Escaped git revert blackhole

Author: Mike Saintcross

LICENSE

@@ -11,4 +11,5 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

README.md

@@ -1,32 +1,34 @@
 # Terraform EC2 Image Builder Container Hardening Pipeline summary
 
-Creates and manages EC2 Image Builder Container resources. Specifically this pipeline builds an Amazon Linux 2 Baseline Container using Docker with RHEL 7 STIG Version 3 Release 7 hardening applied, along with a few other configurations. See recipes.tf for more details.
+Terraform modules build an [EC2 Image Builder Pipeline](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) with an [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) Baseline Container Recipe, which is used to deploy a [Docker](https://docs.docker.com/) based Amazon Linux 2 Container Image that has been hardened according to RHEL 7 STIG Version 3 Release 7 - Medium. See the "[STIG-Build-Linux-Medium version 2022.2.1](https://docs.aws.amazon.com/imagebuilder/latest/userguide/toe-stig.html#linux-os-stig)" section in Linux STIG Components for details. This is commonly referred to as a "Golden" container image.
 
-Test.
+The build includes two [Cloudwatch Event Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html). One which triggers the start of the Container Image pipeline based on an [Inspector Finding](https://docs.aws.amazon.com/inspector/latest/user/findings-managing.html) of "High" or "Critical" so that insecure images are replaced, if Inspector and [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html) ["Enhanced Scanning"](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html) are both enabled. The other Event Rule sends notifications to an SQS Queue after a successful Container Image push to the ECR Repository, to better enable consumption of new container images.
 
 ## Prerequisites
 
-* Terraform v.15+. Download and setup Terraform. Refer to the official Terraform instructions to get started.
-* AWS CLI installed for setting your AWS Credentials for Local Deployment.
-* An AWS Account to deploy the infrastructure within.
-* Git (if provisioning from a local machine).
-* A role within the AWS account that you are able create AWS resources with
-* Ensure the .tfvars file has all variables defined or define all variables at “Terraform Apply” time
+* Terraform v.15+. [Download](https://www.terraform.io/downloads.html) and setup Terraform. Refer to the official Terraform [instructions](https://learn.hashicorp.com/collections/terraform/aws-get-started) to get started.
+* [AWS CLI installed](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-install.html) for setting your AWS Credentials for Local Deployment.
+* [An AWS Account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) to deploy the infrastructure within.
+* [Git](https://git-scm.com/) (if provisioning from a local machine).
+* A [role](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjllPaT-LD8AhXsFFkFHd4PBEsQFnoECA8QAQ&url=https%3A%2F%2Fdocs.aws.amazon.com%2FIAM%2Flatest%2FUserGuide%2Fid_roles.html&usg=AOvVaw2x3qPB3Ld00_O0zMSxCNNi) within the AWS account that you are able create AWS resources with
+* Ensure the [.tfvars](https://developer.hashicorp.com/terraform/tutorials/configuration-language/variables) file has all variables defined or define all variables at "Terraform Apply" time
 
 ## Target technology stack  
 
-* S3 Bucket for the Pipeline Component Files
-* ECR
-* 1 VPC, 1 Public and 1 Private subnet, Route tables, a NAT Gateway, and an Internet Gateway
+* Two [S3 Buckets](https://aws.amazon.com/s3/), 1 for the Pipeline [Component](https://docs.aws.amazon.com/imagebuilder/latest/userguide/create-component-console.html) Files and 1 for Server Access and VPC Flow logs
+* An ECR [Repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html)
+* A [VPC](https://aws.amazon.com/vpc/), a Public and Private [subnet](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html), [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html), a [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html), and an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html)
 * An EC2 Image Builder Pipeline, Recipe, and Components
-* 1 Container Image
-* 1 KMS Key for Image Encryption
-* A Cloudwatch Event Rule which triggers the start of the pipeline based on an Inspector2 Finding of “High”
-* This pattern creates 29 AWS Resources total.
+* A Container Image
+* A [KMS Key](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiC5J339rD8AhV-F1kFHSp_CCEQFnoECA8QAQ&url=https%3A%2F%2Faws.amazon.com%2Fkms%2F&usg=AOvVaw3RCXPeRLWlWbJyXWU3HNGF) for Image Encryption
+* An SQS Queue
+* Four roles, one for the EC2 Image Builder Pipeline to execute as, one instance profile for EC2 Image Builder, and one for EventBridge Rules, and one for VPC Flow Log collection.
+* Two Cloudwatch Event Rules,  one which triggers the start of the pipeline based on an Inspector Finding of "High" or "Critical," and one which sends notifications to an SQS Queue for a successful Image push to the ECR Repository
+* This pattern creates 43 AWS Resources total
 
