scripts/internal/get-security-hub-findings/go.sum b/scripts/internal/get-security-hub-findings/go.sum
index f909ca3c3..22f97b025 100644
--- a/scripts/internal/get-security-hub-findings/go.sum
+++ b/scripts/internal/get-security-hub-findings/go.sum
@@ -1,30 +1,30 @@ -github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs= -github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= -github.com/aws/aws-sdk-go-v2/config v1.29.1 h1:JZhGawAyZ/EuJeBtbQYnaoftczcb2drR2Iq36Wgz4sQ= -github.com/aws/aws-sdk-go-v2/config v1.29.1/go.mod h1:7bR2YD5euaxBhzt2y/oDkt3uNRb6tjFp98GlTFueRwk= -github.com/aws/aws-sdk-go-v2/credentials v1.17.54 h1:4UmqeOqJPvdvASZWrKlhzpRahAulBfyTJQUaYy4+hEI= -github.com/aws/aws-sdk-go-v2/credentials v1.17.54/go.mod h1:RTdfo0P0hbbTxIhmQrOsC/PquBZGabEPnCaxxKRPSnI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 h1:5grmdTdMsovn9kPZPI23Hhvp0ZyNm5cRO+IZFIYiAfw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24/go.mod h1:zqi7TVKTswH3Ozq28PkmBmgzG1tona7mo9G2IJg4Cis= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 h1:igORFSiH3bfq4lxKFkTSYDhJEUCYo6C8VKiWJjYwQuQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28/go.mod h1:3So8EA/aAYm36L7XIvCVwLa0s5N0P7o2b1oqnx/2R4g= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 h1:1mOW9zAUMhTSrMDssEHS/ajx8JcAj/IcftzcmNlmVLI= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28/go.mod h1:kGlXVIWDfvt2Ox5zEaNglmq0hXPHgQFNMix33Tw22jA= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 h1:TQmKDyETFGiXVhZfQ/I0cCFziqqX58pi4tKJGYGFSz0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9/go.mod h1:HVLPK2iHQBUx7HfZeOQSEu3v2ubZaAY2YPbAm5/WUyY= -github.com/aws/aws-sdk-go-v2/service/secretsmanager 
v1.34.13 h1:+dFX6kb0ekos09TP4icFIyqq/u3POCQDSrShc9ZkCCI= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.13/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= -github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.5 h1:1f8l9jG/6vP0WP1Lo8QJNGL0DaJRFiD+pqeAaCcUVBk= -github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.5/go.mod h1:8IYDBdfP7wR5P1hZ9WacHyV97Fnvrvbz/LvDjSOynKM= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.11 h1:kuIyu4fTT38Kj7YCC7ouNbVZSSpqkZ+LzIfhCr6Dg+I= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.11/go.mod h1:Ro744S4fKiCCuZECXgOi760TiYylUM8ZBf6OGiZzJtY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 h1:l+dgv/64iVlQ3WsBbnn+JSbkj01jIi+SM0wYsj3y/hY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10/go.mod h1:Fzsj6lZEb8AkTE5S68OhcbBqeWPsR8RnGuKPr8Todl8= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.9 h1:BRVDbewN6VZcwr+FBOszDKvYeXY1kJ+GGMCcpghlw0U= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.9/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw= -github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= -github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU= +github.com/aws/aws-sdk-go-v2 v1.34.0/go.mod h1:JgstGg0JjWU1KpVJjD5H0y0yyAIpSdKEq556EI6yOOM= +github.com/aws/aws-sdk-go-v2/config v1.29.2 h1:JuIxOEPcSKpMB0J+khMjznG9LIhIBdmqNiEcPclnwqc= +github.com/aws/aws-sdk-go-v2/config v1.29.2/go.mod h1:HktTHregOZwNSM/e7WTfVSu9RCX+3eOv+6ij27PtaYs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.55 h1:CDhKnDEaGkLA5ZszV/qw5uwN5M8rbv9Cl0JRN+PRsaM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.55/go.mod h1:kPD/vj+RB5MREDUky376+zdnjZpR+WgdBBvwrmnlmKE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 h1:kU7tmXNaJ07LsyN3BUgGqAmVmQtq0w6duVIHAKfp0/w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25/go.mod h1:OiC8+OiqrURb1wrwmr/UbOVLFSWEGxjinj5C299VQdo= 
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 h1:Ej0Rf3GMv50Qh4G4852j2djtoDb7AzQ7MuQeFHa3D70= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29/go.mod h1:oeNTC7PwJNoM5AznVr23wxhLnuJv0ZDe5v7w0wqIs9M= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 h1:6e8a71X+9GfghragVevC5bZqvATtc3mAMgxpSNbgzF0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29/go.mod h1:c4jkZiQ+BWpNqq7VtrxjwISrLrt/VvPq3XiopkUIolI= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 h1:hN4yJBGswmFTOVYqmbz1GBs9ZMtQe8SrYxPwrkrlRv8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10/go.mod h1:TsxON4fEZXyrKY+D+3d2gSTyJkGORexIYab9PTf56DA= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14 h1:rhT0h8cSV5ZNZWy67Eqe3OQTFGRu9xwgyFsuGeIXmGQ= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14/go.mod h1:CLEjbx0xH3ptihCb1l0XlrqoGfWD9xU0na47/s7fR/s= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.6 h1:dqBbbqO0VIoGHsT8ZfH3MMOYP59xckJ4mnC/luO2LqQ= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.6/go.mod h1:Tk4wQGDT645pvvQD142cn4u2qZLER+76SabLY3HknBo= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 h1:kznaW4f81mNMlREkU9w3jUuJvU5g/KsqDV43ab7Rp6s= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.12/go.mod h1:bZy9r8e0/s0P7BSDHgMLXK2KvdyRRBIQ2blKlvLt0IU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 h1:mUwIpAvILeKFnRx4h1dEgGEFGuV8KJ3pEScZWVFYuZA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11/go.mod 
h1:JDJtD+b8HNVv71axz8+S5492KM8wTzHRFpMKQbPlYxw= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 h1:g9d+TOsu3ac7SgmY2dUf1qMgu/uJVTlQ4VCbH6hRxSw= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.10/go.mod h1:WZfNmntu92HO44MVZAubQaz3qCuIdeOdog2sADfU6hU= +github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= +github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= diff --git a/scripts/internal/get-testing-ci-user-creds/go.mod b/scripts/internal/get-testing-ci-user-creds/go.mod index 3acb5c898..3abc60fae 100644 --- a/scripts/internal/get-testing-ci-user-creds/go.mod +++ b/scripts/internal/get-testing-ci-user-creds/go.mod 
@@ -3,21 +3,21 @@ module modernisation-platform/get-testing-creds
 go 1.23
 require (
- github.com/aws/aws-sdk-go-v2 v1.33.0
- github.com/aws/aws-sdk-go-v2/config v1.29.1
- github.com/aws/aws-sdk-go-v2/credentials v1.17.54
- github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.13
- github.com/aws/aws-sdk-go-v2/service/sts v1.33.9
+ github.com/aws/aws-sdk-go-v2 v1.34.0
+ github.com/aws/aws-sdk-go-v2/config v1.29.2
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.55
+ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14
+ github.com/aws/aws-sdk-go-v2/service/sts v1.33.10
 )
 require (
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.24.11 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 // indirect
- github.com/aws/smithy-go v1.22.1 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
+ github.com/aws/smithy-go v1.22.2 // indirect
 )
diff --git a/scripts/internal/get-testing-ci-user-creds/go.sum b/scripts/internal/get-testing-ci-user-creds/go.sum
index a38dea3f7..d8bded580 100644
--- a/scripts/internal/get-testing-ci-user-creds/go.sum
+++ b/scripts/internal/get-testing-ci-user-creds/go.sum
@@ -1,28 +1,28 @@ -github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs= -github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= -github.com/aws/aws-sdk-go-v2/config v1.29.1 h1:JZhGawAyZ/EuJeBtbQYnaoftczcb2drR2Iq36Wgz4sQ= -github.com/aws/aws-sdk-go-v2/config v1.29.1/go.mod h1:7bR2YD5euaxBhzt2y/oDkt3uNRb6tjFp98GlTFueRwk= -github.com/aws/aws-sdk-go-v2/credentials v1.17.54 h1:4UmqeOqJPvdvASZWrKlhzpRahAulBfyTJQUaYy4+hEI= -github.com/aws/aws-sdk-go-v2/credentials v1.17.54/go.mod h1:RTdfo0P0hbbTxIhmQrOsC/PquBZGabEPnCaxxKRPSnI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24 h1:5grmdTdMsovn9kPZPI23Hhvp0ZyNm5cRO+IZFIYiAfw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24/go.mod h1:zqi7TVKTswH3Ozq28PkmBmgzG1tona7mo9G2IJg4Cis= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28 h1:igORFSiH3bfq4lxKFkTSYDhJEUCYo6C8VKiWJjYwQuQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.28/go.mod h1:3So8EA/aAYm36L7XIvCVwLa0s5N0P7o2b1oqnx/2R4g= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28 h1:1mOW9zAUMhTSrMDssEHS/ajx8JcAj/IcftzcmNlmVLI= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.28/go.mod h1:kGlXVIWDfvt2Ox5zEaNglmq0hXPHgQFNMix33Tw22jA= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9 h1:TQmKDyETFGiXVhZfQ/I0cCFziqqX58pi4tKJGYGFSz0= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.9/go.mod h1:HVLPK2iHQBUx7HfZeOQSEu3v2ubZaAY2YPbAm5/WUyY= -github.com/aws/aws-sdk-go-v2/service/secretsmanager 
v1.34.13 h1:+dFX6kb0ekos09TP4icFIyqq/u3POCQDSrShc9ZkCCI= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.13/go.mod h1:l+Fboycn+g9RMQcYbTfpqF/d3qZn90q5PYmO7Biu+WM= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.11 h1:kuIyu4fTT38Kj7YCC7ouNbVZSSpqkZ+LzIfhCr6Dg+I= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.11/go.mod h1:Ro744S4fKiCCuZECXgOi760TiYylUM8ZBf6OGiZzJtY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 h1:l+dgv/64iVlQ3WsBbnn+JSbkj01jIi+SM0wYsj3y/hY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10/go.mod h1:Fzsj6lZEb8AkTE5S68OhcbBqeWPsR8RnGuKPr8Todl8= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.9 h1:BRVDbewN6VZcwr+FBOszDKvYeXY1kJ+GGMCcpghlw0U= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.9/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw= -github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= -github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU= +github.com/aws/aws-sdk-go-v2 v1.34.0/go.mod h1:JgstGg0JjWU1KpVJjD5H0y0yyAIpSdKEq556EI6yOOM= +github.com/aws/aws-sdk-go-v2/config v1.29.2 h1:JuIxOEPcSKpMB0J+khMjznG9LIhIBdmqNiEcPclnwqc= +github.com/aws/aws-sdk-go-v2/config v1.29.2/go.mod h1:HktTHregOZwNSM/e7WTfVSu9RCX+3eOv+6ij27PtaYs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.55 h1:CDhKnDEaGkLA5ZszV/qw5uwN5M8rbv9Cl0JRN+PRsaM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.55/go.mod h1:kPD/vj+RB5MREDUky376+zdnjZpR+WgdBBvwrmnlmKE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 h1:kU7tmXNaJ07LsyN3BUgGqAmVmQtq0w6duVIHAKfp0/w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25/go.mod h1:OiC8+OiqrURb1wrwmr/UbOVLFSWEGxjinj5C299VQdo= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 h1:Ej0Rf3GMv50Qh4G4852j2djtoDb7AzQ7MuQeFHa3D70= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29/go.mod h1:oeNTC7PwJNoM5AznVr23wxhLnuJv0ZDe5v7w0wqIs9M= 
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 h1:6e8a71X+9GfghragVevC5bZqvATtc3mAMgxpSNbgzF0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29/go.mod h1:c4jkZiQ+BWpNqq7VtrxjwISrLrt/VvPq3XiopkUIolI= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 h1:hN4yJBGswmFTOVYqmbz1GBs9ZMtQe8SrYxPwrkrlRv8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10/go.mod h1:TsxON4fEZXyrKY+D+3d2gSTyJkGORexIYab9PTf56DA= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14 h1:rhT0h8cSV5ZNZWy67Eqe3OQTFGRu9xwgyFsuGeIXmGQ= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.14/go.mod h1:CLEjbx0xH3ptihCb1l0XlrqoGfWD9xU0na47/s7fR/s= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 h1:kznaW4f81mNMlREkU9w3jUuJvU5g/KsqDV43ab7Rp6s= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.12/go.mod h1:bZy9r8e0/s0P7BSDHgMLXK2KvdyRRBIQ2blKlvLt0IU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 h1:mUwIpAvILeKFnRx4h1dEgGEFGuV8KJ3pEScZWVFYuZA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11/go.mod h1:JDJtD+b8HNVv71axz8+S5492KM8wTzHRFpMKQbPlYxw= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 h1:g9d+TOsu3ac7SgmY2dUf1qMgu/uJVTlQ4VCbH6hRxSw= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.10/go.mod h1:WZfNmntu92HO44MVZAubQaz3qCuIdeOdog2sADfU6hU= +github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= +github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= 
diff --git a/terraform/environments/bootstrap/delegate-access/backend.tf b/terraform/environments/bootstrap/delegate-access/backend.tf index 1d1ffb178..4394f95a0 100644 --- a/terraform/environments/bootstrap/delegate-access/backend.tf +++ b/terraform/environments/bootstrap/delegate-access/backend.tf @@ -1,7 +1,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/bootstrap/member-bootstrap/backend.tf b/terraform/environments/bootstrap/member-bootstrap/backend.tf index f92d08bee..85345d4cd 100644 --- a/terraform/environments/bootstrap/member-bootstrap/backend.tf +++ b/terraform/environments/bootstrap/member-bootstrap/backend.tf @@ -1,7 +1,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf index ca9337d79..7c9b3bb5b 100644 --- a/terraform/environments/bootstrap/member-bootstrap/iam.tf +++ b/terraform/environments/bootstrap/member-bootstrap/iam.tf 
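Review bot: Removing the `#checkov:skip=CKV_TF_3` suppression means checkov will now evaluate state locking on this backend, but the hunk shows only `acl` and `bucket`; the rest of the `backend "s3"` block lies outside it, so it is not visible here whether `use_lockfile = true` (or `dynamodb_table`) is set. Confirm each of these backends already locks state, otherwise CKV_TF_3 will start failing in the code-scanning workflow on the next run. The same suppression is removed in member-bootstrap/backend.tf, secure-baselines/backend.tf, single-sign-on/backend.tf, core-sandbox/backend.tf and environments/main.tf without a locking argument appearing in those hunks either; terraform/github/backend.tf and modernisation-platform-account/backend.tf, by contrast, add `use_lockfile = true` in the same commit.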
@@ -804,19 +804,35 @@ data "aws_iam_policy_document" "oidc_assume_role_member" { } statement { - sid = "AllowOIDCReadState" - effect = "Allow" - resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*", "arn:aws:s3:::modernisation-platform-terraform-state/"] - actions = ["s3:Get*", - "s3:List*"] + sid = "AllowOIDCReadState" + effect = "Allow" + resources = [ + "arn:aws:s3:::modernisation-platform-terraform-state/*", + "arn:aws:s3:::modernisation-platform-terraform-state/" + ] + actions = [ + "s3:Get*", + "s3:List*" + ] } statement { sid = "AllowOIDCWriteState" effect = "Allow" resources = ["arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*"] - actions = ["s3:PutObject", - "s3:PutObjectAcl"] + actions = [ + "s3:PutObject", + "s3:PutObjectAcl" + ] + } + + statement { + sid = "AllowOIDCDeleteLock" + effect = "Allow" + resources = ["arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*.tflock"] + actions = [ + "s3:DeleteObject" + ] } } diff --git a/terraform/environments/bootstrap/secure-baselines/backend.tf b/terraform/environments/bootstrap/secure-baselines/backend.tf index df0969e50..2e57c86e0 100644 --- a/terraform/environments/bootstrap/secure-baselines/backend.tf +++ b/terraform/environments/bootstrap/secure-baselines/backend.tf @@ -1,7 +1,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/bootstrap/single-sign-on/backend.tf b/terraform/environments/bootstrap/single-sign-on/backend.tf index 109c0f74d..5dd93b079 100644 --- a/terraform/environments/bootstrap/single-sign-on/backend.tf 
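Review bot: The new `AllowOIDCDeleteLock` statement carries no comment explaining why the OIDC role needs `s3:DeleteObject`, and a reader skimming the policy could mistake it for a state-deletion grant; suggest `# Terraform's S3 native locking (use_lockfile) writes a <key>.tflock object beside the state and must delete it on unlock.` above the statement. The resource pattern `environments/members/*.tflock` spans every member's lock file, which matches the breadth of the existing `AllowOIDCWriteState` statement but means any member pipeline can clear another member's lock — worth recording as an accepted trade-off in that comment. The `data "aws_iam_policy_document" "oidc_assume_role_member"` block starts outside the hunk.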
+++ b/terraform/environments/bootstrap/single-sign-on/backend.tf @@ -1,7 +1,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/core-logging/logging.tf b/terraform/environments/core-logging/logging.tf index 8a5205341..806e53557 100644 --- a/terraform/environments/core-logging/logging.tf +++ b/terraform/environments/core-logging/logging.tf @@ -25,4 +25,4 @@ resource "aws_route53_resolver_query_log_config_association" "core_logging" { for_each = local.is-production ? local.vpc_rlq_associations : {} resolver_query_log_config_id = each.value.rlq_id resource_id = each.value.vpc_id -} +} \ No newline at end of file diff --git a/terraform/environments/core-logging/r53_logs.tf b/terraform/environments/core-logging/r53_logs.tf index 8169c9d63..038f9c6f6 100644 --- a/terraform/environments/core-logging/r53_logs.tf +++ b/terraform/environments/core-logging/r53_logs.tf 
@@ -90,3 +90,91 @@ data "aws_iam_policy_document" "r53_resolver_logs_kms" { } } } + +resource "aws_cloudwatch_log_metric_filter" "r53_dns_firewall_metric_filter" { + name = "r53-dns-firewall-matches" + log_group_name = aws_cloudwatch_log_group.r53_resolver_logs.name + + pattern = "{ ($.firewall_rule_action = \"BLOCK\" || $.firewall_rule_action = \"ALERT\") }" + metric_transformation { + name = "r53-dns-firewall-matches" + namespace = "R53DNSFirewall" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "r53_dns_firewall_alarm" { + alarm_name = "r53-dns-firewall-matches" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.r53_dns_firewall_metric_filter.metric_transformation[0].name + namespace = aws_cloudwatch_log_metric_filter.r53_dns_firewall_metric_filter.metric_transformation[0].namespace + period = "60" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.r53_dns_firewall.arn] + tags = local.tags +} + +resource "aws_sns_topic" "r53_dns_firewall" { + name = "r53-dns-firewall-sns-topic" + kms_master_key_id = aws_kms_key.r53_dns_firewall.key_id + tags = local.tags +} + +resource "aws_kms_key" "r53_dns_firewall" { + description = "KMS key for DNS Firewall SNS Topic Encryption" + enable_key_rotation = true + policy = data.aws_iam_policy_document.r53_dns_firewall_kms_policy.json + tags = local.tags +} + +resource "aws_kms_alias" "r53_dns_firewall" { + name_prefix = "alias/r53-dns-firewall-sns-encryption" + target_key_id = aws_kms_key.r53_dns_firewall.key_id +} + +data "aws_iam_policy_document" "r53_dns_firewall_kms_policy" { + # checkov:skip=CKV_AWS_111: "policy is directly related to the resource" + # checkov:skip=CKV_AWS_109: "policy is directly related to the resource" + # checkov:skip=CKV_AWS_356: "policy is directly related to the resource" + statement { + sid = "Allow SNS/Cloudwatch services to use the KMS key" + effect = "Allow" + actions = [ + 
"kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] + resources = [ + "*" + ] + principals { + type = "Service" + identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "logs.amazonaws.com"] + } + } + + statement { + sid = "Allow account to manage key" + effect = "Allow" + actions = [ + "kms:*" + ] + resources = [ + "*" + ] + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } +} +module "pagerduty_r53_dns_firewall" { + depends_on = [aws_sns_topic.r53_dns_firewall] + source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4" # v2.0.0 + sns_topics = [aws_sns_topic.r53_dns_firewall.name] + pagerduty_integration_key = local.pagerduty_integration_keys["core_alerts_cloudwatch"] +} diff --git a/terraform/environments/core-sandbox/backend.tf b/terraform/environments/core-sandbox/backend.tf index 4b0062d15..47d36cf28 100644 --- a/terraform/environments/core-sandbox/backend.tf +++ b/terraform/environments/core-sandbox/backend.tf @@ -2,7 +2,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/core-vpc/logging.tf b/terraform/environments/core-vpc/logging.tf index 5702ab2fb..4ed7421fb 100644 --- a/terraform/environments/core-vpc/logging.tf +++ b/terraform/environments/core-vpc/logging.tf 
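Review bot: The `Allow SNS/Cloudwatch services to use the KMS key` statement in `r53_dns_firewall_kms_policy` grants three service principals `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:DescribeKey` with no `condition`, so the grant is not tied to this account's resources. The only consumer visible in the hunk is the alarm publishing to the encrypted SNS topic, which needs `kms:GenerateDataKey*` and `kms:Decrypt` for `sns.amazonaws.com` and `cloudwatch.amazonaws.com`; `logs.amazonaws.com` and the `Encrypt`/`ReEncrypt*` actions are used by nothing shown here and look droppable unless the key is also meant for a log group. Adding an `aws:SourceAccount` condition, as AWS recommends for service-principal key grants (confirm against each service's documented condition keys), narrows the confused-deputy exposure. Separately, `evaluation_periods`, `period` and `threshold` in `r53_dns_firewall_alarm` are quoted strings where numeric literals are the idiomatic form, and the alarm has no `alarm_description`.
```hcl
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "logs.amazonaws.com"]
    }
    # Restrict the service-principal grant to resources in this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
  # … unchanged: "Allow account to manage key" statement …
```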
@@ -11,6 +11,9 @@ locals { } } ]...) + vpc_cloudwatch_rlq_associations = { + for key, value in local.vpc_rlq_associations : key => value if can(regex("cloudwatch", key)) + } } data "aws_route53_resolver_query_log_config" "core_logging" { @@ -22,7 +25,7 @@ data "aws_route53_resolver_query_log_config" "core_logging" { } resource "aws_route53_resolver_query_log_config_association" "core_logging" { - for_each = local.is-production ? local.vpc_rlq_associations : {} + for_each = local.is-production ? local.vpc_rlq_associations : local.vpc_cloudwatch_rlq_associations resolver_query_log_config_id = each.value.rlq_id resource_id = each.value.vpc_id -} +} \ No newline at end of file diff --git a/terraform/environments/main.tf b/terraform/environments/main.tf index 6699362f0..03925b809 100644 --- a/terraform/environments/main.tf +++ b/terraform/environments/main.tf @@ -1,7 +1,6 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" diff --git a/terraform/environments/sprinkler/iam.tf b/terraform/environments/sprinkler/iam.tf index 1ada63806..f1068ac36 100644 --- a/terraform/environments/sprinkler/iam.tf +++ b/terraform/environments/sprinkler/iam.tf @@ -23,7 +23,7 @@ data "aws_iam_policy_document" "oidc_deny_specific_actions" { sid = "AllowOIDCReadState" effect = "Allow" resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*", "arn:aws:s3:::modernisation-platform-terraform-state/"] - actions = ["s3:List*"] + actions = ["s3:List*"] } statement { 
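Review bot: `vpc_cloudwatch_rlq_associations` selects keys with `can(regex("cloudwatch", key))`, a substring test wrapped in an error-catching function; `strcontains(key, "cloudwatch")` states the intent directly if the pinned Terraform version is 1.5 or later (not visible here). A one-line comment on the local explaining why non-production environments now receive only the CloudWatch-destination associations would help the next reader, since the `for_each` change is the behavioural part of this commit. The second hunk also drops the file's trailing newline (`\ No newline at end of file` on the new side), as does core-logging/logging.tf in the same commit.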
@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "oidc_deny_specific_actions" { } statement { - sid = "AllowOIDCRemoveLock" + sid = "AllowOIDCDeleteLock" effect = "Allow" resources = [ "arn:aws:s3:::modernisation-platform-terraform-state/single-sign-on/*.tflock", @@ -49,4 +49,4 @@ data "aws_iam_policy_document" "oidc_deny_specific_actions" { ] actions = ["s3:DeleteObject"] } -} \ No newline at end of file +} diff --git a/terraform/github/backend.tf b/terraform/github/backend.tf index 83e530abd..8a2bd447f 100644 --- a/terraform/github/backend.tf +++ b/terraform/github/backend.tf @@ -1,11 +1,11 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { - bucket = "modernisation-platform-terraform-state" - encrypt = true - key = "github/terraform.tfstate" - region = "eu-west-2" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "github/terraform.tfstate" + region = "eu-west-2" + use_lockfile = true } } diff --git a/terraform/github/testing-ci.tf b/terraform/github/testing-ci.tf index 5f6b42df6..65746fb38 100644 --- a/terraform/github/testing-ci.tf +++ b/terraform/github/testing-ci.tf 
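Review bot: `use_lockfile = true` enables S3-native locking on a backend that previously configured no `dynamodb_table`, so this workspace's state was unlocked until now; pagerduty/backend.tf in this commit makes the same change and the same remarks apply. The argument is only understood by Terraform releases that implement the lock file (1.10 and later), so the `required_version` constraint for this root module, which is not visible here, should exclude older releases, otherwise `terraform init` rejects the backend block. The lock is an object at `github/terraform.tfstate.tflock`, so the identity running this module needs `s3:PutObject` and `s3:DeleteObject` on that key as well as on the state object; the IAM changes elsewhere in this commit add DeleteObject on `*.tflock`, so confirm a matching PutObject grant exists for the role used here. A comment beside the argument, `# S3-native state locking: Terraform writes <key>.tflock (requires Terraform >= 1.10)`, would also record why the CKV_TF_3 suppression could be removed.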
@@ -30,11 +30,21 @@ data "aws_iam_policy_document" "testing_ci_policy" { "s3:PutObjectAcl", ] resources = [ + "arn:aws:s3:::modernisation-platform-terraform-state/*.tflock", "arn:aws:s3:::modernisation-platform-terraform-state/terraform.tfstate", "arn:aws:s3:::modernisation-platform-terraform-state/environments/members/testing/testing-test/terraform.tfstate" ] } + statement { + effect = "Allow" + actions = ["s3:DeleteObject"] + resources = [ + "arn:aws:s3:::modernisation-platform-terraform-state/*.tflock", + "arn:aws:s3:::modernisation-platform-terraform-state/environments/members/testing/testing-test/*.tflock" + ] + } + # Based on https://www.terraform.io/docs/language/settings/backends/s3.html#dynamodb-table-permissions statement { effect = "Allow" diff --git a/terraform/modernisation-platform-account/backend.tf b/terraform/modernisation-platform-account/backend.tf index 77f3c2318..11898fb22 100644 --- a/terraform/modernisation-platform-account/backend.tf +++ b/terraform/modernisation-platform-account/backend.tf @@ -3,11 +3,11 @@ terraform { # - S3 bucket name, which is created in s3.tf # - DynamoDB table name, which is created in dynamodb.tf backend "s3" { - acl = "bucket-owner-full-control" - bucket = "modernisation-platform-terraform-state" - dynamodb_table = "modernisation-platform-terraform-state-lock" - encrypt = true - key = "modernisation-platform-account/terraform.tfstate" - region = "eu-west-2" + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "modernisation-platform-account/terraform.tfstate" + region = "eu-west-2" + use_lockfile = true } } diff --git a/terraform/modernisation-platform-account/iam.tf b/terraform/modernisation-platform-account/iam.tf index 4117bb484..6d33bf7a3 100644 --- a/terraform/modernisation-platform-account/iam.tf +++ b/terraform/modernisation-platform-account/iam.tf 
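Review bot: The new resource `arn:aws:s3:::modernisation-platform-terraform-state/*.tflock`, used both in the put statement and in the new `s3:DeleteObject` statement, matches the lock file of every workspace in the bucket because `*` in an S3 object ARN also matches `/`; the existing entries in the put statement are deliberately limited to two state keys, and the narrower `environments/members/testing/testing-test/*.tflock` entry in the delete statement is made redundant by the bucket-wide one. A testing CI role able to create or delete any lock file could release a lock held by another run on an unrelated state, so scope both to the keys this role manages, e.g. `"arn:aws:s3:::modernisation-platform-terraform-state/terraform.tfstate.tflock"` alongside the testing-test path already listed. The `# Based on ... dynamodb-table-permissions` statement that follows may become unnecessary once locking moves to lock files, but that depends on whether any backend in the repo still sets `dynamodb_table`, which the hunk does not show. The `testing_ci_policy` document begins before the hunk.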
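Review bot: The context comment `# - DynamoDB table name, which is created in dynamodb.tf` is now stale: it lists what is hard-coded in the block, and the hunk removes `dynamodb_table`; replace it with `# - lock files are written beside the state key (<key>.tflock) because use_lockfile is set` or drop the line. Changing the lock mechanism also means a runner still initialised with the previous configuration will not see locks taken under the new one until it re-runs `terraform init`, so the rollout should avoid two configurations operating on this state at the same time; the same applies to the other backend.tf files in this commit.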
@@ -67,11 +67,26 @@ data "aws_iam_policy_document" "collaborator_local_plan" { ] resources = [ + "arn:aws:s3:::modernisation-platform-terraform-state/*.tflock", "arn:aws:s3:::modernisation-platform-terraform-state/terraform.tfstate", "arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*", "arn:aws:s3:::modernisation-platform-terraform-state/environments/accounts/core-network-services/*", "arn:aws:s3:::modernisation-platform-terraform-state" ] + + condition { + test = "BoolIfExists" + variable = "aws:MultiFactorAuthPresent" + values = ["true"] + } + } + + statement { + sid = "TerraformStateAccessDeleteLock" + actions = ["s3:DeleteObject"] + + resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*.tflock"] + condition { test = "BoolIfExists" variable = "aws:MultiFactorAuthPresent" @@ -194,11 +209,9 @@ data "aws_iam_policy_document" "modernisation_account_terraform_state_role" { resources = ["arn:aws:dynamodb:eu-west-2:${data.aws_caller_identity.current.account_id}:table/modernisation-platform-terraform-state-lock"] } statement { - sid = "AllowS3AccessList" - effect = "Allow" - actions = [ - "s3:ListBucket", - ] + sid = "AllowS3AccessList" + effect = "Allow" + actions = ["s3:ListBucket"] resources = ["arn:aws:s3:::modernisation-platform-terraform-state"] } statement { @@ -315,8 +328,17 @@ data "aws_iam_policy_document" "oidc_assume_plan_role_member" { sid = "AllowOIDCReadState" effect = "Allow" resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*", "arn:aws:s3:::modernisation-platform-terraform-state/"] - actions = ["s3:Get*", - "s3:List*"] + actions = [ + "s3:Get*", + "s3:List*" + ] + } + + statement { + sid = "AllowOIDCDeleteLock" + effect = "Allow" + resources = ["arn:aws:s3:::modernisation-platform-terraform-state/*.tflock"] + actions = ["s3:DeleteObject"] } } diff --git a/terraform/modernisation-platform-account/s3.tf b/terraform/modernisation-platform-account/s3.tf index 84b4173e8..630a20fc2 100644 
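Review bot: The new `TerraformStateAccessDeleteLock` statement allows `s3:DeleteObject` on `arn:aws:s3:::modernisation-platform-terraform-state/*.tflock`, i.e. every lock file in the bucket, while the statement above limits its resources to `environments/members/*` and `environments/accounts/core-network-services/*`, so a collaborator plan role could remove locks on states it is not otherwise allowed to touch; the `*.tflock` entry added to that first statement has the same bucket-wide breadth. Narrow both to the prefixes the role already has, e.g. `"arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*.tflock"` plus the core-network-services equivalent. Separately, `BoolIfExists` on `aws:MultiFactorAuthPresent` evaluates as true when the key is absent, which is the case for requests signed with long-term access keys, so the condition only enforces MFA for temporary credentials; if MFA is meant to be mandatory for lock deletion, `test = "Bool"` is the stricter choice. The new statement also omits `effect`, relying on the provider default of Allow; writing `effect = "Allow"` explicitly matches the other statements in this file, and note the `collaborator_local_plan` document begins before the hunk.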
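Review bot: The new `AllowOIDCDeleteLock` statement grants the member plan role `s3:DeleteObject` on `*.tflock`, but nothing in this hunk grants `s3:PutObject` on that path and `AllowOIDCReadState` covers only `s3:Get*` and `s3:List*`; with `use_lockfile`, the lock is taken by creating the `.tflock` object, so unless a PutObject grant exists outside the hunk, a plan run with locking enabled fails at lock acquisition and the delete grant is never exercised. Confirm the put permission exists for this role (sprinkler/iam.tf's `oidc_deny_specific_actions` has the same read/delete-lock pair and raises the same question), or, if the role only ever runs with `-lock=false`, say so in a comment, e.g. `# Plan runs do not create lock files; this only lets a stale lock be released`. The `oidc_assume_plan_role_member` document begins before the hunk.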
--- a/terraform/modernisation-platform-account/s3.tf +++ b/terraform/modernisation-platform-account/s3.tf @@ -426,7 +426,7 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" { } statement { - sid = "AllowSprinklerGithubActionRoleRemoveLock" + sid = "AllowSprinklerGithubActionRoleDeleteLock" effect = "Allow" actions = [ "s3:DeleteObject" diff --git a/terraform/pagerduty/backend.tf b/terraform/pagerduty/backend.tf index 140adde2e..b3a950385 100644 --- a/terraform/pagerduty/backend.tf +++ b/terraform/pagerduty/backend.tf @@ -1,11 +1,11 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in modernisation-platform-account/s3.tf - #checkov:skip=CKV_TF_3:Ensure state files are locked - temporarily suppressed pending issue #8789 backend "s3" { - bucket = "modernisation-platform-terraform-state" - encrypt = true - key = "pagerduty/terraform.tfstate" - region = "eu-west-2" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "pagerduty/terraform.tfstate" + region = "eu-west-2" + use_lockfile = true } } \ No newline at end of file diff --git a/terraform/single-sign-on/backend.tf b/terraform/single-sign-on/backend.tf index e16b53cb3..83ddd13f9 100644 --- a/terraform/single-sign-on/backend.tf +++ b/terraform/single-sign-on/backend.tf 
@@ -1,13 +1,12 @@ terraform { # `backend` blocks do not support variables, so the following are hard-coded here: # - S3 bucket name, which is created in terraform/modernisation-platform-account/s3.tf - backend "s3" { - acl = "bucket-owner-full-control" - bucket = "modernisation-platform-terraform-state" - encrypt = true - key = "single-sign-on/terraform.tfstate" - region = "eu-west-2" - use_lockfile = true + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "single-sign-on/terraform.tfstate" + region = "eu-west-2" + use_lockfile = true } -} \ No newline at end of file +} diff --git a/terraform/templates/modernisation-platform/backend.tf b/terraform/templates/modernisation-platform/backend.tf index 4bf18853a..4e3226400 100644 --- a/terraform/templates/modernisation-platform/backend.tf +++ b/terraform/templates/modernisation-platform/backend.tf @@ -10,5 +10,5 @@ terraform { region = "eu-west-2" use_lockfile = true workspace_key_prefix = "environments/accounts/$application_name" # This will store the object as environments/accounts/$application_name/${workspace}/terraform.tfstate - } + } }