Merge pull request #62 from maiconrocha/main

tbulding · web-flow · commit d86fa97124ac · 2023-10-19T10:21:34.000-05:00
Update Module
diff --git a/README.md b/README.md
@@ -133,12 +133,10 @@ No modules.
 | <a name="input_ami_regions_kms_key"></a> [ami\_regions\_kms\_key](#input\_ami\_regions\_kms\_key) | (Optional) A list of AWS Regions to share the AMI with and also target KMS Key in each region | `map(string)` | `{}` | no |
 | <a name="input_attach_custom_policy"></a> [attach\_custom\_policy](#input\_attach\_custom\_policy) | (Required) Attach custom policy to the EC2 Instance Profile, if true, ARN of the custom policy needs to be specified on the variable custom\_policy\_arn | `bool` | `false` | no |
 | <a name="input_build_component_arn"></a> [build\_component\_arn](#input\_build\_component\_arn) | (Required) List of ARNs for the Build EC2 Image Builder Build Components | `list(string)` | `[]` | no |
-| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | (Optional) Create security group for EC2 Image Builder instances | `bool` | `true` | no |
+| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | (Optional) Create security group for EC2 Image Builder instances. Please note this security group will be created with default egress rule to 0.0.0.0/0 CIDR Block. In case you want to have a more restrict set of rules, please provide your own security group id on security\_group\_ids variable | `bool` | `true` | no |
 | <a name="input_custom_policy_arn"></a> [custom\_policy\_arn](#input\_custom\_policy\_arn) | (Optional) ARN of the custom policy to be attached to the EC2 Instance Profile | `string` | `null` | no |
 | <a name="input_imagebuilder_image_recipe_kms_key_arn"></a> [imagebuilder\_image\_recipe\_kms\_key\_arn](#input\_imagebuilder\_image\_recipe\_kms\_key\_arn) | (Required) KMS Key ARN(CMK) for encrypting Imagebuilder Image Recipe Block Device Mapping | `string` | `null` | no |
 | <a name="input_instance_key_pair"></a> [instance\_key\_pair](#input\_instance\_key\_pair) | (Optional) EC2 key pair to add to the default user on the builder(In case existent EC2 Key Pair is provided) | `string` | `null` | no |
-| <a name="input_instance_metadata_http_put_hop_limit"></a> [instance\_metadata\_http\_put\_hop\_limit](#input\_instance\_metadata\_http\_put\_hop\_limit) | The number of hops that an instance can traverse to reach its metadata. | `number` | `null` | no |
-| <a name="input_instance_metadata_http_tokens"></a> [instance\_metadata\_http\_tokens](#input\_instance\_metadata\_http\_tokens) | (Optional) Whether a signed token is required for instance metadata retrieval requests. Valid values: required, optional. | `string` | `"optional"` | no |
 | <a name="input_instance_types"></a> [instance\_types](#input\_instance\_types) | (Optional) Instance type for the EC2 Image Builder Instances. <br>Will be set by default to c5.large. Please check the AWS Pricing for more information about the instance types. | `list(string)` | <pre>[<br>  "c5.large"<br>]</pre> | no |
 | <a name="input_managed_components"></a> [managed\_components](#input\_managed\_components) | (Optional) Specify the name and version of the AWS managed components that are going to be part of the image recipe | <pre>list(object({<br>    name    = string,<br>    version = string<br>  }))</pre> | `[]` | no |
 | <a name="input_recipe_version"></a> [recipe\_version](#input\_recipe\_version) | (Required) The semantic version of the image recipe. This version follows the semantic version syntax. e.g.: 0.0.1 | `string` | `"0.0.1"` | no |
diff --git a/examples/.DS_Store b/examples/.DS_Store
diff --git a/examples/windows/.DS_Store b/examples/windows/.DS_Store
diff --git a/examples/windows/main.tf b/examples/windows/main.tf
@@ -26,27 +26,27 @@ locals {
 
