Security updates (#21)

nickdala · web-flow · commit c78a28a82e18 · 2024-09-26T08:26:12.000-04:00
* remove zone assignment in PostgreSQL Terraform

* Managed identity PostgreSQL

* front door rate limiting

* jumpbox SSH Microsoft Entra ID

* add ssh files to gitignore
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,6 +6,7 @@
 			"VARIANT": "jammy"
 		}
 	},
+	"postStartCommand": "./.devcontainer/scripts/onCreateCommand.sh",
 	"remoteUser": "vscode",
 	"containerEnv": {
 		"M2": "/home/vscode" // required because the java feature is not setting this correctly
diff --git a/.devcontainer/scripts/onCreateCommand.sh b/.devcontainer/scripts/onCreateCommand.sh
@@ -0,0 +1,3 @@
+set -x
+
+az extension add --name serviceconnector-passwordless --upgrade
diff --git a/.gitignore b/.gitignore
@@ -49,4 +49,8 @@ application-dev.properties
 *.terraform.lock.hcl
 .terraform/
 *.tfplan
-.DS_Store
+.DS_Store
+
+# Azure CLI configuration
+az_ssh_config/
+ssh-config
diff --git a/apps/contoso-fiber/pom.xml b/apps/contoso-fiber/pom.xml
@@ -52,6 +52,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
         </dependency>
+        <dependency>
+			<groupId>com.azure.spring</groupId>
+			<artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId>
+		</dependency>
         <dependency>
             <groupId>org.postgresql</groupId>
             <artifactId>postgresql</artifactId>
@@ -142,6 +146,11 @@
             <artifactId>spring-cloud-azure-starter-storage-blob</artifactId>
         </dependency>
 
+        <dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+		</dependency>
+
     </dependencies>
 
     <build>
diff --git a/infra/scripts/front-door-route-approval.sh b/infra/scripts/front-door-route-approval.sh
diff --git a/infra/scripts/setup-service-connector.sh b/infra/scripts/setup-service-connector.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+source_id=$1
+target_id=$2
+
+random_string=$RANDOM
+connection_name=postgresql_${RANDOM}
+
+az webapp connection create postgres-flexible --connection ${connection_name} --source-id ${source_id} --target-id ${target_id} --client-type springBoot --system-identity
diff --git a/infra/shared/terraform/modules/app-service/main.tf b/infra/shared/terraform/modules/app-service/main.tf
@@ -104,10 +104,6 @@ resource "azurerm_linux_web_app" "application" {
     APPINSIGHTS_INSTRUMENTATIONKEY = var.app_insights_instrumentation_key
     ApplicationInsightsAgent_EXTENSION_VERSION = "~3"
 
-    DATABASE_URL      = var.contoso_webapp_options.postgresql_database_url
-    DATABASE_USERNAME = var.contoso_webapp_options.postgresql_database_user
-    DATABASE_PASSWORD = var.contoso_webapp_options.postgresql_database_password
-
     AZURE_ACTIVE_DIRECTORY_CREDENTIAL_CLIENT_ID     = var.contoso_webapp_options.contoso_active_directory_client_id
     AZURE_ACTIVE_DIRECTORY_CREDENTIAL_CLIENT_SECRET = var.contoso_webapp_options.contoso_active_directory_client_secret
     AZURE_ACTIVE_DIRECTORY_TENANT_ID                = var.contoso_webapp_options.contoso_active_directory_tenant_id
diff --git a/infra/shared/terraform/modules/app-service/variables.tf b/infra/shared/terraform/modules/app-service/variables.tf
@@ -70,10 +70,6 @@ variable "contoso_webapp_options" {
     contoso_active_directory_client_id      = string
     contoso_active_directory_client_secret  = string
 
