From 11f7fae93c98d8403cb083ed7e0329c7f9016032 Mon Sep 17 00:00:00 2001 From: Marina Limeira Date: Fri, 3 Mar 2023 21:11:18 +0100 Subject: [PATCH] Fixes on the guide --- ...ve-infrastructure-is-cis-v1.4-compliant.md | 88 ++++++++++++++++-- ...runtwork-infrastructure-as-code-library.md | 14 ++- ...p-3-update-the-account-baseline-modules.md | 3 +- .../step-4-verify-the-code-changes.md | 6 ++ ...ve-infrastructure-is-cis-v1.4-compliant.md | 90 +++++++++++++++++-- ...runtwork-infrastructure-as-code-library.md | 16 +++- ...p-3-update-the-account-baseline-modules.md | 5 +- .../step-4-verify-the-code-changes.md | 8 +- 8 files changed, 204 insertions(+), 26 deletions(-) diff --git a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md index b17b631f2a..2b48573a13 100644 --- a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md +++ b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md @@ -32,14 +32,27 @@ Next install the AWS plugin with Steampipe: steampipe plugin install aws ``` -## 1.2 Configure Steampipe with AWS credentials +## 1.2 Configure Steampipe to analyze all regions + +The file `~/.steampipe/config/aws.spc`, that is created by Steampipe, needs to be updated to analyze all regions, +by adding `regions = ["*"]`. Otherwise, multi-regions resouces, like AWS Config, IAM Access Analyzer will fail in the check: + +```hcl +connection "aws" { + plugin = "aws" + + # You may connect to one or more regions. If `regions` is not specified, + # Steampipe will use a single default region using the same resolution + # order as the AWS CLI: + # 1. The `AWS_DEFAULT_REGION` or `AWS_REGION` environment variable + # 2. The region specified in the active profile (`AWS_PROFILE` or default) + regions = ["*"] # <- Update this line + + # ... other existing config +} +``` -The [Steampipe AWS plugin](https://hub.steampipe.io/plugins/turbot/aws) supports a range of options for granting -Steampipe access to your AWS accounts. -In order for the compliance checks to work correctly, you need to: -- Configure [multi-region connections](https://hub.steampipe.io/plugins/turbot/aws#multi-region-connections) so that Steampipe can access to all the regions you are using -- Configure [multi-account connections](https://hub.steampipe.io/plugins/turbot/aws#multi-account-connections) so that Steampipe can access all the accounts you are using ## 1.3 Clone the Steampipe AWS Compliance Mod @@ -74,8 +87,69 @@ aws-vault exec dev -- aws iam generate-credential-report aws-vault exec dev -- steampipe check aws_compliance.benchmark.cis_v140 ``` +### In case not all checks pass + +:::caution + +If you have failing checks, then there are manual steps necessary to your infrastructure achieve CIS compliance. + +::: + +After deploying a CIS Reference Architecture, there are steps that unfortunately can't be automated. See the [Manual steps](/guides/build-it-yourself/achieve-compliance/deployment-walkthrough/manual-steps) page, with step-by-step instructions +to achieve complience. + + +:::note + +If you Reference Architecture was deployed before February 9th 2023, there are two extra steps that need to be followed: + +::: + +#### Enable `ap-northeast-3` at your `multi_region_common.hcl` + +Add `ap-northeast-3` to the `opt_in_regions` local variable in `multi_region_common.hcl`. + +```hcl title=multi_region_common.hcl +# ---------------------------------------------------------------------------------------------------------------- +# MULTIREGION CONVENIENCE LOCALS +# The following locals are used for constructing multi region provider configurations for the underlying module. +# ---------------------------------------------------------------------------------------------------------------- +locals { + # Creates resources in the specified regions. The best practice is to enable multiregion modules in all enabled + # regions in your AWS account. To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws + # ec2 describe-regions. + opt_in_regions = [ + ... + "ap-northeast-3" + ] + + # ... other vars omitted for brevity ... +``` + +There is a new region `me-central-1`, that you will need to add in the `multi_region_common.hcl` after doing the version updates. + +### Enable AWS Organizations metrics filter + +If the `4.15` recommendation is also failing, it's because the filter is still not created in the account. So