diff --git a/ops/packer/scripts/platinum/03-install-security-updates.sh b/ops/packer/scripts/platinum/03-install-security-updates.sh index 3f60af49f8..4295a47c57 100644 --- a/ops/packer/scripts/platinum/03-install-security-updates.sh +++ b/ops/packer/scripts/platinum/03-install-security-updates.sh @@ -2,3 +2,6 @@ # Apply security patches sudo yum update-minimal --security -y + +# Aggressively reconfigure grub configuration +sudo grub2-mkconfig -o /boot/grub2/grub.cfg diff --git a/ops/terraform/env/mgmt/README.md b/ops/terraform/env/mgmt/README.md index cb524e2747..e96add77d0 100644 --- a/ops/terraform/env/mgmt/README.md +++ b/ops/terraform/env/mgmt/README.md 
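Review bot: The added `grub2-mkconfig` line does not record why grub.cfg needs regenerating at this point, and "Aggressively" tells a reader nothing; suggest `# Regenerate grub.cfg so a kernel pulled in by the security update is the default entry on next boot`. The script's header is outside the hunk, so it is unclear whether it runs under `set -e`; without it a failed `grub2-mkconfig` would still produce an AMI with a stale boot configuration, so either confirm `set -euo pipefail` at the top or make this line fail the build explicitly. Note also that on UEFI-booted images grub.cfg conventionally lives under `/boot/efi/EFI/<distro>/` rather than `/boot/grub2/`, so the hard-coded output path assumes BIOS boot — worth stating in the comment if that is the intended platform.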
@@ -44,10 +44,12 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_iam_group_policy_attachment.app_engineers_ec2_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_group_policy_attachment.app_engineers_s3_integration_tests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_group_policy_attachment.app_engineers_vpc_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_instance_profile.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
 | [aws_iam_policy.bfd_ssm_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_ci_ops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_s3its](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -57,13 +59,13 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_iam_policy.jenkins_permission_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.jenkins_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.packer_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.packer_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.packer_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.rda_ec2_instance_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.rda_ssm_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_integration_tests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudbees](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_kms_alias.data_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.data_keys_alt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.data_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -157,7 +159,7 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_ssm_parameter.bcda_aws_account_number](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cbc_aws_account_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cpm_aws_account_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
-| [aws_ssm_parameters_by_path.common_sensitive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
+| [aws_ssm_parameters_by_path.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_ssm_parameters_by_path.sensitive_quicksight_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_vpc.internal_r53_hz_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
diff --git a/ops/terraform/env/mgmt/iam.tf b/ops/terraform/env/mgmt/iam.tf
index 5c5e291745..0152112562 100644
--- a/ops/terraform/env/mgmt/iam.tf
+++ b/ops/terraform/env/mgmt/iam.tf
@@ -1,90 +1,25 @@ -#TODO: Determine if the bfd-packages sees continued use -resource "aws_iam_policy" "packer_s3" { - description = "packer S3 Policy" - name = "bfd-${local.env}-packer-s3" +resource "aws_iam_policy" "ec2_instance_tags_ro" { + description = "Global EC2 Instances and Tags RO Policy" + name = "bfd-${local.env}-ec2-instance-tags-ro" path = "/" policy = <<-POLICY { + "Version": "2012-10-17", "Statement": [ { + "Sid": "EC2InstanceTagsRO", "Action": [ - "s3:GetObjectAcl", - "s3:GetObject", - "s3:GetObjectVersionAcl", - "s3:GetObjectTagging", - "s3:ListBucket", - "s3:GetObjectVersion" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::bfd-packages/*", - "arn:aws:s3:::bfd-packages" - ], - "Sid": "BFDProfile" - } - ], - "Version": "2012-10-17" -} -POLICY - -} - -resource "aws_iam_policy" "packer_ssm" { - description = "Policy granting permission for bfd-packer profiled instances to access some common SSM hierarchies" - name = "bfd-${local.env}-packer-ssm" - path = "/" - policy = <<-POLICY -{ - "Statement": [ - { - "Action": [ - "ssm:GetParametersByPath", - "ssm:GetParameters", - "ssm:GetParameter" + "ec2:DescribeTags", + "ec2:DescribeInstances" ], "Effect": "Allow", - "Resource": [ - %{for env in local.established_envs~} - "arn:aws:ssm:us-east-1:${local.account_id}:parameter/bfd/${env}/common/*", - %{endfor~} - "arn:aws:ssm:us-east-1:${local.account_id}:parameter/bfd/${local.env}/common/*" - ], - "Sid": "BFDProfile" + "Resource": "*" } - ], - "Version": "2012-10-17" + ] } POLICY } -resource "aws_iam_policy" "packer_kms" { - description = "Policy granting permission for bfd-packer profiled instances to decrypt using mgmt and established environment KMS keys" - name = "bfd-${local.env}-packer-kms" - path = "/" - policy = jsonencode( - { - "Statement" : [ - { - "Action" : ["kms:Decrypt"], - "Effect" : "Allow", - "Resource" : concat( - [ - "${local.bfd_insights_kms_key_id}", - "${local.kms_key_id}", - "${local.tf_state_kms_key_id}", - 
"${local.test_kms_key_id}", - "${local.prod_sbx_kms_key_id}", - "${local.prod_kms_key_id}" - ], - local.all_kms_config_key_arns - ) - } - ], - "Version" : "2012-10-17" - } - ) -} - resource "aws_iam_policy" "code_artifact_rw" { description = "CodeArtifact read/write permissions" name = "bfd-${local.env}-codeartifact-rw" diff --git a/ops/terraform/env/mgmt/packer-iam.tf b/ops/terraform/env/mgmt/packer-iam.tf new file mode 100644 index 0000000000..892b95639c --- /dev/null +++ b/ops/terraform/env/mgmt/packer-iam.tf 
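Review bot: `aws_iam_policy.ec2_instance_tags_ro` grants `ec2:DescribeInstances` and `ec2:DescribeTags` on `"Resource": "*"` with no comment explaining the wildcard; these Describe actions do not support resource-level permissions, so `*` is the only valid scope, and a policy audit will flag it without that context — suggest a comment above the resource: `# ec2:Describe* actions do not accept resource-level restrictions, so Resource must be "*"; grants read of instance/tag metadata only`. The policy's `name` is resolved by the literal string `bfd-mgmt-ec2-instance-tags-ro` from `data "aws_iam_policy"` lookups in the migrator, pipeline and server modules elsewhere in this diff, so a rename of `name` here breaks those plans at their next run; a one-line comment on the `name` line naming the by-name consumers would spare the next maintainer that surprise. The unchanged `code_artifact_rw` resource at the tail of the hunk continues outside it.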
@@ -0,0 +1,88 @@
+resource "aws_iam_policy" "packer_ssm" {
+ description = "Policy granting permission for bfd-packer profiled instances to access some common SSM hierarchies"
+ name = "bfd-${local.env}-packer-ssm"
+ path = "/"
+ policy = <<-POLICY
+{
+ "Statement": [
+ {
+ "Action": [
+ "ssm:GetParametersByPath",
+ "ssm:GetParameters",
+ "ssm:GetParameter"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ %{for env in local.established_envs~}
+ "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/${env}/common/*",
+ %{endfor~}
+ "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/${local.env}/common/*"
+ ],
+ "Sid": "BFDProfile"
+ }
+ ],
+ "Version": "2012-10-17"
+}
+POLICY
+}
+
+resource "aws_iam_policy" "packer_kms" {
+ description = "Policy granting permission for bfd-packer profiled instances to decrypt using mgmt and established environment KMS keys"
+ name = "bfd-${local.env}-packer-kms"
+ path = "/"
+ policy = jsonencode(
+ {
+ "Statement" : [
+ {
+ "Action" : ["kms:Decrypt"],
+ "Effect" : "Allow",
+ "Resource" : concat(
+ [
+ local.bfd_insights_kms_key_id,
+ local.kms_key_id,
+ local.tf_state_kms_key_id,
+ local.test_kms_key_id,
+ local.prod_sbx_kms_key_id,
+ local.prod_kms_key_id
+ ],
+ local.all_kms_config_key_arns
+ )
+ }
+ ],
+ "Version" : "2012-10-17"
+ }
+ )
+}
+
+resource "aws_iam_role" "packer" {
+ assume_role_policy = jsonencode(
+ {
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ Version = "2012-10-17"
+ }
+ )
+ description = "Allows EC2 instances to call AWS services on your behalf."
+ force_detach_policies = false
+ managed_policy_arns = [
+ aws_iam_policy.packer_ssm.arn,
+ aws_iam_policy.packer_kms.arn,
+ aws_iam_policy.ec2_instance_tags_ro.arn,
+ ]
+ max_session_duration = 3600
+ name = "bfd-packer"
+ path = "/"
+}
+
+resource "aws_iam_instance_profile" "packer" {
+ name = aws_iam_role.packer.name
+ role = aws_iam_role.packer.name
+ path = "/"
+}
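Review bot: The `description` on `aws_iam_role.packer` is the console's generic default text ("Allows EC2 instances to call AWS services on your behalf.") and says nothing about this role; suggest `description = "Instance role for Packer AMI build instances: read common SSM hierarchies, decrypt with environment KMS keys, read EC2 instance tags"`. `managed_policy_arns` on the role is an authoritative list — any attachment made outside Terraform is detached on the next apply — which is acceptable for a mgmt-owned role but deserves a comment on that line (`# authoritative: out-of-band attachments are removed on apply`), and recent AWS provider releases deprecate the attribute in favour of `aws_iam_role_policy_attachment`, which the bfd_server_iam module in this same diff already uses; confirm against the pinned provider version. The hard-coded `name = "bfd-packer"` departs from the `bfd-${local.env}-…` convention the two policies above it follow; if Packer templates reference the role or instance profile by that literal name, say so in a comment so nobody "fixes" it. The moved `packer_kms`/`packer_ssm` policies give the build instance `kms:Decrypt` on the prod keys and read of every established environment's `/bfd/<env>/common/*` hierarchy; that is pre-existing, but now that this file defines the role end to end, a short comment on why an AMI build needs prod-scope reads would help future reviewers.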
diff --git a/ops/terraform/services/migrator/README.md b/ops/terraform/services/migrator/README.md
index 200fc13bec..11cc835c76 100644
--- a/ops/terraform/services/migrator/README.md
+++ b/ops/terraform/services/migrator/README.md
@@ -76,6 +76,7 @@ In addition to the [Requirements (below)](#requirements) below, an included [ext
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.cloudwatch_agent_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.cloudwatch_agent_xray_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_key_pair.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/key_pair) | data source |
 | [aws_kms_key.cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_kms_key.config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
diff --git a/ops/terraform/services/migrator/data-sources.tf b/ops/terraform/services/migrator/data-sources.tf
index d485d624d4..f6b5436662 100644
--- a/ops/terraform/services/migrator/data-sources.tf
+++ b/ops/terraform/services/migrator/data-sources.tf
@@ -101,3 +101,7 @@ data "aws_ssm_parameters_by_path" "nonsensitive_common" {
 data "aws_ssm_parameters_by_path" "nonsensitive" {
 path = "/bfd/${local.env}/${local.service}/nonsensitive"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+ name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/migrator/iam.tf b/ops/terraform/services/migrator/iam.tf
index a48b48987b..7b609f0b65 100644
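Review bot: `data "aws_iam_policy" "ec2_instance_tags_ro"` in migrator/data-sources.tf resolves a policy by the literal name `bfd-mgmt-ec2-instance-tags-ro`, which is an implicit dependency on the mgmt environment's state: the mgmt stack must be applied first or this module's plan fails on the lookup, and nothing in the file says so. Suggest a comment above the block: `# Shared read-only EC2 instance/tag policy managed in ops/terraform/env/mgmt; apply mgmt before this service`. The same literal and the same missing note recur in the pipeline and bfd_server_iam data-sources.tf hunks later in this diff; the same comment in each (or one shared local for the name) would keep the three consumers in step with the mgmt definition.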
--- a/ops/terraform/services/migrator/iam.tf +++ b/ops/terraform/services/migrator/iam.tf @@ -98,6 +98,7 @@ resource "aws_iam_role" "this" { data.aws_iam_policy.cloudwatch_agent_xray_policy.arn, aws_iam_policy.sqs.arn, aws_iam_policy.ssm.arn, + data.aws_iam_policy.ec2_instance_tags_ro.arn, ] } diff --git a/ops/terraform/services/pipeline/README.md b/ops/terraform/services/pipeline/README.md index a0a07d282f..4047284afa 100644 --- a/ops/terraform/services/pipeline/README.md +++ b/ops/terraform/services/pipeline/README.md @@ -77,6 +77,7 @@ | [aws_sns_topic_policy.s3_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | | [aws_ami.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_kms_key.cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_kms_key.config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_kms_key.mgmt_config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | diff --git a/ops/terraform/services/pipeline/data-sources.tf b/ops/terraform/services/pipeline/data-sources.tf index abb0e54874..7756425d32 100644 --- a/ops/terraform/services/pipeline/data-sources.tf +++ b/ops/terraform/services/pipeline/data-sources.tf 
@@ -137,3 +137,7 @@ data "aws_sns_topic" "bfd_notices_slack_alarm" {
 count = local.is_ephemeral_env ? 0 : 1
 name = "bfd-${local.env}-cloudwatch-alarms-slack-bfd-notices"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+ name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/pipeline/iam.tf b/ops/terraform/services/pipeline/iam.tf
index 72d824b2b3..e60851baa4 100644
--- a/ops/terraform/services/pipeline/iam.tf
+++ b/ops/terraform/services/pipeline/iam.tf
@@ -210,6 +210,7 @@ EOF
 "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess",
 "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
 "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
+ data.aws_iam_policy.ec2_instance_tags_ro.arn,
 ]
 max_session_duration = 3600
 name = "bfd-${local.env}-bfd_${local.service}-role"
diff --git a/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf b/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf
index 38afb507c8..a881babd60 100644
--- a/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf
+++ b/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf
@@ -26,3 +26,7 @@ data "aws_iam_policy" "cloudwatch_agent_policy" {
 data "aws_iam_policy" "cloudwatch_xray_policy" {
 arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+ name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/server/modules/bfd_server_iam/main.tf b/ops/terraform/services/server/modules/bfd_server_iam/main.tf
index 6d04c6647c..c3291361d8 100644
--- a/ops/terraform/services/server/modules/bfd_server_iam/main.tf
+++ b/ops/terraform/services/server/modules/bfd_server_iam/main.tf
@@ -213,3 +213,8 @@ resource "aws_iam_role_policy_attachment" "asg" {
 role = aws_iam_role.instance.id
 policy_arn = aws_iam_policy.asg.arn
 }
+
+resource "aws_iam_role_policy_attachment" "ec2_instance_tags_ro" {
+ role = aws_iam_role.instance.id
+ policy_arn = data.aws_iam_policy.ec2_instance_tags_ro.arn
+}