-    postgresql_database_url       = string
-    postgresql_database_user      = string
-    postgresql_database_password  = string
-
     redis_host_name               = string
     redis_port                    = number
     redis_password                = string
diff --git a/infra/shared/terraform/modules/cache/main.tf b/infra/shared/terraform/modules/cache/main.tf
@@ -75,28 +75,14 @@ resource "azurerm_monitor_diagnostic_setting" "redis_diagnostic" {
 
   enabled_log {
     category_group = "audit"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   enabled_log {
     category_group = "allLogs"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   metric {
     category = "AllMetrics"
     enabled  = true
-    retention_policy {
-      enabled = false
-      days    = 0
-    }
   }
 }
diff --git a/infra/shared/terraform/modules/frontdoor/main.tf b/infra/shared/terraform/modules/frontdoor/main.tf
@@ -118,6 +118,24 @@ resource "azurerm_cdn_frontdoor_firewall_policy" "firewall_policy" {
   sku_name                          = azurerm_cdn_frontdoor_profile.front_door.sku_name
   enabled                           = true
   mode                              = "Prevention"
+
+  custom_rule {
+    name     = "RateLimitingRule"
+    priority = 100
+    type = "RateLimitRule"
+
+    match_condition {
+      match_variable = "RemoteAddr"
+      operator       = "IPMatch"
+      match_values = ["0.0.0.0/0"]
+      negation_condition = false
+    }
+  
+    rate_limit_duration_in_minutes = 1
+    rate_limit_threshold = 200
+
+    action = "Block"
+  }
 }
 
 resource "azurecaf_name" "front_door_security_policy_name" {
diff --git a/infra/shared/terraform/modules/key-vault/main.tf b/infra/shared/terraform/modules/key-vault/main.tf
@@ -87,28 +87,14 @@ resource "azurerm_monitor_diagnostic_setting" "key_vault_diagnostic" {
 
   enabled_log {
     category_group = "audit"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   enabled_log {
     category_group = "allLogs"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   metric {
     category = "AllMetrics"
     enabled  = true
-    retention_policy {
-      enabled = false
-      days    = 0
-    }
   }
 }
diff --git a/infra/shared/terraform/modules/postresql/main.tf b/infra/shared/terraform/modules/postresql/main.tf
@@ -7,29 +7,6 @@ terraform {
   }
 }
 
-# Quickstart: Use Terraform to create an Azure Database for MySQL - Flexible Server
-# https://docs.microsoft.com/azure/mysql/flexible-server/quickstart-create-terraform?tabs=azure-cli
-
-
-# Azure Private DNS provides a reliable, secure DNS service to manage and
-# resolve domain names in a virtual network without the need to add a custom DNS solution
-# https://docs.microsoft.com/azure/dns/private-dns-privatednszone
-resource "azurerm_private_dns_zone" "postgresql_database" {
-  count               = var.environment == "prod" ? 1 : 0
-  name                = "privatelink.${var.location}.postgres.database.azure.com"
-  resource_group_name = var.resource_group
-}
-
-# After you create a private DNS zone in Azure, you'll need to link a virtual network to it.
-# https://docs.microsoft.com/azure/dns/private-dns-virtual-network-links
-resource "azurerm_private_dns_zone_virtual_network_link" "postgresql_database" {
-  count                 = var.environment == "prod" ? 1 : 0
-  name                  = azurerm_private_dns_zone.postgresql_database[0].name
-  private_dns_zone_name = azurerm_private_dns_zone.postgresql_database[0].name
-  virtual_network_id    = var.virtual_network_id
-  resource_group_name   = var.resource_group
-}
-
 resource "azurecaf_name" "postgresql_server" {
   count         = var.environment == "prod" ? 1 : 0
   name          = var.application_name
@@ -52,8 +29,9 @@ resource "azurerm_postgresql_flexible_server" "postgresql_database" {
   sku_name                     = var.sku_name
   version                      = "16"
 
+  public_network_access_enabled = false
   delegated_subnet_id          = var.subnet_network_id
-  private_dns_zone_id          = azurerm_private_dns_zone.postgresql_database[0].id
+  private_dns_zone_id          = var.private_dns_zone_id
 
   geo_redundant_backup_enabled = false
 
@@ -89,8 +67,6 @@ resource "azurerm_postgresql_flexible_server" "postgresql_database" {
       high_availability.0.standby_availability_zone
     ]
   }
-
-  depends_on = [azurerm_private_dns_zone_virtual_network_link.postgresql_database]
 }
 
 # Configure Diagnostic Settings for PostgreSQL
@@ -102,29 +78,15 @@ resource "azurerm_monitor_diagnostic_setting" "postgresql_diagnostic" {
 
   enabled_log {
     category_group = "audit"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   enabled_log {
     category_group = "allLogs"
-
-    retention_policy {
-      days    = 0
-      enabled = false
-    }
   }
 
   metric {
     category = "AllMetrics"
     enabled  = true
-    retention_policy {
-      enabled = false
-      days    = 0
-    }
   }
 }
 
