bridgecrewio · XD-JoeBlack · Aug 18, 2025 · Aug 18, 2025 · Aug 18, 2025 · Aug 26, 2025
diff --git a/.github/workflows/cortex.yaml b/.github/workflows/cortex.yaml
@@ -0,0 +1,53 @@
+
+name: Cortex CLI Code Scan
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  CORTEX_API_KEY: ${{secrets.CORTEX_API_KEY}}
+  CORTEX_API_KEY_ID: ${{secrets.CORTEX_API_KEY_ID}}
+  CORTEX_API_URL: https://api-cloud-lab.xdr.tw.paloaltonetworks.com
+
+jobs:
+  cortex-code-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v2
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: 22
+
+    - name: Verify Node.js Version
+      run: node -v
+
+    - name: Download cortexcli
+      run: |
+        set -x
+        crtx_resp=$(curl "${CORTEX_API_URL}/public_api/v1/unified-cli/releases/download-link?os=linux&architecture=amd64" \
+          -H "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
+          -H "Authorization: ${CORTEX_API_KEY}")
+        crtx_url=$(echo $crtx_resp | jq -r ".signed_url")
+        curl -o cortexcli $crtx_url
+        chmod +x cortexcli
+        ./cortexcli --version
+
+    - name: Run Cortex CLI Code Scan
+      run: |
+        ./cortexcli \
+          --api-base-url "${CORTEX_API_URL}" \
+          --api-key "${CORTEX_API_KEY}" \
+          --api-key-id "${CORTEX_API_KEY_ID}" \
+          code scan \
+          --directory "${{github.workspace}}" \
+          --repo-id "${{github.repository}}" \
+          --branch "${{github.ref_name}}" \
+          --source "GITHUB_ACTIONS" \
+          --create-repo-if-missing
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,4 @@
+{
+    "cortexCloud.apiKeyId": "5",
+    "cortexCloud.platformURL": "https://api-cloud-lab.xdr.tw.paloaltonetworks.com"
+}
diff --git a/packages/sub/pom.xml b/packages/sub/pom.xml
@@ -23,7 +23,7 @@
 		<maven.compiler.source>1.7</maven.compiler.source>
 		<maven.compiler.target>1.7</maven.compiler.target>
    		<cloud.function.context.version>3.1.0</cloud.function.context.version>
-    		<log4j.version>2.14.0</log4j.version>
+    		<log4j.version>2.12.4</log4j.version>
   	</properties>
 
   	<dependencies>

diff --git a/terraform/aws/db-app.tf b/terraform/aws/db-app.tf
@@ -203,26 +203,56 @@ EOF
   })
 }
 
+variable "app_bucket_name" {
+  type = string
+  # e.g., "my-lab-bucket-123"
+}
+
+variable "app_bucket_prefix" {
+  type    = string
+  default = ""              # e.g., "uploads/"
+}
+
+locals {
+  app_bucket_arn = "arn:aws:s3:::${var.app_bucket_name}"
+}
+
 resource "aws_iam_role_policy" "ec2policy" {
-  name = "${local.resource_prefix.value}-policy"
   role = aws_iam_role.ec2role.id
 
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:*",
-        "ec2:*",
-        "rds:*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
+  policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      # 1) Minimal read-only for EC2/RDS (Describe calls)
+      {
+        Sid      = "ReadOnlyDescribe"
+        Effect   = "Allow"
+        Action   = ["ec2:DescribeInstances", "rds:DescribeDBInstances"]
+        Resource = "*"
+      },
+
+      # 2) Read objects from only one prefix in one bucket
+      {
+        Sid      = "ReadFromAppBucket"
+        Effect   = "Allow"
+        Action   = ["s3:GetObject"]
+        Resource = "${local.app_bucket_arn}/${var.app_bucket_prefix}*"
+      },
+
+      # 3) (Optional) Allow listing keys on the bucket, scoped to that prefix
+      {
+        Sid      = "ListAppBucket"
+        Effect   = "Allow"
+        Action   = ["s3:ListBucket"]
+        Resource = local.app_bucket_arn            # bucket only (no /*)
+        Condition = {
+          StringLike = {
+            "s3:prefix" = ["${var.app_bucket_prefix}*"]
+          }
+        }
+      }
+    ]
+  })
 }
 
