banyansecurity / terraform-aws-banyan-accesstier
Terraform module to create an Access Tier in AWS for Banyan Security customers
License: Apache License 2.0
Setting var.redirect_http_to_https doesn't add
It would be nice if this module had this since the CloudFormation template has this.
After PRs are merged, it would be nice to rerun terraform-docs latest 0.12 version to keep all inputs up to date.
Proposal
var.security_group_tags
var.autoscaling_group_tags
var.lb_tags
var.target_group_tags
Examples that use this system:
var.tags but also has var.vpc_tags, var.intra_subnet_tags, var.customer_gateway_tags, etc.
var.tags but also has var.atlantis_security_group_tags, var.alb_http_security_group_tags, var.alb_https_security_group_tags, etc.
When the refresh token is passed as a sensitive variable from Terraform Cloud, Terraform throws the following error (refer to the screenshot below).
```hcl
output "conf" {
  value       = aws_launch_configuration.conf
  description = "The aws_launch_configuration.conf resource"
}
```
The above block is causing the error. I checked the source.
```hcl
resource "aws_launch_configuration" "conf" {
  name_prefix   = "${var.name_prefix}-accesstier-conf-"
  image_id      = var.ami_id != "" ? var.ami_id : data.aws_ami.default_ami.id
  instance_type = var.instance_type
  key_name      = var.ssh_key_name
  .....
  .....
  .....
  user_data = join("", concat([
    "./install ${var.refresh_token} ${var.cluster_name} \n",
```
So when this aws_launch_configuration is trying to output the values, it seems to throw the error.
Banyan instances were flagged by the IMDSv2 check. Need to add configuration in the launch configuration to enable IMDSv2:
```hcl
metadata_options {
  http_endpoint               = "enabled"
  http_tokens                 = "required"
  http_put_response_hop_limit = 1
}
```
Currently, the AWS Security Group autogenerated by the Terraform module allows unrestricted egress traffic.
Unrestricted egress traffic represents a security risk to any organization, as it enables sending unwanted traffic out to the Internet. If a compromise of the Access Tier host occurs, attackers could exploit this misconfiguration in order to communicate with malicious external servers and exfiltrate information, among others. On top of that, unrestricted egress traffic goes against security best practices and compliance standards such as PCI DSS, HIPAA or NIST SP 800-53.
According to the Banyan Access Tier network configuration guide, required outbound traffic is limited to:
{ccname}.console.banyanops.com to obtain a one-time-key required for installation when using automated bootstrapping.
{orgname}.trust.banyanops.com in order to authenticate OIDC JWT tokens used for web access.
Considering the aforementioned, I'd like to request any module changes required to enable outbound traffic filtering.
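As an added example (not code from the module or from the issue authors), a small Python audit over `terraform show -json` plan output that flags the two conditions raised in the IMDSv2 and egress issues above: launch configurations or templates without `http_tokens = "required"`, and security groups with egress rules to any destination. The plan document and resource addresses below are constructed samples.

```python
import json

# Constructed sample of `terraform show -json plan.out` output (not a real plan):
# a launch configuration without IMDSv2 enforced and a security group that
# allows egress to any destination on any port.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"child_modules": [{
        "address": "module.accesstier",
        "resources": [
            {"address": "module.accesstier.aws_launch_configuration.conf",
             "type": "aws_launch_configuration",
             "values": {"name_prefix": "demo-accesstier-conf-", "metadata_options": []}},
            {"address": "module.accesstier.aws_security_group.sg",
             "type": "aws_security_group",
             "values": {"egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                    "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        ]}]}}
})

def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def imdsv2_enforced(values):
    """True only if metadata_options requires session tokens (IMDSv2)."""
    opts = values.get("metadata_options") or [{}]   # plan JSON renders blocks as lists
    return opts[0].get("http_tokens") == "required"

def unrestricted_egress_rules(values):
    """Return egress rules whose destination is any IPv4 or IPv6 address."""
    return [r for r in values.get("egress", [])
            if "0.0.0.0/0" in r.get("cidr_blocks", []) or "::/0" in r.get("ipv6_cidr_blocks", [])]

def audit_plan(plan_json):
    """Return one finding string per problem found; an empty list means clean."""
    findings = []
    for res in iter_resources(json.loads(plan_json)["planned_values"]["root_module"]):
        vals = res.get("values", {})
        if res["type"] in ("aws_launch_configuration", "aws_launch_template") and not imdsv2_enforced(vals):
            findings.append(f'{res["address"]}: IMDSv2 not enforced (set metadata_options http_tokens = "required")')
        if res["type"] == "aws_security_group":
            for rule in unrestricted_egress_rules(vals):
                findings.append(f'{res["address"]}: egress to any destination '
                                f'(protocol {rule.get("protocol")}, ports {rule.get("from_port")}-{rule.get("to_port")})')
    return findings

if __name__ == "__main__":
    print("\n".join(audit_plan(SAMPLE_PLAN)) or "no findings")
```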
Incorporate production tuning guidance from https://docs.banyanops.com/docs/banyan-components/netagent/tuning/.