Merge branch 'master' into BFD-3723

CMSgov · Nov 26, 2024 · b70ed60 · b70ed60
2 parents b21543a + 2ddc3b3
commit b70ed60
Show file tree

Hide file tree

Showing 13 changed files with 125 additions and 106 deletions.
diff --git a/ops/packer/scripts/platinum/03-install-security-updates.sh b/ops/packer/scripts/platinum/03-install-security-updates.sh
@@ -2,3 +2,6 @@
 
 # Apply security patches
 sudo yum update-minimal --security -y
+
+# Aggressively reconfigure grub configuration
+sudo grub2-mkconfig -o /boot/grub2/grub.cfg
diff --git a/ops/terraform/env/mgmt/README.md b/ops/terraform/env/mgmt/README.md
@@ -44,10 +44,12 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_iam_group_policy_attachment.app_engineers_ec2_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_group_policy_attachment.app_engineers_s3_integration_tests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_group_policy_attachment.app_engineers_vpc_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_instance_profile.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
 | [aws_iam_policy.bfd_ssm_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_ci_ops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_actions_s3its](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -57,13 +59,13 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_iam_policy.jenkins_permission_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.jenkins_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.packer_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.packer_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.packer_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.rda_ec2_instance_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.rda_ssm_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_integration_tests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudbees](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_kms_alias.data_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_alias.data_keys_alt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.data_keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -157,7 +159,7 @@ The management or `mgmt` environment is home to some higher-order resources that
 | [aws_ssm_parameter.bcda_aws_account_number](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cbc_aws_account_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cpm_aws_account_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
-| [aws_ssm_parameters_by_path.common_sensitive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
+| [aws_ssm_parameters_by_path.params](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_ssm_parameters_by_path.sensitive_quicksight_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_vpc.internal_r53_hz_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

diff --git a/ops/terraform/env/mgmt/iam.tf b/ops/terraform/env/mgmt/iam.tf
@@ -1,90 +1,25 @@
-#TODO: Determine if the bfd-packages sees continued use
-resource "aws_iam_policy" "packer_s3" {
-  description = "packer S3 Policy"
-  name        = "bfd-${local.env}-packer-s3"
+resource "aws_iam_policy" "ec2_instance_tags_ro" {
+  description = "Global EC2 Instances and Tags RO Policy"
+  name        = "bfd-${local.env}-ec2-instance-tags-ro"
   path        = "/"
   policy      = <<-POLICY
 {
+  "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "EC2InstanceTagsRO",
       "Action": [
-        "s3:GetObjectAcl",
-        "s3:GetObject",
-        "s3:GetObjectVersionAcl",
-        "s3:GetObjectTagging",
-        "s3:ListBucket",
-        "s3:GetObjectVersion"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "arn:aws:s3:::bfd-packages/*",
-        "arn:aws:s3:::bfd-packages"
-      ],
-      "Sid": "BFDProfile"
-    }
-  ],
-  "Version": "2012-10-17"
-}
-POLICY
-
-}
-
-resource "aws_iam_policy" "packer_ssm" {
-  description = "Policy granting permission for bfd-packer profiled instances to access some common SSM hierarchies"
-  name        = "bfd-${local.env}-packer-ssm"
-  path        = "/"
-  policy      = <<-POLICY
-{
-  "Statement": [
-    {
-      "Action": [
-        "ssm:GetParametersByPath",
-        "ssm:GetParameters",
-        "ssm:GetParameter"
+        "ec2:DescribeTags",
+        "ec2:DescribeInstances"
       ],
       "Effect": "Allow",
-      "Resource": [
-        %{for env in local.established_envs~}
-        "arn:aws:ssm:us-east-1:${local.account_id}:parameter/bfd/${env}/common/*",
-        %{endfor~}
-        "arn:aws:ssm:us-east-1:${local.account_id}:parameter/bfd/${local.env}/common/*"
-      ],
-      "Sid": "BFDProfile"
+      "Resource": "*"
     }
-  ],
-  "Version": "2012-10-17"
+  ]
 }
 POLICY
 }
 
