aws-react-elasticsearch-terraform's People

Contributors

matthewcylau

aws-react-elasticsearch-terraform's Issues

Bunch of security issues

Cool project :)

Ran Cloudrail on the TF code (disclaimer: I'm from Indeni), quite a number of issues to resolve:

Rule: Ensure all used default security groups of every VPC restrict all traffic
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_nat_gateway.gw_1] (09-network.tf:182)
     Violating Resource: [sg-pseudo-88a77cd7-250b-474f-b27a-357f77993d74]  (Not found in TF)

     Evidence:
         VPC aws_vpc.demo
             | aws_nat_gateway.gw_1 uses ENI eni-pseudo-f615169d-ed45-4fe5-9d70-320c8aa510e8
             | The ENI is secured by default Security group sg-pseudo-88a77cd7-250b-474f-b27a-357f77993d74 and allows all traffic


-----------------------------------------------
Rule: Ensure Elasticsearch Domains being created are set to be encrypted at rest
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_elasticsearch_domain.es] (14-elasticsearch.tf:23)
     Violating Resource: [aws_elasticsearch_domain.es]  (14-elasticsearch.tf:23)

     Evidence:
         ElasticSearch Domain
             | ElasticSearch Domain aws_elasticsearch_domain.es
             | is not set to use encrypt at rest


-----------------------------------------------
Rule: Ensure Elasticsearch domains being created are set to be encrypted node-to-node
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_elasticsearch_domain.es] (14-elasticsearch.tf:23)
     Violating Resource: [aws_elasticsearch_domain.es]  (14-elasticsearch.tf:23)

     Evidence:
         ElasticSearch Domain
             | ElasticSearch Domain aws_elasticsearch_domain.es
             | is not set to use encrypt node-to-node


-----------------------------------------------
Rule: Ensure target groups are not using HTTP
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_lb_target_group.staging.arn] (Not found in TF)
     Violating Resource: [aws_lb_target_group.staging]  (10-loadbalancer.tf:24)

     Evidence:
         Load Balancer
             | The Load Balancer Target Group aws_lb_target_group.staging is set to use HTTP with its targets
             | This exposes traffic between the load balancer and its targets


-----------------------------------------------
Rule: Ensure ALB is using HTTPS and not HTTP
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_lb_listener.https_forward] (10-loadbalancer.tf:13)
     Violating Resource: [aws_lb_listener.https_forward]  (10-loadbalancer.tf:13)

     Evidence:
         Load Balancer Listener
             | aws_lb_listener.https_forward Load Balancer Listener is configured to use protocol HTTP on port: 80


-----------------------------------------------
Rule: Ensure VPC Endpoint for S3 is enabled in all VPCs
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_s3_bucket.node_app] (05-s3.tf:1)
     Violating Resource: [aws_vpc.vpc]  (09-network.tf:1)

     Evidence:
         The VPC
             | aws_vpc.vpc in region us-east-1 is in use but not leveraging S3 Endpoint Gateway


   - Exposed Resource: [aws_s3_bucket.upload] (05-s3.tf:7)
     Violating Resource: [aws_vpc.vpc]  (09-network.tf:1)

     Evidence:
         The VPC
             | aws_vpc.vpc in region us-east-1 is in use but not leveraging S3 Endpoint Gateway


-----------------------------------------------
Rule: Ensure S3 buckets are set to be encrypted at rest
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_s3_bucket.node_app] (05-s3.tf:1)
     Violating Resource: [aws_s3_bucket.node_app]  (05-s3.tf:1)

     Evidence:
             | The S3 Bucket aws_s3_bucket.node_app is not set to be encrypted at rest


   - Exposed Resource: [aws_s3_bucket.upload] (05-s3.tf:7)
     Violating Resource: [aws_s3_bucket.upload]  (05-s3.tf:7)

     Evidence:
             | The S3 Bucket aws_s3_bucket.upload is not set to be encrypted at rest


-----------------------------------------------
Rule: Ensure S3 buckets have versioning enabled
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_s3_bucket.node_app] (05-s3.tf:1)
     Violating Resource: [aws_s3_bucket.node_app]  (05-s3.tf:1)

     Evidence:
             | The S3 Bucket aws_s3_bucket.node_app does not have versioning enabled


   - Exposed Resource: [aws_s3_bucket.upload] (05-s3.tf:7)
     Violating Resource: [aws_s3_bucket.upload]  (05-s3.tf:7)

     Evidence:
             | The S3 Bucket aws_s3_bucket.upload does not have versioning enabled


