terraform-aws-s3-website's Introduction

Hi there 👋

Yay I found a secret. I'll take what I can get any day.

  • 🔭 I’m currently working at NetApp as a DevOps/SRE Team Lead.
  • 🌱 I’m currently learning Swift and everything else I can possibly soak up.
  • 👯 I’m looking to collaborate on anything that helps me avoid meetings.
  • 🤔 I’m looking for help with mental health.
  • 💬 Ask me about anything... if I don't know, I'll find out.
  • 📫 How to reach me: text me.
  • 😄 Pronouns: he/him
  • ⚡ Fun fact: Somehow I am a second degree black belt in TKD. No, I didn't buy it.

terraform-aws-s3-website's People

Contributors

vermyndax

Forkers

hcgrace

terraform-aws-s3-website's Issues

Create content sync IAM user

Should create a content sync IAM user and save the credentials in a GitHub secret, somehow. Maybe create the GitHub repo secrets for the bucket and IAM user API keys.

tfsec issues for v3.0.0

Result 1

[AWS002][ERROR] Resource 'aws_s3_bucket.main_site' does not have logging enabled.
/github/workspace/main.tf:26-68

  23 | }
  24 | 
  25 | # S3 bucket for website, public hosting
  26 | resource "aws_s3_bucket" "main_site" {
  27 |   bucket = random_uuid.random_bucket_name.result
  28 |   # region = var.site_region
  29 | 
  30 |   policy = <<EOF
  31 | {
  32 |   "Id": "bucket_policy_site",
  33 |   "Version": "2012-10-17",
  34 |   "Statement": [
  35 |     {
  36 |       "Sid": "s3_bucket_policy_website",
  37 |       "Action": [
  38 |         "s3:GetObject"
  39 |       ],
  40 |       "Effect": "Allow",
  41 |       "Resource": "arn:aws:s3:::${random_uuid.random_bucket_name.result}/*",
  42 |       "Principal": {
  43 |           "AWS":"*"
  44 |         },
  45 |       "Condition": {
  46 |         "StringEquals": {
  47 |           "aws:UserAgent": "${random_password.random_site_secret.result}"
  48 |         }
  49 |       }
  50 |     }
  51 |   ]
  52 | }
  53 | EOF
  54 | 
  55 | 
  56 |   website {
  57 |     index_document = var.root_page_object
  58 |     error_document = var.error_page_object
  59 |   }
  60 | 
  61 |   versioning {
  62 |     enabled = var.content_bucket_versioning
  63 |   }
  64 | 
  65 |   # tags {
  66 |   # }
  67 |   # force_destroy = true
  68 | }
  69 | 
  70 | resource "aws_s3_bucket_public_access_block" "content_bucket_block" {
  71 |   bucket = aws_s3_bucket.main_site.id

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 2

[AWS002][ERROR] Resource 'aws_s3_bucket.site_www_redirect' does not have logging enabled.
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 3

[AWS077][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' does not have versioning enabled
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification

More Info:

Result 4

[AWS021][ERROR] Resource 'aws_cloudfront_distribution.site_cloudfront_distribution' defines outdated SSL/TLS policies (not using TLSv1.2_2021)
/github/workspace/main.tf:180

 177 |   viewer_certificate {
 178 |     acm_certificate_arn      = var.acm_site_certificate_arn
 179 |     ssl_support_method       = "sni-only"
 180 |     minimum_protocol_version = "TLSv1.2_2019"
 181 |   }
 182 | 
 183 |   restrictions {

Impact: Outdated SSL policies increase exposure to known vulnerabilities
Resolution: Use the most modern TLS/SSL policies available

More Info:

Result 5

[AWS045][WARNING] Resource 'aws_cloudfront_distribution.site_cloudfront_distribution' does not have a WAF in front of it.
/github/workspace/main.tf:127-188