@@ -150,7 +112,6 @@ resource "azurerm_postgresql_flexible_server" "dev_postresql_database" {
   version                       = "16"
   geo_redundant_backup_enabled  = false
   storage_mb                    = 32768
-  zone                          = 1
 
   authentication {
       active_directory_auth_enabled  = true
@@ -162,6 +123,12 @@ resource "azurerm_postgresql_flexible_server" "dev_postresql_database" {
       "environment"      = var.environment
       "application-name" = var.application_name
   }
+
+  lifecycle {
+    ignore_changes = [
+      zone,
+    ]
+  }
 }
 
 resource "azurerm_postgresql_flexible_server_firewall_rule" "dev_postresql_database_allow_access_rule" {
diff --git a/infra/shared/terraform/modules/postresql/outputs.tf b/infra/shared/terraform/modules/postresql/outputs.tf
@@ -27,3 +27,8 @@ output "dev_database_fqdn" {
   value       = length(azurerm_postgresql_flexible_server.dev_postresql_database) > 0 ? azurerm_postgresql_flexible_server.dev_postresql_database[0].fqdn : ""
   description = "The FQDN of the database"
 }
+
+output "dev_database_name" {
+  value       = length(azurerm_postgresql_flexible_server.dev_postresql_database) > 0 ? azurerm_postgresql_flexible_server.dev_postresql_database[0].name : ""
+  description = "The name of the database server"
+}
diff --git a/infra/shared/terraform/modules/postresql/variables.tf b/infra/shared/terraform/modules/postresql/variables.tf
@@ -65,4 +65,9 @@ variable "log_analytics_workspace_id" {
 variable "sku_name" {
   type    = string
   default = "B_Standard_B1ms"
+}
+
+variable "private_dns_zone_id" {
+  type        = string
+  description = "The id of the private dns zone"
 }
diff --git a/infra/shared/terraform/modules/vms/main.tf b/infra/shared/terraform/modules/vms/main.tf
@@ -20,6 +20,10 @@ resource "azurerm_linux_virtual_machine" "linux_vm" {
   disable_password_authentication = false
   size                            = var.size
 
+  identity {
+    type = "SystemAssigned"
+  }
+
   network_interface_ids = [
     azurerm_network_interface.vm_nic.id
   ]
@@ -31,8 +35,8 @@ resource "azurerm_linux_virtual_machine" "linux_vm" {
 
   source_image_reference {
     publisher = "Canonical"
-    offer     = "UbuntuServer"
-    sku       = "18.04-LTS"
+    offer     = "0001-com-ubuntu-server-focal"
+    sku       = "20_04-lts-gen2"
     version   = "latest"
   }
 }
@@ -49,3 +53,18 @@ resource "azurerm_virtual_machine_extension" "vm_extension_linux" {
     }
 SETTINGS
 }
+
+resource "azurerm_virtual_machine_extension" "vm_extension_aad" {
+  name                 = "vm-aad-extension-linux"
+  virtual_machine_id   = azurerm_linux_virtual_machine.linux_vm.id
+  publisher            = "Microsoft.Azure.ActiveDirectory"
+  type                 = "AADSSHLoginForLinux"
+  type_handler_version = "1.0"
+  auto_upgrade_minor_version = true
+}
+
+resource "azurerm_role_assignment" "vm-admin-role" {
+  scope                = azurerm_linux_virtual_machine.linux_vm.id
+  role_definition_name = "Virtual Machine Administrator Login"
+  principal_id         = var.admin_principal_id
+}
diff --git a/infra/shared/terraform/modules/vms/variables.tf b/infra/shared/terraform/modules/vms/variables.tf
@@ -35,4 +35,8 @@ variable "subnet_id" {
 variable "size" {
   type    = string
   default = "Standard_B2ms"
-}
+}
+
+variable "admin_principal_id" {
+  type    = string
+}
diff --git a/infra/terraform/application.tf b/infra/terraform/application.tf
@@ -24,12 +24,9 @@ module "application" {
   public_network_access_enabled  = false
 