-----------------------------------------------
Rule: Ensure Cloudwatch Log Groups being created are set to be encrypted at rest using KMS CMK
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_cloudwatch_log_group.app] (12-cloudwatchlogs.tf:1)
     Violating Resource: [aws_cloudwatch_log_group.app]  (12-cloudwatchlogs.tf:1)

     Evidence:
             | The CloudWatch Logs Group aws_cloudwatch_log_group.app is set to use encrypt at rest but it is not using CMKs


-----------------------------------------------
Rule: Ensure CodeBuild projects are set to be encrypted at rest with customer-managed CMK
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_codebuild_project.app] (06-codebuild.tf:1)
     Violating Resource: [aws_codebuild_project.app]  (06-codebuild.tf:1)

     Evidence:
             | The CodeBuild project aws_codebuild_project.app is not set to use encryption at rest with customer-managed CMK


-----------------------------------------------
Rule: Ensure use of ECR repository policy, and no action wildcards are being used
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_ecr_repository.app] (02-ecr.tf:1)
     Violating Resource: [aws_ecr_repository.app]  (02-ecr.tf:1)

     Evidence:
             | There is no resource policy or no statements attached to aws_ecr_repository.app


-----------------------------------------------
Rule: Ensure use of S3 bucket policy, and no action wildcards are being used
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_s3_bucket.node_app] (05-s3.tf:1)
     Violating Resource: [aws_s3_bucket.node_app]  (05-s3.tf:1)

     Evidence:
             | There is no resource policy or no statements attached to aws_s3_bucket.node_app


   - Exposed Resource: [aws_s3_bucket.upload] (05-s3.tf:7)
     Violating Resource: [aws_s3_bucket.upload]  (05-s3.tf:7)

     Evidence:
             | There is no resource policy or no statements attached to aws_s3_bucket.upload


-----------------------------------------------
Rule: Ensure use of API Gateway endpoint policy, and no action wildcards are being used
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_api_gateway_rest_api.app] (15-api-gateway.tf:1)
     Violating Resource: [aws_api_gateway_rest_api.app]  (15-api-gateway.tf:1)

     Evidence:
             | There is no resource policy or no statements attached to aws_api_gateway_rest_api.app


-----------------------------------------------
Rule: Ensure use of Elasticsearch Service domain policy, and no action wildcards are being used
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_elasticsearch_domain.es] (14-elasticsearch.tf:23)
     Violating Resource: [stag-elk-domain policy]  (Not found in TF)

     Evidence:
             | The policy attached to the ElasticSearch Domain aws_elasticsearch_domain.es is using wildcard action es:*, and principal AWS: *, without any condition


-----------------------------------------------
Rule: Enforce use of HTTPS in S3 bucket policy
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_s3_bucket.node_app] (05-s3.tf:1)
     Violating Resource: [aws_s3_bucket.node_app]  (05-s3.tf:1)

     Evidence:
             | The S3 Bucket aws_s3_bucket.node_app does not have a policy with the aws:SecureTransport condition


   - Exposed Resource: [aws_s3_bucket.upload] (05-s3.tf:7)
     Violating Resource: [aws_s3_bucket.upload]  (05-s3.tf:7)

     Evidence:
             | The S3 Bucket aws_s3_bucket.upload does not have a policy with the aws:SecureTransport condition


-----------------------------------------------
Rule: Ensure CloudWatch log groups have a retention policy
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_cloudwatch_log_group.app] (12-cloudwatchlogs.tf:1)
     Violating Resource: [aws_cloudwatch_log_group.app]  (12-cloudwatchlogs.tf:1)

     Evidence:
             | The CloudWatch Logs Group aws_cloudwatch_log_group.app does not have a retention policy set


-----------------------------------------------
Rule: Ensure use of Lambda function policy, and no action wildcards are being used
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_lambda_function.process_s3_upload] (13-lambda.tf:63)
     Violating Resource: [aws_lambda_function.process_s3_upload]  (13-lambda.tf:63)

     Evidence:
             | There is no resource policy or no statements attached to aws_lambda_function.process_s3_upload


-----------------------------------------------
Rule: Ensure all security groups and rules have a description detailing the rule
 - 3 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_security_group.ecs_tasks] (09-network.tf:65)
     Violating Resource: [aws_security_group.ecs_tasks]  (09-network.tf:65)

     Evidence:
             | The Security group aws_security_group.ecs_tasks does not have a description for the ingress rule of 0.0.0.0/0 for ports 3001:3001 using protocol tcp


   - Exposed Resource: [aws_security_group.es] (14-elasticsearch.tf:1)
     Violating Resource: [aws_security_group.es]  (14-elasticsearch.tf:1)

     Evidence:
             | The Security group aws_security_group.es does not have a description for the ingress rule of 10.0.0.0/16 for ports 0:65535 using protocol -1


