
Merge pull request #333 from mdr-engineering/hotfix/ftd_na_GHEOnlyFromSelectedIPs

Allows access to GHE only from Trusted IPs and zScalar
Frederick Damstra 3 éve
szülő
commit
182114460a

+ 0 - 2
base/aws_client_vpn/vpn.tf

@@ -38,8 +38,6 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
   # Possible required with zscalar?
   transport_protocol = "udp"
 
-  tags = merge(var.standard_tags, var.tags)
-}
 
 resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
   count = local.redundancy_count

+ 33 - 3
base/github/securitygroups-load-balancers.tf

@@ -1,6 +1,36 @@
 #----------------------------------------------------------------
 # SG for the external ELB
 #----------------------------------------------------------------
+locals {
+  # from https://config.zscaler.com/zscalergov.net/cenr
+  zscalar_cidrs = [
+    "165.225.3.0/24",
+    "136.226.10.0/23",
+    "136.226.12.0/23",
+    "136.226.14.0/23",
+    "165.225.46.0/24",
+    "136.226.6.0/23",
+    "136.226.4.0/23",
+    "136.226.8.0/23",
+    "136.226.22.0/24",
+    "165.225.48.0/24",
+    "136.226.18.0/23",
+    "136.226.16.0/23",
+    "136.226.20.0/23",
+  ]
+  salt_masters = [
+    "18.253.198.129/32", # Salt Master Prod - proxy
+    "18.253.73.251/32", # salt master prod
+    "18.252.61.81/32", # Salt master dev - proxy
+    "18.253.226.199/32", # salt aster dev
+  ]
+  # Locking down sources on 2021-12-10 due to log4j vulnerability
+  #allowed_sources = local.zscalar_cidrs
+  #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
+  allowed_sources = concat(local.zscalar_cidrs, var.trusted_ips, local.salt_masters)
+  #allowed_sources = [ "0.0.0.0/0" ]
+}
+
 resource "aws_security_group" "ghe_elb_external" {
   name_prefix = "ghe_elb_external"
   tags = merge( var.standard_tags, var.tags, { Name = "github-external-lb" } )
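Review bot: `allowed_sources` concatenates three lists without deduplication, so a CIDR that appears in both `var.trusted_ips` and one of the hard-coded lists is passed twice to `cidr_blocks` on the three rules below; writing it as `allowed_sources = distinct(concat(local.zscalar_cidrs, var.trusted_ips, local.salt_masters))` avoids a possible duplicate-entry failure at apply time and keeps the effective list easy to audit. The Zscaler ranges are a point-in-time copy from the linked page with no retrieval date, and such ranges are subject to change, so a comment like `# snapshot taken 2021-12-10; re-check the linked page before relying on this list` would tell the next maintainer when it was last verified, with a variable or data source as the durable fix. The commented-out `#allowed_sources = [ "0.0.0.0/0" ]` alternative is one uncomment away from reopening ports 22, 80 and 443-444 to the world, so I would remove it rather than keep it as a toggle. The comment `# salt aster dev` reads as a typo for `# salt master dev`.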
@@ -11,7 +41,7 @@ resource "aws_security_group" "ghe_elb_external" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 22
   to_port                  = 22
   protocol                 = "tcp"
@@ -21,7 +51,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -31,7 +61,7 @@ resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
 resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
   security_group_id        = aws_security_group.ghe_elb_external.id
   type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
+  cidr_blocks              = local.allowed_sources
   from_port                = 443
   to_port                  = 444
   protocol                 = "tcp"

+ 125 - 69
submodules/wafv2/waf.tf

@@ -40,9 +40,9 @@ resource "aws_wafv2_ip_set" "allowed" {
 }
 
 resource "aws_wafv2_rule_group" "xdr_custom_rules" {
-  name = "${local.waf_name}_xdr_custom_rules_rev2" # update name when updating
+  name = "${local.waf_name}_xdr_custom_rules_rev3" # update name when updating
   scope    = "REGIONAL"
-  capacity = 50
+  capacity = 60
 
   # Note, there is visibilty config for the group and for the rule
   visibility_config {
@@ -84,73 +84,129 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
 #    }
   }
 
-  rule {
-    name = "Block_log4j_Exploit_20211210"
-    action {
-      block {}
-    }
-    priority = 110
-
-    #rule_label {
-    #  name = "xdr_custom:log4j"
-    #}
-
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "Block_Log4j_exploit_20211210"
-      sampled_requests_enabled   = true
-    }
-
-    statement {
-      or_statement {
-        statement {
-          byte_match_statement {
-            field_to_match {
-              single_header {
-                name = "user-agent"
-              }
-            }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:ldap://"
-            text_transformation {
-              priority = 2
-              type     = "LOWERCASE"
-            }
-          }
-        }
-        statement {
-          byte_match_statement {
-            field_to_match {
-              single_header {
-                name = "user-agent"
-              }
-            }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:rmi:"
-            text_transformation {
-              priority = 2
-              type     = "LOWERCASE"
-            }
-          }
-        }
-        statement {
-          byte_match_statement {
-            field_to_match {
-              single_header {
-                name = "user-agent"
-              }
-            }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:dns:"
-            text_transformation {
-              priority = 2
-              type     = "LOWERCASE"
-            }
-          }
-        }
-      }  
-    }
-  }
+#  rule {
+#    name = "Block_log4j_Exploit_20211210"
+#    action {
+#      block {}
+#    }
+#    priority = 110
+#
+#    #rule_label {
+#    #  name = "xdr_custom:log4j"
+#    #}
+#
+#    visibility_config {
+#      cloudwatch_metrics_enabled = true
+#      metric_name                = "Block_Log4j_exploit_20211210"
+#      sampled_requests_enabled   = true
+#    }
+#
+#    statement {
+#      or_statement {
+#        statement {
+#          byte_match_statement {
+#            field_to_match {
+#              single_header {
+#                name = "user-agent"
+#              }
+#            }
+#            positional_constraint = "STARTS_WITH"
+#            search_string = "$${jndi:" # ldap://"
+#
+#            text_transformation {
+#              priority = 1
+#              type     = "BASE64_DECODE"
+#            }
+#
+#            #text_transformation {
+#            #  priority = 3
+#            #  type     = "HEX_DECODE"
+#            #}
+#
+#            text_transformation {
+#              priority = 5
+#              type     = "LOWERCASE"
+#            }
+#          }
+#        }
+#
+##        statement {
+##          byte_match_statement {
+##            field_to_match {
+##              method {}
+##            }
+##            positional_constraint = "STARTS_WITH"
+##            search_string = "$${jndi:" # ldap://"
+##
+##            text_transformation {
+##              priority = 1
+##              type     = "BASE64_DECODE"
+##            }
+##
+##            text_transformation {
+##              priority = 3
+##              type     = "HEX_DECODE"
+##            }
+##
+##            text_transformation {
+##              priority = 5
+##              type     = "LOWERCASE"
+##            }
+##          }
+##        }
+##
+##        statement {
+##          byte_match_statement {
+##            field_to_match {
+##              query_string {}
+##            }
+##            positional_constraint = "CONTAINS"
+##            search_string = "$${jndi:" # ldap://"
+##
+##            text_transformation {
+##              priority = 1
+##              type     = "BASE64_DECODE"
+##            }
+##
+##            #text_transformation {
+##            #  priority = 3
+##            #  type     = "HEX_DECODE"
+##            #}
+##
+##            text_transformation {
+##              priority = 5
+##              type     = "LOWERCASE"
+##            }
+##          }
+##        }
+#
+#        statement {
+#          byte_match_statement {
+#            field_to_match {
+#              uri_path {}
+#            }
+#            positional_constraint = "CONTAINS"
+#            search_string = "$${jndi:" # ldap://"
+#
+#            text_transformation {
+#              priority = 1
+#              type     = "BASE64_DECODE"
+#            }
+#
+#            #text_transformation {
+#            #  priority = 3
+#            #  type     = "HEX_DECODE"
+#            #}
+#
+#            text_transformation {
+#              priority = 5
+#              type     = "LOWERCASE"
+#            }
+#          }
+#        }
+#      }  
+#    }
+#  }
   # Add additional custom rules here
 
   lifecycle {
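Review bot: The whole `Block_log4j_Exploit_20211210` rule is commented out in this hunk, so `xdr_custom_rules` now carries no active custom rule, while the first hunk renames the group to `_rev3` and raises `capacity` to 60 as if a rule were being changed rather than removed, and the pull-request title mentions only the IP allow-list. A header comment above `#  rule {` stating why the rule was switched off and what would allow it back, e.g. `# Disabled 2021-12-10: <reason>; re-enable once <condition> (tracking: <TICKET-PLACEHOLDER>)`, would stop the next reader from mistaking this for finished work. If the intent is that the security-group allow-list is now the only mitigation, that should be said here too, because the group name and capacity otherwise keep implying WAF-layer coverage that no longer exists. The disabled body also still sets `metric_name = "Block_Log4j_exploit_20211210"` and the `rev2`-era priority, which would need revisiting before it is re-enabled as-is. The enclosing `aws_wafv2_rule_group` resource starts before this hunk.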