From f79a1857bc62c706c3e81b2eb154e939c459a1d4 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 14:13:47 -0800
Subject: [PATCH 01/16] Add VPC flow logs option

---
 modules/networking/main.tf | 3 ++-
 modules/networking/variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 6f2a628b1..7c7163817 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -20,6 +20,7 @@ module "vpc" {
 elasticache_subnets = var.create_elasticache_subnet ? var.elasticache_subnet_cidrs : []
 enable_dns_hostnames = true
 enable_dns_support = true
+ enable_vpc_flow_logs = var.enable_vpc_flow_logs
 enable_nat_gateway = true
 enable_vpn_gateway = var.enable_vpn_gateway
 manage_default_security_group = true
@@ -46,4 +47,4 @@ resource "aws_vpc_endpoint" "clickhouse" {
 vpc_endpoint_type = "Interface"
 subnet_ids = module.vpc.private_subnets
 private_dns_enabled = true
-}
+}
\ No newline at end of file
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index 639c35c1a..8bf08c17d 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -45,6 +45,12 @@ variable "create_elasticache_subnet" {
 default = false
 }
 
+variable "enable_vpc_flow_logs" {
+ description = "Whether to enable VPC Flow Logs"
+ type = bool
+ default = false
+}
+
 variable "enable_vpn_gateway" {
 type = bool
 description = "(Optional) Should be true if you want to create a new VPN Gateway resource and attach it to the VPC."

From 89736d118a766d680bf1cfcaa8f8f28eb9701c38 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 14:19:41 -0800
Subject: [PATCH 02/16] feat: Add VPC flow logs option

---
 modules/networking/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index 8bf08c17d..969d19c7e 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -46,7 +46,7 @@ variable "create_elasticache_subnet" {
 }
 
 variable "enable_vpc_flow_logs" {
- description = "Whether to enable VPC Flow Logs"
+ description = "Controls whether VPC Flow Logs are enabled"
 type = bool
 default = false
 }

From 843a17e5aed0c27badb09a9d73cd572bbaec2c34 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 14:45:50 -0800
Subject: [PATCH 03/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 modules/networking/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 7c7163817..07cd3f910 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -20,7 +20,7 @@ module "vpc" {
 elasticache_subnets = var.create_elasticache_subnet ? var.elasticache_subnet_cidrs : []
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_vpc_flow_logs = var.enable_vpc_flow_logs
+ enable_flow_logs = var.enable_flow_logs
 enable_nat_gateway = true
 enable_vpn_gateway = var.enable_vpn_gateway
 manage_default_security_group = true
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index 969d19c7e..2b2ceff52 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -45,7 +45,7 @@ variable "create_elasticache_subnet" {
 default = false
 }
 
-variable "enable_vpc_flow_logs" {
+variable "enable_flow_logs" {
 description = "Controls whether VPC Flow Logs are enabled"
 type = bool
 default = false

From a16516ceeecc042145e4018b99e49fefa59e86d5 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 14:48:07 -0800
Subject: [PATCH 04/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 modules/networking/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 07cd3f910..b05414cb7 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -20,7 +20,7 @@ module "vpc" {
 elasticache_subnets = var.create_elasticache_subnet ? var.elasticache_subnet_cidrs : []
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_flow_logs = var.enable_flow_logs
+ enable_flow_log = var.enable_flow_log
 enable_nat_gateway = true
 enable_vpn_gateway = var.enable_vpn_gateway
 manage_default_security_group = true
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index 2b2ceff52..741303c40 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -45,7 +45,7 @@ variable "create_elasticache_subnet" {
 default = false
 }
 
-variable "enable_flow_logs" {
+variable "enable_flow_log" {
 description = "Controls whether VPC Flow Logs are enabled"
 type = bool
 default = false

From 589aed0ff275b026c8b23e9d0d6522d3f08ba615 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 15:46:15 -0800
Subject: [PATCH 05/16] feat: Add VPC flow logs option

---
 main.tf | 1 +
 variables.tf | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/main.tf b/main.tf
index 5ff039233..16dd50fd9 100644
--- a/main.tf
+++ b/main.tf
@@ -46,6 +46,7 @@ module "networking" {
 source = "./modules/networking"
 namespace = var.namespace
 create_vpc = var.create_vpc
+ enable_flow_log = var.enable_flow_log
 
 cidr = var.network_cidr
 private_subnet_cidrs = var.network_private_subnet_cidrs
diff --git a/variables.tf b/variables.tf
index 4345ab909..5e80ee6fb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -214,6 +214,12 @@ variable "create_vpc" {
 default = true
 }
 
+variable "enable_flow_log" {
+ description = "Controls whether VPC Flow Logs are enabled"
+ type = bool
+ default = false
+}
+
 variable "network_id" {
 default = ""
 description = "The identity of the VPC in which resources will be deployed."

From f8ef8144411ebb851ee01d7c049a0e878b9fec17 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 15:47:06 -0800
Subject: [PATCH 06/16] feat: Add VPC flow logs option

---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 16dd50fd9..b750e3095 100644
--- a/main.tf
+++ b/main.tf
@@ -43,9 +43,9 @@ locals {
 }
 
 module "networking" {
- source = "./modules/networking"
- namespace = var.namespace
- create_vpc = var.create_vpc
+ source = "./modules/networking"
+ namespace = var.namespace
+ create_vpc = var.create_vpc
 enable_flow_log = var.enable_flow_log
 
 cidr = var.network_cidr

From 0e4f1c74c63f65a506462a98049ebc99969f2415 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 21:18:25 -0800
Subject: [PATCH 07/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 17 +++++++++++++++--
 modules/networking/variables.tf | 12 ++++++------
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index b05414cb7..1ba9468fe 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -20,7 +20,6 @@ module "vpc" {
 elasticache_subnets = var.create_elasticache_subnet ? var.elasticache_subnet_cidrs : []
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_flow_log = var.enable_flow_log
 enable_nat_gateway = true
 enable_vpn_gateway = var.enable_vpn_gateway
 manage_default_security_group = true
@@ -40,11 +39,25 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "clickhouse" {
- count = var.create_vpc && var.clickhouse_endpoint_service_id != "" ? 1 : 0
+ count = var.create_vpc && var.clickhouse_endpoint_service_id
 
 vpc_id = module.vpc.vpc_id
 service_name = var.clickhouse_endpoint_service_id
 vpc_endpoint_type = "Interface"
 subnet_ids = module.vpc.private_subnets
 private_dns_enabled = true
+}
+
+# VPC FLow Logs
+resource "aws_flow_log" "vpc_flow_logs" {
+ count = var.create_vpc && var.enable_flow_log != "" ? 1 : 0
+
+ log_destination = aws_s3_bucket.flow_log.arn
+ log_destination_type = "s3"
+ traffic_type = "REJECT"
+ vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_s3_bucket" "flow_log" {
+ bucket = "vpc-logs"
 }
\ No newline at end of file
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index 741303c40..5a7ae58c5 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -45,12 +45,6 @@ variable "create_elasticache_subnet" {
 default = false
 }
 
-variable "enable_flow_log" {
- description = "Controls whether VPC Flow Logs are enabled"
- type = bool
- default = false
-}
-
 variable "enable_vpn_gateway" {
 type = bool
 description = "(Optional) Should be true if you want to create a new VPN Gateway resource and attach it to the VPC."
@@ -74,3 +68,9 @@ variable "clickhouse_endpoint_service_id" {
 type = string
 default = ""
 }
+
+variable "enable_flow_log" {
+ description = "Controls whether VPC Flow Logs are enabled"
+ type = bool
+ default = false
+}
\ No newline at end of file

From efcd2e4f25522814441e36cc0e0d81d89696725b Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 21:25:20 -0800
Subject: [PATCH 08/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 1ba9468fe..2ab381613 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
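Review bot: `traffic_type = "REJECT"` in the new `aws_flow_log.vpc_flow_logs` records only denied flows, so the accepted traffic an investigator needs to reconstruct what actually moved through the VPC is never captured; make it an input, e.g. `traffic_type = var.flow_log_traffic_type` with `ALL` as the default (the resource accepts ACCEPT, REJECT or ALL). The destination bucket `aws_s3_bucket.flow_log` is created bare, with no public-access block, no default encryption and no retention/lifecycle rule, even though this repository already treats its file_storage bucket as KMS-encrypted; the fence below adds the first two. Publishing flow logs to S3 also depends on a bucket policy that lets the log-delivery service write into the bucket, and none is added in this module, so confirm in a test account that delivery actually succeeds before merging. The `vpc-logs` literal, the `var.enable_flow_log != ""` comparison and the missing `count` on the bucket are corrected by later patches in this series and are not re-raised here.
```hcl
# … unchanged: aws_flow_log "vpc_flow_logs" …

resource "aws_s3_bucket" "flow_log" {
  bucket = "vpc-logs"
}

resource "aws_s3_bucket_public_access_block" "flow_log" {
  bucket                  = aws_s3_bucket.flow_log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "flow_log" {
  bucket = aws_s3_bucket.flow_log.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```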
@@ -50,7 +50,7 @@ resource "aws_vpc_endpoint" "clickhouse" {
 
 # VPC FLow Logs
 resource "aws_flow_log" "vpc_flow_logs" {
- count = var.create_vpc && var.enable_flow_log != "" ? 1 : 0
+ count = var.create_vpc && var.enable_flow_log ? 1 : 0
 
 log_destination = aws_s3_bucket.flow_log.arn
 log_destination_type = "s3"

From 6220a90a9c9a4a00cf17021e7f350574ebcead92 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 21:31:48 -0800
Subject: [PATCH 09/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 2ab381613..ce8e13e17 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -39,7 +39,7 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "clickhouse" {
- count = var.create_vpc && var.clickhouse_endpoint_service_id
+ count = var.create_vpc && var.clickhouse_endpoint_service_id != "" ? 1 : 0
 
 vpc_id = module.vpc.vpc_id
 service_name = var.clickhouse_endpoint_service_id

From dba7ab8b6dd4fb9e74273f7a776694209d327d13 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 22:00:07 -0800
Subject: [PATCH 10/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index ce8e13e17..1a06cc706 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -39,7 +39,7 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "clickhouse" {
- count = var.create_vpc && var.clickhouse_endpoint_service_id != "" ? 1 : 0
+ count = var.create_vpc && length(var.clickhouse_endpoint_service_id) > 0 ? 1 : 0
 
 vpc_id = module.vpc.vpc_id
 service_name = var.clickhouse_endpoint_service_id
@@ -59,5 +59,5 @@ resource "aws_flow_log" "vpc_flow_logs" {
 }
 
 resource "aws_s3_bucket" "flow_log" {
- bucket = "vpc-logs"
+ bucket = "${var.namespace}-vpc-flow-logs"
 }
\ No newline at end of file
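Review bot: `bucket = "${var.namespace}-vpc-flow-logs"` in the second hunk of patch 10 assumes `var.namespace` is already a valid S3 bucket-name fragment; bucket names live in a global namespace and must be 3–63 lowercase characters with no underscores, so an uppercase or underscore-containing namespace fails at apply time, and a name already taken in another account fails the same way with no fallback. Either add a `validation` block on `namespace` in the module's variables.tf or normalise at the point of use, e.g. `bucket = "${replace(lower(var.namespace), "_", "-")}-vpc-flow-logs"`. The rest of the `aws_s3_bucket.flow_log` block is context in this hunk; only the `bucket` line changes.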
From b9bd02ea7e8be041831a02796f0bb0036e86313e Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Wed, 15 Jan 2025 23:59:10 -0800
Subject: [PATCH 11/16] feat: Add VPC flow logs option

---
 modules/file_storage/main.tf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf
index 3afb858fa..16658e9ae 100644
--- a/modules/file_storage/main.tf
+++ b/modules/file_storage/main.tf
@@ -21,6 +21,32 @@ resource "aws_s3_bucket" "file_storage" {
 depends_on = [aws_sqs_queue.file_storage]
 }
 
+# Apply an HTTPS-only bucket policy to each bucket
+resource "aws_s3_bucket_policy" "https_only" {
+ bucket = aws_s3_bucket.file_storage.id
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "DenyHTTPRequests",
+ Effect = "Deny",
+ Principal = "*",
+ Action = "s3:*",
+ Resource = [
+ "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}/*"
+ ],
+ Condition = {
+ Bool = {
+ "aws:SecureTransport" = "false"
+ }
+ }
+ }
+ ]
+ })
+}
+
 resource "aws_s3_bucket_acl" "file_storage" {
 
 depends_on = [aws_s3_bucket_ownership_controls.file_storage]

From cdf69dca6542676589971b6b56b95012b4dd289f Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Thu, 16 Jan 2025 00:01:05 -0800
Subject: [PATCH 12/16] feat: Add VPC flow logs option

---
 modules/file_storage/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf
index 16658e9ae..0596e8943 100644
--- a/modules/file_storage/main.tf
+++ b/modules/file_storage/main.tf
@@ -33,7 +33,7 @@ resource "aws_s3_bucket_policy" "https_only" {
 Effect = "Deny",
 Principal = "*",
 Action = "s3:*",
- Resource = [
+ Resource = [
 "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}",
 "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}/*"
 ],

From 7d253cf761347c80a8263fc37c7a65acf0567f2b Mon Sep 17 00:00:00 2001
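Review bot: The `Resource` ARNs in the new `aws_s3_bucket_policy.https_only` hard-code the `aws` partition (`arn:aws:s3:::…`), so the deny statement names the wrong resource in the GovCloud and China partitions and silently protects nothing there; use the bucket's own ARN instead, `aws_s3_bucket.file_storage.arn` and `"${aws_s3_bucket.file_storage.arn}/*"`. A bucket carries exactly one policy document, so if this module already attaches another `aws_s3_bucket_policy` to `file_storage` (not visible in this hunk) the two resources will overwrite each other on every apply and the HTTPS-only statement would have to be merged into that document instead — worth checking before merge. The header comment `# Apply an HTTPS-only bucket policy to each bucket` overstates the scope, since only the `file_storage` bucket receives it; `# Deny requests made without TLS (aws:SecureTransport = false) to the file_storage bucket` describes the block accurately.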
From: Shiva Ramamurthi
Date: Thu, 16 Jan 2025 09:15:07 -0800
Subject: [PATCH 13/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 1a06cc706..111d00e32 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -59,5 +59,7 @@ resource "aws_flow_log" "vpc_flow_logs" {
 }
 
 resource "aws_s3_bucket" "flow_log" {
+ count = var.create_vpc && var.enable_flow_log ? 1 : 0
+
 bucket = "${var.namespace}-vpc-flow-logs"
 }
\ No newline at end of file

From eb1938ee7146494e79765bca472700cc3011accb Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Thu, 16 Jan 2025 09:31:08 -0800
Subject: [PATCH 14/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 111d00e32..9b9c51963 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -60,6 +60,6 @@ resource "aws_flow_log" "vpc_flow_logs" {
 
 resource "aws_s3_bucket" "flow_log" {
 count = var.create_vpc && var.enable_flow_log ? 1 : 0
-
+
 bucket = "${var.namespace}-vpc-flow-logs"
 }
\ No newline at end of file

From 1ab24ccae8460b912ab660f34171987e72d4c581 Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Thu, 16 Jan 2025 09:41:08 -0800
Subject: [PATCH 15/16] feat: Add VPC flow logs option

---
 modules/networking/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 9b9c51963..2e0fad341 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
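Review bot: Adding `count = var.create_vpc && var.enable_flow_log ? 1 : 0` to `aws_s3_bucket.flow_log` in patch 13 ties the evidence bucket's lifecycle to the collection flag, so later setting `enable_flow_log = false` plans a destroy of the bucket holding every retained flow log; the apply would stop on a non-empty bucket unless `force_destroy` is set, but either way switching collection off should not be the same operation as deleting history. Consider leaving the bucket unconditional (or behind its own flag) and gating only `aws_flow_log.vpc_flow_logs` on `enable_flow_log`, and add `lifecycle { prevent_destroy = true }` to the bucket if the logs are meant to be kept for investigations. The whitespace-only hunk in patch 14 needs no change.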
@@ -52,7 +52,7 @@ resource "aws_vpc_endpoint" "clickhouse" {
 resource "aws_flow_log" "vpc_flow_logs" {
 count = var.create_vpc && var.enable_flow_log ? 1 : 0
 
- log_destination = aws_s3_bucket.flow_log.arn
+ log_destination = aws_s3_bucket.flow_log[0].arn
 log_destination_type = "s3"
 traffic_type = "REJECT"
 vpc_id = module.vpc.vpc_id

From 9efed7aafc2cdc4147168e75fe5d8e6ee47618cc Mon Sep 17 00:00:00 2001
From: Shiva Ramamurthi
Date: Thu, 16 Jan 2025 11:32:38 -0800
Subject: [PATCH 16/16] feat: Add VPC flow logs option + s3 https-only policy

---
 main.tf | 13 +++++++------
 modules/file_storage/main.tf | 1 +
 modules/file_storage/variables.tf | 6 ++++++
 variables.tf | 12 ++++++++++++
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index b750e3095..eadaac2da 100644
--- a/main.tf
+++ b/main.tf
@@ -29,12 +29,13 @@ locals {
 }
 
 module "file_storage" {
- source = "./modules/file_storage"
- namespace = var.namespace
- create_queue = !local.use_internal_queue
- sse_algorithm = "aws:kms"
- kms_key_arn = local.s3_kms_key_arn
- deletion_protection = var.deletion_protection
+ source = "./modules/file_storage"
+ namespace = var.namespace
+ create_queue = !local.use_internal_queue
+ sse_algorithm = "aws:kms"
+ kms_key_arn = local.s3_kms_key_arn
+ deletion_protection = var.deletion_protection
+ enable_s3_https_only = var.enable_s3_https_only
 }
 
 locals {
diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf
index 0596e8943..1cbb62643 100644
--- a/modules/file_storage/main.tf
+++ b/modules/file_storage/main.tf
@@ -23,6 +23,7 @@ resource "aws_s3_bucket" "file_storage" {
 
 # Apply an HTTPS-only bucket policy to each bucket
 resource "aws_s3_bucket_policy" "https_only" {
+ count = var.enable_s3_https_only ? 1 : 0
 bucket = aws_s3_bucket.file_storage.id
 
 policy = jsonencode({
diff --git a/modules/file_storage/variables.tf b/modules/file_storage/variables.tf
index cea54945c..9fa1a051f 100644
--- a/modules/file_storage/variables.tf
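Review bot: With `count = var.enable_s3_https_only ? 1 : 0` now on `aws_s3_bucket_policy.https_only` in the modules/file_storage/main.tf hunk of patch 16, the comment directly above it (`# Apply an HTTPS-only bucket policy to each bucket`) no longer describes the block: the policy is optional, off by default, and attached only to the `file_storage` bucket. Suggested replacement: `# Optional (var.enable_s3_https_only): deny requests to the file_storage bucket that are made without TLS (aws:SecureTransport = false)`. Stylistically the new `count` line is pressed directly against `bucket = …`, while `aws_flow_log.vpc_flow_logs` and `aws_s3_bucket.flow_log` in this same series separate `count` from the resource arguments with a blank line; a blank line after `count` would keep the files consistent. The `policy` body the count applies to continues outside this hunk.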
+++ b/modules/file_storage/variables.tf
@@ -32,3 +32,9 @@ variable "create_queue_policy" {
 type = bool
 default = true
 }
+
+variable "enable_s3_https_only" {
+ description = "Controls whether HTTPS-only is enabled for s3 buckets"
+ type = bool
+ default = false
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 5e80ee6fb..7cd309d39 100644
--- a/variables.tf
+++ b/variables.tf
@@ -443,6 +443,17 @@ variable "eks_addon_metrics_server_version" {
 default = "v0.7.2-eksbuild.1"
 }
 
+##########################################
+# Bucket Policy #
+##########################################
+# This setting will ensure that s3 bucket objects will reject HTTP traffic with a 403
+# and will only accept HTTPS traffic
+variable "enable_s3_https_only" {
+ description = "Controls whether HTTPS-only is enabled for s3 buckets"
+ type = bool
+ default = false
+}
+
 ##########################################
 # External Bucket #
 ##########################################
@@ -546,3 +557,4 @@ variable "kubernetes_cluster_oidc_issuer_url" {
 description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
 default = ""
 }
+
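Review bot: The description `Controls whether HTTPS-only is enabled for s3 buckets`, added identically in the modules/file_storage/variables.tf hunk and the first variables.tf hunk of patch 16, promises more than the series delivers — only the `file_storage` bucket receives the deny policy, while the flow-log bucket created in modules/networking gets none — so an operator who enables the flag will believe every bucket is covered. Narrow the wording, e.g. `description = "Attach a bucket policy to the file_storage bucket that denies requests made without TLS (aws:SecureTransport = false)"`, or extend the policy to the other buckets these modules create. The root-level banner comment stating that HTTP requests are rejected with a 403 is accurate for an explicit deny, but `default = false` means no existing deployment gains that protection until the flag is set; if that opt-in is deliberate, say so in the description. The last hunk of variables.tf (`@@ -546,3 +557,4 @@`) only appends an empty line at end of file and is unrelated to the feature, so it can be dropped to keep the patch focused.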