in the +files `_envcommon/landingzone/account-baseline-app/account-baseline-app-base.hcl` and `security/_global/account-baseline/terragrunt.hcl`, +Add this a variable: + +```hcl +inputs = { + # ... other variables above + + cloudtrail_benchmark_alarm_enable_organizations_filters = true +} +``` + +Run `terragrunt apply` in each account to create the new metric filter. + +If the check is still not working, the release [v0.44.1](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.44.1) +of the CIS Service Catalog contains a fix for the filter match Steampipe's query. In the next steps you will update +the versions of CIS Service Catalog (and some other services) to the latest, so it will be fixed. + ## Next steps If you've confirmed that your live infrastructure is compliant with the CIS AWS Foundations Benchmark v1.4 then you're ready to move to [step 2](step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md) and update your -references to the Gruntwork Infrastructure as Code Library. Otherwise, if some checks are failing you should check the [Manual steps](/guides/build-it-yourself/achieve-compliance/deployment-walkthrough/manual-steps) section, that contains extra steps to achieve CIS compliance. +references to the Gruntwork Infrastructure as Code Library. diff --git a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md index 2065fe4d37..38709a36da 100644 --- a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md +++ b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md @@ -184,16 +184,16 @@ Access Token with `repo` and `org` scope and set the environment variable `G export GITHUB_OAUTH_TOKEN="" ``` -Next, in your terminal navigate to the directory with your CIS `infrastructure-live` code and run Patcher’s `upgrade cis` command: +Next, in your terminal navigate to the directory with your CIS `infrastructure-live` code and run Patcher’s `upgrade cis` command once on each environment (dev, prod, stage, security etc): ```bash cd +cd dev patcher upgrade cis ``` -Patcher will then scan your current directory and its subdirectories, looking for the files containing Terraform or Terragrunt -dependencies. +Patcher will then scan your current directory and its subdirectories, looking for the files containing Terraform or Terragrunt dependencies. #### Analysis of module usage @@ -234,10 +234,18 @@ You must run the migration scripts. Failing to do so will result in data loss. ::: When Patcher completes successfully it provides a list migration scripts that need to be run before proceeding. +In order to see the full path of the new scripts, run `git status`, and they will appear as a new file. ![Screenshot of Patcher's summary.](/img/guides/stay-up-to-date/cis-1.5.0/patcher-summary.png) +Example: + +```bash +cd us-west-2/dev/data-stores/rds/ +aws-vault exec dev -- ./01_state_mv_rds_database.sh +``` + ### Next Steps :::caution diff --git a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md index 4aa18db5bc..5d732d20e1 100644 --- a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md +++ b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md @@ -47,4 +47,5 @@ For Terraform, follow the migration guide in [the migration guide of the release If you have successfully completed step 3.1 then you should now move to [step 4](step-4-verify-the-code-changes) in order to verify the changes that have been made. We strongly recommend that you verify the changes that have been -made before executing `terraform/terragrunt apply`. +made _before_ executing `terraform/terragrunt apply`. + diff --git a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md index 00e82f9cae..f0f31a1d62 100644 --- a/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md +++ b/_docs-sources/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md @@ -106,5 +106,11 @@ When applying the changes manually, you can run `terragrunt run-all apply` insid security, shared etc), and waiting them to successful update before applying the changes before the next one, e.g. wait for `dev` to successfully finish before applying `prod`. +Example of using Terragrunt, after running Patcher in the `dev` folder: +``` +aws-vault exec dev -- terragrunt run-all init +aws-vault exec dev -- terragrunt run-all apply +``` + After the changes have been applied we recommend you complete [step 