 ## Limitations 
 
-VPC Endpoints cannot be used, and therefore this solution creates VPC Infrastructure that includes a NAT Gateway and an Internet Gateway for internet connectivity from its private subnet. This is due to the bootstrap process by AWSTOE, which installs AWS CLI v2 from the internet.
+[VPC Endpoints](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) cannot be used, and therefore this solution creates VPC Infrastructure that includes a [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) and an Internet Gateway for internet connectivity from its private subnet. This is due to the bootstrap process by [AWSTOE](https://docs.aws.amazon.com/imagebuilder/latest/userguide/how-image-builder-works.html#ibhow-component-management), which installs AWS CLI v2 from the internet.
 
 ## Operating systems
 
@@ -54,36 +56,37 @@ This Pipeline only contains a recipe for Amazon Linux 2.
 ├── main.tf
 ├── outputs.tf
 ├── sec-groups.tf
+├── trigger-build.tf
 └── variables.tf
 ```
 
 ## Module details
 
-1. hardening-pipeline.tfvars contains the Terraform variables to be used at apply time
-2. pipeline.tf creates and manages an EC2 Image Builder pipeline in Terraform
-3. image.tf contains the definitions for the Base Image OS, this is where you can modify for a different base image pipeline.
-4. infr-config.tf and dist-config.tf  contain the resources for the minimum AWS infrastructure needed to spin up and distribute the image.
-5. components.tf contains an S3 upload resource to upload the contents of the /files directory, and where you can modularly add custom component YAML files as well.
-6. recipes.tf is where you can specific different mixtures of components to create a different container recipe.
-7. trigger-build.tf is an inspector2 finding based pipeline trigger.
-8. roles.tf contains the IAM policy definitions for the EC2 Instance Profile and Pipeline Deployment Role
-9. infra-network-config.tf contains the minimum VPC infrastructure to deploy the container image into
-10. /files contains the .yml files which are used to define the components used in components.tf
+1. `hardening-pipeline.tfvars` contains the Terraform variables to be used at apply time.
+2. `pipeline.tf` creates and manages an EC2 Image Builder pipeline in Terraform.
+3. `image.tf` contains the definitions for the Base Image OS, this is where you can modify for a different base image pipeline.
+4. `infr-config.tf` and `dist-config.tf`  contain the resources for the minimum AWS infrastructure needed to spin up and distribute the image.
+5. `components.tf` contains an S3 upload resource to upload the contents of the /files directory, and where you can modularly add custom component YAML files as well.
+6. `recipes.tf` is where you can specific different mixtures of components to create a different container recipe.
+7. `trigger-build.tf` contains the EventBridge rules and SQS queue resources.
+8. `roles.tf` contains the IAM policy definitions for the EC2 Instance Profile and Pipeline deployment role.
+9. `infra-network-config.tf` contains the minimum VPC infrastructure to deploy the container image into.
+10. `/files` is intended to contain the `.yml` files which are used to define any custom components used in components.tf.
 
 ## Target architecture
 ![Deployed Resources Architecture](container-harden.png)
 
 ## Automation and scale
 
-* This terraform module set is intended to be used at scale. Instead of deploying it locally, the Terraform modules can be used in a multi-account strategy environment, such as in an AWS Control Tower with Account Factory for Terraform environment. In that case, a backend state S3 bucket should be used for managing Terraform state files, instead of managing the configuration state locally.
+* This terraform module set is intended to be used at scale. Instead of deploying it locally, the Terraform modules can be used in a multi-account strategy environment, such as in an [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) with [Account Factory for Terraform](https://aws.amazon.com/blogs/aws/new-aws-control-tower-account-factory-for-terraform/) environment. In that case, a [backend state S3 bucket](https://developer.hashicorp.com/terraform/language/settings/backends/s3) should be used for managing Terraform state files, instead of managing the configuration state locally.
 
