Merge branch 'main' into chandra-demo

.github/workflows/aks.yml

@@ -1,4 +1,5 @@
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
   pull_request:
@@ -58,12 +59,22 @@ jobs:
         - name: Update Registry URL
           run: |
             sed -i.bak 's/pcgithub.azurecr.io/${{ secrets.REGISTRY_LOGIN_SERVER }}/' aks-deployment.yml
+        - name: Set up deployment environment variables
+          run: |
+            kustomize create --resources aks-deployment.yml,aks-serviceaccount.yaml
+            kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env","value":[{"name":"BLOB_ENDPOINT","value":"'"${{secrets.BLOB_ENDPOINT}}"'"},{"name":"CONTAINER_NAME","value":"'"${{secrets.CONTAINER_NAME}}"'"}]}]' --group apps
+            if [ -n "${{ secrets.AWI_CLIENTID }}" ]
+            then
+              kustomize edit add patch --kind ServiceAccount --patch '[{"op":"add","path":"/metadata/annotations","value":{"azure.workload.identity/client-id":"'"${{secrets.AWI_CLIENTID}}"'"}}]'
+              kustomize edit add patch --kind Deployment --patch '[{"op":"add","path":"/spec/template/spec/serviceAccountName","value":"workload-identity-sa"}]' --group apps
+            fi
+            kustomize build . -o aks-deployment-kustomized.yml
         - name: Deploy to AKS
           id: deploy-aks
           uses: Azure/k8s-deploy@v4
           with:
             namespace: 'default'
             manifests: |
-              aks-deployment.yml
+              aks-deployment-kustomized.yml
             images: '${{ secrets.REGISTRY_LOGIN_SERVER }}/pythonserver:${{ github.sha }}'
             annotate-namespace: 'false'

.github/workflows/ec2.yml

@@ -1,5 +1,6 @@
 name: EC2 deployment
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
     paths:

.github/workflows/eks.yml

@@ -1,4 +1,5 @@
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
   pull_request:
@@ -43,7 +44,7 @@ jobs:
         ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
         ECR_REPOSITORY: ${{ secrets.REPO_NAME }}
         IMAGE_TAG: ${{ github.sha }}
-      uses: PaloAltoNetworks/prisma-cloud-scan@v1
+      uses: PaloAltoNetworks/prisma-cloud-scan@v1.4.0
       with:
         pcc_console_url: ${{ secrets.PCC_CONSOLE_URL }}
         pcc_user: ${{ secrets.PCC_USER }}
@@ -76,6 +77,7 @@ jobs:
       run: |-
         kustomize create --resources eks-deployment.yml
         kustomize edit set image "demo-image-name=${{ steps.login-ecr.outputs.registry }}/${{ secrets.REPO_NAME }}:${{ github.sha }}"
+        kustomize edit add patch --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env","value":[{"name":"S3_BUCKET_NAME","value":"'"${{secrets.S3_BUCKET_NAME}}"'"}]}]' --group apps
         cat kustomization.yaml
         kustomize build . | kubectl apply -f -
         kubectl get pods -o wide

.github/workflows/gcp-cloudrun.yml

@@ -1,4 +1,5 @@
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
     paths:

.github/workflows/gke.yml

@@ -1,4 +1,5 @@
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
   pull_request:

.github/workflows/lambda.yml

@@ -1,4 +1,5 @@
 on:
+  workflow_dispatch:
   push:
     branches: [ main ]
     paths:

.gitignore

@@ -1 +1,2 @@
 .external_modules/
+.DS_Store

IaC/AKS/aks.tf

@@ -4,26 +4,30 @@ resource "random_string" "password" {
   special = false
 }
 
-provider "azurerm" {
-  #version = "=1.38.0"
+data "azurerm_subscription" "configured" {
   subscription_id = var.subscription_id
-  tenant_id       = var.tenant_id
-  features {}
 }
 
