Add init and account folders

.github/workflows/build-and-push-dev.yml

@@ -4,7 +4,8 @@ on:
   push:
     # this value should match any deployment branches configured for the target GitHub environment for https://github.com/CMSgov/security-hub-collector
     # https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches
-    branches: [main]
+    # branches: [main]  
+    branches: bharvey-collector # TODO REVERT
 
 jobs:
   build:

.github/workflows/validate.yml

@@ -11,22 +11,28 @@ jobs:
       uses: actions/checkout@v2
       with:
         fetch-depth: 0
+
     - name: setup go
       uses: actions/setup-go@v2
       with:
         go-version: 1.19
+
     - name: setup python
       uses: actions/setup-python@v2
+
     - name: pre-commit-cache
       uses: actions/cache@v2
       env:
         cache-name: pre-commit-dot-cache
       with:
         path: ~/.cache/pre-commit
         key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/.pre-commit-config.yaml') }}
+
     - name: run pre-commit
       uses: pre-commit/[email protected]
+
     - name: run go tests
       run: go test -v ./pkg/...
+
     - name: build the Docker image
       run: docker build . --file Dockerfile

.gitignore

@@ -1,3 +1,4 @@
 bin/
 dist/
 manual_test_team_map.json
+.terraform

README.md

@@ -67,7 +67,7 @@ Example usage:
 ```terraform
   module "security_hub_collector_ecr" {
     source = "github.com/CMSgov/security-hub-collector"
-    allowed_read_principals = local.allowed_read_principals
+    ecr_read_aws_accounts = local.ecr_read_aws_accounts
     scan_on_push = // optional, defaults to true
     tags = // optional, defaults to {}
     lifecycle_policy = // optional, defaults to "".  When empty, defaults to keep the last 500 images

terraform/dev/account/ecr.tf

@@ -0,0 +1,72 @@
+locals {
+  principal_arns = [for item in var.ecr_read_aws_accounts : format("arn:aws:iam::%s:root", item)]
+}
+
+resource "aws_ecr_repository" "this" {
+  name = "security-hub-collector"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "this" {
+  repository = aws_ecr_repository.this.name
+  policy     = <<EOF
+{
+  "rules": [
+    {
+      "action": {
+        "type": "expire"
+      },
+      "description": "Keep last 500 images",
+      "rulePriority": 10,
+      "selection": {
+        "countNumber": 500,
+        "countType": "imageCountMoreThan",
+        "tagStatus": "any"
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_ecr_repository_policy" "this" {
+  repository = aws_ecr_repository.this.name
+  policy     = data.aws_iam_policy_document.cross_account_readonly.json
+}
+
+data "aws_iam_policy_document" "cross_account_readonly" {
+  statement {
+    sid = "CrossAccountReadOnly"
+
+    effect = "Allow"
+
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+    ]
+
+    principals {
+      identifiers = local.principal_arns
+      type        = "AWS"
+    }
+  }
+
+  statement {
+    sid = ""
+
+    effect = "Allow"
+
+    actions = ["ecr:GetAuthorizationToken"]
+
+    principals {
+      identifiers = local.principal_arns
+      type        = "AWS"
+    }
+  }
+}

terraform/dev/account/github-oidc.tf

@@ -0,0 +1,53 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+module "iam_github_oidc_role_github_actions_runner" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+
+  name = "security-hub-collector-github-oidc"
+
+  path                     = "/delegatedadmin/developer/"
+  permissions_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/cms-cloud-admin/developer-boundary-policy"
+
+  subjects = [
+    "Enterprise-CMCS/mac-fc-security-hub-collector:*",
+  ]
+
+  policies = {
+    github_actions_runner = aws_iam_policy.github_actions_permissions.arn
+  }
+}
+
+data "aws_iam_policy_document" "github_actions_permissions" {
+  statement {
+    actions = [
+      "ecr:GetAuthorizationToken"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "ecr:CompleteLayerUpload",
+      "ecr:GetAuthorizationToken",
+      "ecr:UploadLayerPart",
+      "ecr:InitiateLayerUpload",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:PutImage",
+      "ecr:TagResource"
+    ]
+    resources = ["arn:aws:ecr:us-east-1:${data.aws_caller_identity.current.account_id}:repository/security-hub-collector"]
+  }
+}
+
+resource "aws_iam_policy" "github_actions_permissions" {
+  name        = "github-actions-permissions"
+  policy      = data.aws_iam_policy_document.github_actions_permissions.json
+  path        = "/delegatedadmin/developer/"
+  description = "Permissions for GitHub Actions OIDC"
+}
+

terraform/dev/account/terraform.tfvars

@@ -0,0 +1,4 @@
+ecr_read_aws_accounts = [
+  "666736308865", # MACPro DevSecOps/aws-cms-oit-iusg-acct222
+  "358534743481" # TODO remove
+]

terraform/dev/account/variables.tf

@@ -1,22 +1,4 @@
-variable "lifecycle_policy" {
-  type        = string
-  description = "ECR repository lifecycle policy document. Used to override the default policy."
-  default     = ""
-}
-
-variable "tags" {
-  type        = map(any)
-  description = "Additional tags to apply."
-  default     = {}
-}
-
-variable "scan_on_push" {
-  type        = bool
-  description = "Scan image on push to repo."
-  default     = true
-}
-
-variable "allowed_read_principals" {
+variable "ecr_read_aws_accounts" {
   type        = list(any)
-  description = "External principals that are allowed to read from the ECR repository"
+  description = "AWS accounts that are allowed to read from the ECR repository"
 }

terraform/dev/account/versions.tf

@@ -1,10 +1,33 @@
 terraform {
-  required_version = ">= 0.13"
+  required_version = "= 1.5.2"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~>5.30.0"
+    }
+  }
+  backend "s3" {
+    bucket         = "security-hub-collector-dev-tfstate"
+    key            = "account/state"
+    region         = "us-east-1"
+    dynamodb_table = "security-hub-collector-dev-lock-table"
+    encrypt        = true
+  }
+}
+
+provider "aws" {
+  allowed_account_ids = ["037370603820"]
+
+  default_tags {
+    tags = {
+      Maintainer  = "[email protected]"
+      Owner       = "[email protected]"
+      Environment = "dev"
+      Application = "mac-fc-security-hub-collector"
+      Business    = "MACBIS"
+      Automated   = "Terraform"
+      stack       = "dev"
     }
   }
 }