-resource "aws_iam_policy" "packer_kms" {
-  description = "Policy granting permission for bfd-packer profiled instances to decrypt using mgmt and established environment KMS keys"
-  name        = "bfd-${local.env}-packer-kms"
-  path        = "/"
-  policy = jsonencode(
-    {
-      "Statement" : [
-        {
-          "Action" : ["kms:Decrypt"],
-          "Effect" : "Allow",
-          "Resource" : concat(
-            [
-              "${local.bfd_insights_kms_key_id}",
-              "${local.kms_key_id}",
-              "${local.tf_state_kms_key_id}",
-              "${local.test_kms_key_id}",
-              "${local.prod_sbx_kms_key_id}",
-              "${local.prod_kms_key_id}"
-            ],
-            local.all_kms_config_key_arns
-          )
-        }
-      ],
-      "Version" : "2012-10-17"
-    }
-  )
-}
-
 resource "aws_iam_policy" "code_artifact_rw" {
   description = "CodeArtifact read/write permissions"
   name        = "bfd-${local.env}-codeartifact-rw"

diff --git a/ops/terraform/env/mgmt/packer-iam.tf b/ops/terraform/env/mgmt/packer-iam.tf
@@ -0,0 +1,88 @@
+resource "aws_iam_policy" "packer_ssm" {
+  description = "Policy granting permission for bfd-packer profiled instances to access some common SSM hierarchies"
+  name        = "bfd-${local.env}-packer-ssm"
+  path        = "/"
+  policy      = <<-POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "ssm:GetParametersByPath",
+        "ssm:GetParameters",
+        "ssm:GetParameter"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        %{for env in local.established_envs~}
+        "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/${env}/common/*",
+        %{endfor~}
+        "arn:aws:ssm:${local.region}:${local.account_id}:parameter/bfd/${local.env}/common/*"
+      ],
+      "Sid": "BFDProfile"
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}
+
+resource "aws_iam_policy" "packer_kms" {
+  description = "Policy granting permission for bfd-packer profiled instances to decrypt using mgmt and established environment KMS keys"
+  name        = "bfd-${local.env}-packer-kms"
+  path        = "/"
+  policy = jsonencode(
+    {
+      "Statement" : [
+        {
+          "Action" : ["kms:Decrypt"],
+          "Effect" : "Allow",
+          "Resource" : concat(
+            [
+              local.bfd_insights_kms_key_id,
+              local.kms_key_id,
+              local.tf_state_kms_key_id,
+              local.test_kms_key_id,
+              local.prod_sbx_kms_key_id,
+              local.prod_kms_key_id
+            ],
+            local.all_kms_config_key_arns
+          )
+        }
+      ],
+      "Version" : "2012-10-17"
+    }
+  )
+}
+
+resource "aws_iam_role" "packer" {
+  assume_role_policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = "sts:AssumeRole"
+          Effect = "Allow"
+          Principal = {
+            Service = "ec2.amazonaws.com"
+          }