   - Exposed Resource: [aws_security_group.lb] (09-network.tf:45)
     Violating Resource: [aws_security_group.lb]  (09-network.tf:45)

     Evidence:
             | The Security group aws_security_group.lb does not have a description for the ingress rule of 0.0.0.0/0 for ports 80:80 using protocol tcp


-----------------------------------------------
Rule: Ensure each Lambda function has a non-infinite log retention
 - 2 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_lambda_function.process_s3_upload] (13-lambda.tf:63)
     Violating Resource: [aws_lambda_function.process_s3_upload]  (13-lambda.tf:63)

     Evidence:
             | Upon creation, Lambda Function aws_lambda_function.process_s3_upload will have a log group generated automatically with its retention set to Never Expire


   - Exposed Resource: [aws_lambda_function.process_es] (13-lambda.tf:1)
     Violating Resource: [aws_lambda_function.process_es]  (13-lambda.tf:1)

     Evidence:
             | Upon creation, Lambda Function aws_lambda_function.process_es will have a log group generated automatically with its retention set to Never Expire

-----------------------------------------------
Rule: Ensure IAM policies pass Access Analyzer policy validation without WARNING and SUGGESTION issues
 - 4 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_iam_role.process_s3_upload] (13-lambda.tf:117)
     Violating Resource: [aws_iam_role.process_s3_upload]  (13-lambda.tf:117)

     Evidence:
         Line 10, Col 13:
             | Add a value to the empty string in the Sid element
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value


   - Exposed Resource: [aws_iam_role.process_es] (13-lambda.tf:35)
     Violating Resource: [aws_iam_role.process_es]  (13-lambda.tf:35)

     Evidence:
         Line 10, Col 13:
             | Add a value to the empty string in the Sid element
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value


   - Exposed Resource: [aws_iam_role.ecs_task_execution_role] (11-task-role.tf:15)
     Violating Resource: [aws_iam_role.ecs_task_execution_role]  (11-task-role.tf:15)

     Evidence:
         Line 5, Col 13:
             | Add a value to the empty string in the Sid element
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value


   - Exposed Resource: [aws_iam_role.apig] (16-api-gateway-role.tf:1)
     Violating Resource: [aws_iam_role.apig]  (16-api-gateway-role.tf:1)

     Evidence:
         Line 10, Col 13:
             | Add a value to the empty string in the Sid element
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value


-----------------------------------------------
Rule: Ensure IAM policies pass Access Analyzer policy validation without SECURITY and ERROR issues
 - 3 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_iam_role_policy.process_s3_lambda] (13-lambda.tf:136)
     Violating Resource: [aws_iam_role_policy.process_s3_lambda]  (13-lambda.tf:136)

     Evidence:
         Line 1, Col 0:
             | Fix the JSON syntax error at index 0 line 1 column 0
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-json-syntax-error


   - Exposed Resource: [aws_iam_role_policy.codepipeline_policy] (04-codepipeline-role.tf:21)
     Violating Resource: [aws_iam_role_policy.codepipeline_policy]  (04-codepipeline-role.tf:21)

     Evidence:
         Line 13, Col 8:
             | Resource ARNs must include at least 6 fields and include the following structure: arn:partition:service:region:account:resource
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-field
         Line 14, Col 8:
             | Resource ARNs must include at least 6 fields and include the following structure: arn:partition:service:region:account:resource
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-field
         Line 24, Col 8:
             | Resource ARNs must include at least 6 fields and include the following structure: arn:partition:service:region:account:resource
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-field
         Line 29, Col 16:
             | Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources
             | We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource


   - Exposed Resource: [aws_iam_role_policy.codebuild_policy] (07-codebuild-role.tf:20)
     Violating Resource: [aws_iam_role_policy.codebuild_policy]  (07-codebuild-role.tf:20)

     Evidence:
         Line 40, Col 14:
             | Resource ARNs must include at least 6 fields and include the following structure: arn:partition:service:region:account:resource
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-field


-----------------------------------------------
Rule: Ensure Elasticsearch Domain enforces HTTPS
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_elasticsearch_domain.es] (14-elasticsearch.tf:23)
     Violating Resource: [aws_elasticsearch_domain.es]  (14-elasticsearch.tf:23)

     Evidence:
             | This rule evaluated aws_elasticsearch_domain.es's configuration

Happy to open a PR and resolve these if you'd like.

Create Lambda function which indexes todo's data

  • Create Lambda function; add function inside of ES VPC
  • Add S3 upload event trigger to Lambda function; listens to upload of .csv files to data folder

Reference documentation:
