## What's changed

This release fixes all the relevant security issues in the current code base, as detected by cfn_lint, trivy, checkov and ScoutSuite.
Terraform State:

- Encrypt and secure init_grid state and Lambda buckets.
- Limit the scope of the KMS Key policy for State Buckets.
- Remove AccessControls and use a BucketPolicy to keep the bucket private.
- Configure all Makefiles to use encrypted S3 Buckets for TF State, non-root Dockerfiles, fix HTCGRID_ECR_REPO, name CloudFormation stack outputs, and support updating an existing init_grid stack.
- Improve the init_grid Makefile to handle the initial and deletion cases better.
- Add support for cleaning up S3 object versions and standardize bucket variable naming.
HTC Grid Containers:

- Configure all Dockerfiles to run non-root containers and fix builds.
- Configure all HTC K8S resources to run with runAsNonRoot, the default seccompProfile, and allowPrivilegeEscalation disabled.
- Rename components, add readOnlyFileSystem and a seccomp profile to the HTC Agent, fix and clean up code.
- Remove file system write dependencies for the agent.
- Harden K8S manifests and enforce further checkov rules.
- Configure the Grafana Ingress to drop invalid HTTP header fields.
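The container hardening items above (runAsNonRoot, default seccompProfile, allowPrivilegeEscalation disabled, read-only root filesystem) map onto a handful of `securityContext` fields that checkov-style rules look for. The following is an added example, not HTC Grid project code: a "before" pod spec with the Kubernetes defaults beside the hardened form, and a small checker that reports which of those settings a spec is missing. The manifests are constructed Python dicts (the JSON shape kubectl accepts), and the names `htc-agent` and the UID 1000 are illustrative.

```python
"""Added example (not HTC Grid project code): check a pod spec for the
container hardening settings this release enforces. Manifests below are
constructed for illustration; image and names are placeholders."""

# Constructed "before" spec: the defaults a Deployment ships with if nothing
# is set, i.e. root user, privilege escalation allowed, writable root fs,
# no seccomp profile.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "htc-agent"},
    "spec": {
        "containers": [{"name": "agent", "image": "htc-agent:latest"}],
    },
}

# Constructed "after" spec with the settings named in the release notes.
# Scratch space moves to an emptyDir so the root filesystem can be read-only.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "htc-agent"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 1000,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "agent", "image": "htc-agent:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def _effective(pod_sc, ctr_sc, key):
    """Fields allowed at both levels: the container value overrides the pod's."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def check_pod(manifest):
    """Return a list of findings for a Pod manifest; empty means it passes."""
    spec = manifest["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext", {})
        name = ctr["name"]
        # runAsNonRoot and seccompProfile may be set at pod or container level.
        if _effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        seccomp = _effective(pod_sc, ctr_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is missing or Unconfined")
        # These two exist only on the container-level securityContext.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if ctr_sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if ctr_sc.get("privileged") is True:
            findings.append(f"{name}: privileged is true")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

The checker treats an absent field as a failure rather than assuming a default, which is the same stance the linters in this release take: `allowPrivilegeEscalation` defaults to true when unset, and an unset seccomp profile means unconfined on most clusters.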
HTC Grid Control Plane:

- Configure CMK KMS Key encryption for VPC Flow Logs, ECR Repositories, SQS, DynamoDB, S3, the EKS Cluster, EKS MNG EBS Volumes, and all CloudWatch Logs.
- Add encrypted CloudWatch Logging for API Gateway.
- Create S3 via a TF Module, add encryption support for the S3 Data Plane in the agent, and fix AWS partition and DNS suffix usage.
- Simplify code and move all lambdas and auth to the control_plane.
- Configure and consolidate least-privilege permissions on KMS, Lambda, and Agent IAM policies.
- Add KMS Decrypt and GenerateDataKey permissions to the Lambda and Agent permissions.
- Move the installation of jq onto the lambda images and fix the bootstrap script.
- Convert EC Redis to a single-replica cluster mode and add encryption.
- Add AUTH for the ElastiCache Redis Cluster.
- Enable X-Ray tracing for Lambda functions and adjust the Redis config.
- Add an explicit ASG Service Linked Role declaration to enable KMS support for ASG EBS Volumes.
- Handle cases where AWSServiceRoleForAutoScaling already exists.
- Add S3 and SQS Resource Policies to enforce HTTPS and create separate CMK KMS Keys for DLQs for each SQS Queue.
- Configure the DLQs to be used with the respective SQS Queues and fix naming/references.
- Add security group and ACL controls where possible.
- Configure securityContext for OpenAPI.
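Two items in these notes rely on bucket policy statements: keeping the state bucket private through a BucketPolicy rather than ACLs (Terraform State section), and the S3 and SQS resource policies that enforce HTTPS (above). The following is an added example, not HTC Grid project code: a bucket policy that denies plaintext-HTTP requests and uploads that are not SSE-KMS, together with a minimal evaluator for the condition operators it uses, so the Deny statements can be exercised offline. The bucket ARN is a placeholder, and the evaluator only models explicit Deny matching, not the identity-policy Allow side of a real IAM evaluation.

```python
"""Added example (not HTC Grid project code): an S3 bucket policy enforcing
TLS and SSE-KMS, plus a small evaluator for its Deny statements.
The bucket ARN is a placeholder."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-tfstate-bucket"  # placeholder

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject every request that did not arrive over TLS. The same
            # condition is what an SQS queue policy uses to enforce HTTPS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject uploads unless the request asks for SSE-KMS. Because the
            # operator is negated, a missing header also matches, so plain
            # unencrypted PutObject calls are denied too.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _cond_matches(operator, key, expected, context):
    """Evaluate one condition pair against the request context."""
    present = key in context
    actual = str(context.get(key, ""))
    if operator == "Bool":
        return present and actual.lower() == str(expected).lower()
    if operator == "StringEquals":
        return present and actual == expected
    if operator == "StringNotEquals":
        # IAM semantics: negated operators match when the key is absent.
        return (not present) or actual != expected
    raise ValueError(f"unsupported operator {operator}")


def _stmt_matches(stmt, action, resource, context):
    """True if action, resource and every condition of the statement match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _cond_matches(operator, key, expected, context):
                return False
    return True


def is_denied(policy, action, resource, context):
    """True if any explicit Deny statement in the policy matches the request."""
    return any(
        stmt["Effect"] == "Deny" and _stmt_matches(stmt, action, resource, context)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    obj = BUCKET_ARN + "/terraform.tfstate"
    print("HTTP GetObject denied:",
          is_denied(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print("HTTPS SSE-KMS PutObject denied:",
          is_denied(BUCKET_POLICY, "s3:PutObject", obj,
                    {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "aws:kms"}))
```

The `StringNotEquals` branch is the part worth reading twice: because negated operators match when the key is absent, the second statement denies both an explicit `AES256` header and no header at all, which is the behaviour you want for a state bucket that must only ever hold KMS-encrypted objects.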
General:

- Add GitHub workflows for cfn_lint, trivy, and checkov.
- Standardize, fix, and simplify tests.
- Standardize the naming of TF resources.
- Fix docs and random_password to align with pipelines.
- Add auto deploy & destroy stages for images.
- Change all Copyright notices to reflect the current year (2024).
Cloud9:

- Fix the Cloud9 deployment script to target the correct instances.
- Fix the Cloud9 bootstrap race condition and adjust to WS.
- Force a reinstall at bootstrap time to fix virtualenv issues.
- Add support for specifying a Git repo/branch for HTCGridSource.
- Remove the Admin role from KMS Admins as it doesn't exist in WS.

Full Changelog: v0.4.2...v0.4.3