 124 | }
 125 | 
 126 | # CloudFront distribution
 127 | resource "aws_cloudfront_distribution" "site_cloudfront_distribution" {
 128 |   origin {
 129 |     domain_name = aws_s3_bucket.main_site.website_endpoint
 130 |     origin_id   = "origin-bucket-${random_uuid.random_bucket_name.result}"
 131 | 
 132 |     custom_origin_config {
 133 |       origin_protocol_policy = "http-only"
 134 |       http_port              = "80"
 135 |       https_port             = "443"
 136 |       origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
 137 |     }
 138 | 
 139 |     custom_header {
 140 |       name  = "User-Agent"
 141 |       value = random_password.random_site_secret.result
 142 |     }
 143 |   }
 144 | 
 145 |   logging_config {
 146 |     include_cookies = var.log_include_cookies
 147 |     bucket          = aws_s3_bucket.site_cloudfront_logs.bucket_domain_name
 148 |     prefix          = "${local.site_tld_shortname}-"
 149 |   }
 150 | 
 151 |   enabled             = true
 152 |   default_root_object = var.root_page_object
 153 |   aliases             = [var.site_tld, "www.${var.site_tld}"]
 154 |   price_class         = var.cloudfront_price_class
 155 |   retain_on_delete    = true
 156 | 
 157 |   default_cache_behavior {
 158 |     allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
 159 |     cached_methods   = ["GET", "HEAD"]
 160 |     target_origin_id = "origin-bucket-${random_uuid.random_bucket_name.result}"
 161 | 
 162 |     forwarded_values {
 163 |       query_string = true
 164 | 
 165 |       cookies {
 166 |         forward = "none"
 167 |       }
 168 |     }
 169 | 
 170 |     viewer_protocol_policy = "redirect-to-https"
 171 |     compress               = true
 172 |     min_ttl                = 0
 173 |     default_ttl            = 3600
 174 |     max_ttl                = 86400
 175 |   }
 176 | 
 177 |   viewer_certificate {
 178 |     acm_certificate_arn      = var.acm_site_certificate_arn
 179 |     ssl_support_method       = "sni-only"
 180 |     minimum_protocol_version = "TLSv1.2_2019"
 181 |   }
 182 | 
 183 |   restrictions {
 184 |     geo_restriction {
 185 |       restriction_type = "none"
 186 |     }
 187 |   }
 188 | }
 189 | 
 190 | # DNS entry pointing to public site - optional
 191 | 

Impact: Complex web application attacks can more easily be performed without a WAF
Resolution: Enable WAF for the CloudFront distribution

More Info:

Result 6

[AWS017][ERROR] Resource 'aws_s3_bucket.main_site' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:26-68

  23 | }
  24 | 
  25 | # S3 bucket for website, public hosting
  26 | resource "aws_s3_bucket" "main_site" {
  27 |   bucket = random_uuid.random_bucket_name.result
  28 |   # region = var.site_region
  29 | 
  30 |   policy = <<EOF
  31 | {
  32 |   "Id": "bucket_policy_site",
  33 |   "Version": "2012-10-17",
  34 |   "Statement": [
  35 |     {
  36 |       "Sid": "s3_bucket_policy_website",
  37 |       "Action": [
  38 |         "s3:GetObject"
  39 |       ],
  40 |       "Effect": "Allow",
  41 |       "Resource": "arn:aws:s3:::${random_uuid.random_bucket_name.result}/*",
  42 |       "Principal": {
  43 |           "AWS":"*"
  44 |         },
  45 |       "Condition": {
  46 |         "StringEquals": {
  47 |           "aws:UserAgent": "${random_password.random_site_secret.result}"
  48 |         }
  49 |       }
  50 |     }
  51 |   ]
  52 | }
  53 | EOF
  54 | 
  55 | 
  56 |   website {
  57 |     index_document = var.root_page_object
  58 |     error_document = var.error_page_object
  59 |   }
  60 | 
  61 |   versioning {
  62 |     enabled = var.content_bucket_versioning
  63 |   }
  64 | 
  65 |   # tags {
  66 |   # }
  67 |   # force_destroy = true
  68 | }
  69 | 
  70 | resource "aws_s3_bucket_public_access_block" "content_bucket_block" {
  71 |   bucket = aws_s3_bucket.main_site.id

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

Result 7

[AWS075][ERROR] Resource 'aws_s3_bucket_public_access_block.content_bucket_block' sets restrict_public_buckets explicitly to false
/github/workspace/main.tf:76

  73 |   block_public_acls       = true
  74 |   block_public_policy     = true
  75 |   ignore_public_acls      = true
  76 |   restrict_public_buckets = false    bool: false
  77 | }
  78 | 
  79 | 

Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Info:

Result 8

[AWS017][ERROR] Resource 'aws_s3_bucket.site_www_redirect' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

Result 9

[AWS077][ERROR] Resource 'aws_s3_bucket.site_www_redirect' does not have versioning enabled
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification

More Info:

Result 10

[AWS002][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' does not have logging enabled.
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 11

[AWS017][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

times

disk i/o 3.095124ms
parsing HCL 14.1µs
evaluating values 430.403µs
running checks 777.406µs

counts

files loaded 4
blocks 36
evaluated blocks 36
modules 0
module blocks 0
ignored checks 0

11 potential problems detected.

Fully blocking public access also blocks CloudFront

In testing #84 it became apparent that doing a full block on the content bucket for public access would also block CloudFront. Need to turn off: Block public and cross-account access to buckets and objects through any public bucket or access point policies