-data "azurerm_subscription" "configured" {
-  subscription_id = var.subscription_id
+data "azurerm_kubernetes_cluster" "aks_cluster" {
+  name                = azurerm_kubernetes_cluster.aks_cluster.name
+  resource_group_name = azurerm_kubernetes_cluster.aks_cluster.resource_group_name
 }
 
 resource "azurerm_kubernetes_cluster" "aks_cluster" {
   # checkov:skip=CKV_AZURE_115: Private Cluster would not work with GH actions
   # checkov:skip=CKV_AZURE_117: Disks are already encrypted at rest with Azure manged keys, which is sufficient for a demo cluster
   # checkov:skip=CKV_AZURE_4: No need for cluster telemetry (performance/availability) for a demo cluster
   # checkov:skip=CKV_AZURE_6: Cannot use trusted networks because of 200 IP limit with GH actions
-  name                = "${var.prefix}-${random_string.password.result}"
-  location            = var.region
-  resource_group_name = var.create_requirements ? azurerm_resource_group.rg[0].name : var.resource_group_name
-  dns_prefix          = "${var.prefix}-${random_string.password.result}"
+  name                      = "${var.prefix}-${random_string.password.result}"
+  location                  = var.region
+  resource_group_name       = var.create_requirements ? azurerm_resource_group.rg[0].name : var.resource_group_name
+  dns_prefix                = "${var.prefix}-${random_string.password.result}"
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+  automatic_channel_upgrade = "stable"
+  depends_on = [
+    azurerm_resource_provider_registration.ewip
+  ]
 
   default_node_pool {
     name                = "poolone"
@@ -62,6 +66,30 @@ resource "azurerm_kubernetes_cluster" "aks_cluster" {
   }
 }
 
+resource "azurerm_resource_provider_registration" "ewip" {
+  name = "Microsoft.ContainerService"
+
+  feature {
+    name       = "EnableWorkloadIdentityPreview"
+    registered = true
+  }
+}
+
+resource "azurerm_user_assigned_identity" "cnappdemo" {
+  name                = "${var.prefix}-wlid"
+  resource_group_name = var.create_requirements ? azurerm_resource_group.rg[0].name : var.resource_group_name
+  location            = var.region
+}
+
+resource "azurerm_federated_identity_credential" "cnappdemo" {
+  name                = "${var.prefix}-wlid"
+  resource_group_name = azurerm_user_assigned_identity.cnappdemo.resource_group_name
+  issuer              = azurerm_kubernetes_cluster.aks_cluster.oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.cnappdemo.id
+  audience            = ["api://AzureADTokenExchange"]
+  subject             = "system:serviceaccount:default:workload-identity-sa"
+}
+
 resource "azurerm_role_assignment" "admin_aks_rbac" {
   role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin"
   principal_id         = data.azuread_client_config.current.object_id

IaC/AKS/argocd.tf

@@ -1,10 +1,13 @@
+data "azurerm_subscription" "current" {}
+
 resource "null_resource" "run_provisioner" {
   count = var.run_provisioner ? 1 : 0
   provisioner "local-exec" {
     environment = {
       CSP                      = "AZURE",
       AZURE_AKS_NAME           = azurerm_kubernetes_cluster.aks_cluster.name,
       AZURE_RG                 = azurerm_kubernetes_cluster.aks_cluster.resource_group_name,
+      AZURE_SUB_ID             = data.azurerm_subscription.current.subscription_id,
       ARGOCD_GITOPS_REPOSITORY = var.argocd_git_repo,
       GITHUB_TOKEN             = var.gh_token,
       PCC_USER                 = var.pcc_user,

IaC/AKS/gh.tf

@@ -56,3 +56,27 @@ resource "github_actions_secret" "cluster_name" {
   # checkov:skip=CKV_SECRET_6: not a secret
   plaintext_value = azurerm_kubernetes_cluster.aks_cluster.name
 }
+
+resource "github_actions_secret" "blob_endpoint" {
+  count       = var.create_requirements && var.create_storage ? 1 : 0
+  repository  = var.gh_repo
+  secret_name = "BLOB_ENDPOINT"
+  # checkov:skip=CKV_SECRET_6: not a secret
+  plaintext_value = azurerm_storage_account.storage_acc[0].primary_blob_endpoint
+}
+
+resource "github_actions_secret" "container_name" {
+  count       = var.create_requirements && var.create_storage ? 1 : 0
+  repository  = var.gh_repo
+  secret_name = "CONTAINER_NAME"
+  # checkov:skip=CKV_SECRET_6: not a secret
+  plaintext_value = azurerm_storage_container.storage_container[0].name
+}
+
+resource "github_actions_secret" "awi_clientid" {
+  count       = var.create_requirements ? 1 : 0
+  repository  = var.gh_repo
+  secret_name = "AWI_CLIENTID"
+  # checkov:skip=CKV_SECRET_6: not a secret
+  plaintext_value = azurerm_user_assigned_identity.cnappdemo.client_id
+}

