Merge pull request #145 from Barts-Life-Science/dns-whitelist

Prevent data exfiltration by DNS tunneling or malicious DNS lookups

Author: TonyWildish-BH

core/terraform/dns-resolver/dns-whitelist.txt

@@ -0,0 +1,28 @@
+#
+# Add the domains to be whitelisted here.
+# Use an octothorpe to comment lines out.
+#
+# api.snapcraft.io
+# archive.ubuntu.com
+# azure.archive.ubuntu.com
+# cloud.r-project.org
+# azure.com
+# conda.anaconda.org
+# cran.r-project.org
+# docker.com
+# docker.io
+# download-ib01.fedoraproject.org
+# download.microsoft.com
+# download1.rstudio.org
+# files.pythonhosted.org
+# keyserver.ubuntu.com
+# microsoft.com
+# nhs.net
+# nhs.org
+# nhs.uk
+# packages.microsoft.com
+# pypi.org
+# repo.almalinux.org
+# repo.anaconda.com
+# security.ubuntu.com
+# snapcraftcontent.com

core/terraform/dns-resolver/locals.tf

@@ -0,0 +1,10 @@
+locals {
+  # This is not DRY! See the network module.
+  core_services_vnet_subnets         = cidrsubnets(var.core_address_space, 4, 4, 4, 4, 2, 4, 4, 4, 4, 4, 4, 4, 4)
+  dns_resolver_subnet_address_prefix = local.core_services_vnet_subnets[11] # .128 - .191
+
+  tre_core_tags = {
+    tre_id              = var.tre_id
+    tre_core_service_id = var.tre_id
+  }
+}

core/terraform/dns-resolver/main.tf

@@ -0,0 +1,9 @@
+terraform {
+  # In modules we should only specify the min version
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.8"
+    }
+  }
+}

core/terraform/dns-resolver/make-rules.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Generate a JSON object with the DNS rules for the private resolver
+#
+
+cd $(dirname $(realpath $0))
+
+resolver="8.8.8.8" # Google, is there a better choice?
+i=0
+
+echo "{"
+for domain in $(cat dns-whitelist.txt | sed -e 's%#.*$%%')
+do
+  echo "    \"rule_${i}\": \"{ \\\"address\\\": \\\"${resolver}\\\", \\\"domain\\\": \\\"${domain}.\\\" }\","
+  i=$(( i + 1 ))
+done
+
+echo "    \"sink\": \"{  \\\"address\\\": \\\"0.0.0.0\\\", \\\"domain\\\": \\\".\\\" }\""
+echo "}"

core/terraform/dns-resolver/network.tf

@@ -0,0 +1,27 @@
+# resource "azurerm_subnet" "dns-snet-inbound" {
+#   name                 = "dns-snet-inbound"
+#   resource_group_name = local.rg_name
+#   virtual_network_name = azurerm_virtual_network.dns-vnet.name
+#   address_prefixes     = [ local.core_services_vnet_subnets[11] ]
+#   delegation {
+#     name = "Microsoft.Network.dnsResolvers"
+#     service_delegation {
+#       actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+#       name    = "Microsoft.Network/dnsResolvers"
+#     }
+#   }
+# }
+
+resource "azurerm_subnet" "dns-snet-outbound" {
+  name                 = "AzurePrivateDnsResolverSubnet"
+  resource_group_name  = var.resource_group_name
+  virtual_network_name = var.core_vnet_name
+  address_prefixes     = [local.dns_resolver_subnet_address_prefix]
+  delegation {
+    name = "Microsoft.Network.dnsResolvers"
+    service_delegation {
+      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+      name    = "Microsoft.Network/dnsResolvers"
+    }
+  }
+}

core/terraform/dns-resolver/private-dns-resolver.tf

@@ -0,0 +1,13 @@
+resource "azurerm_private_dns_resolver" "dns-resolver" {
+  name                = "dns-resolver"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  virtual_network_id  = var.core_vnet_id
+}
+
+resource "azurerm_private_dns_resolver_outbound_endpoint" "dns-resolver-outbound" {
+  name                    = "dns-resolver-outbound-endpoint"
+  private_dns_resolver_id = azurerm_private_dns_resolver.dns-resolver.id
+  location                = azurerm_private_dns_resolver.dns-resolver.location
+  subnet_id               = azurerm_subnet.dns-snet-outbound.id
+}

core/terraform/dns-resolver/provider.tf

@@ -0,0 +1,14 @@
+# terraform {
+#   required_version = ">= 1.0.0"
+#   required_providers {
+#     azurerm = {
+#       source  = "hashicorp/azurerm"
+#       version = ">=3.0.0"
+#     }
+#   }
+# }
+
+# provider "azurerm" {
+#   features {}
+# }
+

core/terraform/dns-resolver/rules.tf

@@ -0,0 +1,20 @@
+data "external" "dns-rules" {
+  program = ["bash", "${path.module}/make-rules.sh"]
+}
+
+resource "azurerm_private_dns_resolver_forwarding_rule" "dns-rules" {
+  # This is how to do it in-situ, in which case you don't need the 'jsondecode' wrappers below
+  # for_each = tomap( {
+  #       net  = { domain = "net.", address = "8.8.8.8" },
+  #       sink = { domain = ".",    address = "0.0.0.0" }
+  # } )
+  for_each                  = data.external.dns-rules.result
+  name                      = "dns-rule-${each.key}"
+  dns_forwarding_ruleset_id = azurerm_private_dns_resolver_dns_forwarding_ruleset.dns-ruleset.id
+  domain_name               = jsondecode(each.value).domain
+  enabled                   = true
+  target_dns_servers {
+    ip_address = jsondecode(each.value).address
+    port       = 53
+  }
+}

core/terraform/dns-resolver/ruleset.tf

@@ -0,0 +1,6 @@
+resource "azurerm_private_dns_resolver_dns_forwarding_ruleset" "dns-ruleset" {
+  name                                       = "dns-ruleset"
+  resource_group_name                        = var.resource_group_name
+  location                                   = var.location
+  private_dns_resolver_outbound_endpoint_ids = [azurerm_private_dns_resolver_outbound_endpoint.dns-resolver-outbound.id]
+}

core/terraform/dns-resolver/variables.tf

@@ -0,0 +1,21 @@
+variable "tre_id" {
+  type = string
+}
+variable "location" {
+  type = string
+}
+variable "resource_group_name" {
+  type = string
+}
+variable "core_address_space" {
+  type = string
+}
+variable "arm_environment" {
+  type = string
+}
+variable "core_vnet_name" {
+  type = string
+}
+variable "core_vnet_id" {
+  type = string
+}

core/terraform/main.tf

@@ -88,6 +88,17 @@ module "network" {
   arm_environment     = var.arm_environment
 }
 
+module "dns-resolver" {
+  source              = "./dns-resolver"
+  tre_id              = var.tre_id
+  location            = var.location
+  resource_group_name = azurerm_resource_group.core.name
+  core_address_space  = var.core_address_space
+  arm_environment     = var.arm_environment
+  core_vnet_name      = module.network.core_vnet_name
+  core_vnet_id        = module.network.core_vnet_id
+}
+
 module "appgateway" {
   source                     = "./appgateway"
   tre_id                     = var.tre_id

core/terraform/network/locals.tf

@@ -19,7 +19,7 @@ locals {
   # .3
   resource_processor_subnet_address_prefix  = local.core_services_vnet_subnets[9]  # .0 - .63
   firewall_management_subnet_address_prefix = local.core_services_vnet_subnets[10] # .64 - .127
-  # FREE = local.core_services_vnet_subnets[11] # .128 - .191
+  # see the dns-resolver module = local.core_services_vnet_subnets[11] # .128 - .191
   # FREE = local.core_services_vnet_subnets[12] # .192 - .254
 
   tre_core_tags = {

core/terraform/network/outputs.tf

@@ -2,6 +2,10 @@ output "core_vnet_id" {
   value = azurerm_virtual_network.core.id
 }
 
+output "core_vnet_name" {
+  value = azurerm_virtual_network.core.name
+}
+
 output "bastion_subnet_id" {
   value = azurerm_subnet.bastion.id
 }

templates/workspace_services/azuresql/Dockerfile.tmpl

@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM --platform=linux/amd64 debian:bullseye-slim
+
+# PORTER_INIT
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+# Git is required for terraform_azurerm_environment_configuration
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y git --no-install-recommends
+
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh

@@ -125,16 +125,6 @@ if [ "${SHARED_STORAGE_ACCESS}" -eq 1 ]; then
   # Change permissions on the credential file so only root can read or modify the password file.
   sudo chmod 600 "$smbCredentialFile"
 