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+  description           = "Allows EC2 instances to call AWS services on your behalf."
+  force_detach_policies = false
+  managed_policy_arns = [
+    aws_iam_policy.packer_ssm.arn,
+    aws_iam_policy.packer_kms.arn,
+    aws_iam_policy.ec2_instance_tags_ro.arn,
+  ]
+  max_session_duration = 3600
+  name                 = "bfd-packer"
+  path                 = "/"
+}
+
+resource "aws_iam_instance_profile" "packer" {
+  name = aws_iam_role.packer.name
+  role = aws_iam_role.packer.name
+  path = "/"
+}
diff --git a/ops/terraform/services/base/values/prod-sbx.yaml b/ops/terraform/services/base/values/prod-sbx.yaml
@@ -699,36 +699,6 @@
   xRsAXUHSKEyIBJt4aSIEBaR01X3pxveAq0PyM5uR156thHJmIsVZFdRvHbotbuQL
   m2Xpzw==
   -----END CERTIFICATE-----
-/bfd/${env}/server/nonsensitive/client_certificates/prod_sbx_cms_pen_test: |-
-  -----BEGIN CERTIFICATE-----
-  MIIFAjCCAuqgAwIBAgIIJBgqj6NzvU4wDQYJKoZIhvcNAQEMBQAwHzEdMBsGA1UE
-  AxMUcHJvZC1zYnguYmZkLmNtcy5nb3YwHhcNMjMwODI4MTkyMjQ1WhcNMjUwODI3
-  MTkyMjQ1WjAfMR0wGwYDVQQDExRwcm9kLXNieC5iZmQuY21zLmdvdjCCAiIwDQYJ
-  KoZIhvcNAQEBBQADggIPADCCAgoCggIBAK15oNoNk5wf8K2EQyXHIDqVlYdCDSp6
-  yFzNShHg0krg+lUb714cfnKwzvNZrXHnRx2OFW6rDkgW2pkK1hwVhRgR5V73iDFv
-  RpH8YM6eVWyDRmDaMlzxcOqYWJbziKO5YOyG+HxXsZGnS6RPcudReq/n63Wk8n/r
-  uB8VvfplJpp/9gA/LQSuvUzqYSXWII+A23OWWn2sW5zlkuRxhXbvH0JJtOTYOQ25
-  AbIZH8cnK2eEhiRDk0IRibmLAdCIaBC8WX3HuzDE169uT+A7FD+tHG1EUFNzSqHp
-  qo2297vnKvk15a8m6B68OhYNEoS5a4YwqJ85dBMOtdMw6u5qnX+ki5BqMVuhOMFw
-  uBRuBBCxjOpjJuWlvIBlPreMIsFUqcK0ID6HTWG1N6eMMDGolgB0KIuw80hL54qR
-  hwGdjqmw+J3e9R3yz9UuUbMJ4HW78Net7+1fL9dp/bRnZzjJ9p9H3rO41qDxv3V+
-  yZt14y8lnJhBekF5KWketKk+s9p3snOrEYHd2Z6uwAj8eH83eomrQz0kfnkYAhVX
-  nd706gN933uL8/syA4H4j7DcyhFn9JOLSt8zeBLF2LaCJowplfQ2IqYTSO4QzVKr
-  SV4KoZCyFffz/D3cpRAy9VchSXIGlbiBoPkXEaceosHBHjrraUA3uqCVKiQViOTr
-  6Z6ZY5iLjjdpAgMBAAGjQjBAMB0GA1UdDgQWBBR/N36ZzQZOlmIoWMm1ra2fn8fb
-  ajAfBgNVHREEGDAWghRwcm9kLXNieC5iZmQuY21zLmdvdjANBgkqhkiG9w0BAQwF
-  AAOCAgEAOaWrQZ6b4VbLxrWz6TpiFlyfui5QioL2Ve8jOC8bLb8ZYgbYScVF5pTY
-  brLeNQmZ43+6v2ZfgeZCRgMcHWLox7uSAlnRAwQeKvP3KiqU+pxT0hqaV4r3vZni
-  f3Kij5LjUlK/vJ49DGOHdUvuPIrjsUh3eLw8mkUk0dkLUYI6EyYjipUKHTexviQ0
-  H2V6ZYuu9IOPF96US1r6m/dH/hAyRm8kIfIU60DhC8AGQEdM3Z3l0kvRkvZ8CXlt
-  OfUp15j3ZxXXT7WlG9c1bV7i86lfDm5t2BBrrRyEk35v0FyFw0+xooGo7V0CWyQN
-  yJV/LUerDZAFuUqS9pcYI75a3TOq9i+UfWQlzMFLd1QcyfYJ+IOno/esvTGiD/jT
-  6GLmcB76HoC4UmBcI00I97Vpduwktd41J+lHQHRyVBYdh6MwGbG2aw261QwNVmTi
-  hNn1y9ch2ZT0qWsvEGx+7QgXamvJiw6Bq7KwWeUkCpLtSidpjPOz2ezjBcROMryV
-  sfgOy2s4IOE3t9tCVW7aVItV3cQ71YWGQ/tCZ2sfj5vSfTR1Y8+6VLSiwCKuwwkV
-  SP78C17wM4j2wwu4onPRnX/XWqvYUz8rZ6YJRJr5p8xDGapP8tZ+y+wd38y25Vhy
-  g+2AidmcX9idL7kn/WCkINVMf2PItUDg950U5rkh5KPT5KQ/v7M=
-  -----END CERTIFICATE-----
 /bfd/${env}/server/nonsensitive/client_certificates/prod_sbx_bfd_cms_gov: |-
   -----BEGIN CERTIFICATE-----
   MIIFHzCCAwegAwIBAgIUQeny4GmZastRlDu71KLf2DUbTlkwDQYJKoZIhvcNAQEL