IaC/AKS/main.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.31.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  subscription_id = var.subscription_id
+  tenant_id       = var.tenant_id
+  features {}
+  skip_provider_registration = true
+}

IaC/AKS/storage.tf

@@ -0,0 +1,36 @@
+resource "azurerm_storage_account" "storage_acc" {
+  # checkov:skip=CKV_AZURE_59: Public network access required for demo bucket
+  # checkov:skip=CKV2_AZURE_18: No CMK needed for demo bucket
+  # checkov:skip=CKV2_AZURE_1: No CMK needed for demo bucket
+  # checkov:skip=CKV_AZURE_33: No logging needed for demo bucket
+  count                    = var.create_storage ? 1 : 0
+  name                     = "${random_string.password.result}cnappdemo"
+  resource_group_name      = var.create_requirements ? azurerm_resource_group.rg[0].name : var.resource_group_name
+  account_replication_type = "LRS"
+  location                 = var.region
+  account_tier             = "Standard"
+  min_tls_version          = "TLS1_2"
+}
+
+resource "azurerm_storage_container" "storage_container" {
+  # checkov:skip=CKV_AZURE_34: Public access needed for demo purposes
+  # checkov:skip=CKV2_AZURE_21: No logging needed for demo bucket
+  count                 = var.create_storage ? 1 : 0
+  name                  = "${random_string.password.result}cnappdemo"
+  container_access_type = "blob"
+  storage_account_name  = azurerm_storage_account.storage_acc[0].name
+}
+
+resource "azurerm_role_assignment" "storage_blob_data_owner_user" {
+  count                = var.create_storage ? 1 : 0
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_client_config.current.object_id
+  scope                = azurerm_storage_account.storage_acc[0].id
+}
+
+resource "azurerm_role_assignment" "storage_blob_data_owner_pod" {
+  count                = var.create_storage ? 1 : 0
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = azurerm_user_assigned_identity.cnappdemo.principal_id
+  scope                = azurerm_storage_account.storage_acc[0].id
+}

IaC/AKS/variables.tf

@@ -50,6 +50,12 @@ variable "create_acr" {
   default     = false
 }
 
+variable "create_storage" {
+  type        = bool
+  description = "Create Storage account instead of using names from vars."
+  default     = false
+}
+
 variable "acr_tags" {
   type    = map(any)
   default = null

IaC/EKS/argocd.tf

@@ -4,6 +4,7 @@ resource "null_resource" "run_provisioner" {
     environment = {
       CSP                      = "AWS",
       AWS_EKS_NAME             = module.eks.cluster_id,
+      AWS_EKS_VERSION          = module.eks.cluster_version,
       ARGOCD_GITOPS_REPOSITORY = var.argocd_git_repo,
       GITHUB_TOKEN             = var.gh_token,
       PCC_USER                 = var.pcc_user,

IaC/EKS/eks.tf

@@ -18,7 +18,7 @@ module "eks" {
   version = "~> 18.0"
 
   cluster_name    = local.cluster_name_full
-  cluster_version = "1.23"
+  cluster_version = var.cluster_version
 
   cluster_endpoint_private_access = true
   cluster_endpoint_public_access  = true
@@ -214,6 +214,7 @@ resource "helm_release" "aws_load_balancer_controller" {
   name       = "aws-load-balancer-controller"
   chart      = "aws-load-balancer-controller"
   repository = "https://aws.github.io/eks-charts"
+  version    = "1.5.3"
 
   namespace = "kube-system"
 

