Get modsec config from moj-modsec-rules repo. (#680)

* Get modsec config from moj-modsec-rules repo. * Update namespace
ministryofjustice · Aug 29, 2024 · 2073302 · 2073302
1 parent 8a0609d
commit 2073302
Show file tree

Hide file tree

Showing 6 changed files with 138 additions and 13 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -12,6 +12,9 @@ on:
       ips_formatted:
         required: true
         type: string
+      modsec_config:
+        required: true
+        type: string
 
 jobs:
   deploy_environment:
@@ -98,17 +101,28 @@ jobs:
 
           export IPS_FORMATTED_BASE64
 
+          ## - - - - - - - - - - -
+          ## Modsec config
+          ## - - - - - - - - - - -
+
+          export MODSEC_CONFIG=$(
+            echo -n "${{ inputs.modsec_config }}" | 
+            openssl enc -aes-256-cbc -pbkdf2 -base64 -d -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" |
+            base64 --decode
+          );
 
           ## - - - - - - - - - - -
           ## Perform find/replace
           ## - - - - - - - - - - -
 
+          ## Only replace $MODSEC_CONFIG fromn ingress.tpl.yml
+
+          < "$TPL_PATH"/ingress.tpl.yml envsubst '${MODSEC_CONFIG}' > "$TPL_PATH"/ingress.yaml
           < "$TPL_PATH"/secret.tpl.yml envsubst > "$TPL_PATH"/secret.yaml
           < "$TPL_PATH"/deployment.tpl.yml envsubst > "$TPL_PATH"/deployment.yaml
           
           ## Remove template files before apply
-          rm "$TPL_PATH"/secret.tpl.yml
-          rm "$TPL_PATH"/deployment.tpl.yml
+          rm "$TPL_PATH"/*.tpl.yml
 
       - name: "Authenticate to the cluster"
         env:

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -24,46 +24,56 @@ jobs:
     uses: ./.github/workflows/ip-ranges-configure.yml
     secrets: inherit
 
+  modsec_config:
+    name: "Modsec"
+    if: github.event.ref == 'refs/heads/develop'
+    uses: ./.github/workflows/modsec-config.yml
+    secrets: inherit
+
   deploy_dev:
     name: "Development"
     if: github.event.ref == 'refs/heads/develop'
     uses: ./.github/workflows/deploy.yml
-    needs: [image, get_ip_ranges]
+    needs: [image, get_ip_ranges, modsec_config]
     with:
       environment: development
       registry: ${{ needs.image.outputs.registry }}
       ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
+      modsec_config: ${{ needs.modsec_config.outputs.development }}
     secrets: inherit
 
   deploy_staging:
     name: "Staging"
-    needs: [image, deploy_dev, get_ip_ranges]
+    needs: [image, deploy_dev, get_ip_ranges, modsec_config]
     if: github.event.ref == 'refs/heads/develop'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: staging
       registry: ${{ needs.image.outputs.registry }}
       ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
+      modsec_config: ${{ needs.modsec_config.outputs.staging }}
     secrets: inherit
 
   deploy_demo:
     name: "Demo"
-    needs: [image, deploy_dev, get_ip_ranges]
+    needs: [image, deploy_dev, get_ip_ranges, modsec_config]
     if: github.event.ref == 'refs/heads/develop'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: demo
       registry: ${{ needs.image.outputs.registry }}
       ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
+      modsec_config: ${{ needs.modsec_config.outputs.demo }}
     secrets: inherit
 
