Final assessment edits #1

.github/workflows/IaC_Sec_checks.yml

@@ -4,13 +4,9 @@ permissions: read-all
 
 on:
   pull_request:
-    types: [opened, reopened]
+    types: [opened, reopened, synchronize, edited]
+
 
-  push:
-    branches:
-      - 'final-assessment'
-    paths:
-      - 'src/final-assessment/**'
 
 
 
@@ -27,19 +23,22 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+
 
       - name: Check if pull request is opened/reopened
         id: pr_status
         uses: octokit/[email protected]
         with:
-          route: GET /repos/RunCor399/Terraform-IaCSec/pulls/${{ github.event.pull_request.number }}
+          route: GET /repos/RunCor399/Terraform-IaCSec/pulls/${{ github.event.number }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkov GitHub Action
         uses: bridgecrewio/checkov-action@v12
-        if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }}
+        #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }}
+
         with:
+          #check: 'LOW,MEDIUM,HIGH,CRITICAL'
           output_format: cli,sarif
           output_file_path: console,results.sarif
 
@@ -49,5 +48,5 @@ jobs:
         if: success() || failure()
         with:
           sarif_file: results.sarif
-          ref: ${{ github.head_ref }}
-          sha: ${{ github.sha }}
+          ref: "refs/pull/${{ github.event.pull_request.number }}/merge"
+          sha: ${{ github.event.pull_request.head.sha }}

.gitignore

@@ -33,3 +33,6 @@ override.tf.json
 *.env
 **/secrets.tf
 
+**IaCSec/iacsec-assessment.md
+
+

src/final-assessment/IaCSec/Azure_Observability/aks.tf

@@ -0,0 +1,53 @@
+
+
+resource "azurerm_kubernetes_cluster" "aks_cluster" {
+    name = "aks-cluster"
+    location = var.observability_rg.location
+    resource_group_name = var.observability_rg.name
+    sku_tier = "Free"
+    local_account_disabled = true
+    api_server_authorized_ip_ranges = "0.0.0.0/0"
+    private_cluster_enabled = true
+
+    default_node_pool {
+        name           = "default"
+        node_count     = 1
+        vm_size        = "standard_d2_v2"
+        max_pods       = 51
+    }
+
+// Add role assignment for azure user
+    identity {
+        type = "SystemAssigned"
+    }
+
+    # Uses Azure AD to authenticate users to K8s, refer to: https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal
+    # azure_active_directory_role_based_access_control {
+    #   managed = true
+    #   // it should be a group id, i've used my own object id
+    #   admin_group_object_ids = ["9bd70693-8b50-432a-8876-a8096e9fb4b6"]
+    #   azure_rbac_enabled = true
+    # }
+
+    network_profile {
+      network_plugin = "azure"
+    }
+
+    http_application_routing_enabled = true
+
+    oms_agent {
+      log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+    }
+
+    linux_profile {
+      admin_username = "adminuser"
+      ssh_key {
+        key_data = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuE9WgQR2C4zPDRLDoMiSgqbsdXjgPFT5YkJFAmnyBO9oIoosAe/s2MBZkasz3IcW3/yrH8r8y4c7UTkAu1dzv+CJNS7Axcg2PNXUdTdZCZp0WHgeLMtlzLHWZRFltVP9wHuM3n206IyJ2iSm3sY8ZfViHWoo6bjHb0cOYL/+vEk7Chvces0gUwHTSTKFuX68x1iWRKTgxqQRSS7yz3wZqB+OxAVLvt7fHGV6nWDGVHsErXXFU7QKUvZQ//cKu1U/dMED3JWKWJEthHqCFOgPQ4PWc0kRe5l6CF+NrzfPKJT8cN9XcNj6kOUu2dMMQx3px6Mr5VjV/0xNQmmoZm0M2YCaq3mbpQEM7fO4xCKJRAlKai/q12N0/DCC4t1CxUhqhyvwiL/O1drOqhFEmsB7Yg+/FiynFjZqvt78RE3gP7t7xmBVRckDSRWTbTQqaLMNryuu6+gEXamOF0pPNCpmSPizCRd1t3D/x13IFHjVqzF9QbGRg0dYcV55izrHvatxRcggfEdBH1DTtuwWV3LftueNeXplRRUcq2MTF1SJQkHhnPzezLwQr9pGVKSFT2QjS5q67MAfK7gC7tSqoT6SVhRd4LFtH2spubLqZnLAN/OBK/atbJn3LVTxKFDd23eDTrwH7R20FUkyNmDYvDvRudlZDGQFs76msZtvcKZgb2Q== runcor3@LAPTOP-36GVQ98F"
+      }
+    }
+
+    dns_prefix = "observability-aks"
+
+    depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace,
+                  azurerm_resource_group.observability_rg]
+}