IaC/EKS/gh.tf

@@ -17,3 +17,10 @@ resource "github_actions_secret" "ecr_repo_name" {
   secret_name     = "REPO_NAME"
   plaintext_value = var.ecr_repo_name
 }
+
+resource "github_actions_secret" "s3_bucket_name" {
+  repository  = var.gh_repo
+  secret_name = "S3_BUCKET_NAME"
+  # checkov:skip=CKV_SECRET_6: not a secret
+  plaintext_value = var.s3_bucket_name
+}

IaC/EKS/s3.tf

@@ -0,0 +1,54 @@
+resource "aws_s3_bucket" "s3b" {
+  # checkov:skip=CKV2_AWS_6: Public access blocks not needed for a demo bucket
+  # checkov:skip=CKV_AWS_145: KMS not needed for a demo bucket
+  # checkov:skip=CKV_AWS_18: Access logging not deeded for a demo bucket
+  # checkov:skip=CKV_AWS_144: Region cross-replication not needed for a demo bucket
+  # checkov:skip=CKV_AWS_21: Versioning not needed for a demo bucket
+  bucket = var.s3_bucket_name
+}
+
+resource "aws_s3_bucket_public_access_block" "pab" {
+  # checkov:skip=CKV_AWS_55: Public access ACL needed for demo purposes.
+  # checkov:skip=CKV_AWS_54: Public access ACL needed for demo purposes.
+  # checkov:skip=CKV_AWS_53: Public access ACL needed for demo purposes.
+  bucket = aws_s3_bucket.s3b.bucket
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "allow_upload" {
+  bucket = aws_s3_bucket.s3b.bucket
+  policy = data.aws_iam_policy_document.allow_upload.json
+}
+
+data "aws_iam_policy_document" "allow_upload" {
+  statement {
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListMultipartUploadParts",
+      "s3:PutObject",
+      "s3:PutObjectAcl"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = [module.eks.eks_managed_node_groups.one.iam_role_arn]
+    }
+    resources = [
+      aws_s3_bucket.s3b.arn,
+      "${aws_s3_bucket.s3b.arn}/*"
+    ]
+  }
+}
+
+resource "aws_s3_bucket_ownership_controls" "object_writer" {
+  bucket = aws_s3_bucket.s3b.bucket
+
+  rule {
+    object_ownership = "ObjectWriter"
+  }
+}

IaC/EKS/variables.tf

@@ -65,3 +65,12 @@ variable "pcc_console" {
   type    = string
   default = null
 }
+
+variable "s3_bucket_name" {
+  type = string
+}
+
+variable "cluster_version" {
+  type    = string
+  default = "1.23"
+}

IaC/GKE/requirements.tf

@@ -15,6 +15,20 @@ resource "google_compute_subnetwork" "subnet" {
   }
 }
 
+resource "google_compute_router" "router" {
+  count   = var.create_requirements ? 1 : 0
+  name    = "${var.prefix}-router"
+  network = google_compute_network.vpc[0].id
+}
+
+resource "google_compute_router_nat" "nat" {
+  count                              = var.create_requirements ? 1 : 0
+  name                               = "${var.prefix}-nat"
+  router                             = google_compute_router.router[0].name
+  nat_ip_allocate_option             = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+}
+
 resource "google_service_account" "service_account" {
   count      = var.create_requirements ? 1 : 0
   account_id = "${var.prefix}-githubaction"

README.md

@@ -83,7 +83,7 @@ __**Vulnerability policies are used as example here. Can be used with compliance
 2. Set WAAS rules to protect your applications from real time attacks.
 >We have unrealistic example in wild.py but any imported module can be the bad actor. Requirements.txt scan of code security should have caught it realistically.
 3. Observe the event and alerts to keep track on production application health.
->Use tools like nuclei to simulate attacks --> nuclei -u http://<API Endpoint>/ -t nuclei-templates/f/
+>Use tools like nuclei to simulate attacks --> nuclei -u http://<API Endpoint>/ -t nuclei-templates/f/ (more info : https://medium.com/@cyb_detective/using-nuclei-for-osint-5-minute-basic-guide-f8764424902b )
 
 ![Runtime policy - PC](img/runtime_policy.png "Runtime policy - PC")
 ![Runtime audit - PC](img/runtime_audit_pc.png "Runtime audit - PC")