-#   # Configure autofs
-#   echo "$fileShareName -fstype=cifs,rw,dir_mode=0777,credentials=$smbCredentialFile :$smbPath" | sudo tee /etc/auto.fileshares > /dev/null
-#   echo "$mntRoot /etc/auto.fileshares --timeout=60" | sudo tee /etc/auto.master > /dev/null
-
-#   # Restart service to register changes
-#   sudo systemctl restart autofs
-
-#   # Autofs mounts when accessed for 60 seconds.  Folder created for constant visible mount
-#   sudo ln -s "$mntPath" "/$fileShareName"
-#   sudo mkdir -p $mntRoot
   echo "$smbPath $mntRoot cifs rw,vers=default,dir_mode=0777,file_mode=0777,uid=1000,gid=1000,credentials=$smbCredentialFile 0 0" | sudo tee -a /etc/fstab >/dev/null
   sudo mount $mntRoot
 fi
@@ -172,9 +162,9 @@ sudo update-alternatives --config x-www-browser
 
 # Prevent screen timeout
 echo "init_vm.sh: Preventing Timeout"
+sudo mkdir -p /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml
 sudo touch /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml
 sudo chmod 664 /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml
-sudo chown "${VM_USER}":"${VM_USER}" /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml
 sudo tee /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml << END
 <?xml version="1.0" encoding="UTF-8"?>
 <channel name="xfce4-screensaver" version="1.0">
@@ -187,6 +177,7 @@ sudo tee /home/"${VM_USER}"/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-scree
   </property>
 </ channel>
 END
+sudo chown -Rf "${VM_USER}":"${VM_USER}" /home/"${VM_USER}"/.config
 
 ## Cleanup
 echo "init_vm.sh: Cleanup"

templates/workspaces/base-adf/terraform/network/data.tf

@@ -93,6 +93,11 @@ data "azurerm_private_dns_zone" "postgres" {
   resource_group_name = local.core_resource_group_name
 }
 
+data "azurerm_private_dns_zone" "azuresql" {
+  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.database.windows.net"]
+  resource_group_name = local.core_resource_group_name
+}
+
 data "azurerm_public_ip" "app_gateway_ip" {
   name                = "pip-agw-${var.tre_id}"
   resource_group_name = local.core_resource_group_name

templates/workspaces/base-adf/terraform/network/dns-link.tf

@@ -0,0 +1,10 @@
+data "azurerm_private_dns_resolver_dns_forwarding_ruleset" "core-dns-ruleset" {
+  name                = "dns-ruleset"
+  resource_group_name = local.core_resource_group_name
+}
+
+resource "azurerm_private_dns_resolver_virtual_network_link" "dns-ws-link" {
+  name                      = "dns-ws-link-${local.workspace_resource_name_suffix}"
+  dns_forwarding_ruleset_id = data.azurerm_private_dns_resolver_dns_forwarding_ruleset.core-dns-ruleset.id
+  virtual_network_id        = azurerm_virtual_network.ws.id
+}

templates/workspaces/base-adf/terraform/network/network.tf

@@ -105,6 +105,6 @@ resource "azurerm_subnet_route_table_association" "rt_webapps_subnet_association
 }
 
 module "terraform_azurerm_environment_configuration" {
-  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.5.0"
   arm_environment = var.arm_environment
 }

templates/workspaces/base-adf/terraform/network/zone_links.tf

@@ -129,6 +129,16 @@ resource "azurerm_private_dns_zone_virtual_network_link" "postgreslink" {
   lifecycle { ignore_changes = [tags] }
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "azuresqllink" {
+  name                  = "azuresqllink-${local.workspace_resource_name_suffix}"
+  resource_group_name   = local.core_resource_group_name
+  private_dns_zone_name = data.azurerm_private_dns_zone.azuresql.name
+  virtual_network_id    = azurerm_virtual_network.ws.id
+  tags                  = var.tre_workspace_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
 resource "azurerm_private_dns_zone_virtual_network_link" "nexuslink" {
   name                  = "nexuslink-${local.workspace_resource_name_suffix}"
   resource_group_name   = local.core_resource_group_name

templates/workspaces/base/terraform/network/dns-link.tf

@@ -0,0 +1,10 @@
+data "azurerm_private_dns_resolver_dns_forwarding_ruleset" "core-dns-ruleset" {
+  name                = "dns-ruleset"
+  resource_group_name = local.core_resource_group_name
+}
+
+resource "azurerm_private_dns_resolver_virtual_network_link" "dns-ws-link" {
+  name                      = "dns-ws-link-${local.workspace_resource_name_suffix}"
+  dns_forwarding_ruleset_id = data.azurerm_private_dns_resolver_dns_forwarding_ruleset.core-dns-ruleset.id
+  virtual_network_id        = azurerm_virtual_network.ws.id
+}