[IAC-1866] CIS AWS v1.4 migration guide #512
Conversation
marinalimeira
requested review from
eak12913,
josh-padnick,
oredavids and
tsmit291
as code owners
|
✔️ Deploy Preview for keen-clarke-470db9 ready! 🔨 Explore the source changes: 63bc2f7 🔍 Inspect the deploy log: https://app.netlify.com/sites/keen-clarke-470db9/deploys/6144698f75e8fb00076374f7 😎 Browse the preview: https://deploy-preview-512--keen-clarke-470db9.netlify.app |
Co-authored-by: Rob Morgan <robbym@gmail.com>
Co-authored-by: Rob Morgan <robbym@gmail.com>
There was a problem hiding this comment.
This looks really good so far! I've got pretty much 2 main notes, and everything else is really a NIT & safe to ignore:
- I think in 1 place we mention that we've fixed a bug on top of the CIS 1.4 changes. I think this is good info, but probably to me it makes more sense that this lives in the release notes. We could alternatively have a section to mention explicitly what we've done in addition to CIS 1.4 within this migration guide. Thoughts?
- We've no way to indicate that the migration guide finsihes after the Macie section. We could add a "summary" section reminding users about the previous versions of this guide (we've already got this, but maybe it could live at the end of the guide); or we could also use just a simple final sentence, e.g.:
Woop! You're all done. Thanks for following this guide, please reach out to us if you've got any questions or feedback and we're happy to respond!
These notes are just my personal observations. Let me know what your thoughts are @marinalimeira @infraredgirl @robmorgan
Co-authored-by: Ana Krivokapić <ana@gruntwork.io>
|
A couple of issues I've spotted with the current state of the PR - curious to hear everyone's thoughts:
|
Ah, I missed this message. Totally agreed! I moved the sections earlier. @infraredgirl I am running the Macie manual steps and it mentions that:
The default for this variable is false, so I couldn't see a bucket created by macie. This applies for the
The default for this variable is also false. This applies for the We can update these instructions by:
What do you think? |
Good point! Assuming that the |
Oh, that's great! I hadn't checked the latest changes, and was here to update it exactly in the way both of you have done already! Nicee!! |
|
Here's a couple of thoughts:
|
…io.github.io into cis-14-migration
robmorgan
changed the title
|
Ready for review. |
Also, simplify Macie configuration changes.
| 1. https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.23.0[v0.23.0]: Refactored the | ||
| SecurityHub module to remove a Python script that managed invitations between the AWS accounts. It's necessary to run a | ||
| state migration to manage the invitations with Terraform. | ||
| 2. https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.24.0[v0.24.0]: This release introduces MFA Delete. You will need to follow the migration guide to ensure all S3 buckets are properly secured. Note: It is unlikely you will need to perform this step on the AWS root account as they typically don't contain S3 buckets. Please ensure you migrate all other AWS accounts. |
There was a problem hiding this comment.
NIT: If you use account-baseline-root, you'll likely have the Terraform state bucket in root.
| Changes in recommendations (both additions and removals) are listed below. You can think of these as a "diff" | ||
| between versions 1.3.0 and 1.4.0. |
There was a problem hiding this comment.
NIT: to see the diff between versions 1.2.0 and 1.3.0, check out our guide (link).
| The account baseline modules had three breaking changes between versions v0.22.0 and v0.27.0. We must manually run | ||
| these migration steps before updating the module versions. |
There was a problem hiding this comment.
NIT: this phrasing could be a bit misleading. I think what you want users to do is:
- Bump the version numbers everywhere to
v0.27.0or above. - Run the state migrations below.
- Run
plan. - You should see diffs (...).
- If all looks good, run
apply.