 data "aws_ami" "amazon-linux-2" {

diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf
@@ -1,22 +1,46 @@
-resource "aws_instance" "web_host" {
-  # ec2 have plain text secrets in user data
-  ami           = "${var.ami}"
-  instance_type = "t2.nano"
-
-  vpc_security_group_ids = [
-  "${aws_security_group.web-node.id}"]
-  subnet_id = "${aws_subnet.web_subnet.id}"
-  user_data = <<EOF
-#! /bin/bash
-sudo apt-get update
-sudo apt-get install -y apache2
-sudo systemctl start apache2
-sudo systemctl enable apache2
-export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
-export AWS_SECRET_ACCESS_KEY=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
-export AWS_DEFAULT_REGION=us-west-2
-echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
-EOF
+ resource "aws_instance" "web_host" {
+   ami           = "${var.ami}"
+   instance_type = "t2.nano"
+
+   vpc_security_group_ids = [
+   "${aws_security_group.web-node.id}"]
+   subnet_id = "${aws_subnet.web_subnet.id}"
+   iam_instance_profile = "${aws_iam_instance_profile.web_profile.name}" 
+-  user_data = <<-EOF
+-  metadata_options {
+-  http_endpoint = "enabled"
+-  http_tokens   = "required"   # IMDSv2 only
+-}
+-
+-root_block_device {
+-  encrypted   = true
+-  kms_key_id  = aws_kms_key.ebs.arn
+-  volume_type = "gp3"
+-  # volume_size = 8 # optional
+-}
+-#!/bin/bash
++  # ✅ IMDSv2 – required tokens
++  metadata_options {
++    http_endpoint = "enabled"
++    http_tokens   = "required"
++  }
++
++  # ✅ Encrypted root volume (uses AWS-managed EBS key unless you define a CMK)
++  root_block_device {
++    encrypted   = true
++    volume_type = "gp3"
++    # kms_key_id  = aws_kms_key.ebs.arn  # only if you actually defined this key
++    # volume_size = 8
++  }
++
++  user_data = <<-EOF
++#!/bin/bash
+ apt-get update -y
+ apt-get install -y apache2
+ systemctl enable --now apache2
+ echo "<h1>Deployed via Terraform</h1>" > /var/www/html/index.html
+ EOF
+
   tags = merge({
     Name = "${local.resource_prefix.value}-ec2"
     }, {
@@ -34,7 +58,8 @@ EOF
 resource "aws_ebs_volume" "web_host_storage" {
   # unencrypted volume
   availability_zone = "${var.region}a"
-  #encrypted         = false  # Setting this causes the volume to be recreated on apply 
+  #encrypted         = true
+  kms_key_id = aws_kms_key.ebs.arn
   size = 1
   tags = merge({
     Name = "${local.resource_prefix.value}-ebs"
@@ -87,13 +112,6 @@ resource "aws_security_group" "web-node" {
     cidr_blocks = [
     "0.0.0.0/0"]
   }
-  ingress {
-    from_port = 22
-    to_port   = 22
-    protocol  = "tcp"
-    cidr_blocks = [
-    "0.0.0.0/0"]
-  }
   egress {
     from_port = 0
     to_port   = 0

diff --git a/terraform/aws/elb.tf b/terraform/aws/elb.tf
@@ -3,12 +3,12 @@ resource "aws_elb" "weblb" {
   name = "weblb-terraform-elb"
 
   listener {
-    instance_port     = 8000
-    instance_protocol = "http"
-    lb_port           = 80
-    lb_protocol       = "http"
-  }
-
+  lb_port            = 443
+  lb_protocol        = "https"
+  instance_port      = 8000
+  instance_protocol  = "http"
+  ssl_certificate_id = var.acm_certificate_arn
+}
   health_check {
     healthy_threshold   = 2
     unhealthy_threshold = 2
@@ -37,4 +37,4 @@ resource "aws_elb" "weblb" {
     git_repo             = "terragoat"
     yor_trace            = "b4a83ce9-9a45-43b4-b6d9-1783c282f702"
   })
-}
+}
diff --git a/terraform/aws/kms.tf b/terraform/aws/kms.tf
@@ -1,6 +1,11 @@
-resource "aws_kms_key" "logs_key" {
-  # key does not have rotation enabled
-  description = "${local.resource_prefix.value}-logs bucket key"
+resource "aws_kms_key" "ebs" {
+  description         = "${local.resource_prefix.value}-ebs-kms"
+  enable_key_rotation = true
+  tags = {
+    Name = "${local.resource_prefix.value}-ebs-kms"
+  }
+}
+
 