5](step-5-check-your-live-infrastructure-is-cis-v1.5-compliant) and confirm that your infrastructure is now CIS AWS Foundations Benchmark v1.5.0 compliant. diff --git a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md index 58da94b3f6..fb72b31b26 100644 --- a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md +++ b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-1-check-your-live-infrastructure-is-cis-v1.4-compliant.md @@ -32,14 +32,27 @@ Next install the AWS plugin with Steampipe: steampipe plugin install aws ``` -## 1.2 Configure Steampipe with AWS credentials +## 1.2 Configure Steampipe to analyze all regions + +The file `~/.steampipe/config/aws.spc`, that is created by Steampipe, needs to be updated to analyze all regions, +by adding `regions = ["*"]`. Otherwise, multi-regions resouces, like AWS Config, IAM Access Analyzer will fail in the check: + +```hcl +connection "aws" { + plugin = "aws" + + # You may connect to one or more regions. If `regions` is not specified, + # Steampipe will use a single default region using the same resolution + # order as the AWS CLI: + # 1. The `AWS_DEFAULT_REGION` or `AWS_REGION` environment variable + # 2. The region specified in the active profile (`AWS_PROFILE` or default) + regions = ["*"] # <- Update this line + + # ... other existing config +} +``` -The [Steampipe AWS plugin](https://hub.steampipe.io/plugins/turbot/aws) supports a range of options for granting -Steampipe access to your AWS accounts. -In order for the compliance checks to work correctly, you need to: -- Configure [multi-region connections](https://hub.steampipe.io/plugins/turbot/aws#multi-region-connections) so that Steampipe can access to all the regions you are using -- Configure [multi-account connections](https://hub.steampipe.io/plugins/turbot/aws#multi-account-connections) so that Steampipe can access all the accounts you are using ## 1.3 Clone the Steampipe AWS Compliance Mod @@ -74,16 +87,77 @@ aws-vault exec dev -- aws iam generate-credential-report aws-vault exec dev -- steampipe check aws_compliance.benchmark.cis_v140 ``` +### In case not all checks pass + +:::caution + +If you have failing checks, then there are manual steps necessary to your infrastructure achieve CIS compliance. + +::: + +After deploying a CIS Reference Architecture, there are steps that unfortunately can't be automated. See the [Manual steps](/guides/build-it-yourself/achieve-compliance/deployment-walkthrough/manual-steps) page, with step-by-step instructions +to achieve complience. + + +:::note + +If you Reference Architecture was deployed before February 9th 2023, there are two extra steps that need to be followed: + +::: + +#### Enable `ap-northeast-3` at your `multi_region_common.hcl` + +Add `ap-northeast-3` to the `opt_in_regions` local variable in `multi_region_common.hcl`. + +```hcl title=multi_region_common.hcl +# ---------------------------------------------------------------------------------------------------------------- +# MULTIREGION CONVENIENCE LOCALS +# The following locals are used for constructing multi region provider configurations for the underlying module. +# ---------------------------------------------------------------------------------------------------------------- +locals { + # Creates resources in the specified regions. The best practice is to enable multiregion modules in all enabled + # regions in your AWS account. To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws + # ec2 describe-regions. + opt_in_regions = [ + ... + "ap-northeast-3" + ] + + # ... other vars omitted for brevity ... +``` + +There is a new region `me-central-1`, that you will need to add in the `multi_region_common.hcl` after doing the version updates. + +### Enable AWS Organizations metrics filter + +If the `4.15` recommendation is also failing, it's because the filter is still not created in the account. So in the +files `_envcommon/landingzone/account-baseline-app/account-baseline-app-base.hcl` and `security/_global/account-baseline/terragrunt.hcl`, +Add this a variable: + +```hcl +inputs = { + # ... other variables above + + cloudtrail_benchmark_alarm_enable_organizations_filters = true +} +``` + +Run `terragrunt apply` in each account to create the new metric filter. + +If the check is still not working, the release [v0.44.1](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.44.1) +of