You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 Security concerns
Sensitive information exposure: The rabbitmq_password and usernames are marked as sensitive but are still being output. This could lead to accidental exposure if access controls are not properly enforced. Additionally, ensure that the IAM role and policy for CloudWatch logging are scoped to the minimum permissions required to avoid privilege escalation risks.
The random_password.rabbitmq_password.result is directly used in multiple places, including outputs and user configurations. Ensure that this sensitive data is securely handled and not inadvertently exposed.
resource"random_password""rabbitmq_password" {
length=15special=true# Includes special charactersoverride_special="!@#$%^&*()-_=+[]{}<>:?"
}
variable"private_subnet_cidrs" {
default=["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
}
resource"aws_mq_broker""rabbitmq_broker_primary" {
broker_name="auto-drive-rabbitmq-broker-primary"engine_type="RabbitMQ"engine_version=var.rabbitmq_versionhost_instance_type=var.rabbitmq_instance_type# t3.micro is the smallest instance type available for Amazon MQ, use mq.m5.large for productionsecurity_groups=[aws_security_group.rabbitmq_broker_primary.id]
deployment_mode="ACTIVE_STANDBY_MULTI_AZ"storage_type="ebs"apply_immediately=truesubnet_ids=module.vpc.private_subnets# Use private subnets from VPC modulepublicly_accessible=falseencryption_options {
use_aws_owned_key=falsekms_key_id=aws_kms_key.mq_kms_key.arn
}
logs {
general=trueaudit=false
}
maintenance_window_start_time {
day_of_week="Sunday"time_of_day="03:00"time_zone="UTC"
}
user {
username=var.rabbitmq_usernamepassword=random_password.rabbitmq_password.result
}
user {
username=var.rabbitmq_replication_usernamepassword=random_password.rabbitmq_password.resultreplication_user=true
}
tags={
Environment ="Production"
Application ="AutoDrive"
}
}
resource"aws_mq_broker""rabbitmq_broker_secondary" {
broker_name="auto-drive-rabbitmq-broker-secondary"engine_type="RabbitMQ"engine_version=var.rabbitmq_versionhost_instance_type=var.rabbitmq_instance_type# t3.micro is the smallest instance type available for Amazon MQ, use mq.m5.large for productionsecurity_groups=[aws_security_group.rabbitmq_broker_secondary.id]
deployment_mode="ACTIVE_STANDBY_MULTI_AZ"storage_type="ebs"apply_immediately=truedata_replication_mode="CRDR"data_replication_primary_broker_arn=aws_mq_broker.rabbitmq_broker_primary.arnsubnet_ids=module.vpc.private_subnets# Use private subnets from VPC modulepublicly_accessible=falseencryption_options {
use_aws_owned_key=falsekms_key_id=aws_kms_key.mq_kms_key.arn
}
logs {
general=trueaudit=false
}
maintenance_window_start_time {
day_of_week="Sunday"time_of_day="04:00"time_zone="UTC"
}
user {
username=var.rabbitmq_usernamepassword=random_password.rabbitmq_password.result
}
user {
username=var.rabbitmq_replication_usernamepassword=random_password.rabbitmq_password.resultreplication_user=true
}
tags={
Environment ="Production"
Application ="AutoDrive"
}
}
# Security Group for RabbitMQ Primary Brokerresource"aws_security_group""rabbitmq_broker_primary" {
name="rabbitmq-primary-sg"description="Security group for RabbitMQ primary broker"vpc_id=module.vpc.vpc_idingress {
from_port=5671to_port=5671protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
ingress {
from_port=5672to_port=5672protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
egress {
from_port=0to_port=0protocol="-1"cidr_blocks=["0.0.0.0/0"]
}
tags={
Name ="rabbitmq-primary-sg"
}
}
# Security Group for RabbitMQ Secondary Brokerresource"aws_security_group""rabbitmq_broker_secondary" {
name="rabbitmq-secondary-sg"description="Security group for RabbitMQ secondary broker"vpc_id=module.vpc.vpc_idingress {
