feat: enable file scanning on Vault S3 bucket #611

craigzour · 2024-02-29T15:21:46Z

Summary | Résumé

Enable file scanning on Vault S3 bucket

github-actions · 2024-02-29T15:22:06Z

⚠ Terrform update available

Terraform: 1.7.4 (using 1.6.6)
Terragrunt: 0.55.10 (using 0.54.8)

github-actions · 2024-02-29T15:26:56Z

Staging: secrets

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

⚠️ Warning: resources will be destroyed by this change!

Plan: 1 to add, 0 to change, 1 to destroy

Show summary

CHANGE	NAME
recreate	`aws_secretsmanager_secret_version.notify_callback_bearer_token`

Show plan

Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_secretsmanager_secret_version.notify_callback_bearer_token must be replaced
-/+ resource "aws_secretsmanager_secret_version" "notify_callback_bearer_token" {
      ~ arn            = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs" -> (known after apply)
      ~ id             = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs|4A43D97C-2937-4E91-A924-ADF60955E459" -> (known after apply)
      ~ secret_string  = (sensitive value) # forces replacement
      ~ version_id     = "4A43D97C-2937-4E91-A924-ADF60955E459" -> (known after apply)
      ~ version_stages = [
          - "AWSPREVIOUS",
        ] -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.freshdesk_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_callback_bearer_token"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.recaptcha_secret"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.token_secret"]

24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions

github-actions · 2024-02-29T15:27:51Z

Staging: file_scanning

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 9 to add, 0 to change, 0 to destroy

Show summary

CHANGE	NAME
add	`module.vault_scan_object.aws_iam_policy.scan_files[0]`
	`module.vault_scan_object.aws_iam_role.scan_files[0]`
	`module.vault_scan_object.aws_iam_role_policy_attachment.scan_files[0]`
	`module.vault_scan_object.aws_kms_alias.s3_scan_object_queue`
	`module.vault_scan_object.aws_kms_key.s3_scan_object_queue`
	`module.vault_scan_object.aws_s3_bucket_notification.s3_scan_object[0]`
	`module.vault_scan_object.aws_s3_bucket_policy.upload_bucket[0]`
	`module.vault_scan_object.aws_sqs_queue.s3_scan_object`
	`module.vault_scan_object.aws_sqs_queue_policy.s3_scan_object`

Show plan

Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.vault_scan_object.data.aws_iam_policy_document.limit_tagging[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "limit_tagging" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:DeleteObjectTagging",
              + "s3:DeleteObjectVersionTagging",
              + "s3:PutObjectTagging",
              + "s3:PutObjectVersionTagging",
            ]
          + effect    = "Deny"
          + resources = [
              + "arn:aws:s3:::forms-staging-vault-file-storage/*",
            ]

          + condition {
              + test     = "StringNotLike"
              + values   = [
                  + (known after apply),
                ]
              + variable = "aws:PrincipalArn"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "s3:PutObjectTagging",
              + "s3:PutObjectVersionTagging",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::forms-staging-vault-file-storage/*",
            ]

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.vault_scan_object.data.aws_iam_policy_document.s3_scan_object will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "s3_scan_object" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "sqs:SendMessage",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "S3sendToSQS"

          + condition {
              + test     = "ArnEquals"
              + values   = [
                  + "arn:aws:s3:::forms-staging-vault-file-storage",
                ]
              + variable = "aws:SourceArn"
            }

          + principals {
              + identifiers = [
                  + "s3.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
      + statement {
          + actions   = [
              + "sqs:DeleteMessage",
              + "sqs:GetQueueAttributes",
              + "sqs:ReceiveMessage",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "LambdaTriggerFromSQS"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::127893201980:role/s3-scan-object",
                ]
              + type        = "AWS"
            }
        }
    }

  # module.vault_scan_object.data.aws_iam_policy_document.scan_files_download[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "scan_files_download" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:GetBucketLocation",
              + "s3:GetObject",
              + "s3:GetObjectTagging",
              + "s3:GetObjectVersion",
              + "s3:GetObjectVersionTagging",
              + "s3:ListBucket",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::forms-staging-vault-file-storage",
              + "arn:aws:s3:::forms-staging-vault-file-storage/*",
            ]

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.vault_scan_object.data.aws_iam_policy_document.upload_bucket[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "upload_bucket" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + source_policy_documents = [
          + (known after apply),
          + (known after apply),
        ]
    }

  # module.vault_scan_object.aws_iam_policy.scan_files[0] will be created
  + resource "aws_iam_policy" "scan_files" {
      + arn         = (known after apply)
      + id          = (known after apply)
      + name        = "ScanFilesGetObjects"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:PutObjectVersionTagging",
                          + "s3:PutObjectTagging",
                          + "s3:ListBucket",
                          + "s3:GetObjectVersionTagging",
                          + "s3:GetObjectVersion",
                          + "s3:GetObjectTagging",
                          + "s3:GetObject",
                          + "s3:GetBucketLocation",
                          + "s3:DeleteObjectVersionTagging",
                          + "s3:DeleteObjectTagging",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::forms-staging-vault-file-storage/*",
                          + "arn:aws:s3:::forms-staging-vault-file-storage",
                        ]
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags        = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + tags_all    = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
    }