-* To deploy for scaled use, deploy the solution to one central account, such as “Shared Services/Common Services” from a Control Tower or Landing Zone account model and grant consumer accounts permission to access to the ECR Repo/KMS Key, see this blog post explaining the setup. For example, in an Account Vending Machine or Account Factory for Terraform, add permissions to each account baseline or account customization baseline to have access to that ECR Repo and Encryption key.
+* To deploy for scaled use, deploy the solution to one central account, such as "Shared Services/Common Services" from a Control Tower or Landing Zone account model and grant consumer accounts permission to access to the ECR Repo/KMS Key, see [this blog post](https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/) explaining the setup. For example, in an [Account Vending Machine](https://www.hashicorp.com/resources/terraform-landing-zones-for-self-service-multi-aws-at-eventbrite) or Account Factory for Terraform, add permissions to each account baseline or account customization baseline to have access to that ECR Repo and Encryption key.
 
-* This container image pipeline can be simply modified once deployed, using EC2 Image Builder features, such as the “Component” feature, which will allow easy packaging of more components into the Docker build.
+* This container image pipeline can be simply modified once deployed, using EC2 Image Builder features, such as the "Component" feature, which will allow easy packaging of more components into the Docker build.
 
 * The KMS Key used to encrypt the container image should be shared across accounts which the container image is intended to be used in
 
-* Support for other images can be added by simply duplicating this entire Terraform module, and modifying the recipes.tf attributes, parent_image = "amazonlinux:latest" to be another parent image type, and modifying the repository_name to point to an existing ECR repository. This will create another pipeline which deploys a different parent image type, but to your existing ECR repostiory.
+* Support for other images can be added by simply duplicating this entire Terraform module, and modifying the `recipes.tf` attributes, `parent_image = "amazonlinux:latest"` to be another parent image type, and modifying the repository_name to point to an existing ECR repository. This will create another pipeline which deploys a different parent image type, but to your existing ECR repostiory.
 
 ## Deployment steps
 
@@ -109,18 +112,24 @@ If you instead got command not found then install the AWS CLI
  Default region name: [us-east-1]: <Your desired region for deployment>
  Default output format [None]: <Your desired Output format>
 ```
-3. Clone the repository
+3. Clone the repository with HTTPS or SSH
+
+HTTPS
+``` shell
+git clone https://github.com/aws-samples/terraform-ec2-image-builder-container-hardening-pipeline.git
+```
+SSH
 ``` shell
-git clone https://gitlab.aws.dev/msaintcr/terraform-ec2-image-builder-container-hardening-pipeline.git
+git clone [email protected]:aws-samples/terraform-ec2-image-builder-container-hardening-pipeline.git
 ```
 4. Navigate to the directory containing this solution before running the commands below:
 ``` shell
 cd terraform-ec2-image-builder-container-hardening-pipeline
 ```
 
-5. Update variables in hardening-pipeline.tfvars to match your environment and your desired configuration. You cannot use provided variable values, the solution will not deploy.
+5. Update variables in hardening-pipeline.tfvars to match your environment and your desired configuration. You must provide your own `account_id`, however, you should modify the rest of the variables to fit your desired deployment.
 ``` json
-account_id     = "012345678900"
+account_id     = "<DEPLOYMENT-ACCOUNT-ID>"
 aws_region     = "us-east-1"
 vpc_name       = "example-hardening-pipeline-vpc"
 kms_key_alias = "image-builder-container-key"
@@ -140,21 +149,21 @@ terraform init && terraform validate && terraform apply -var-file *.tfvars -auto
 
 7. After successfully completion of your first Terraform apply, if provisioning locally, you should see this snippet in your local machine’s terminal:
 ``` shell
-Apply complete! Resources: 29 added, 0 changed, 0 destroyed.
+Apply complete! Resources: 43 added, 0 changed, 0 destroyed.
 ```
 
 ## Troubleshooting
 
-*When running Terraform apply or destroy commands from your local machine, you may encounter an error similar to the following:*
+When running Terraform apply or destroy commands from your local machine, you may encounter an error similar to the following:
 