diff --git a/ops/terraform/services/migrator/README.md b/ops/terraform/services/migrator/README.md
@@ -76,6 +76,7 @@ In addition to the [Requirements (below)](#requirements) below, an included [ext
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.cloudwatch_agent_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.cloudwatch_agent_xray_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_key_pair.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/key_pair) | data source |
 | [aws_kms_key.cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_kms_key.config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |

diff --git a/ops/terraform/services/migrator/data-sources.tf b/ops/terraform/services/migrator/data-sources.tf
@@ -101,3 +101,7 @@ data "aws_ssm_parameters_by_path" "nonsensitive_common" {
 data "aws_ssm_parameters_by_path" "nonsensitive" {
   path = "/bfd/${local.env}/${local.service}/nonsensitive"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+  name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/migrator/iam.tf b/ops/terraform/services/migrator/iam.tf
@@ -98,6 +98,7 @@ resource "aws_iam_role" "this" {
     data.aws_iam_policy.cloudwatch_agent_xray_policy.arn,
     aws_iam_policy.sqs.arn,
     aws_iam_policy.ssm.arn,
+    data.aws_iam_policy.ec2_instance_tags_ro.arn,
   ]
 }
 

diff --git a/ops/terraform/services/pipeline/README.md b/ops/terraform/services/pipeline/README.md
@@ -77,6 +77,7 @@
 | [aws_sns_topic_policy.s3_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_ami.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.ec2_instance_tags_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_kms_key.cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_kms_key.config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_kms_key.mgmt_config_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |

diff --git a/ops/terraform/services/pipeline/data-sources.tf b/ops/terraform/services/pipeline/data-sources.tf
@@ -137,3 +137,7 @@ data "aws_sns_topic" "bfd_notices_slack_alarm" {
   count = local.is_ephemeral_env ? 0 : 1
   name  = "bfd-${local.env}-cloudwatch-alarms-slack-bfd-notices"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+  name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/pipeline/iam.tf b/ops/terraform/services/pipeline/iam.tf
@@ -210,6 +210,7 @@ EOF
     "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess",
     "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
     "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
+    data.aws_iam_policy.ec2_instance_tags_ro.arn,
   ]
   max_session_duration = 3600
   name                 = "bfd-${local.env}-bfd_${local.service}-role"

diff --git a/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf b/ops/terraform/services/server/modules/bfd_server_iam/data-sources.tf
@@ -26,3 +26,7 @@ data "aws_iam_policy" "cloudwatch_agent_policy" {
 data "aws_iam_policy" "cloudwatch_xray_policy" {
   arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
 }
+
+data "aws_iam_policy" "ec2_instance_tags_ro" {
+  name = "bfd-mgmt-ec2-instance-tags-ro"
+}
diff --git a/ops/terraform/services/server/modules/bfd_server_iam/main.tf b/ops/terraform/services/server/modules/bfd_server_iam/main.tf
@@ -213,3 +213,8 @@ resource "aws_iam_role_policy_attachment" "asg" {
   role       = aws_iam_role.instance.id
   policy_arn = aws_iam_policy.asg.arn
 }
+
+resource "aws_iam_role_policy_attachment" "ec2_instance_tags_ro" {
+  role       = aws_iam_role.instance.id
+  policy_arn = data.aws_iam_policy.ec2_instance_tags_ro.arn
+}