   contoso_webapp_options = {
-     contoso_active_directory_tenant_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})"
+    contoso_active_directory_tenant_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})"
     contoso_active_directory_client_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})"
     contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})"
-    postgresql_database_url                = format("@Microsoft.KeyVault(SecretUri=%s)", module.secrets[0].secret_names["contoso-database-url"])
-    postgresql_database_user               = format("@Microsoft.KeyVault(SecretUri=%s)", module.secrets[0].secret_names["contoso-database-admin"])
-    postgresql_database_password           = format("@Microsoft.KeyVault(SecretUri=%s)", module.secrets[0].secret_names["contoso-database-admin-password"])
     redis_host_name                        = module.cache[0].cache_hostname
     redis_port                             = module.cache[0].cache_ssl_port
     redis_password                         = format("@Microsoft.KeyVault(SecretUri=%s)", module.secrets[0].secret_names["contoso-redis-password"])
@@ -66,9 +63,6 @@ module "secondary_application" {
     contoso_active_directory_tenant_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})"
     contoso_active_directory_client_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})"
     contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})"
-    postgresql_database_url                = format("@Microsoft.KeyVault(SecretUri=%s)", module.secondary_secrets[0].secret_names["secondary-contoso-database-url"])
-    postgresql_database_user               = format("@Microsoft.KeyVault(SecretUri=%s)", module.secondary_secrets[0].secret_names["secondary-contoso-database-admin"])
-    postgresql_database_password           = format("@Microsoft.KeyVault(SecretUri=%s)", module.secondary_secrets[0].secret_names["secondary-contoso-database-admin-password"])
     redis_host_name                        = module.secondary_cache[0].cache_hostname
     redis_port                             = module.secondary_cache[0].cache_ssl_port
     redis_password                         = format("@Microsoft.KeyVault(SecretUri=%s)", module.secondary_secrets[0].secret_names["secondary-contoso-redis-password"])
@@ -111,9 +105,6 @@ module "dev_application" {
     contoso_active_directory_tenant_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_application_tenant_id[0].id})"
     contoso_active_directory_client_id     = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_application_client_id[0].id})"
     contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_application_client_secret[0].id})"
-    postgresql_database_url                = format("@Microsoft.KeyVault(SecretUri=%s)", module.dev_secrets[0].secret_names["dev-contoso-database-url"])
-    postgresql_database_user               = format("@Microsoft.KeyVault(SecretUri=%s)", module.dev_secrets[0].secret_names["dev-contoso-database-admin"])
-    postgresql_database_password           = format("@Microsoft.KeyVault(SecretUri=%s)", module.dev_secrets[0].secret_names["dev-contoso-database-admin-password"])
     redis_host_name                        = module.dev_cache[0].cache_hostname
     redis_port                             = module.dev_cache[0].cache_ssl_port
     redis_password                         = format("@Microsoft.KeyVault(SecretUri=%s)", module.dev_secrets[0].secret_names["dev-contoso-redis-password"])
@@ -125,3 +116,21 @@ module "dev_application" {
 
   }
 }
+
+resource "null_resource" "dev_service_connector" {
+  count               = var.environment == "dev" ? 1 : 0
+
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+
+  provisioner "local-exec" {
+    command = "bash ../scripts/setup-service-connector.sh ${module.dev_application[0].web_app_id} ${azurerm_postgresql_flexible_server_database.dev_postresql_database_db[0].id}"
+  }
+
+  depends_on = [
+    module.dev_application,
+    azurerm_postgresql_flexible_server_database.dev_postresql_database_db,
+    azurerm_postgresql_flexible_server_active_directory_administrator.dev-contoso-ad-admin
+  ]
+}
diff --git a/infra/terraform/database.tf b/infra/terraform/database.tf
diff --git a/infra/terraform/hub.tf b/infra/terraform/hub.tf
diff --git a/infra/terraform/jumphost.tf b/infra/terraform/jumphost.tf
diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf
diff --git a/infra/terraform/outputs.tf b/infra/terraform/outputs.tf
diff --git a/pom.xml b/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`	`"VARIANT": "jammy"`
`7`	`7`	`}`
`8`	`8`	`},`
	`9`	`+ "postStartCommand": "./.devcontainer/scripts/onCreateCommand.sh",`
`9`	`10`	`"remoteUser": "vscode",`
`10`	`11`	`"containerEnv": {`
`11`	`12`	`"M2": "/home/vscode" // required because the java feature is not setting this correctly`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+set -x`
	`2`	`+`
	`3`	`+az extension add --name serviceconnector-passwordless --upgrade`