
Updates ELB tfsec invalid headers and minor formatting

Load balancers should drop invalid headers - Application load balancer is not set to drop invalid headers.

ID               - aws-elb-drop-invalid-headers
Severity     - High
Impact       - Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution - Set drop_invalid_header_fields to true

tfsec finding - https://aquasecurity.github.io/tfsec/v1.26.0/checks/aws/elb/drop-invalid-headers/ - Passing unknown or invalid headers through to the target poses a potential risk of compromise.

AWS - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

tag 5.1.6
Jeremy Cooper [AFS MBP] пре 3 година
родитељ
комит
f798743f8b
2 измењених фајлова са 39 додато и 13 уклоњено
  1. 20 8
      base/customer_portal/elb.tf
  2. 19 5
      base/vault/elb.tf

+ 20 - 8
base/customer_portal/elb.tf

@@ -3,10 +3,12 @@
 # LOAD BALANCER FOR PORTAL
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_alb" "portal" {
-  name            = "portal-alb-${var.environment}"
-  security_groups = [aws_security_group.customer_portal_alb.id, ]
-  internal        = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
-  subnets         = var.public_subnets
+  name                       = "portal-alb-${var.environment}"
+  security_groups            = [aws_security_group.customer_portal_alb.id, ]
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  subnets                    = var.public_subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   tags = merge(local.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })
 
@@ -95,18 +97,21 @@ module "public_dns_record" {
   }
 }
 
-#------------------------------------
-# Security Group
-#------------------------------------
-
+#----------------------------------------------------------------------------
+# ALB Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "customer_portal_alb" {
   name        = "customer_portal_alb_inbound_sg"
   description = "Allow Customer Portal ALB HTTP Traffic Inbound"
   vpc_id      = var.vpc_id
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "customer_portal_alb_https" {
   protocol          = "tcp"
+  description       = "Portal - Allow 443 from any"
   type              = "ingress"
   from_port         = 443
   to_port           = 443
@@ -117,6 +122,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https" {
 #Allow viewing of test portal from home. We don't want world to view test portal.
 resource "aws_security_group_rule" "customer_portal_alb_https_test" {
   protocol          = "tcp"
+  description       = "Portal - Allow 443 from strictly XDR Engineers staticly assigned address"
   type              = "ingress"
   from_port         = 443
   to_port           = 443
@@ -127,6 +133,7 @@ resource "aws_security_group_rule" "customer_portal_alb_https_test" {
 ## Needed for HTTPs redirect
 resource "aws_security_group_rule" "customer_portal_alb_http" {
   protocol          = "tcp"
+  description       = "Portal - 80 redirect to 443"
   type              = "ingress"
   from_port         = 80
   to_port           = 80
@@ -138,6 +145,7 @@ resource "aws_security_group_rule" "customer_portal_alb_http" {
 resource "aws_security_group_rule" "customer_portal_sensu_check" {
   count             = var.environment == "test" ? 1 : 0
   protocol          = "tcp"
+  description       = "Portal - Allow Sensu Check from proxy in test on 443"
   type              = "ingress"
   from_port         = 443
   to_port           = 443
@@ -145,8 +153,12 @@ resource "aws_security_group_rule" "customer_portal_sensu_check" {
   cidr_blocks       = ["${var.proxy_public_ip}/32", ]
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "customer_portal_alb" {
   protocol                 = "tcp"
+  description              = "Portal - Allow 443 to any"
   type                     = "egress"
   from_port                = 443
   to_port                  = 443
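Review bot: The `drop_invalid_header_fields = true` line added to `aws_alb.portal` in the first hunk (and the matching line on `aws_alb.vault` in base/vault/elb.tf) carries no comment saying why it is there, so a later cleanup could drop it and silently reopen the tfsec finding; I would annotate it `# tfsec aws-elb-drop-invalid-headers: strip header fields whose names are not well-formed before they reach the targets`. As far as I know the ALB treats any header name outside `[-A-Za-z0-9]+` as invalid, which means custom headers with underscores in their names are dropped too, so it is worth confirming the portal targets do not depend on such headers before this rolls past the test environment. `load_balancer_type = "application"` looks like the provider default for `aws_alb`, so it should be a no-op in state rather than a forced replacement, but a `terraform plan` showing no replacement is the thing to check. Minor: the description on the `customer_portal_alb_https_test` rule spells `staticly`; `statically` is the intended word.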

+ 19 - 5
base/vault/elb.tf

@@ -1,8 +1,13 @@
+#----------------------------------------------------------------------------
+# INTERNAL LB
+#----------------------------------------------------------------------------
 resource "aws_alb" "vault" {
-  name            = "vault-alb-${var.environment}"
-  security_groups = [aws_security_group.vault_ALB_server.id]
-  internal        = true
-  subnets         = var.subnets
+  name                       = "vault-alb-${var.environment}"
+  security_groups            = [aws_security_group.vault_ALB_server.id]
+  internal                   = true
+  subnets                    = var.subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
 
   access_logs {
@@ -73,6 +78,9 @@ resource "aws_alb_listener" "vault_https" {
 #   }
 # }
 
+#----------
+# DNS Entry
+#----------
 #DNS Alias for the LB ( the CNAME was required. an Alias did NOT work due to aws/bug. )
 resource "aws_route53_record" "vault_internal" {
   zone_id  = var.dns_info["private"]["zone_id"]
@@ -86,13 +94,16 @@ resource "aws_route53_record" "vault_internal" {
 #----------------------------------------------------------------------------
 # Vault ALB Security Group
 #----------------------------------------------------------------------------
-
 resource "aws_security_group" "vault_ALB_server" {
   vpc_id = var.vpc_id
   name   = "vault-alb-sg"
+  description = "ALB for Vault"
   tags   = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vault_server_from_vpc" {
   type              = "ingress"
   from_port         = 443
@@ -103,6 +114,9 @@ resource "aws_security_group_rule" "vault_server_from_vpc" {
   security_group_id = aws_security_group.vault_ALB_server.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb_to_vault_server" {
   type                     = "egress"
   from_port                = 443