   deletion_window_in_days = 7
   tags = {

diff --git a/terraform/aws/lambda.tf b/terraform/aws/lambda.tf
@@ -1,59 +1,9 @@
-resource "aws_iam_role" "iam_for_lambda" {
-  name = "${local.resource_prefix.value}-analysis-lambda"
-
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-  tags = {
-    git_commit           = "e6d83b21346fe85d4fe28b16c0b2f1e0662eb1d7"
-    git_file             = "terraform/aws/lambda.tf"
-    git_last_modified_at = "2023-04-27 12:47:51"
-    git_last_modified_by = "nadler@paloaltonetworks.com"
-    git_modifiers        = "nadler/nimrodkor"
-    git_org              = "bridgecrewio"
-    git_repo             = "terragoat"
-    yor_trace            = "93cfa6f9-a257-40c3-b7dc-3c3686929734"
-  }
-}
-
-resource "aws_lambda_function" "analysis_lambda" {
-  # lambda have plain text secrets in environment variables
-  filename      = "resources/lambda_function_payload.zip"
-  function_name = "${local.resource_prefix.value}-analysis"
-  role          = "${aws_iam_role.iam_for_lambda.arn}"
-  handler       = "exports.test"
-
-  source_code_hash = "${filebase64sha256("resources/lambda_function_payload.zip")}"
-
-  runtime = "nodejs12.x"
-
-  environment {
-    variables = {
-      access_key = "AKIAIOSFODNN7EXAMPLE"
-      secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-    }
-  }
-  tags = {
-    git_commit           = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542"
-    git_file             = "terraform/aws/lambda.tf"
-    git_last_modified_at = "2021-05-02 10:06:10"
-    git_last_modified_by = "nimrodkor@users.noreply.github.com"
-    git_modifiers        = "nimrodkor"
-    git_org              = "bridgecrewio"
-    git_repo             = "terragoat"
-    yor_trace            = "f7d8bc47-e5d9-4b09-9d8f-e7b9724d826e"
-  }
-}
+ resource "aws_lambda_function" "analysis_lambda" {
+   filename      = "resources/lambda_function_payload.zip"
+   function_name = "${local.resource_prefix.value}-analysis"
+   role          = "${aws_iam_role.iam_for_lambda.arn}"
+   handler       = "exports.test"
+
+   source_code_hash = "${filebase64sha256("resources/lambda_function_payload.zip")}"
+
+-  runtime = "nodejs12.x"
diff --git a/terraform/aws/providers.tf b/terraform/aws/providers.tf
@@ -1,18 +1,7 @@
-
-provider "aws" {
-  profile = var.profile
-  region  = var.region
-}
-
-provider "aws" {
-  alias      = "plain_text_access_keys_provider"
-  region     = "us-west-1"
-  access_key = "AKIAIOSFODNN7EXAMPLE"
-  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-}
-
-terraform {
-  backend "s3" {
-    encrypt = true
-  }
-}
+--- a/terraform/aws/providers.tf
++++ b/terraform/aws/providers.tf
+@@
+ provider "aws" {
+   profile = var.profile
+   region  = var.region
+ }
diff --git a/terraform/aws/terraform.tfvars b/terraform/aws/terraform.tfvars
@@ -0,0 +1,2 @@
+app_bucket_name   = "my-lab-bucket-123"
+app_bucket_prefix = "uploads/"
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -0,0 +1 @@
+variable "acm_certificate_arn" { description = "ACM certificate ARN for the web ELB HTTPS listener"; type = string }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		app_bucket_name = "my-lab-bucket-123"
		app_bucket_prefix = "uploads/"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		variable "acm_certificate_arn" { description = "ACM certificate ARN for the web ELB HTTPS listener"; type = string }