the CIS Service Catalog contains a fix for the filter match Steampipe's query. In the next steps you will update +the versions of CIS Service Catalog (and some other services) to the latest, so it will be fixed. + ## Next steps If you've confirmed that your live infrastructure is compliant with the CIS AWS Foundations Benchmark v1.4 then you're ready to move to [step 2](step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md) and update your -references to the Gruntwork Infrastructure as Code Library. Otherwise, if some checks are failing you should check the [Manual steps](/guides/build-it-yourself/achieve-compliance/deployment-walkthrough/manual-steps) section, that contains extra steps to achieve CIS compliance. +references to the Gruntwork Infrastructure as Code Library. diff --git a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md index a679d86db1..b368ba601c 100644 --- a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md +++ b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-2-update-references-to-the-gruntwork-infrastructure-as-code-library.md @@ -184,16 +184,16 @@ Access Token with `repo` and `org` scope and set the environment variable `G export GITHUB_OAUTH_TOKEN="" ``` -Next, in your terminal navigate to the directory with your CIS `infrastructure-live` code and run Patcher’s `upgrade cis` command: +Next, in your terminal navigate to the directory with your CIS `infrastructure-live` code and run Patcher’s `upgrade cis` command once on each environment (dev, prod, stage, security etc): ```bash cd +cd dev patcher upgrade cis ``` -Patcher will then scan your current directory and its subdirectories, looking for the files containing Terraform or Terragrunt -dependencies. +Patcher will then scan your current directory and its subdirectories, looking for the files containing Terraform or Terragrunt dependencies. #### Analysis of module usage @@ -234,10 +234,18 @@ You must run the migration scripts. Failing to do so will result in data loss. ::: When Patcher completes successfully it provides a list migration scripts that need to be run before proceeding. +In order to see the full path of the new scripts, run `git status`, and they will appear as a new file. ![Screenshot of Patcher's summary.](/img/guides/stay-up-to-date/cis-1.5.0/patcher-summary.png) +Example: + +```bash +cd us-west-2/dev/data-stores/rds/ +aws-vault exec dev -- ./01_state_mv_rds_database.sh +``` + ### Next Steps :::caution @@ -306,6 +314,6 @@ If you have successfully completed manually updating the modules to the minimum diff --git a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md index 73b41da4cb..60f08bf12f 100644 --- a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md +++ b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-3-update-the-account-baseline-modules.md @@ -47,12 +47,13 @@ For Terraform, follow the migration guide in [the migration guide of the release If you have successfully completed step 3.1 then you should now move to [step 4](step-4-verify-the-code-changes) in order to verify the changes that have been made. We strongly recommend that you verify the changes that have been -made before executing `terraform/terragrunt apply`. +made _before_ executing `terraform/terragrunt apply`. + diff --git a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md index fe84ca7314..a68002df85 100644 --- a/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md +++ b/docs/guides/stay-up-to-date/cis/cis-1.5.0/deployment-walkthrough/step-4-verify-the-code-changes.md @@ -106,6 +106,12 @@ When applying the changes manually, you can run `terragrunt run-all apply` insid security, shared etc), and waiting them to successful update before applying the changes before the next one, e.g. wait for `dev` to successfully finish before applying `prod`. +Example of using Terragrunt, after running Patcher in the `dev` folder: +``` +aws-vault exec dev -- terragrunt run-all init +aws-vault exec dev -- terragrunt run-all apply +``` + After the changes have been applied we recommend you complete [step 5](step-5-check-your-live-infrastructure-is-cis-v1.5-compliant) and confirm that your infrastructure is now CIS AWS Foundations Benchmark v1.5.0 compliant. @@ -113,6 +119,6 @@ and confirm that your infrastructure is now CIS AWS Foundations Benchmark v1.5.0