 module "ec2-image-builder" {
   #  source                = "aws-ia/ec2-image-builder/aws"
-  source                = "../.."
-  name                  = local.name
-  aws_region            = local.aws_region
-  vpc_id                = module.vpc.vpc_id
-  subnet_id             = module.vpc.private_subnets[0]
-  source_cidr           = [local.vpc_cidr] #["<ENTER your IP here to access EC2 Image Builder Instances through RDP or SSH>]"
-  create_security_group = true
-  instance_types        = ["c5.large"]
-  instance_key_pair     = aws_key_pair.imagebuilder.key_name
-  source_ami_name       = "Windows_Server-2022-English-Core-Base-*"
-  ami_name              = "Windows 2022 core AMI"
-  ami_description       = "Windows 2022 core AMI provided by AWS"
-  recipe_version        = "0.0.1"
-  build_component_arn   = [aws_imagebuilder_component.win2022build.arn]
-  test_component_arn    = [aws_imagebuilder_component.win2022test.arn]
-  s3_bucket_name        = aws_s3_bucket.ec2_image_builder_components.id
-  attach_custom_policy  = true
-  custom_policy_arn     = aws_iam_policy.policy.arn
-  platform              = "Windows"
-  imagebuilder_image_recipe_kms_key_arn = aws_kms_key.imagebuilder_image_recipe_kms_key.arn 
-  tags                  = local.tags
+  source                                = "../.."
+  name                                  = local.name
+  aws_region                            = local.aws_region
+  vpc_id                                = module.vpc.vpc_id
+  subnet_id                             = module.vpc.private_subnets[0]
+  source_cidr                           = [local.vpc_cidr] #["<ENTER your IP here to access EC2 Image Builder Instances through RDP or SSH>]"
+  create_security_group                 = true
+  instance_types                        = ["c5.large"]
+  instance_key_pair                     = aws_key_pair.imagebuilder.key_name
+  source_ami_name                       = "Windows_Server-2022-English-Core-Base-*"
+  ami_name                              = "Windows 2022 core AMI"
+  ami_description                       = "Windows 2022 core AMI provided by AWS"
+  recipe_version                        = "0.0.1"
+  build_component_arn                   = [aws_imagebuilder_component.win2022build.arn]
+  test_component_arn                    = [aws_imagebuilder_component.win2022test.arn]
+  s3_bucket_name                        = aws_s3_bucket.ec2_image_builder_components.id
+  attach_custom_policy                  = true
+  custom_policy_arn                     = aws_iam_policy.policy.arn
+  platform                              = "Windows"
+  imagebuilder_image_recipe_kms_key_arn = aws_kms_key.imagebuilder_image_recipe_kms_key.arn
+  tags                                  = local.tags
 
   managed_components = [{
     name    = "powershell-windows",
@@ -196,7 +196,19 @@ resource "aws_s3_bucket_policy" "bucket_policy" {
         "${aws_s3_bucket.ec2_image_builder_components.arn}",
         "${aws_s3_bucket.ec2_image_builder_components.arn}/*"
       ]
-    }
+    },
+    {
+  "Sid": "Deny non-HTTPS access",
+  "Effect": "Deny",
+  "Principal": "*",
+  "Action": [ "s3:*" ],
+  "Resource": "${aws_s3_bucket.ec2_image_builder_components.arn}/*",
+  "Condition": {
+    "Bool": {
+      "aws:SecureTransport": "false"
+            }
+      }
+  }
   ]
 }
 EOF
diff --git a/main.tf b/main.tf
@@ -143,21 +143,6 @@ data "aws_iam_policy_document" "aws_policy" {
     resources = ["arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"]
   }
 
-  statement {
-    effect = "Allow"
-    #checkov:skip=CKV_AWS_111:The policy must allow *
-    #checkov:skip=CKV_AWS_290:The policy must allow *
-    #checkov:skip=CKV_AWS_355:The policy must allow *
-    actions = [
-      "ec2messages:GetMessages",
-      "ec2:MetadataHttpEndpoint",
-      "ec2:MetadataHttpPutResponseHopLimit",
-      "ec2:MetadataHttpTokens",
-      "ssm:SendCommand"
-    ]
-    resources = ["*"]
-  }
-
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -175,8 +160,8 @@ resource "aws_imagebuilder_infrastructure_configuration" "imagebuilder_infrastru
   subnet_id          = var.subnet_id
 
   instance_metadata_options {
-    http_tokens                 = var.instance_metadata_http_tokens
-    http_put_response_hop_limit = var.instance_metadata_http_put_hop_limit
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 2
   }
 
   terminate_instance_on_failure = var.terminate_on_failure
diff --git a/variables.tf b/variables.tf
@@ -154,26 +154,14 @@ variable "imagebuilder_image_recipe_kms_key_arn" {
   type        = string
 }
 
-variable "instance_metadata_http_put_hop_limit" {
-  default     = null
-  description = "The number of hops that an instance can traverse to reach its metadata."
-  type        = number
-}
-
-variable "instance_metadata_http_tokens" {
-  default     = "optional"
-  description = "(Optional) Whether a signed token is required for instance metadata retrieval requests. Valid values: required, optional."
-  type        = string
-}
-
 variable "terminate_on_failure" {
   default     = true
   description = "(Optional) Change to false if you want to connect to a builder for debugging after failure"
   type        = bool
 }
 
 variable "create_security_group" {
-  description = "(Optional) Create security group for EC2 Image Builder instances"
+  description = "(Optional) Create security group for EC2 Image Builder instances. Please note this security group will be created with default egress rule to 0.0.0.0/0 CIDR Block. In case you want to have a more restrict set of rules, please provide your own security group id on security_group_ids variable"
   type        = bool
   default     = true
 }
