f5-sca-securitystack's People

Contributors

codygreen, f5-mikeoleary, hparr, mikej81, mikeoleary, skhalid122, vinnie357

f5-sca-securitystack's Issues

AS3/HA Sync Issue

The AWS HA sync script does not sync sub-folders. An internal bug is filed.

Lambda functions currently may require publicly accessible mgmt address

If Security Groups on mgmt IP addresses are locked down to an IP range, Lambda functions that access devices to query for Active/Standby status will fail, as will functions for actions such as installing the HA iApp.

While these functions would ideally go away or be done by another tool, we may also be able to edit them to use private VPC access using the method below:

https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-vpcconfig.html
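One way to apply the VPC-access change described above, written here as an added example and not taken from the repository's templates or Lambda code: a small patcher that gives every AWS::Lambda::Function in a CloudFormation template a VpcConfig, attaches the AWSLambdaVPCAccessExecutionRole managed policy (the real AWS policy a VPC-attached function needs to create its ENIs) to its execution role, and opens the BIG-IP management security group to the Lambda security group instead of to a public CIDR. The logical IDs MgmtSubnet, LambdaSG, MgmtSG, LambdaRole and HAiAppFunction are placeholders, and the sample template is constructed for illustration.

```python
"""Move Lambda functions onto private VPC access to the BIG-IP mgmt interface.

Added example, not code from the f5-sca-securitystack repository. Logical IDs
(MgmtSubnet, LambdaSG, MgmtSG, LambdaRole, HAiAppFunction) are assumptions."""
import copy
import json

# Constructed sample: a function and its role roughly the way an
# InstallLambda-style stack might declare them (names are illustrative).
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {}, "ManagedPolicyArns": []}
    },
    "HAiAppFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Runtime": "python3.8",
        "Handler": "index.handler",
        "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]},
        "Code": {"ZipFile": "def handler(event, context): return 'ok'"}
      }
    },
    "MgmtSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "BIG-IP mgmt",
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}
        ]
      }
    }
  }
}
""")

# Partition-aware ARN so the same template also deploys in GovCloud
# (arn:aws-us-gov:...) without editing.
VPC_ACCESS_POLICY = {
    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/"
               "AWSLambdaVPCAccessExecutionRole"
}


def attach_lambdas_to_vpc(template, subnet_ids, lambda_sg, mgmt_sg, mgmt_port=443):
    """Return a copy of `template` in which every AWS::Lambda::Function has a
    VpcConfig in `subnet_ids` using security group `lambda_sg`, its in-template
    execution role carries the VPC-access managed policy, and `mgmt_sg` admits
    the Lambda SG on `mgmt_port`. Idempotent: running it twice adds nothing."""
    t = copy.deepcopy(template)
    res = t["Resources"]
    for r in res.values():
        if r.get("Type") != "AWS::Lambda::Function":
            continue
        props = r.setdefault("Properties", {})
        props.setdefault("VpcConfig", {
            "SubnetIds": [{"Ref": s} for s in subnet_ids],
            "SecurityGroupIds": [{"Ref": lambda_sg}],
        })
        # Role is normally {"Fn::GetAtt": ["<RoleLogicalId>", "Arn"]}; only a
        # role declared in this template can be patched here.
        role_ref = props.get("Role")
        role_id = None
        if isinstance(role_ref, dict) and isinstance(role_ref.get("Fn::GetAtt"), list):
            role_id = role_ref["Fn::GetAtt"][0]
        if role_id in res:
            arns = res[role_id].setdefault("Properties", {}).setdefault("ManagedPolicyArns", [])
            if VPC_ACCESS_POLICY not in arns:
                arns.append(VPC_ACCESS_POLICY)
    # Admit the Lambda ENIs by security group rather than widening the CIDR
    # rules that lock the mgmt SG down to an operator address range.
    rule = {"IpProtocol": "tcp", "FromPort": mgmt_port, "ToPort": mgmt_port,
            "SourceSecurityGroupId": {"Ref": lambda_sg}}
    ingress = res[mgmt_sg].setdefault("Properties", {}).setdefault("SecurityGroupIngress", [])
    if rule not in ingress:
        ingress.append(rule)
    return t


if __name__ == "__main__":
    patched = attach_lambdas_to_vpc(SAMPLE_TEMPLATE, ["MgmtSubnet"], "LambdaSG", "MgmtSG")
    print(json.dumps(patched["Resources"]["HAiAppFunction"]["Properties"]["VpcConfig"], indent=2))
```

Once a function is attached to a VPC it loses its default Internet path; if the same function also calls AWS APIs (CloudFormation, EC2) the subnet needs a NAT gateway route or VPC endpoints for those services, which is a separate change from the one shown here.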

Routes to remote subnets are required in VDSS VPC

To set up an app successfully after deploying the architecture as it stands today, you will need to add a few missing routes manually in AWS. This should be part of the CFT deployment of VPCs.

  1. A route to the app's VPC (by default 10.1.0.0/16 for AppVPC and 10.2.0.0/16 for Fargate VPC) is required, at minimum, on the "Inside" subnet that is attached to the TGW. To be able to use the bastion host to SSH to an app server in this subnet, the same route will be required in the Mgmt Subnet.

  2. For return traffic from the AppVPC or Fargate VPC to the VDSS, the route tables in the remote VPCs (currently called app-main-rt and fargate-main-rt) must also be updated so that the VDSS CIDR range points at the TGW.

Deploying demo apps should be optional

This is something we decided in a status meeting at end of August. We can add a parameter so that users can deploy the VDSS only, or we can stand up additional VPCs and applications to protect.

Determine BIG-IP MGMT Elastic IP Addresses

The CFTs do not export the output value for the management elastic IP addresses. We need a way to programmatically find the IPs.

# JMESPath string literals must be backquoted; unquoted names are parsed as identifiers and match nothing.
aws cloudformation list-exports --query 'Exports[?contains(Name, `cody-sca-test`) && contains(Name, `BIGIP`)].Value' --output text

Possible Security Problems

Hey there! I noticed some possible problems in some code in this repo. A quick summary of a few of them is below, but let me know if you're interested in seeing a full report or talking about cloud security in general.


severity: serious

filename: ./JumpHost/template.json

line number(s): [241]

resource(s):

Missing egress rule means all traffic is allowed outbound. Make this explicit if it is the desired configuration.


severity: warning

filename: ./VPC/aws-scca-vdss-stack-singleAZ.json

line number(s): [140]

resource(s):

EC2 Subnet should not have MapPublicIpOnLaunch set to true


severity: warning

filename: ./VPC/aws-scca-vdss-stack-singleAZ.template.json

line number(s): [122]

resource(s):

EC2 Subnet should not have MapPublicIpOnLaunch set to true


severity: warning

filename: ./VPC/route-table-update-post-EC2-builds.json

line number(s): [163]

resource(s):

IAM role should not allow * resource on its permissions policy


severity: warning

filename: ./JumpHost/template.json

line number(s): [241]

resource(s):

Security Groups found with ingress cidr that is not /32


severity: warning

filename: ./JumpHost/template.json

line number(s): [241]

resource(s):

Security Groups found with cidr open to world on ingress. This should never be true on an instance. Permissible on an ELB.


severity: warning

filename: ./JumpHost/template.json

line number(s): [241]

resource(s):

Security Groups found ingress with port range instead of just a single port
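The findings above are all statically checkable, so a pipeline can catch them on every commit rather than waiting for an external report. The linter below is an added example, not code from the repository or from the scanner that produced the report; it implements exactly the checks listed (missing egress, MapPublicIpOnLaunch, wildcard IAM resource, non-/32 ingress, world-open ingress, port ranges) over the inline SecurityGroupIngress, Subnet and Role properties of a CloudFormation template. The sample template is constructed to trigger each check and is not JumpHost/template.json.

```python
"""Minimal CloudFormation linter for the findings reported above.

Added example, not code from the f5-sca-securitystack repository. The sample
template is constructed; standalone AWS::EC2::SecurityGroupIngress resources
and IAM managed policies are out of scope here."""
import ipaddress
import json

SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "JumpHostSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "jump host",
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "MgmtSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24",
                     "MapPublicIpOnLaunch": true}
    },
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {},
        "Policies": [{"PolicyName": "routes", "PolicyDocument": {"Statement": [
          {"Effect": "Allow", "Action": ["ec2:ReplaceRoute"], "Resource": "*"}]}}]
      }
    }
  }
}
""")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _check_security_group(name, props):
    out = []
    # With no SecurityGroupEgress, CloudFormation keeps the default allow-all egress.
    if "SecurityGroupEgress" not in props:
        out.append(("serious", name, "missing-egress"))
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if isinstance(cidr, str):  # Ref/GetAtt values cannot be judged statically
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                out.append(("warning", name, "open-to-world"))
            if net.prefixlen != net.max_prefixlen:
                out.append(("warning", name, "ingress-not-host"))
        if str(rule.get("IpProtocol")) != "-1" and rule.get("FromPort") != rule.get("ToPort"):
            out.append(("warning", name, "port-range"))
    return out


def _check_subnet(name, props):
    if props.get("MapPublicIpOnLaunch") in (True, "true"):
        return [("warning", name, "public-ip-on-launch")]
    return []


def _check_role(name, props):
    out = []
    for pol in props.get("Policies", []):
        for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", [])):
                out.append(("warning", name, "iam-wildcard-resource"))
    return out


CHECKS = {
    "AWS::EC2::SecurityGroup": _check_security_group,
    "AWS::EC2::Subnet": _check_subnet,
    "AWS::IAM::Role": _check_role,
}


def scan_template(template):
    """Return (severity, logical_id, finding) tuples, 'serious' first."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return sorted(findings, key=lambda f: (f[0] != "serious", f[1], f[2]))


if __name__ == "__main__":
    for sev, rid, code in scan_template(SAMPLE_TEMPLATE):
        print("%-8s %-12s %s" % (sev, rid, code))
```

Run it against each template in the pipeline and fail the build on any 'serious' finding; a world-open rule on a jump host is the one to treat as blocking, since the jump host sits on the management path of every BIG-IP in the stack.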

convert baseline routing egress VIP to AS3

We use TMSH commands to implement a forwarding VIP that allows traffic to egress the stack and go out to the Internet.

We can convert this to an AS3 declaration which does not need to be edited at time of deployment, since the VIP will always be 0.0.0.0/0

Deployment issues outside us-east-1

Error occurred while GetObject. S3 Error Code: PermanentRedirect. S3 Error Message: The bucket is in this region: us-east-1. Please use this region to retry the request (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: de815452-0681-4a57-9d19-e81fbc66b219)

BIG-IP Module Provisioning

Determine the required module for each tier and enable the corresponding BIG-IP modules.

We would like this to be parameterized.

Tier-1 (DMZ): LTM, AFM + IPI
Tier-2 (Inspection): AFM + IPS
Tier-3 (App): LTM, ASM, APM

Should this be via TMSH or via Declarative Onboarding (DO)?

Move to Python 3

The embedded Lambda functions use Python 2.7, which goes end of support on Dec 31st.

clean up of old files inherited from initial set up of repo

I am pretty sure this is leftover from when we were converting from YAML and the AWS team's start on this:

  1. file in question is: "/VPC/aws-scca-vdss-stack-singleAZ.template.json" - I believe this can be deleted but we should test.

  2. file "/aws-quickstart-scca-transit-gateway-stack.json" - this should be moved under a folder. It is still referenced, so we need to change the reference to it in the root template.

Create AFM Policy for DVWA Demo App

Create an AFM Policy in AS3 to demo protection of the Damn Vulnerable Web App.

Enable IPI in Tier-1 and IPS in Tier-2. We may need to create a policy and then export it to use via automation. This will need to be evaluated.

Enable Traffic Intelligence as well.

remove default account names

The default BIG-IP admin account is still present; we should disable it and use a new name.
This will impact scripts using this account.

Deployment in AWS GovCloud is broken

At some point we broke deployment to GovCloud. This worked in GovCloud originally but on 9/26/19 Eric Chen attempted a deployment to GovCloud (east) and received an error that "S3 bucket did not exist"

Deploy to us-gov-east-1 breaking

When deploying SCCA quickstart to GovCloud [east] I am receiving the following error. I receive this error whether selecting 'Yes' or 'No' for deploy of demo apps.

Embedded stack arn:aws-us-gov:cloudformation:us-gov-east-1:577650884638:stack/f5-scca-gov-east-InstallLambda-JFKKJCDSJ9YO/c6ea7560-857a-11ea-8645-0ad2795c75fe was not successfully created: The following resource(s) failed to create: [HAiApp].

Create VPC for Apps

Modify VPC template to create VPCs for the demo apps and correctly configure forwarding plane between them (TGW)

Name tags are unclear for BIG-IP instances and Tiers

Currently the names of devices include the Tier name, which is either BIGIP 1 or 2.

This leads to confusion, since the names of both devices in a pair will start with "BIGIP1" in Tier 1, for example.

We should edit the templates to name Tiers with more appropriate names: ExternalTier and InternalTier. This should remove confusion.

Likewise for instances, "BIG-IP1" might be more easily known as "BIG-IP-Device1" for example.

Deployment failed in us-east-2

Looks like the AMI is hardcoded versus obtaining it from a query:

Template error: Unable to get mapping for AWSRegionAMIEC2::us-east-2::Ubuntu16

Unique AS3 Configuration for Tier

Today, the AS3 deployment for each tier is identical. Create a new AS3 deployment that targets the use case for tier-1 and tier-2.

Determine Active BIG-IP

We need to determine which BIG-IP is active so we can associate the correct IP address to the routing tables.
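One way to make that decision, as an added example that is not the repository's Lambda code: query each device's failover state over iControl REST and accept a result only when exactly one device reports Active. The assumed response shape is that GET /mgmt/tm/sys/failover returns the tmsh text in apiRawValues.apiAnonymous (for example "Failover active for 2d 03:13:07"); the device names, addresses and replies below are constructed. Failing closed on zero or two Actives matters here because the caller is about to rewrite route tables, and a guess during a failover transition points traffic at the wrong instance.

```python
"""Pick the Active BIG-IP of a DSC pair from its REST failover state.

Added example, not code from the f5-sca-securitystack repository. Assumption:
/mgmt/tm/sys/failover returns tmsh text under apiRawValues.apiAnonymous."""
import re

FAILOVER_RE = re.compile(r"^Failover\s+(active|standby|offline|forced-offline)", re.I)


def parse_failover(reply):
    """Return the failover state ('active', 'standby', ...) from a decoded
    /mgmt/tm/sys/failover reply; ValueError if the text is not recognised."""
    text = reply.get("apiRawValues", {}).get("apiAnonymous", "")
    m = FAILOVER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised failover reply: %r" % text)
    return m.group(1).lower()


def pick_active(replies):
    """replies: {device_name: decoded JSON, or None if the device was unreachable}.
    Return the one Active device. Zero or more than one Active (split brain,
    or a pair caught mid-failover) raises rather than guessing."""
    actives = [name for name, reply in replies.items()
               if reply is not None and parse_failover(reply) == "active"]
    if len(actives) != 1:
        raise RuntimeError("expected exactly one Active device, got %r" % actives)
    return actives[0]


def fetch_failover(host, user, password, timeout=5):
    """Live query against the private mgmt address (not exercised offline).
    Uses the default SSL context, so the mgmt certificate must be trusted;
    do not disable verification to make a self-signed cert 'work'."""
    import base64
    import json
    import ssl
    import urllib.request
    req = urllib.request.Request("https://%s/mgmt/tm/sys/failover" % host)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return json.load(resp)


# Constructed sample replies for a two-device DSC (not captured from a real pair).
SAMPLE_REPLIES = {
    "bigip1": {"kind": "tm:sys:failover:failoverstats",
               "apiRawValues": {"apiAnonymous": "Failover standby for 0d 00:04:12\n"}},
    "bigip2": {"kind": "tm:sys:failover:failoverstats",
               "apiRawValues": {"apiAnonymous": "Failover active for 0d 00:04:10\n"}},
}


if __name__ == "__main__":
    print("active device:", pick_active(SAMPLE_REPLIES))
```

The device names map to the instance whose interface or EIP the route update should use; that mapping is the CFT's to provide, and is the same gap the missing management EIP exports leave open.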

Avoid duplicate CFT names

For the pipeline to move towards using artifacts versus just deploying the entire git repo into S3 we need to rename all templates that share the same name (like template.json)

Jump host does not need to be exposed in F5 config

Initially I had used the JumpHost private IP to add a pool member in the BIG-IP. This is not required, since we are not going to protect the jump host IP address via the VDSS stack.

So this can be removed, and the BIGIP stacks can be deployed in parallel with jump host (there will be no dependencies).

DoD Root Certs Error

Currently, the DoD root certs are being copied to both devices. This is causing an error. Update the CFT to only deploy the certs to one of the BIG-IPs in the DSC.

Create Regression Tests

Create a test script that can ensure the CFT stacks were deployed and configured correctly.

This will allow the pipeline to ensure new commits to master did not break existing functionality.

Create ASM Policy for DVWA Demo App

Create an ASM policy that can be imported by AS3 to demo protection of the Damn Vulnerable Web App (DVWA). Include 14.1 features such as bot protection.
