Support existing VPCs #24

Merged
merged 27 commits into from
Jul 23, 2024
6d4c26f
feat: Add support for using an existing VPC in basic deployments
rlee-aviatrix Jun 20, 2024
38889fc
fix: Increase CoPilot volume size
rlee-aviatrix Jul 15, 2024
9c3f302
feat: Allow specifying CloudFormation stack name
rlee-aviatrix Jul 15, 2024
96d1087
ci: skip CKV2_GHA_1
avx-rodmans Jul 16, 2024
e94f566
ci: CKV_AWS_124 [AVXIT-7526]
avx-rodmans Jul 16, 2024
b988a59
ci: CKV_AWS_79 [AVXIT-7528]
avx-rodmans Jul 16, 2024
214c98f
ci: CKV_AWS_88 [AVXIT-7529]
avx-rodmans Jul 16, 2024
a38acf3
ci: CKV_AWS_79 [AVXIT-7530]
avx-rodmans Jul 16, 2024
45a5398
ci: skip CKV_AWS_88 [AVXIT-7529]
avx-rodmans Jul 16, 2024
5de1a34
ci: skip CKV_AWS_2 [AVXIT-7532]
avx-rodmans Jul 16, 2024
d871a02
fix: CKV_AWS_23 - Missing sg desc
avx-rodmans Jul 16, 2024
076e13f
ci: checkov checks
avx-rodmans Jul 19, 2024
636b22b
ci: add skips
avx-rodmans Jul 19, 2024
7f6d1ab
fix: add rule
avx-rodmans Jul 19, 2024
c28ace1
ci: checkov checks
avx-rodmans Jul 19, 2024
143ee93
ci: checkov skips
avx-rodmans Jul 19, 2024
07ede60
ci: checkov config
avx-rodmans Jul 19, 2024
02a70e0
ci: skips
avx-rodmans Jul 19, 2024
c6f4474
ci: skip checks
avx-rodmans Jul 19, 2024
fb44b00
ci: skips
avx-rodmans Jul 19, 2024
6de6405
ci: skips
avx-rodmans Jul 19, 2024
781cd8a
ci: checks
avx-rodmans Jul 19, 2024
c09d957
ci: checkov skip-path
avx-rodmans Jul 19, 2024
d47bd3f
ci: checkov
avx-rodmans Jul 19, 2024
8bdba58
ci: config file
avx-rodmans Jul 19, 2024
ccfb0e8
ci: checkov
avx-rodmans Jul 19, 2024
3dc2030
ci: skip
avx-rodmans Jul 19, 2024
7 changes: 7 additions & 0 deletions .checkov.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
quiet: true
skip-framework:
- github_actions
- dockerfile
skip-path:
- region-build/modules/terraform-aws-eventbridge
- region-build/modules/terraform-aws-ecs
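Review bot: `skip-framework` with `github_actions` and `dockerfile` turns off every check for workflow files and Dockerfiles, while the commit history (ci: skip CKV2_GHA_1) shows the intent was a single finding; a `skip-check:` entry listing `CKV2_GHA_1` keeps the rest of the coverage. The two `skip-path` entries also mean the vendored eventbridge and ecs modules are never scanned, which makes the in-file skip added later in region-build/modules/terraform-aws-eventbridge/iam.tf dead; pick one mechanism.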
5 changes: 3 additions & 2 deletions .github/workflows/checkov.yml
Expand Up @@ -6,6 +6,7 @@ on:
pull_request:
branches:
- main
- dev
paths:
- "**.tf"

Expand Down Expand Up @@ -35,8 +36,8 @@ jobs:
- name: Checkov GitHub Action
uses: bridgecrewio/[email protected]
with:
# This will add both a CLI output to the console and create a results.sarif file
quiet: true
directory: .
config_file: .checkov.yml

# - name: Upload SARIF file
# uses: github/codeql-action/upload-sarif@v2
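Review bot: the comment above `directory: .` still says the step creates a results.sarif file, but the upload-sarif step below stays commented out, so findings only ever appear in the job log and never in the repository's code-scanning view; either re-enable the upload or correct the comment so the next reader does not assume SARIF results are being kept.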
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -196,6 +196,7 @@ To deploy Aviatrix Platform HA with an existing Controller, perform the followin
| avx_password | | The Aviatrix Controller admin password. WARNING: The password will be viewable in the container's environment variables. It is recommended to store the password in an SSM parameter and to not use `avx_password` for production deployments. |
| avx_password_ssm_path | /aviatrix/controller/password | The path to the Aviatrix password. Only applicable if `avx_password` is not specified. |
| avx_password_ssm_region | us-east-1 | The region the password parameter is in. Only applicable if `avx_password` is not specified. |
| cft_stack_name | aviatrix-controlplane | The name of the CloudFormation stack. Only applies when `ha_distribution` is "basic". |
| configure_waf | false | Whether AWS WAF is enabled for the Controller access. |
| controller_ami_id | "" | The Aviatrix Controller AMI ID |
| controller_ha_enabled | true | Whether HA is enabled for the Controller. Set to `false` to temporarily disable HA |
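Review bot: the new `cft_stack_name` row should warn that changing the value after the first apply replaces the CloudFormation stack (the `name` argument of `aws_cloudformation_stack` forces a new resource), which in a basic deployment destroys and recreates the Controller and CoPilot; it should also state that the name has to be unique within the account and region.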
Expand All @@ -212,7 +213,7 @@ To deploy Aviatrix Platform HA with an existing Controller, perform the followin
| copilot_incoming_syslog_cidr | CoPilot Syslog (UDP port 5000) access | CoPilot allowed CIDRs for Syslog acccess |
| copilot_instance_type | t3.2xlarge | CoPilot instance size |
| copilot_name | | Name of CoPilot |
| copilot_root_volume_size | 25GB | Root volume disk size for CoPilot |
| copilot_root_volume_size | 30GB | Root volume disk size for CoPilot |
| copilot_root_volume_type | gp3 | Root volume type for CoPilot |
| copilot_type | Copilot | Type of billing, can be 'Copilot' or 'CopilotARM' |
| copilot_username | | CoPilot account username. See Prerequisites above for more information |
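Review bot: the documented default for `copilot_root_volume_size` moves from 25GB to 30GB, but no variables.tf change is in this diff; confirm the variable default was changed in the fix: Increase CoPilot volume size commit, otherwise the table and the module disagree. While editing this table, `acccess` in the copilot_incoming_syslog_cidr row is a typo.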
1 change: 1 addition & 0 deletions aviatrix-controller-iam-roles/main.tf
Expand Up @@ -41,6 +41,7 @@ resource "aws_iam_role" "aviatrix-role-app" {
}

data "aws_iam_policy_document" "aviatrix-assume-role-policy" {
#checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions - AVXIT-7597
statement {
actions = [
"sts:AssumeRole",
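Review bot: the CKV_AWS_356 skip on `aviatrix-assume-role-policy` looks like a false positive rather than an accepted risk (a trust policy for sts:AssumeRole has no Resource element to restrict), so the comment should say that instead of only citing AVXIT-7597. The same ticket number is reused for the unrelated CKV2_AWS_19 skip on `copilot_data_nodes_eips` in region-build/copilot.tf, so one of the two references is wrong.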
13 changes: 13 additions & 0 deletions cloudformation/aws_ha.yaml
Expand Up @@ -791,10 +791,18 @@ Resources:
Type: String
Value: "DR Loadbalancer DNS name - currently NA"
S3StateAndSoftware:
#checkov:skip=CKV_AWS_56: Ensure S3 bucket has RestrictPublicBuckets enabled - AVXIT-7589
#checkov:skip=CKV_AWS_55: Ensure S3 bucket has ignore public ACLs enabled - AVXIT-7590
#checkov:skip=CKV_AWS_21: Ensure the S3 bucket has versioning enabled - AVXIT-7591
#checkov:skip=CKV_AWS_54: Ensure S3 bucket has block public policy enabled - AVXIT-7592
#checkov:skip=CKV_AWS_53: Ensure S3 bucket has block public ACLs enabled - AVXIT-7593
#checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled - AVXIT-7594
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-avx-platform-ha-tfs'
Adminrole:
#checkov:skip=CKV_AWS_62: Ensure no IAM policies that allow full "*-*" administrative privileges are not created - AVXIT-7587
#checkov:skip=CKV_AWS_63: Ensure no IAM policies documents allow "*" as a statement's actions - AVXIT-7588
Type: AWS::IAM::Role
Properties:
RoleName: !Sub '${AWS::StackName}-${AWS::Region}-AvxPlatformHA-codebuild'
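Review bot: the four S3StateAndSoftware public-access skips (CKV_AWS_53, 54, 55, 56) are one `PublicAccessBlockConfiguration` property with all four flags set to true, and versioning (CKV_AWS_21) is the standard protection against a corrupted or deleted state file for a bucket whose name ends in `-avx-platform-ha-tfs`; both are free to fix, so only the access-logging skip (CKV_AWS_18) should survive, with a reason. The Adminrole skips for CKV_AWS_62 and CKV_AWS_63 waive the checks on a `*`-actions policy attached to the CodeBuild role, the most privileged principal in this template; the comment should record why the build needs unrestricted actions, or the policy should be narrowed to what the Terraform run actually creates.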
Expand Down Expand Up @@ -892,6 +900,11 @@ Resources:
CoPilotExistingIp: !Ref CoPilotExistingIp
CoPilotExistingDrIp: !Ref CoPilotExistingDrIp
AviatrixPlatformInitTriggerPoint:
#checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit - AVXIT-7582
#checkov:skip=CKV_AWS_363: Ensure Lambda Runtime is not deprecated - AVXIT-7583
#checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable - AVXIT-7584
#checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) - AVXIT-7585
#checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC - AVXIT-7586
Type: 'AWS::Lambda::Function'
Properties:
Description: Aviatrix Platform HA - Trigger the Codebuild project with the user parameters from CFN
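Review bot: CKV_AWS_363 (deprecated Lambda runtime) on AviatrixPlatformInitTriggerPoint is an operational defect, not a compliance nicety: once a runtime reaches end of support, code and configuration updates to the function are blocked and it stops receiving patches, so the runtime should be bumped rather than skipped. The other four skips are reasonable for a one-shot trigger function, but because it receives the stack parameters (AdminPassword is one of them in main.tf), confirm no secret value is copied into its environment variables before waiving CKV_AWS_173.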
20 changes: 14 additions & 6 deletions main.tf
Expand Up @@ -417,6 +417,11 @@ resource "aws_iam_role_policy_attachment" "ecs-task-execution-attach-policy" {
}

resource "aws_s3_bucket" "backup" {
#checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled - AVXIT-7605
#checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled - AVXIT-7607
#checkov:skip=CKV_AWS_21: Ensure all data stored in the S3 bucket have versioning enabled - AVXIT-7609
#checkov:skip=CKV_AWS_145: Ensure that S3 buckets are encrypted with KMS by default - AVXIT-7610
#checkov:skip=CKV2_AWS_6: Ensure that S3 bucket has a Public Access block - AVXIT-7611
provider = aws.s3_region
count = var.ha_distribution == "basic" ? 0 : var.use_existing_s3 ? 0 : 1
bucket_prefix = var.s3_backup_bucket
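Review bot: `aws_s3_bucket.backup` stores Controller backups, so CKV2_AWS_6 should be met with an `aws_s3_bucket_public_access_block` resource (same `provider` and `count`) rather than skipped, and versioning (CKV_AWS_21) is what protects those backups from being overwritten by a bad one. The ticket AVXIT-7611 cited for CKV2_AWS_6 here is also cited for the unrelated CKV_AWS_224 ECS skip in region-build/main.tf; one of the two is wrong.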
@@ -514,18 +519,19 @@ resource "aws_route53_record" "avx_primary" {
# Basic deployment

resource "aws_cloudformation_stack" "cft" {
# checkov:skip=CKV_AWS_124: Ensure that CloudFormation stacks are sending event notifications to an SNS topic - AVXIT-7528
count = var.ha_distribution == "basic" ? 1 : 0

name = "aviatrix-controlplane"
template_url = "https://s3.us-east-1.amazonaws.com/avx-cloudformation-templates/avx_controlplane_prod.template"
name = var.cft_stack_name
template_url = var.use_existing_vpc ? "https://s3.us-east-1.amazonaws.com/avx-cloudformation-templates/avx_controlplane_existing_vpc_prod.template" : "https://s3.us-east-1.amazonaws.com/avx-cloudformation-templates/avx_controlplane_prod.template"

parameters = {
AdminEmail = var.admin_email
AllowedHttpsIngressIpParam = var.incoming_ssl_cidr[0]
CustomerId = var.avx_customer_id
VpcCidr = var.vpc_cidr
SubnetCidr = cidrsubnet(var.vpc_cidr, 24 - tonumber(split("/", var.vpc_cidr)[1]), 0)
SubnetAZ = "${var.region}a"
VpcCidr = var.use_existing_vpc ? null : var.vpc_cidr
SubnetCidr = var.use_existing_vpc ? null : cidrsubnet(var.vpc_cidr, 24 - tonumber(split("/", var.vpc_cidr)[1]), 0)
SubnetAZ = var.use_existing_vpc ? null : "${var.region}a"
AdminPassword = var.avx_password
AdminPasswordConfirm = var.avx_password
HTTPProxy = ""
Expand All @@ -534,6 +540,8 @@ resource "aws_cloudformation_stack" "cft" {
DataVolSize = var.copilot_default_data_volume_size < 100 ? 100 : var.copilot_default_data_volume_size
ControllerInstanceTypeParam = var.instance_type
CoPilotInstanceTypeParam = var.copilot_instance_type
VpcParam = var.use_existing_vpc ? var.vpc : null
SubnetParam = var.use_existing_vpc ? var.subnet_ids[0] : null
}

capabilities = ["CAPABILITY_IAM"]
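Review bot: the existing-VPC path depends on `null` entries in `parameters` being dropped before the CreateStack call; CloudFormation rejects a parameter the template does not declare, so if VpcParam/SubnetParam reach avx_controlplane_prod.template (or VpcCidr/SubnetCidr/SubnetAZ reach the existing-VPC template) as empty strings, stack creation fails. Please confirm with a plan and apply in both modes, or avoid the question by building the map without nulls, e.g. `parameters = merge(local.cft_common_parameters, var.use_existing_vpc ? { VpcParam = var.vpc, SubnetParam = var.subnet_ids[0] } : { VpcCidr = var.vpc_cidr, SubnetCidr = cidrsubnet(var.vpc_cidr, 24 - tonumber(split("/", var.vpc_cidr)[1]), 0), SubnetAZ = "${var.region}a" })` with the shared entries moved into a local (`cft_common_parameters` is a suggested name). Two smaller points: only `var.subnet_ids[0]` is used, so the README should say a basic deployment into an existing VPC is single-subnet and that subnet must belong to `var.vpc`; and neither `var.vpc` nor `var.subnet_ids` shows a validation in this diff, so confirm variables.tf requires both when `use_existing_vpc` is true. Finally, the CKV_AWS_124 skip cites AVXIT-7528, but the commit ci: CKV_AWS_124 [AVXIT-7526] and the CKV_AWS_79 skips elsewhere suggest AVXIT-7526 was meant.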
@@ -552,7 +560,7 @@ locals {
}

resource "null_resource" "delete_sg_script_basic" {
count = var.ha_distribution == "basic" ? 1 : 0
count = var.ha_distribution == "basic" && !var.use_existing_vpc ? 1 : 0

triggers = {
argument_delete_sg_basic = local.argument_delete_sg_basic
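Review bot: the new `&& !var.use_existing_vpc` guard on delete_sg_script_basic needs a one-line comment explaining the intent: if the existing-VPC template still creates the security groups the script removes, they are now left behind after destroy; if the script would otherwise touch groups in the customer's own VPC, the guard is a safety measure and that is worth stating next to the condition.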
2 changes: 2 additions & 0 deletions region-build/aws.tf
Expand Up @@ -8,6 +8,8 @@ terraform {
}

resource "aws_vpc" "vpc" {
#checkov:skip=CKV2_AWS_11: Ensure VPC flow logging is enabled in all VPCs - AVXIT-7603
#checkov:skip=CKV2_AWS_12: Ensure the default security group of every VPC restricts all traffic - AVXIT-7604
count = var.use_existing_vpc ? 0 : 1
cidr_block = var.vpc_cidr
tags = {
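Review bot: CKV2_AWS_12 is cheaper to satisfy than to skip: an `aws_default_security_group` resource with the same `count`, `vpc_id = aws_vpc.vpc[0].id` and no ingress or egress blocks empties the default group. VPC flow logs (CKV2_AWS_11) are the main network-level detection source for the VPC hosting the Controller; if they stay off by design, the comment should say the operator is expected to enable them rather than only cite AVXIT-7603.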
11 changes: 11 additions & 0 deletions region-build/copilot.tf
@@ -1,4 +1,6 @@
resource "aws_launch_template" "avtx-copilot-cluster-main" {
# checkov:skip=CKV_AWS_79: Ensure Instance Metadata Service Version 1 is not enabled - AVXIT-7528
# checkov:skip=CKV_AWS_88: EC2 instance should not have public IP. - AVXIT-7529
count = var.copilot_deployment == "fault-tolerant" ? 1 : 0
name = "avtx-copilot-cluster-main"
description = "Launch template for Aviatrix Copilot Cluster Main Node"
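Review bot: CKV_AWS_79 should be fixed rather than skipped on both CoPilot launch templates (this one and avtx-copilot below): a `metadata_options { http_tokens = "required" }` block enforces IMDSv2, and IMDSv1 is the well-known route by which a request-forgery flaw in a web application on the instance exposes the instance role's credentials. CKV_AWS_88 (public IP) is a legitimate skip for an internet-facing CoPilot, but the comment should say so.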
Expand Down Expand Up @@ -49,6 +51,8 @@ resource "aws_launch_template" "avtx-copilot-cluster-main" {


resource "aws_launch_template" "avtx-copilot" {
# checkov:skip=CKV_AWS_88: EC2 instance should not have public IP. - AVXIT-7529
# checkov:skip=CKV_AWS_79: Ensure Instance Metadata Service Version 1 is not enabled - AVXIT-7530
count = var.copilot_deployment == "fault-tolerant" ? 0 : 1
name = "avtx-copilot"
description = "Launch template for Aviatrix Copilot"
Expand Down Expand Up @@ -160,6 +164,8 @@ resource "aws_autoscaling_group" "avtx_copilot" {

# Define a listener
resource "aws_lb_listener" "avtx-copilot" {
#checkov:skip=CKV_AWS_2: Ensure ALB protocol is HTTPS - AVXIT-7532
#checkov:skip=CKV_AWS_103: Ensure that load balancer is using at least TLS 1.2 - AVXIT-7601
load_balancer_arn = aws_lb.avtx-controller.arn
port = "8443"
protocol = var.load_balancer_type == "application" ? "HTTPS" : "TCP"
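Review bot: CKV_AWS_103 can be satisfied here without a skip: when `load_balancer_type` is application the listener is already HTTPS, so `ssl_policy = var.load_balancer_type == "application" ? "ELBSecurityPolicy-TLS13-1-2-2021-06" : null` pins TLS 1.2+ and the check passes; CKV_AWS_2 then only needs a skip for the network-LB TCP branch, which the comment should state. The same applies to the avtx-ctrl listener in region-build/lb.tf.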
Expand Down Expand Up @@ -241,15 +247,18 @@ resource "aws_security_group_rule" "copilot_egress_rule" {
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.AviatrixCopilotSecurityGroup.id
description = "Generated by Aviatrix deployment module - DO NOT DELETE"
}

resource "aws_eip" "copilot_eip" {
#checkov:skip=CKV2_AWS_19: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances - AVXIT-7599
count = var.use_existing_copilot_eip ? 0 : 1
domain = "vpc"
tags = local.common_tags
}

resource "aws_eip" "copilot_data_nodes_eips" {
#checkov:skip=CKV2_AWS_19: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances - AVXIT-7597
count = var.copilot_deployment == "fault-tolerant" ? var.use_existing_copilot_eip ? 0 : var.copilot_data_node_count : 0
domain = "vpc"
tags = merge(local.common_tags, {
Expand All @@ -260,6 +269,8 @@ resource "aws_eip" "copilot_data_nodes_eips" {


module "data_nodes" {
#checkov:skip=CKV_AWS_135: Ensure that EC2 is EBS optimized - AVXIT-7613
#checkov:skip=CKV_AWS_126: Ensure that detailed monitoring is enabled for EC2 instances - AVXIT-7614
count = var.copilot_deployment == "fault-tolerant" ? var.copilot_data_node_count : 0
source = "./modules/copilot-data-node"

6 changes: 6 additions & 0 deletions region-build/lb.tf
@@ -1,4 +1,8 @@
resource "aws_lb" "avtx-controller" {
#checkov:skip=CKV_AWS_150: Ensure that Load Balancer has deletion protection enabled - AVXIT-7569
#checkov:skip=CKV_AWS_91: Ensure the ELBv2 (Application/Network) has access logging enabled - AVXIT-7570
#checkov:skip=CKV_AWS_150: Ensure that Load Balancer has deletion protection enabled - AVXIT-7569
#checkov:skip=CKV_AWS_91: Ensure the ELBv2 (Application/Network) has access logging enabled - AVXIT-7570
name = "${local.name_prefix}AviatrixControllerLB"
internal = false
load_balancer_type = var.load_balancer_type
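Review bot: the CKV_AWS_150 and CKV_AWS_91 skip lines appear twice each; drop the second pair. Beyond that, access logging (CKV_AWS_91) on an internet-facing load balancer (`internal = false`) fronting the Controller is the primary record of who reached the management plane and is worth an `access_logs` block to an S3 bucket instead of a skip; the deletion-protection skip is defensible because the module manages the load balancer's lifecycle, and the comment should say so.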
Expand All @@ -19,6 +23,8 @@ resource "aws_lb" "avtx-controller" {
# Define a listener

resource "aws_lb_listener" "avtx-ctrl" {
#checkov:skip=CKV_AWS_2: Ensure ALB protocol is HTTPS - AVXIT-7571
#checkov:skip=CKV_AWS_103: Ensure that load balancer is using at least TLS 1.2 - AVXIT-7600
load_balancer_arn = aws_lb.avtx-controller.arn
port = "443"
protocol = var.load_balancer_type == "application" ? "HTTPS" : "TCP"
9 changes: 9 additions & 0 deletions region-build/main.tf
Expand Up @@ -348,6 +348,7 @@ resource "aws_ecs_task_definition" "task_def" {
}

resource "aws_eip" "controller_eip" {
#checkov:skip=CKV2_AWS_19: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances - AVXIT-7595
count = var.use_existing_eip ? 0 : 1
domain = "vpc"
tags = merge(local.common_tags, tomap({ "Name" = "Avx-Controller" }))
Expand Down Expand Up @@ -380,9 +381,12 @@ resource "aws_security_group_rule" "egress_rule" {
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.AviatrixSecurityGroup.id
description = "Generated by Aviatrix deployment module - DO NOT DELETE"
}

resource "aws_launch_template" "avtx-controller" {
#checkov:skip=CKV_AWS_79: Ensure Instance Metadata Service Version 1 is not enabled - AVXIT-7573
#checkov:skip=CKV_AWS_88: EC2 instance should not have public IP. - AVXIT-7574
name = "avtx-controller"
description = "Launch template for Aviatrix Controller"

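Review bot: as with the CoPilot launch templates in region-build/copilot.tf, CKV_AWS_79 on avtx-controller should be fixed with `metadata_options { http_tokens = "required" }` rather than skipped; the Controller's instance role credentials are the ones most worth keeping out of reach of IMDSv1.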
Expand Down Expand Up @@ -496,10 +500,12 @@ resource "aws_autoscaling_group" "avtx_ctrl" {
}

resource "aws_sqs_queue" "controller_updates_queue" {
#checkov:skip=CKV_AWS_27: Ensure all data stored in the SQS queue is encrypted - AVXIT-7575
name = "controller-ha-updates-queue"
}

resource "aws_sns_topic" "controller_updates" {
#checkov:skip=CKV_AWS_26: Ensure all data stored in the SNS topic is encrypted - AVXIT-7576
name = "controller-ha-updates"
}

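Review bot: CKV_AWS_27 has a zero-cost fix, `sqs_managed_sse_enabled = true` on controller_updates_queue. CKV_AWS_26 on controller_updates is different: an encrypted topic requires every publishing service to have access to the key, which the AWS-managed `alias/aws/sns` key does not grant to all services, so that one needs a customer-managed key with a key policy for whatever publishes to the topic; deferring it with AVXIT-7576 is reasonable if the comment records that dependency.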
Expand Down Expand Up @@ -645,6 +651,8 @@ module "aviatrix_eventbridge" {
}

module "ecs_cluster" {
#checkov:skip=CKV_AWS_224: Ensure ECS Cluster logging is enabled and client to container communication uses CMK - AVXIT-7611
#checkov:skip=CKV_AWS_65: Ensure container insights are enabled on ECS cluster - AVXIT-7612
source = "./modules/terraform-aws-ecs"

cluster_name = "avx_platform_ha"
Expand Down Expand Up @@ -684,6 +692,7 @@ module "ecs_cluster" {
}

resource "aws_cloudwatch_log_group" "log_group" {
#checkov:skip=CKV_AWS_158: Ensure that CloudWatch Log Group is encrypted by KMS - AVXIT-7577
name = "/aws/ecs/avx_platform_ha"
retention_in_days = 0

8 changes: 8 additions & 0 deletions region-build/modules/copilot-data-node/copilot-data-node.tf
Expand Up @@ -17,6 +17,7 @@ data "aws_subnet" "subnet" {
}

resource "aws_eip" "copilot_eip" {
#checkov:skip=CKV2_AWS_19: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances - AVXIT-7596
domain = "vpc"
tags = merge(var.tags, {
Name = "${var.node_name}-data-${var.node_key}-eip"
Expand All @@ -30,6 +31,9 @@ resource "aws_eip_association" "eip_assoc" {
}

resource "aws_instance" "aviatrixcopilot" {
#checkov:skip=CKV_AWS_79: Ensure Instance Metadata Service Version 1 is not enabled - AVXIT-7578
#checkov:skip=CKV_AWS_8: Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted - AVXIT-7579
#checkov:skip=CKV2_AWS_41: Ensure an IAM role is attached to EC2 instance - AVXIT-7606
ami = var.ami_id
instance_type = var.instance_type
key_name = var.keypair
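Review bot: CKV_AWS_8 is a one-block fix on aviatrixcopilot, `root_block_device { encrypted = true }`, which uses the account's default EBS key at no cost; the skip leaves the root volume of a CoPilot data node unencrypted. CKV2_AWS_41 (no IAM role attached) can be a deliberate choice for a node that needs no AWS API access, in which case the comment should say so.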
Expand Down Expand Up @@ -57,6 +61,9 @@ EOF
}

resource "aws_ebs_volume" "data" {
#checkov:skip=CKV_AWS_3: Ensure all data stored in the EBS is securely encrypted - AVXIT-7580
#checkov:skip=CKV_AWS_189: Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) - AVXIT-7581
#checkov:skip=CKV2_AWS_2: Ensure that only encrypted EBS volumes are attached to EC2 instances - AVXIT-7608
availability_zone = data.aws_subnet.subnet.availability_zone
size = var.default_data_volume_size
type = var.default_data_volume_type
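Review bot: `encrypted = true` on `aws_ebs_volume.data` satisfies CKV_AWS_3 and CKV2_AWS_2 with the default EBS key at no cost, leaving only CKV_AWS_189 (customer-managed key) as a genuine skip; this volume holds the CoPilot data set, which is exactly what an unencrypted snapshot copy would expose.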
Expand Down Expand Up @@ -118,4 +125,5 @@ resource "aws_security_group_rule" "copilot_egress_rule" {
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.AviatrixCopilotSecurityGroup.id
description = "CoPilot Data Node ${var.node_key} Egress - DO NOT DELETE"
}
1 change: 1 addition & 0 deletions region-build/modules/terraform-aws-eventbridge/iam.tf
Expand Up @@ -173,6 +173,7 @@ resource "aws_iam_policy_attachment" "sqs" {
#############

data "aws_iam_policy_document" "ecs" {
#checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management / resource exposure without constraints
count = local.create_role && var.attach_ecs_policy ? 1 : 0

statement {
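Review bot: this is the only skip in the PR with no AVXIT ticket reference, and it sits in a path that `.checkov.yml` lists under `skip-path`, so checkov never evaluates the file; either remove the skip-path entry and keep this in-file skip (preferred, so the vendored module is still scanned) or drop this line.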
1 change: 1 addition & 0 deletions region-build/modules/terraform-aws-waf/waf.tf
@@ -1,4 +1,5 @@
resource "aws_wafv2_web_acl" "waf_acl" {
#checkov:skip=CKV2_AWS_31: Ensure WAF2 has a Logging Configuration - AVXIT-7602
name = var.alb_waf_name
scope = var.scope
description = join(" ", ["Aviatrix MGMT", var.scope, "WAF"])
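Review bot: WAF logging (CKV2_AWS_31) is the only record of what the web ACL blocked or allowed in front of the Controller; when `configure_waf` is on, an `aws_wafv2_web_acl_logging_configuration` pointing at a CloudWatch log group whose name starts with `aws-waf-logs-` is a small addition, and if it is deferred the skip comment should say logging is left to the operator rather than only cite AVXIT-7602.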