   deploy_production:
     name: "Production"
-    needs: [image, deploy_staging, get_ip_ranges]
+    needs: [image, deploy_staging, get_ip_ranges, modsec_config]
     if: github.event.ref == 'refs/heads/develop'
     uses: ./.github/workflows/deploy.yml
     with:
       environment: production
       registry: ${{ needs.image.outputs.registry }}
       ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
+      modsec_config: ${{ needs.modsec_config.outputs.production }}
     secrets: inherit
diff --git a/.github/workflows/modsec-config.yml b/.github/workflows/modsec-config.yml
@@ -0,0 +1,105 @@
+name: "Get Modsec config."
+
+on:
+  workflow_call:
+    outputs:
+      development:
+        description: "Modsec Config. for Development"
+        value: ${{ jobs.modsec.outputs.development }}
+      demo:
+        description: "Modsec Config. for Demo"
+        value: ${{ jobs.modsec.outputs.demo }}
+      staging:
+        description: "Modsec Config. for Staging"
+        value: ${{ jobs.modsec.outputs.staging }}
+      production:
+        description: "Modsec Config. for Production"
+        value: ${{ jobs.modsec.outputs.production }}
+
+jobs:
+  modsec:
+    name: "Build"
+    runs-on: ubuntu-latest
+    outputs:
+      development: ${{ steps.config.outputs.development }}
+      demo: ${{ steps.config.outputs.demo }}
+      staging: ${{ steps.config.outputs.staging }}
+      production: ${{ steps.config.outputs.production }}
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+        with:
+          repository: 'ministryofjustice/moj-modsec-rules'
+          # This is a fine-grained PAT, it's scoped to the moj-modsec private repository with 2 permissions: 
+          # Content: Read-only.
+          # Metadata: Read-only.
+          token: ${{ secrets.MOJ_MODSEC_RO_PAT }}
+
+      - name: "Get, format & encrypt"
+        id: config
+        shell: bash
+        run: |
+          # Ensure we have an encryption key.
+          if [ -z "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" ];then
+            echo "WORKFLOW_ENCRYPTION_KEY is not set."
+            exit 1
+          fi
+
+
+          # Install yq package from snap.
+          sudo snap install yq
+
+
+          # - Get the config from the helper script.
+          # - Base64 encode to preserve line breaks.
+          # - Encode it with `WORKFLOW_ENCRYPTION_KEY` (e.g. generate with `openssl rand -base64 4096`).
+
+          DEVELOPMENT=$(
+            ./scripts/get-modsec-config.sh --namespace=intranet --env=development --indent=6 --file=data/php-wordpress.yml | 
+            base64 -w 0 | 
+            openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" -e -base64
+          );
+
+          DEMO=$(
+            ./scripts/get-modsec-config.sh --namespace=intranet --env=demo --indent=6 --file=data/php-wordpress.yml | 
+            base64 -w 0 | 
+            openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" -e -base64
+          );
+
+          STAGING=$(
+            ./scripts/get-modsec-config.sh --namespace=intranet --env=staging --indent=6 --file=data/php-wordpress.yml | 
+            base64 -w 0 | 
+            openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" -e -base64
+          );
+
+          PRODUCTION=$(
+            ./scripts/get-modsec-config.sh --namespace=intranet --env=production --indent=6 --file=data/php-wordpress.yml | 
+            base64 -w 0 | 
+            openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.WORKFLOW_ENCRYPTION_KEY }}" -e -base64
+          );
+
+
+          # Set the multi line variables as an outputs.
+          {
+              echo "development<<EOF"
+              echo "$DEVELOPMENT"
+              echo EOF
+          } >> "$GITHUB_OUTPUT"
+
+          {
+              echo "demo<<EOF"
+              echo "$DEMO"
+              echo EOF
+          } >> "$GITHUB_OUTPUT"
+
+          {
+              echo "staging<<EOF"
+              echo "$STAGING"
+              echo EOF
+          } >> "$GITHUB_OUTPUT"
+
+          {
+              echo "production<<EOF"
+              echo "$PRODUCTION"
+              echo EOF
+          } >> "$GITHUB_OUTPUT"
diff --git a/deploy/demo/ingress.yml → deploy/demo/ingress.tpl.yml b/deploy/demo/ingress.yml → deploy/demo/ingress.tpl.yml
@@ -7,10 +7,8 @@ metadata:
     external-dns.alpha.kubernetes.io/set-identifier: intranet-demo-ingress-intranet-demo-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
-    nginx.ingress.kubernetes.io/modsecurity-snippet: |
-      SecRuleEngine On
-      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
-      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
+    nginx.ingress.kubernetes.io/modsecurity-snippet:  |
+      ${MODSEC_CONFIG}
     nginx.ingress.kubernetes.io/auth-type: basic
     nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Demo User | Authentication Required'

diff --git a/deploy/development/ingress.yml → deploy/development/ingress.tpl.yml b/deploy/development/ingress.yml → deploy/development/ingress.tpl.yml
@@ -8,9 +8,7 @@ metadata:
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |
-      SecRuleEngine On
-      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
-      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
+      ${MODSEC_CONFIG}
     nginx.ingress.kubernetes.io/auth-type: basic
     nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Development Access | Authentication Required'

diff --git a/deploy/staging/ingress.yml → deploy/staging/ingress.tpl.yml b/deploy/staging/ingress.yml → deploy/staging/ingress.tpl.yml