
ALB deletion protection (#542)
## Prevent ALB Deletion for security compliance and account for temporary test load balancers
Co-authored-by: Loren Yu <loren@navapbc.com>
SammySteiner authored Jan 18, 2024
1 parent 7f43aaa commit a03da3b
Showing 4 changed files with 14 additions and 5 deletions.
4 changes: 4 additions & 0 deletions infra/app/service/main.tf
Expand Up @@ -35,6 +35,8 @@ locals {

service_name = "${local.prefix}${module.app_config.app_name}-${var.environment_name}"

is_temporary = startswith(terraform.workspace, "t-")

# Include project name in bucket name since buckets need to be globally unique across AWS
bucket_name = "${local.prefix}${module.project_config.project_name}-${module.app_config.app_name}-${var.environment_name}"

Expand Down Expand Up @@ -123,6 +125,8 @@ module "service" {

aws_services_security_group_id = data.aws_security_groups.aws_services.ids[0]

is_temporary = local.is_temporary

db_vars = module.app_config.has_database ? {
security_group_ids = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids
app_access_policy_arn = data.aws_iam_policy.app_db_access_policy[0].arn
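Review bot: The control introduced by the second hunk rests entirely on the naming convention in the first: on the `is_temporary` line any workspace whose name begins with `t-` is deployed without ALB deletion protection, so the prefix is in effect an opt-out of the compliance setting and nothing in this file says so. A comment on that line would make the contract visible to whoever creates workspaces, e.g. `# Workspaces prefixed "t-" are treated as temporary (automated infra tests) and get an ALB without deletion protection; do not use the prefix for long-lived environments.` With no workspace selected `terraform.workspace` is `default`, so the ordinary path stays protected. Both the `locals` block and the `module "service"` block continue outside the hunks shown.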
7 changes: 3 additions & 4 deletions infra/modules/service/load-balancer.tf
Expand Up @@ -11,13 +11,12 @@ resource "aws_lb" "alb" {
security_groups = [aws_security_group.alb.id]
subnets = var.public_subnet_ids

# checkov:skip=CKV_AWS_150:Allow deletion for automated tests
enable_deletion_protection = !var.is_temporary

# TODO(https://github.com/navapbc/template-infra/issues/163) Implement HTTPS
# checkov:skip=CKV2_AWS_20:Redirect HTTP to HTTPS as part of implementing HTTPS support

# TODO(https://github.com/navapbc/template-infra/issues/161) Prevent deletion protection
# checkov:skip=CKV_AWS_150:Allow deletion until we can automate deletion for automated tests
# enable_deletion_protection = true

# TODO(https://github.com/navapbc/template-infra/issues/165) Protect ALB with WAF
# checkov:skip=CKV2_AWS_28:Implement WAF in issue #165

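Review bot: The new `checkov:skip=CKV_AWS_150` line keeps a blanket suppression although deletion protection is now enabled for every non-temporary environment, and its reason text (`Allow deletion for automated tests`) no longer describes the actual state, so a reader of the scanner report cannot tell that the control is conditional rather than absent. Suggest rewording the reason to state the condition, e.g. `# checkov:skip=CKV_AWS_150:Deletion protection is enabled except in temporary (t-* workspace) test deployments; the static check cannot evaluate !var.is_temporary`. Whether the scanner can resolve the negated variable is inferred here, not visible on the page. The `aws_lb` resource block continues past the end of the hunk.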
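--- a/infra/modules/service/variables.tf
+++ b/infra/modules/service/variables.tf
@@ -89,3 +89,8 @@ variable "extra_policies" {
 type = map(string)
 default = {}
 }
+
+variable "is_temporary" {
+description = "Whether the service is meant to be spun up temporarily (e.g. for automated infra tests). This is used to disable deletion protection for the load balancer."
+type = bool
+}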
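--- a/template-only-bin/destroy-app-service.sh
+++ b/template-only-bin/destroy-app-service.sh
@@ -7,11 +7,12 @@ BACKEND_CONFIG_FILE="dev.s3.tfbackend"
 
 sed -i.bak 's/force_destroy = false/force_destroy = true/g' infra/modules/service/access-logs.tf
 sed -i.bak 's/force_destroy = false/force_destroy = true/g' infra/modules/storage/main.tf
+sed -i.bak 's/enable_deletion_protection = !var.is_temporary/enable_deletion_protection = false/g' infra/modules/service/load-balancer.tf
 
 cd infra/app/service
 
 terraform init -reconfigure -backend-config=$BACKEND_CONFIG_FILE
 
-terraform apply -auto-approve -target="module.service.aws_s3_bucket.access_logs" -var="environment_name=dev"
+terraform apply -auto-approve -target="module.service.aws_s3_bucket.access_logs" -target="module.service.aws_lb.alb" -var="environment_name=dev"
 
 terraform destroy -auto-approve -var="environment_name=dev"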
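Review bot: The new `sed` on `load-balancer.tf` is a silent no-op if the line it matches ever changes (for example `terraform fmt` realigning the `=` against neighbouring attributes, or a rename of `var.is_temporary`), and the later `terraform destroy` would then fail against a still-protected ALB with no hint as to why; the two existing `force_destroy` substitutions share the same fragility. A post-check makes that failure explicit: `grep -q 'enable_deletion_protection = false' infra/modules/service/load-balancer.tf || { echo 'deletion-protection rewrite did not apply' >&2; exit 1; }`. Whether the script runs under `set -e` cannot be seen from this hunk, which begins after the script header. The targeted apply that now includes `module.service.aws_lb.alb` is what actually turns protection off in AWS before the destroy, so its position ahead of the destroy is essential and correct as written.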