  # module.vault_scan_object.aws_iam_role.scan_files[0] will be created
  + resource "aws_iam_role" "scan_files" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = [
                              + "arn:aws:iam::127893201980:role/scan-files-api",
                              + "arn:aws:iam::127893201980:role/s3-scan-object",
                            ]
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "ScanFilesGetObjects"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)
    }

  # module.vault_scan_object.aws_iam_role_policy_attachment.scan_files[0] will be created
  + resource "aws_iam_role_policy_attachment" "scan_files" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "ScanFilesGetObjects"
    }

  # module.vault_scan_object.aws_kms_alias.s3_scan_object_queue will be created
  + resource "aws_kms_alias" "s3_scan_object_queue" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/s3_scan_object_queue"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # module.vault_scan_object.aws_kms_key.s3_scan_object_queue will be created
  + resource "aws_kms_key" "s3_scan_object_queue" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "S3 scan objects KMS key for SQS queue encryption"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "kms:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::687401027353:root"
                        }
                      + Resource  = "*"
                    },
                  + {
                      + Action    = [
                          + "kms:GenerateDataKey*",
                          + "kms:Decrypt",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS     = "arn:aws:iam::127893201980:role/s3-scan-object"
                          + Service = "s3.amazonaws.com"
                        }
                      + Resource  = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + tags                               = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
    }

  # module.vault_scan_object.aws_s3_bucket_notification.s3_scan_object[0] will be created
  + resource "aws_s3_bucket_notification" "s3_scan_object" {
      + bucket      = "forms-staging-vault-file-storage"
      + eventbridge = false
      + id          = (known after apply)

      + queue {
          + events    = [
              + "s3:ObjectCreated:*",
            ]
          + id        = "ScanObjectCreated"
          + queue_arn = (known after apply)
        }
    }

  # module.vault_scan_object.aws_s3_bucket_policy.upload_bucket[0] will be created
  + resource "aws_s3_bucket_policy" "upload_bucket" {
      + bucket = "forms-staging-vault-file-storage"
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # module.vault_scan_object.aws_sqs_queue.s3_scan_object will be created
  + resource "aws_sqs_queue" "s3_scan_object" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = (known after apply)
      + kms_master_key_id                 = (known after apply)
      + max_message_size                  = 262144
      + message_retention_seconds         = 345600
      + name                              = "s3-scan-object"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags                              = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + tags_all                          = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 300
    }

  # module.vault_scan_object.aws_sqs_queue_policy.s3_scan_object will be created
  + resource "aws_sqs_queue_policy" "s3_scan_object" {
      + id        = (known after apply)
      + policy    = (known after apply)
      + queue_url = (known after apply)
    }

Plan: 9 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions

github-actions · 2024-02-29T15:39:16Z

Staging: lambdas

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy

Show summary

CHANGE	NAME
update	`aws_lambda_function.vault_integrity`

Show plan

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_lambda_function.vault_integrity will be updated in-place
  ~ resource "aws_lambda_function" "vault_integrity" {
        id                             = "Vault_Data_Integrity_Check"
      ~ last_modified                  = "2024-02-22T13:56:36.000+0000" -> (known after apply)
      ~ source_code_hash               = "PD5RmSEVjAYMZc1lvfSSn6O3RadR+J09hCPKVbQS/+g=" -> "TowbMcppnki+0a5fq50Oral3CqleiwGw7U1igvFz0Ws="
        tags                           = {}
        # (24 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...

feat: enable file scanning on Vault S3 bucket

a34e3d2

craigzour self-assigned this Feb 29, 2024

craigzour mentioned this pull request Feb 29, 2024

feat: enable file scanning for both Staging and Production environments on GC Forms cds-snc/scan-files#872

Merged

craigzour requested a review from patheard February 29, 2024 15:36

patheard approved these changes Feb 29, 2024

View reviewed changes

craigzour merged commit a44318c into develop Feb 29, 2024
4 checks passed

craigzour deleted the feature/plug-file-upload-content-scanning branch February 29, 2024 15:49

sre-read-write bot mentioned this pull request Feb 28, 2024

chore: GCForms release v3.7.0 #610

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: enable file scanning on Vault S3 bucket #611

feat: enable file scanning on Vault S3 bucket #611

craigzour commented Feb 29, 2024 •

edited

Loading

github-actions bot commented Feb 29, 2024

github-actions bot commented Feb 29, 2024

github-actions bot commented Feb 29, 2024

github-actions bot commented Feb 29, 2024

feat: enable file scanning on Vault S3 bucket #611

feat: enable file scanning on Vault S3 bucket #611

Conversation

craigzour commented Feb 29, 2024 • edited Loading

Summary | Résumé

github-actions bot commented Feb 29, 2024

⚠ Terrform update available

github-actions bot commented Feb 29, 2024

Staging: secrets

github-actions bot commented Feb 29, 2024

Staging: file_scanning

github-actions bot commented Feb 29, 2024

Staging: lambdas

craigzour commented Feb 29, 2024 •

edited

Loading