 ``` json
 Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 123456a9-fbc1-40ed-b8d8-513d0133ba7f, api error InvalidClientTokenId: The security token included in the request is invalid.
 ```
 
 This error is due to the expiration of the security token for the credentials used in your local machine’s configuration.
 
-See “Set and View Configuration Settings” from the AWS Command Line Interface Documentation to resolve.
+See "[Set and View Configuration Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-methods)" from the AWS Command Line Interface Documentation to resolve.
 
 ## Author
 
-* Mike Saintcross [msaintcr@]([email protected])
+* Mike Saintcross [msaintcr@amazon.com](mailto:[email protected])

components.tf

@@ -1,15 +1,16 @@
 # Upload files to S3
 resource "aws_s3_bucket_object" "component_files" {
   depends_on = [
-    aws_s3_bucket.s3_pipeline_bucket
+    aws_s3_bucket.s3_pipeline_bucket,
+    aws_kms_key.this
   ]
 
   for_each = fileset(path.module, "files/**/*.yml")
 
-  bucket                 = var.aws_s3_ami_resources_bucket
-  key                    = each.value
-  source                 = "${path.module}/${each.value}"
-  server_side_encryption = "aws:kms"
+  bucket     = var.aws_s3_ami_resources_bucket
+  key        = each.value
+  source     = "${path.module}/${each.value}"
+  kms_key_id = aws_kms_key.this.id
 }
 
 # Add custom component resources below

container-harden.png

@@ -1,6 +1,6 @@
 resource "aws_ecr_repository" "hardening_pipeline_repo" {
   name                 = var.ecr_name
-  image_tag_mutability = "MUTABLE"
+  image_tag_mutability = "IMMUTABLE"
 
   encryption_configuration {
     encryption_type = "KMS"

dist-config.tf

@@ -1,6 +1,5 @@
 # Enter values for all of the following if you wish to avoid being prompted on each run.
-# You must specify an account_id
-account_id                   = "537229986333"
+account_id                   = "012345678900"
 aws_region                   = "us-east-1"
 vpc_name                     = "example-hardening-pipeline-vpc"
 kms_key_alias                = "image-builder-container-key"

hardening-pipeline.tfvars

@@ -9,6 +9,18 @@ resource "aws_vpc" "hardening_pipeline" {
     Name = "${var.vpc_name}"
   }
 }
+
+resource "aws_flow_log" "hardening_pipeline_flow" {
+  depends_on = [
+    aws_s3_bucket.s3_pipeline_logging_bucket_logs
+  ]
+  log_destination      = aws_s3_bucket.s3_pipeline_logging_bucket_logs.arn
+  log_destination_type = "s3"
+  traffic_type         = "ALL"
+  vpc_id               = aws_vpc.hardening_pipeline.id
+}
+
+# Map public IP on launch because we are creating an internet gateway
 resource "aws_subnet" "hardening_pipeline_public" {
   depends_on = [
     aws_vpc.hardening_pipeline
@@ -22,6 +34,7 @@ resource "aws_subnet" "hardening_pipeline_public" {
     Name = "${var.vpc_name}-public"
   }
 }
+
 resource "aws_subnet" "hardening_pipeline_private" {
   depends_on = [
     aws_vpc.hardening_pipeline,
@@ -36,6 +49,11 @@ resource "aws_subnet" "hardening_pipeline_private" {
     Name = "${var.vpc_name}-private"
   }
 }
+
+resource "aws_default_security_group" "hardening_pipeline_vpc_default" {
+  vpc_id = aws_vpc.hardening_pipeline.id
+}
+
 resource "aws_internet_gateway" "hardening_pipeline_igw" {
   depends_on = [
     aws_vpc.hardening_pipeline,