src/final-assessment/IaCSec/Azure_Observability/grafana.tf

@@ -0,0 +1,46 @@
+data "azurerm_subscription" "primary" {}
+
+
+resource "azurerm_dashboard_grafana" "grafana-dashboard" {
+  name                              = var.grafana-dashboard.name
+  resource_group_name               = var.observability_rg.name
+  location                          = var.grafana-dashboard.location
+
+  auto_generated_domain_name_label_scope = "TenantReuse"
+  public_network_access_enabled = true
+  api_key_enabled = false
+  deterministic_outbound_ip_enabled = false
+  zone_redundancy_enabled = false
+
+  sku = "Standard"
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  depends_on = [azurerm_resource_group.observability_rg]
+}
+
+
+// Works, evaluate how to remove hardcoded principal id (probably the commented line is enough)
+resource "azurerm_role_assignment" "grafana-reader-role-assignment" {
+  #name = "monitoring-reader-role-assignment"
+  scope = data.azurerm_subscription.primary.id
+  principal_id = azurerm_dashboard_grafana.grafana-dashboard.identity[0].principal_id
+  #principal_id = "84edb984-ec6d-46ab-b236-83d3185ee2ad"
+  role_definition_name = "Monitoring Reader"
+} 
+
+
+data "azuread_user" "ad_user" {
+  #user_principal_name = "[email protected]"
+  user_principal_name = "ma.colotti_reply.it#EXT#@francescoborgognihotmailit.onmicrosoft.com"
+}
+
+// "Grafana Admin" role should work, principal Id should be my own account
+resource "azurerm_role_assignment" "grafana-admin-role-assignment" {
+ # name = "monitoring-admin-role-assignment"
+  scope = azurerm_dashboard_grafana.grafana-dashboard.id
+  principal_id = data.azuread_user.ad_user.id
+  role_definition_name = "Grafana Admin"
+}

src/final-assessment/IaCSec/Azure_Observability/log_analytics.tf

@@ -0,0 +1,9 @@
+
+resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
+    name = var.log-analytics-workspace.name
+    location = var.log-analytics-workspace.location
+    resource_group_name = var.observability_rg.name
+    sku = "PerGB2018"
+
+    depends_on = [azurerm_resource_group.observability_rg]
+}

src/final-assessment/IaCSec/Azure_Observability/main.tf

@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.52.0"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.15.0"
+    }
+  }
+
+  backend "azurerm" {
+    resource_group_name = "terraform-rg"
+    storage_account_name = "terraformbackendmanuel"
+    container_name = "tfstate"
+    key = "terraform.tfstate_observability"
+  }
+}
+
+
+provider "azurerm" {
+  subscription_id = var.credentials["subscription_id"]
+  client_id       = var.credentials["client_id"]
+  client_secret   = var.azure_sp_key
+  tenant_id       = var.credentials["tenant_id"]
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+
+resource "azurerm_resource_group" "observability_rg" {
+  name = var.observability_rg.name
+  location = var.observability_rg.location
+}

src/final-assessment/IaCSec/Azure_Observability/variables.tf

@@ -0,0 +1,37 @@
+variable "azure_sp_key" {}
+
+variable "credentials" {
+  description = "Azure Service Provider Credentials"
+  type        = map(string)
+  default = {
+    subscription_id = "945fc713-dc5d-4ba6-9b6b-2f1fb2225b19"
+    tenant_id       = "c5179d57-9fa0-4d70-bf82-c3e49fc377d9"
+    client_id       = "8267d52d-29b9-4a06-ac44-1c6743c8b010"
+  }
+}
+
+
+variable "observability_rg" {
+  description = "Observavility Resource Group"
+  type        = map(string)
+  default = {
+    name     = "observability_rg"
+    location = "westeurope"
+  }
+}
+
+variable "log-analytics-workspace" {
+    type = map(string)
+    default = {
+        name = "log-analytics-workspace"
+        location = "westeurope"
+    }
+}
+
+variable "grafana-dashboard" {
+    type = map(string)
+    default = {
+        name = "grafana-dashboard"
+        location = "westeurope"
+    }
+}

src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml

@@ -0,0 +1,82 @@
+# Load Balancer Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: db-external
+spec:
+  type: LoadBalancer
+  selector:
+    app: db-connector
+  ports:
+  - name: db-connector
+    port: 8888
+    targetPort: 8888
+---
+# Internal Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: db-connector
+spec:
+  type: ClusterIP
+  selector:
+    app: db-connector
+  ports:
+  - name: custom-port
+    port: 8888
+    targetPort: 8888
+---
+# Spring App Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: db-connector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: db-connector
+      role: default-deployment
+  template:
+    metadata:
+      labels:
+        app: db-connector
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: db-connector
+          #checkov:skip=CKV_K8S_43:No image digest
+          #checkov:skip=CKV_K8S_14:No image tag
+          image: runcor3/db_connector:latest
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsUser: 20000
+            runAsGroup: {{.Value}}
+            capabilities:
+              drop:
+                - ALL
+          livenessProbe:
+            exec:
+              command:
+                - cat
+                - /tmp/healthy
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 15
+            timeoutSeconds: 1
+          ports:
+            - containerPort: 8888
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh", "-c"]
+                args: ["export KUBE_TOKEN=/var/run/secrets/kubernetes.io/serviceaccount/token"]
+
+