3 rokov pred · 8992a63562
--- a/base/teleport-single-instance/dynamo.tf
+++ b/base/teleport-single-instance/dynamo.tf
@@ -145,6 +145,7 @@ resource "aws_dynamodb_table" "locks" {
 
				   }
			
 
				 
			
 
				   #checkov:skip=CKV_AWS_28:No need for PiTR here
			
 
				+  #tfsec:ignore:aws-dynamodb-enable-recovery
			
 
				   point_in_time_recovery {
			
 
				     enabled = false
			
 
				   }
			
--- a/base/teleport-single-instance/employee_ips.tf
+++ b/base/teleport-single-instance/employee_ips.tf
@@ -0,0 +1 @@
 
				+../../variables/employee_ips.tf
			
--- a/base/teleport-single-instance/main.tf
+++ b/base/teleport-single-instance/main.tf
@@ -36,6 +36,11 @@ resource "aws_instance" "instance" {
 
				   monitoring                           = false
			
 
				   iam_instance_profile                 = aws_iam_instance_profile.teleport.name
			
 
				 
			
 
				+  metadata_options {
			
 
				+    http_endpoint = "enabled"
			
 
				+    http_tokens   = "optional" # tfsec:ignore:aws-ec2-enforce-http-token-imds salt s3 sources require optional tokens; see https://github.com/saltstack/salt/issues/60668
			
 
				+  }
			
 
				+
			
 
				   ami = local.ami_map[local.ami_selection]
			
 
				   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
			
 
				   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
			
--- a/base/teleport-single-instance/s3.tf
+++ b/base/teleport-single-instance/s3.tf
@@ -51,6 +51,13 @@ resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_acce
 
				   restrict_public_buckets = true
			
 
				 }
			
 
				 
			
 
				+# Versioning prevents accidental deletion of records
			
 
				+resource "aws_s3_bucket_versioning" "storage" {
			
 
				+  bucket = aws_s3_bucket.storage.id
			
 
				+  versioning_configuration {
			
 
				+    status = "Enabled"
			
 
				+  }
			
 
				+}
			
 
				 
			
 
				 //AWS Provider outdated arguments <4.4.0
			
 
				 /*resource "aws_s3_bucket" "storage" {
			
@@ -77,4 +84,4 @@ resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_acce
 
				     }
			
 
				   }
			
 
				 }
			
 
				-*/
			
 
				+*/
			
--- a/base/teleport-single-instance/waf.tf
+++ b/base/teleport-single-instance/waf.tf
@@ -0,0 +1,70 @@
 
				+module "waf" {
			
 
				+  source = "../../submodules/wafv2"
			
 
				+
			
 
				+  # Custom to resource
			
 
				+  allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted
			
 
				+  admin_ips              = concat(local.zscalar_ips, local.admin_ips)
			
 
				+  additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
			
 
				+  resource_arn           = aws_alb.external.arn
			
 
				+  fqdns = [ # first entry in list will be the WAF name
			
 
				+    "${var.instance_name}.${var.dns_info["public"]["zone"]}"
			
 
				+    # example, to add additional valid hostnames
			
 
				+    #    keys(module.public_dns_record_cust-auth-elb.forward),
			
 
				+  ]
			
 
				+
			
 
				+  # Set to 'false' to set as 'count only'
			
 
				+  block_settings = {
			
 
				+    default                               = false, # Default action. False = count
			
 
				+    custom                                = false, # XDR Custom Rules. False = count
			
 
				+    admin                                 = false, # /admin folder
			
 
				+    AWSManagedRulesCommonRuleSet          = false,
			
 
				+    AWSManagedRulesAmazonIpReputationList = false,
			
 
				+    AWSManagedRulesKnownBadInputsRuleSet  = false,
			
 
				+    AWSManagedRulesSQLiRuleSet            = false,
			
 
				+    AWSManagedRulesLinuxRuleSet           = false,
			
 
				+    AWSManagedRulesUnixRuleSet            = false,
			
 
				+  }
			
 
				+
			
 
				+  excluded_rules_AWSManagedRulesSQLiRuleSet = [
			
 
				+  ]
			
 
				+
			
 
				+  excluded_rules_AWSManagedRulesUnixRuleSet = [
			
 
				+  ]
			
 
				+
			
 
				+  excluded_rules_AWSManagedRulesCommonRuleSet = [
			
 
				+    "SizeRestrictions_BODY",
			
 
				+  ]
			
 
				+
			
 
				+  # These are passed through and should be the same for module
			
 
				+  tags           = merge(local.standard_tags, var.tags)
			
 
				+  aws_partition  = var.aws_partition
			
 
				+  aws_region     = var.aws_region
			
 
				+  aws_account_id = var.aws_account_id
			
 
				+}
			
 
				+
			
 
				+# Example: If you want to attach the WAF to an additional ALB
			
 
				+#
			
 
				+# Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
			
 
				+# using the commented section below, if the need arises.
			
 
				+
			
 
				+#resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
			
 
				+#  resource_arn = aws_lb.searchhead-auth-alb.arn
			
 
				+#  web_acl_arn  = module.waf.web_acl_id
			
 
				+#}
			
 
				+
			
 
				+# Example: If you want a second WAF, that should be straightforward
			
 
				+#module "waf-auth" {
			
 
				+#  source = "../../../submodules/wafv2"
			
 
				+#
			
 
				+#  # Custom to resource
			
 
				+#  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
			
 
				+#  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
			
 
				+#  resource_arn = aws_lb.searchhead-auth-alb.arn
			
 
				+#  fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
			
 
				+#
			
 
				+#  # These are passed through and should be the same for module
			
 
				+#  tags = merge(local.standard_tags, var.tags)
			
 
				+#  aws_partition = var.aws_partition
			
 
				+#  aws_region = var.aws_region
			
 
				+#  aws_account_id = var.aws_account_id
			
 
				+#}