Is that right? If so, considering clarifying that in the guide, and perhaps even showing a step-by-step example with one module. E.g.,
-
Here's module
fooat versionX:module "foo" { source = "...?ref=X" }
-
First, we update
footo versionY:module "foo" { source = "...?ref=Y" }
-
Now, three of the releases between
YandXrequired state migrations. You'd run those like this:terraform state mv <old> <new>
-
Now run
plan. You should see diffs (...). -
If all looks good, run
apply.
| Additionally, earlier versions of the account baseline modules did not set the following variables, so please ensure | ||
| that they exist. Here is https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/v0.27.0/examples/for-production/infrastructure-live/logs/_global/account-baseline/terragrunt.hcl#L281[an example] of what you might set the values to for the prod account. | ||
|
|
||
| - `var.config_central_account_id` | ||
| - `var.security_hub_associate_to_master_account_id` | ||
| - `var.config_opt_in_regions` | ||
| - `var.guardduty_opt_in_regions` | ||
| - `var.kms_cmk_opt_in_regions` | ||
| - `var.iam_access_analyzer_opt_in_regions` | ||
| - `var.ebs_opt_in_regions` | ||
| - `var.security_hub_opt_in_regions` | ||
| - `var.macie_opt_in_regions` |
There was a problem hiding this comment.
NIT: This also has a little room for confusion. By listing var.xxx, it could be misunderstood the user needs to add new variables to their code, whereas what you want is for them to set those params in the modules you're using. Perhaps the clearer way to show this is to put them in a code block that looks like you are setting the vars, along with an explanation of what value is needed?
E.g.,:
module "account_baseline" {
source = "..."
# Add these new input vars if you don't have them already:
# Set this to (explanation)
config_central_account_id = "..."
# Set this to (explanation)
security_hub_associate_to_master_account_id = "..."
}| - `var.security_hub_opt_in_regions` | ||
| - `var.macie_opt_in_regions` | ||
|
|
||
| Once you have completed the above migration steps, it is time to update each baseline module to at least version https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v0.27.0[v0.27.0] and run Terraform/Terragrunt apply. Typically this is done using the `source` parameter: |
There was a problem hiding this comment.
As per two comments above, this seems wrong; the state mv won't work properly unless you update to the new version first.
| git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/landingzone/account-baseline-root?ref=v0.27.0 | ||
| ---- | ||
|
|
||
| Now execute Terraform/Terragrunt `apply`. It should take approximately ~30 minutes to apply the account baseline |
There was a problem hiding this comment.
Why? What is it doing during those 30 min?
| macie_kms_key_users = ["arn:aws:iam::${local.accounts[local.account_name]}:root"] | ||
| macie_opt_in_regions = local.opt_in_regions | ||
|
|
||
| # The variable below for Amazon Macie needs to be manually maintained. Please ensure you change the defaults. |
There was a problem hiding this comment.
NIT: wrap the comment to avoid horizontal scrolling here and below.
|
|
||
| Enabling MFA Delete in your bucket adds another layer of security by requiring MFA in any request to delete a version or change the versioning state of the bucket. | ||
|
|
||
| The attribute `mfa_delete` is only used by Terraform to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete[reflect the current state of the bucket]. It is not possible to create a bucket if the `mfa_delete` is `true`, because it needs to be activated https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[using AWS CLI or the API]. |
There was a problem hiding this comment.
NIT: Add a sentence or two of context here first... Something like:
Unfortunately, the way AWS built the MFA delete feature is currently quite hard to use. Due to AWS API limitations, Terraform can't configure MFA delete on S3 buckets; you must first do it using the aws CLI, and then, after that, set mfa_delete = true in your Terraform code to reflect the update. Moreover, to enable MFA delete, you must authenticate as the root user of the AWS account that owns the bucket, and pass in a different MFA token value for every single bucket where you enable MFA delete. We've tried to make it as easy as we can, but due to how AWS built this feature, it is still quite tedious.
|
|
||
| 1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_add-key[Create access keys for the root user] | ||
| 1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa[Configure MFA for the root user] | ||
| 1. Create a bucket with `mfa_delete=false`. |
There was a problem hiding this comment.
NITs: We should specify which of our modules creates S3 buckets, and therefore, exposes this param. E.g., "If you're using private-s3-bucket or account-baseline-xxx, these all expose an mfa_delete param that should initially be set to false."
| to add support for specifying all buckets in a region. | ||
|
|
||
| [[known_issues]] | ||
| ==== Known Issues |
|
Thanks for the review! In the interest of getting this out the door, I'll merge this as-is, and open an issue to track the comments left here. |
|
Bug to track remaining issues: #644. |
Preview: https://deploy-preview-512--keen-clarke-470db9.netlify.app/guides/upgrades/how-to-update-to-cis-14/