From 6b1d68ada892ad0033a7aa83095e118305c7c2d9 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Fri, 6 Sep 2024 09:19:48 -0500
Subject: [PATCH 01/18] updated sg name

---
 security_group.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security_group.tf b/security_group.tf
index ede42d9..1ff91f5 100644
--- a/security_group.tf
+++ b/security_group.tf
@@ -9,7 +9,7 @@ resource "aws_security_group" "rds" {
 description = "Security group for RDS in ${var.name}"
 vpc_id = aws_vpc.this.id
 tags = {
- "Name" = "${var.name}-sg"
+ "Name" = "${var.name}-rds-sg"
 }
 # checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
 # This security group is attached to the Amazon ElastiCache Serverless resource
From 76402c1a01bccbb8be09fd9780859e9aa8d853b7 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Fri, 6 Sep 2024 12:03:26 -0500
Subject: [PATCH 02/18] added kms key policy and removed encryption from rds managed password

---
 kms.tf | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 rds.tf | 14 +++++------
 2 files changed, 78 insertions(+), 11 deletions(-)

diff --git a/kms.tf b/kms.tf
index 930a29f..857ec25 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,12 +1,79 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
-resource "aws_kms_key" "encryption_secret" {
+resource "aws_kms_key" "encryption_rds" {
 enable_key_rotation = true
 description = "Key to encrypt secret"
 deletion_window_in_days = 7
 #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
-resource "aws_kms_alias" "encryption_secret" {
- name = "alias/${var.name}"
- target_key_id = aws_kms_key.encryption_secret.key_id
+resource "aws_kms_alias" "encryption_rds" {
+ name = "alias/${var.name}-kms"
+ target_key_id = aws_kms_key.encryption_rds.key_id
+}
+data "aws_iam_policy_document" "encryption_rds_policy" {
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = [
+ # "kms:*"
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource"
+ ]
+ resources = [aws_kms_key.encryption_rds.arn]
+ }
+
+ statement {
+ sid = "Allow RDS to use the key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["rds.amazonaws.com"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ "kms:CreateGrant"
+ ]
+ resources = [aws_kms_key.encryption_rds.arn]
+ }
+ statement {
+ sid = "Allow Secrets Manager to use the key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["secretsmanager.amazonaws.com"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ "kms:CreateGrant"
+ ]
+ resources = [aws_kms_key.encryption_rds.arn]
+ }
+}
+resource "aws_kms_key_policy" "encryption_rds" {
+ key_id = aws_kms_key.encryption_rds.id
+ policy = data.aws_iam_policy_document.encryption_rds_policy.json
 }
\ No newline at end of file
diff --git a/rds.tf b/rds.tf
index 24a729a..d8a6773 100644
--- a/rds.tf
+++ b/rds.tf
@@ -33,13 +33,13 @@ resource "aws_db_instance" "postgresql" {
 # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
 deletion_protection = false
 #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
- copy_tags_to_snapshot = true
- performance_insights_enabled = true
- manage_master_user_password = true
- master_user_secret_kms_key_id = aws_kms_key.encryption_secret.arn
- # master_user_secret_kms_key_id = aws_kms_key.example.arn
- # kms_key_id = aws_kms_key.example.arn
- # performance_insights_kms_key_id = aws_kms_key.example.arn
+ copy_tags_to_snapshot = true
+ manage_master_user_password = true
+ # master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
+ kms_key_id = aws_kms_key.encryption_rds.arn
+ # performance_insights_enabled = true
+ # performance_insights_kms_key_id = aws_kms_key.encryption_rds.arn
+ # performance_insights_retention_period = 31
 ca_cert_identifier = "rds-ca-rsa2048-g1"
 apply_immediately = true
 }
\ No newline at end of file
From e686fb9f67ff29904e0a395660635106f135c338 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 7 Sep 2024 20:32:51 -0500
Subject: [PATCH 03/18] #16 added encryption to ssm parameter resource

---
 kms.tf | 27 ++++++++++++++++++++++++++-
 ssm_parameter.tf | 7 ++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/kms.tf b/kms.tf
index 857ec25..cf8bd49 100644
--- a/kms.tf
+++ b/kms.tf
@@ -19,7 +19,6 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
 actions = [
- # "kms:*"
 "kms:Create*",
 "kms:Describe*",
 "kms:Enable*",
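Review bot: The "Allow RDS to use the key" and "Allow Secrets Manager to use the key" statements grant the rds.amazonaws.com and secretsmanager.amazonaws.com service principals kms:Decrypt, kms:GenerateDataKey* and kms:CreateGrant on the key with no condition at all, whereas the SSM statement this series adds two commits later scopes its grant with `kms:CallerAccount` and `kms:ViaService`. Unconditioned, the service principal is authorised for whichever caller the service is acting on behalf of, which is the confused-deputy shape the KMS key-policy guidance warns about; the same two conditions fit here with `rds.${var.region}.amazonaws.com` and `secretsmanager.${var.region}.amazonaws.com` as the ViaService values, and kms:CreateGrant can further be limited with a `Bool` condition on `kms:GrantIsForAWSResource`. Whether RDS needs a service-principal statement at all (it normally creates its grants with the caller's credentials, which the root statement already delegates to IAM) I cannot tell from this hunk, so I would either condition the statement or drop it.
```hcl
  statement {
    sid    = "Allow RDS to use the key"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["rds.${var.region}.amazonaws.com"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
  # … the Secrets Manager statement gets the same three conditions with "secretsmanager.${var.region}.amazonaws.com" …
```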
@@ -72,6 +71,32 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 ]
 resources = [aws_kms_key.encryption_rds.arn]
 }
+ statement {
+ sid = "Allow SSM to use the key"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["ssm.amazonaws.com"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = [aws_kms_key.encryption_rds.arn]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [data.aws_caller_identity.current.account_id]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
+ }
+ }
 }
 resource "aws_kms_key_policy" "encryption_rds" {
 key_id = aws_kms_key.encryption_rds.id
diff --git a/ssm_parameter.tf b/ssm_parameter.tf
index c3ae8e4..f725dec 100644
--- a/ssm_parameter.tf
+++ b/ssm_parameter.tf
@@ -1,8 +1,9 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
 resource "aws_ssm_parameter" "rds_secret_arn" {
- name = "/${var.name}/rds-password-arn"
- type = "SecureString"
- value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
+ name = "/${var.name}/rds-password-arn"
+ type = "SecureString"
+ key_id = aws_kms_key.encryption_rds.id
+ value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
 }
 #Create a policy to read from the specific parameter store
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
From 1cd309950200492a2b9bc59ac07a08a493c6900e Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 7 Sep 2024 20:39:15 -0500
Subject: [PATCH 04/18] #16 corrected reference

---
 kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kms.tf b/kms.tf
index cf8bd49..0adc789 100644
--- a/kms.tf
+++ b/kms.tf
@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 condition {
 test = "StringEquals"
 variable = "kms:ViaService"
- values = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
+ values = ["ssm.${var.region}.amazonaws.com"]
 }
 }
 }
From fa0d4ad87ec1970a82d8fbdedbeb11ab06af6e8e Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 14:14:29 -0500
Subject: [PATCH 05/18] changes for #15 and #16

---
 kms.tf | 8 ++++++--
 rds.tf | 35 +++++++++++++++++------------------
 2 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/kms.tf b/kms.tf
index 0adc789..875f0d2 100644
--- a/kms.tf
+++ b/kms.tf
@@ -19,8 +19,12 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
 actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
 "kms:Create*",
- "kms:Describe*",
 "kms:Enable*",
 "kms:List*",
 "kms:Put*",
@@ -71,7 +75,7 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 ]
 resources = [aws_kms_key.encryption_rds.arn]
 }
- statement {
+ statement {
 sid = "Allow SSM to use the key"
 effect = "Allow"
 principals {
diff --git a/rds.tf b/rds.tf
index d8a6773..0d65abf 100644
--- a/rds.tf
+++ b/rds.tf
@@ -11,14 +11,13 @@ resource "aws_db_parameter_group" "postgres" {
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
- allocated_storage = 100
- storage_type = "gp3"
- engine = "postgres"
- engine_version = "16.3"
- instance_class = "db.t3.large"
- identifier = var.name
- username = "postgres"
- # password = aws_secretsmanager_secret_version.secure_one_version.secret_string
+ allocated_storage = 100
+ storage_type = "gp3"
+ engine = "postgres"
+ engine_version = "16.3"
+ instance_class = "db.t3.large"
+ identifier = var.name
+ username = "postgres"
 skip_final_snapshot = true # Change to false if you want a final snapshot
 db_subnet_group_name = aws_db_subnet_group.rds.id
 storage_encrypted = true
@@ -31,15 +30,15 @@ resource "aws_db_instance" "postgresql" {
 # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
 #monitoring_interval = 5
 # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
- deletion_protection = false
+ deletion_protection = true
 #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
- copy_tags_to_snapshot = true
- manage_master_user_password = true
- # master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
- kms_key_id = aws_kms_key.encryption_rds.arn
- # performance_insights_enabled = true
- # performance_insights_kms_key_id = aws_kms_key.encryption_rds.arn
- # performance_insights_retention_period = 31
- ca_cert_identifier = "rds-ca-rsa2048-g1"
- apply_immediately = true
+ copy_tags_to_snapshot = true
+ manage_master_user_password = true
+ master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
+ kms_key_id = aws_kms_key.encryption_rds.arn
+ performance_insights_enabled = true
+ performance_insights_retention_period = 31
+ performance_insights_kms_key_id = aws_kms_key.encryption_rds.arn
+ ca_cert_identifier = "rds-ca-rsa2048-g1"
+ apply_immediately = true
 }
\ No newline at end of file
From 354cbe1136850ca7a07605063ab5482473759507 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 14:37:36 -0500
Subject: [PATCH 06/18] checkov fixes

---
 kms.tf | 1 -
 security_group.tf | 2 --
 2 files changed, 3 deletions(-)

diff --git a/kms.tf b/kms.tf
index 875f0d2..582bd62 100644
--- a/kms.tf
+++ b/kms.tf
@@ -3,7 +3,6 @@ resource "aws_kms_key" "encryption_rds" {
 enable_key_rotation = true
 description = "Key to encrypt secret"
 deletion_window_in_days = 7
- #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
 resource "aws_kms_alias" "encryption_rds" {
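Review bot: `deletion_protection = true` now guards the instance, but the sibling hunk of this commit keeps `skip_final_snapshot = true`, so once someone flips the flag to destroy it there is no snapshot left to recover from; if the protection is meant seriously, pair it with `skip_final_snapshot = false` and a `final_snapshot_identifier`. Separately, `performance_insights_kms_key_id` is set here in the same change that turns `performance_insights_enabled` on; as far as I know the Performance Insights key cannot be changed once it is enabled, which deserves a one-line comment on that attribute so nobody tries to rotate it in place later. The aws_db_instance block starts before this hunk.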
diff --git a/security_group.tf b/security_group.tf
index 1ff91f5..0d44e33 100644
--- a/security_group.tf
+++ b/security_group.tf
@@ -11,8 +11,6 @@ resource "aws_security_group" "rds" {
 tags = {
 "Name" = "${var.name}-rds-sg"
 }
- # checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
- # This security group is attached to the Amazon ElastiCache Serverless resource
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
 resource "aws_security_group_rule" "ingress_rds_sg" {
From b77a7ccc7dd94870da88f1b57548ac438c07392b Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 15:35:54 -0500
Subject: [PATCH 07/18] fix for CKV2_AWS_69. Using default parameter group

---
 rds.tf | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/rds.tf b/rds.tf
index 0d65abf..560816f 100644
--- a/rds.tf
+++ b/rds.tf
@@ -4,11 +4,6 @@ resource "aws_db_subnet_group" "rds" {
 subnet_ids = [for subnet in aws_subnet.db : subnet.id]
 }
 
-#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
-resource "aws_db_parameter_group" "postgres" {
- name = var.name
- family = "postgres16"
-}
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
 allocated_storage = 100
@@ -21,7 +16,7 @@ resource "aws_db_instance" "postgresql" {
 skip_final_snapshot = true # Change to false if you want a final snapshot
 db_subnet_group_name = aws_db_subnet_group.rds.id
 storage_encrypted = true
- parameter_group_name = aws_db_parameter_group.postgres.name
+ parameter_group_name = "default.postgres16"
 multi_az = true
 vpc_security_group_ids = [aws_security_group.rds.id]
 auto_minor_version_upgrade = true
From ce4fb112445ffcd52175f29346b50a2144f617fe Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 15:43:08 -0500
Subject: [PATCH 08/18] fix for CKV2_AWS_27

---
 rds.tf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/rds.tf b/rds.tf
index 560816f..dcf6842 100644
--- a/rds.tf
+++ b/rds.tf
@@ -4,6 +4,27 @@ resource "aws_db_subnet_group" "rds" {
 subnet_ids = [for subnet in aws_subnet.db : subnet.id]
 }
 
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
+resource "aws_db_parameter_group" "postgres" {
+ name = var.name
+ family = "postgres16"
+ parameter {
+ name = "log_statement"
+ value = "all"
+ }
+ parameter {
+ name = "log_min_duration_statement"
+ value = "1"
+ }
+ parameter {
+ name = "rds.forcs_ssl"
+ value = "1"
+ }
+ parameter {
+ name = "ssl"
+ value = "1"
+ }
+}
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
 allocated_storage = 100
@@ -16,7 +37,7 @@ resource "aws_db_instance" "postgresql" {
 skip_final_snapshot = true # Change to false if you want a final snapshot
 db_subnet_group_name = aws_db_subnet_group.rds.id
 storage_encrypted = true
- parameter_group_name = "default.postgres16"
+ parameter_group_name = aws_db_parameter_group.postgres.name #"default.postgres16"
 multi_az = true
 vpc_security_group_ids = [aws_security_group.rds.id]
 auto_minor_version_upgrade = true
From c1d73bb690839883dc9b2157f4e3cfdfa3f30c8e Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 15:45:54 -0500
Subject: [PATCH 09/18] fix for CKV2_AWS_69

---
 rds.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rds.tf b/rds.tf
index dcf6842..c12fdb4 100644
--- a/rds.tf
+++ b/rds.tf
@@ -17,7 +17,7 @@ resource "aws_db_parameter_group" "postgres" {
 value = "1"
 }
 parameter {
- name = "rds.forcs_ssl"
+ name = "rds.force_ssl"
 value = "1"
 }
 parameter {
From 3ddad90689e3d3b1e7bed16753afe61dbda5b24e Mon Sep 17 00:00:00 2001
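Review bot: `log_statement = "all"` in the new aws_db_parameter_group makes PostgreSQL write the full text of every statement to the server log, which the instance's `enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]` (a context line in the patch 10 hunk below) ships to CloudWatch, so literals that clients embed — `CREATE ROLE ... PASSWORD '...'`, `ALTER ROLE`, INSERT values — land in the log stream in clear; `log_min_duration_statement = "1"` then logs most of them a second time with timings. If the setting is there to satisfy CKV2_AWS_27, say so and record the exposure next to it, e.g. `# CKV2_AWS_27 expects log_statement=all; the exported postgresql log then carries statement literals — keep the log group KMS-encrypted and retention-bounded`, and consider `ddl` or `mod` plus pgaudit where statement-level audit is the actual goal. No aws_cloudwatch_log_group for the exported stream appears anywhere in this series, so the group RDS creates on its own will, as far as I know, have neither a retention period nor a customer-managed key.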
From: Sourav Kundu
Date: Wed, 11 Sep 2024 15:49:11 -0500
Subject: [PATCH 10/18] fix for CKV_AWS_118

---
 rds.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rds.tf b/rds.tf
index c12fdb4..6235feb 100644
--- a/rds.tf
+++ b/rds.tf
@@ -44,7 +44,7 @@ resource "aws_db_instance" "postgresql" {
 #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
 enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
- #monitoring_interval = 5
+ monitoring_interval = 10
 # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
 deletion_protection = true
 #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
From c30c118e505fe040d04905bc8d46c88527a30afb Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 15:54:13 -0500
Subject: [PATCH 11/18] fix for CKV_AWS_161

---
 rds.tf | 36 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/rds.tf b/rds.tf
index 6235feb..fb1846f 100644
--- a/rds.tf
+++ b/rds.tf
@@ -27,27 +27,29 @@ resource "aws_db_parameter_group" "postgres" {
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
- allocated_storage = 100
- storage_type = "gp3"
- engine = "postgres"
- engine_version = "16.3"
- instance_class = "db.t3.large"
- identifier = var.name
- username = "postgres"
- skip_final_snapshot = true # Change to false if you want a final snapshot
- db_subnet_group_name = aws_db_subnet_group.rds.id
- storage_encrypted = true
- parameter_group_name = aws_db_parameter_group.postgres.name #"default.postgres16"
- multi_az = true
- vpc_security_group_ids = [aws_security_group.rds.id]
+ allocated_storage = 100
+ storage_type = "gp3"
+ engine = "postgres"
+ engine_version = "16.3"
+ instance_class = "db.t3.large"
+ identifier = var.name
+ username = "postgres"
+ skip_final_snapshot = true # Change to false if you want a final snapshot
+ db_subnet_group_name = aws_db_subnet_group.rds.id
+ storage_encrypted = true
+ parameter_group_name = aws_db_parameter_group.postgres.name
+ multi_az = true
+ vpc_security_group_ids = [aws_security_group.rds.id]
+ iam_database_authentication_enabled = true
+ #checkov: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
 auto_minor_version_upgrade = true
- #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
+ #checkov: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
 enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
- # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
+ #checkov: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
 monitoring_interval = 10
- # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
+ #checkov: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
 deletion_protection = true
- #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
+ #checkov: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
 copy_tags_to_snapshot = true
 manage_master_user_password = true
 master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
From f6137eaccdca5ebfd550ae3f293da29995d440c8 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 16:25:53 -0500
Subject: [PATCH 12/18] add enhanced monitoring #18

---
 rds.tf | 5 +----
 rds_iam_role.tf | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 rds_iam_role.tf

diff --git a/rds.tf b/rds.tf
index fb1846f..c443bd3 100644
--- a/rds.tf
+++ b/rds.tf
@@ -20,10 +20,6 @@ resource "aws_db_parameter_group" "postgres" {
 name = "rds.force_ssl"
 value = "1"
 }
- parameter {
- name = "ssl"
- value = "1"
- }
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
@@ -47,6 +43,7 @@ resource "aws_db_instance" "postgresql" {
 enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 #checkov: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
 monitoring_interval = 10
+ monitoring_role_arn = aws_iam_role.rds_monitoring_role.arn
 #checkov: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
 deletion_protection = true
 #checkov: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
diff --git a/rds_iam_role.tf b/rds_iam_role.tf
new file mode 100644
index 0000000..d14776f
--- /dev/null
+++ b/rds_iam_role.tf
@@ -0,0 +1,22 @@
+##https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "rds_monitoring_role" {
+ name = "${var.name}-rds-monitoring-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "monitoring.rds.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "managed_rds_monitoring_policy_attachement" {
+ role = aws_iam_role.rds_monitoring_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
\ No newline at end of file
From f4cad08cad4309d4e6d0f5d61fe05e4a33c2c6d1 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Mon, 16 Sep 2024 12:54:11 -0500
Subject: [PATCH 13/18] minor readability updates

---
 kms.tf | 3 +--
 network.tf | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/kms.tf b/kms.tf
index 582bd62..984db44 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,7 +1,7 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
 resource "aws_kms_key" "encryption_rds" {
 enable_key_rotation = true
- description = "Key to encrypt secret"
+ description = "Key to encrypt the ${var.name} resources."
 deletion_window_in_days = 7
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
@@ -39,7 +39,6 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
 ]
 resources = [aws_kms_key.encryption_rds.arn]
 }
-
 statement {
 sid = "Allow RDS to use the key"
 effect = "Allow"
diff --git a/network.tf b/network.tf
index 335c408..bc65a64 100644
--- a/network.tf
+++ b/network.tf
@@ -1,4 +1,3 @@
-
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc
 resource "aws_vpc" "this" {
 #checkov:skip=CKV2_AWS_11: This is non prod and hence disabled.
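Review bot: The trust policy in the new rds_iam_role.tf lets `monitoring.rds.amazonaws.com` assume the role with no `aws:SourceAccount` or `aws:SourceArn` condition, so nothing in the policy ties the role to this account's own RDS instances; the RDS cross-service confused-deputy guidance recommends those keys on service trust policies, and the account id is already available in this series as `data.aws_caller_identity.current.account_id`. Two smaller points on the same file: the resource name `managed_rds_monitoring_policy_attachement` is misspelt, and since the file is brand new this is the cheap moment to rename it (renaming later replaces the attachment), and the first line's `##https` carries a doubled hash unlike every other registry comment in the series.
```hcl
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "monitoring.rds.amazonaws.com"
        },
        # confused-deputy guard: RDS may only assume this role on behalf of this account
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
```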
From 6dd0d232d50183a92ffab0eb7e181485f95b2844 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Mon, 16 Sep 2024 13:01:09 -0500 Subject: [PATCH 14/18] #19 updated ssm with rds endpoint --- ssm_parameter.tf | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/ssm_parameter.tf b/ssm_parameter.tf index f725dec..4de942e 100644 --- a/ssm_parameter.tf +++ b/ssm_parameter.tf @@ -1,16 +1,21 @@ #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter -resource "aws_ssm_parameter" "rds_secret_arn" { - name = "/${var.name}/rds-password-arn" +resource "aws_ssm_parameter" "rds_connection" { + name = "/${var.name}/rds-connection" type = "SecureString" key_id = aws_kms_key.encryption_rds.id - value = aws_db_instance.postgresql.master_user_secret[0].secret_arn + value = < Date: Mon, 16 Sep 2024 13:19:13 -0500 Subject: [PATCH 15/18] #19 added port number to the parameter list --- ssm_parameter.tf | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ssm_parameter.tf b/ssm_parameter.tf index 4de942e..7f8e29d 100644 --- a/ssm_parameter.tf +++ b/ssm_parameter.tf @@ -3,12 +3,11 @@ resource "aws_ssm_parameter" "rds_connection" { name = "/${var.name}/rds-connection" type = "SecureString" key_id = aws_kms_key.encryption_rds.id - value = < Date: Wed, 18 Sep 2024 05:59:11 -0500 Subject: [PATCH 16/18] #19 updated the IAM policy to decrypt using kms key --- ssm_parameter.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ssm_parameter.tf b/ssm_parameter.tf index 7f8e29d..d2428c6 100644 --- a/ssm_parameter.tf +++ b/ssm_parameter.tf @@ -27,6 +27,13 @@ resource "aws_iam_policy" "ssm_parameter_policy" { "ssm:GetParameter" ], Resource = [aws_ssm_parameter.rds_connection.arn] + }, + { + Effect = "Allow", + Action = [ + "kms:Decrypt" + ], + Resource = [aws_kms_key.encryption_rds.id] } ] }) From 6fc50dcac5b987d378472f6832d7688e97bfa016 Mon Sep 17 00:00:00 2001 
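Review bot: The new statement's `Resource = [aws_kms_key.encryption_rds.id]` passes the bare key ID, but an IAM policy Resource element has to be an ARN or `*`, so I expect IAM to reject the document as malformed when the aws_iam_policy is created, and a policy that somehow got through would still match no key; it should read `Resource = [aws_kms_key.encryption_rds.arn]`, which is what the key-policy document in kms.tf already uses. The enclosing aws_iam_policy "ssm_parameter_policy" starts before this hunk. The two preceding commits' ssm_parameter.tf hunks are garbled in this rendering (the heredoc value and the following mail header have collapsed into `value = < Date:`), so I could not review what the rds-connection parameter now stores.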
From: Sourav Kundu
Date: Wed, 18 Sep 2024 06:02:05 -0500
Subject: [PATCH 17/18] #19 readability

---
 ssm_parameter.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssm_parameter.tf b/ssm_parameter.tf
index d2428c6..b1c451a 100644
--- a/ssm_parameter.tf
+++ b/ssm_parameter.tf
@@ -29,7 +29,7 @@ resource "aws_iam_policy" "ssm_parameter_policy" {
 Resource = [aws_ssm_parameter.rds_connection.arn]
 },
 {
- Effect = "Allow",
+ Effect = "Allow",
 Action = [
 "kms:Decrypt"
 ],
From 15868f9e0cc9829fc198745e6478eb708d287ddf Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 18 Sep 2024 06:49:58 -0500
Subject: [PATCH 18/18] Update with reference

---
 README.md | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5f55b59..a825aba 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,30 @@ [![License: Unlicense](https://img.shields.io/badge/license-Unlicense-white.svg)](https://choosealicense.com/licenses/unlicense/) [![GitHub pull-requests closed](https://img.shields.io/github/issues-pr-closed/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://GitHub.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/pull/) [![GitHub pull-requests](https://img.shields.io/github/issues-pr/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://GitHub.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/pull/) -[![GitHub issues-closed](https://img.shields.io/github/issues-closed/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/issues?q=is%3Aissue+is%3Aclosed) [![GitHub issues](https://img.shields.io/github/issues/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://GitHub.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/issues/) -# terraform-rds-secretsmanager-rotation-lambda \ No newline at end of file +[![GitHub issues-closed](https://img.shields.io/github/issues-closed/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/issues?q=is%3Aissue+is%3Aclosed) [![GitHub issues](https://img.shields.io/github/issues/kunduso/rds-secretsmanager-rotation-lambda-terraform)](https://GitHub.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/issues/) [![terraform-infra-provisioning](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/actions/workflows/terraform.yml/badge.svg?branch=main)](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/actions/workflows/terraform.yml) 
[![checkov-static-analysis-scan](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/actions/workflows/code-scan.yml/badge.svg?branch=main)](https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform/actions/workflows/code-scan.yml) +![Image](https://skdevops.files.wordpress.com/2024/09/101-image-0.png) +## Introduction +This repository contains the necessary Terraform configurations to deploy an Amazon RDS for PostgreSQL and all the supporting infrastructure components like Amazon VPC, Subnets, KMS keys, security group and IAM roles. Please refer to [Create Amazon RDS for PostgreSQL DB using Terraform and GitHub Actions](https://skundunotes.com/2024/09/18/create-amazon-rds-for-postgresql-db-using-terraform-and-github-actions/) for details. + +The repository utilizes **Bridgecrew Checkov** to scan the Terraform code for security vulnerabilities. For those interested in adding code scanning capabilities to their GitHub Actions pipeline, a guide is available at [Automate Terraform Configuration Scan with Checkov and GitHub Actions](https://skundunotes.com/2023/04/12/automate-terraform-configuration-scan-with-checkov-and-github-actions/). + +Infracost is employed to generate a cost estimate for building the architecture. To learn more about integrating Infracost estimates into a repository, refer to the note [Estimate AWS Cloud Resource Cost with Infracost, Terraform, and GitHub Actions](https://skundunotes.com/2023/07/17/estimate-aws-cloud-resource-cost-with-infracost-terraform-and-github-actions/). + +The provisioning process of the resources is automated using a GitHub Actions pipeline. Detailed information on this can be found in the note [CI/CD with Terraform and GitHub Actions to Deploy to AWS](https://skundunotes.com/2023/03/07/ci-cd-with-terraform-and-github-actions-to-deploy-to-aws/). 
+ + +## Prerequisites +To ensure the code functions without errors, an OpenID Connect identity provider must be created in Amazon Identity and Access Management (IAM) with a trust relationship established with the GitHub repository. A detailed explanation with steps can be found [here.](https://skundunotes.com/2023/02/28/securely-integrate-aws-credentials-with-github-actions-using-openid-connect/) + +The `ARN` of the `IAM Role` is stored as a GitHub secret, which is referenced in the [`terraform.yml`](.github/workflows/terraform.yml) file. + +Additionally, since Infracost is used in this repository, the `INFRACOST_API_KEY` is also stored as a repository secret and is referenced in the GitHub Actions workflow file. The cost estimate process is managed using a GitHub Actions variable, `INFRACOST_SCAN_TYPE`, where the value is either `hcl_code` or `tf_plan`, depending on the type of scan desired. +
You can read about that at [Integrate Infracost with GitHub Actions.](http://skundunotes.com/2023/07/17/estimate-aws-cloud-resource-cost-with-infracost-terraform-and-github-actions/) +## Usage +Ensure that the policy attached to the IAM role whose credentials are being used in this configuration has permission to create and manage all the AWS Cloud resources that are included in this repository. + +If you want to check the pipeline logs, click on the **Build Badges** above the image in this ReadMe. + +## Contributing +If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome! + +## License +This code is released under the Unlicense License. See [LICENSE](LICENSE). \ No newline at end of file