Increasing security posture of HTC Grid by enforcing and fixing relevant encryption, authentication and RBAC issues

[fgogolli]

Description

This pull request fixes all the relevant security issues in the current code base, as detected by cfn_lint, trivy, checkov and ScoutSuite.

Terraform State:

• Encrypt and secure init_grid state and Lambda buckets.
• Limit the scope of KMS Key policy for State Buckets.
• Remove AccessControls and use BucketPolicy to keep the bucket private.
• Configure all Makefiles to use encrypted S3 Buckets for TF State, non-root Dockerfiles, fix HTCGRID_ECR_REPO, name CloudFormation stack outputs, and support updating existing init_grid stack.
• Improve init_grid Makefile to handle initial and deletion cases better.
• Add support for cleaning up S3 object versions and standardize bucket variable naming.

HTC Grid Containers:

• Configure all Dockerfiles to run non-root containers and fix builds.
• Configure all HTC K8S resources to run with runAsNonRoot, default seccompProfile, and disabled allowPrivilegeEscalation.
• Rename components, add readOnlyFileSystem and seccomp profile to HTC Agent, fix and cleanup code.
• Remove file system write dependencies for the agent.
• Harden K8S manifests and enforce further chekov rules.
• Configure Grafana Ingress to drop invalid HTTP Header fields.

HTC Grid Control Plane:

• Configure CMK KMS Key encryption for VPC Flow Logs, ECR Repositories, SQS, DynamoDB, S3, EKS Cluster, EKS MNG EBS Volumes, and all CloudWatch Logs.
• Add encrypted CloudWatch Logging for API Gateway.
• Create S3 via TF Module, add encryption support for S3 Data Plane in the agent, fix AWS partition, and DNS Suffix usage.
• Simplify code and move all lambdas and auth to the control_plane.
• Configure and consolidate least-privilege permissions on KMS, Lambda, and Agent IAM policies.
• Add KMS Decrypt and GenerateDataKey permissions to Lambda and Agent permissions.
• Move installation of jq onto lambda images and fix the bootstrap script.
• Convert EC Redis to a single replica cluster mode and add encryption.
• Add AUTH for ElastiCache Redis Cluster.
• Enable XRay tracing for Lambda functions and adjust Redis config.
• Add an explicit ASG Service Linked Role declaration to enable KMS support for ASG EBS Volumes.
• Handle cases where AWSServiceRoleForAutoScaling already exists.
• Add S3 and SQS Resource Policies to enforce HTTPS and create separate CMK KMS Keys for DLQs per each SQS Queue.
• Configure the DLQs to be used with the respective SQS Queues and fix naming/references.
• Add security group and ACL controls where possible.
• Configure securityContext for OpenAPI.

General:

• Add GitHub workflows for cfn_lint, trivy, and checkov.
• Standardize, fix, and simplify tests.
• Standardize the naming of TF resources.
• Fix docs and random_password to align with pipelines.
• Add auto deploy & destroy stages for images.

Cloud9:

• Fix Cloud9 deployment script to target correct instances.
• Fix Cloud9 bootstrap race condition and adjust to WS.
• Force a reinstall at bootstrap time to fix virtualenv issues.
• Add support for specifying a Git repo/branch for HTCGridSource.
• Remove Admin role from KMS Admins as it doesn't exist in WS.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes
• (Core team) Added labels for change area (e.g. area/controlplane) and kind (e.g. kind/improvement)

BONUS POINTS checklist:

• Backfilled missing tests for code in same general area
• Refactored something and made the world a better place

[clementrey-dev]

Hello Flamur,

Thank you for your work.

I been running the happy path section (from my laptop) and I got error from multiple sections:

• REGION not set after different make command
• Mallformed policy during the deployment
• bucket not fully emptied during the cleaning process

Can you please take a look at this ?

[kirillsc]

lgtm

[kirillsc]

Looks good to me