from_port=5671to_port=5671protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
ingress {
from_port=5672to_port=5672protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
egress {
from_port=0to_port=0protocol="-1"cidr_blocks=["0.0.0.0/0"]
}
tags={
Name ="rabbitmq-secondary-sg"
}
}
# KMS Key for Encryptionresource"aws_kms_key""mq_kms_key" {
description="KMS key for RabbitMQ encryption"enable_key_rotation=truedeletion_window_in_days=30
}
resource"aws_kms_alias""mq_kms_alias" {
name="alias/rabbitmq-broker-key"target_key_id=aws_kms_key.mq_kms_key.id
}
# IAM Role for CloudWatch Loggingresource"aws_iam_role""mq_cloudwatch_role" {
name="mq-cloudwatch-logs-role"assume_role_policy=<<EOF{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action": "sts:AssumeRole" } ]}EOF
}
resource"aws_iam_policy""mq_cloudwatch_policy" {
name="mq-cloudwatch-logs-policy"description="Policy for allowing Amazon MQ to write logs to CloudWatch"policy=<<EOF{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" } ]}EOF
}
resource"aws_iam_role_policy_attachment""mq_cloudwatch_attach" {
role=aws_iam_role.mq_cloudwatch_role.namepolicy_arn=aws_iam_policy.mq_cloudwatch_policy.arn
}
The security groups for RabbitMQ brokers allow ingress traffic on ports 5671 and 5672 from all private subnets. Verify that this configuration aligns with the intended security posture and does not introduce vulnerabilities.
# Security Group for RabbitMQ Primary Brokerresource"aws_security_group""rabbitmq_broker_primary" {
name="rabbitmq-primary-sg"description="Security group for RabbitMQ primary broker"vpc_id=module.vpc.vpc_idingress {
from_port=5671to_port=5671protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
ingress {
from_port=5672to_port=5672protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
egress {
from_port=0to_port=0protocol="-1"cidr_blocks=["0.0.0.0/0"]
}
tags={
Name ="rabbitmq-primary-sg"
}
}
# Security Group for RabbitMQ Secondary Brokerresource"aws_security_group""rabbitmq_broker_secondary" {
name="rabbitmq-secondary-sg"description="Security group for RabbitMQ secondary broker"vpc_id=module.vpc.vpc_idingress {
from_port=5671to_port=5671protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
ingress {
from_port=5672to_port=5672protocol="tcp"cidr_blocks=var.private_subnet_cidrs
}
egress {
from_port=0to_port=0protocol="-1"cidr_blocks=["0.0.0.0/0"]
}
tags={
Name ="rabbitmq-secondary-sg"
}
Sensitive information such as rabbitmq_password and usernames are being exposed as outputs. Confirm that these outputs are necessary and ensure proper access controls are in place.
Ensure that the random_password.rabbitmq_password.result is not reused for both the primary user and the replication user to avoid potential security risks and conflicts.
Why: Reusing the same password for both the primary user and the replication user poses a significant security risk. This suggestion addresses a critical issue by recommending the use of a separate password for the replication user, improving security and reducing potential conflicts.
9
Restrict outbound traffic in security groups
Restrict the egress rule in the security groups to only allow necessary outbound traffic instead of permitting all traffic to enhance security.
Why: Restricting outbound traffic enhances security by limiting unnecessary exposure. This suggestion provides a clear and actionable improvement to the security group configuration.
8
Prevent exposure of sensitive outputs
Avoid exposing sensitive outputs like rabbitmq_password in the outputs file, even if marked as sensitive, to reduce the risk of accidental exposure.
-output "rabbitmq_password" {- description = "RabbitMQ password"- value = random_password.rabbitmq_password.result- sensitive = true-}+# Avoid exposing sensitive outputs like passwords
Suggestion importance[1-10]: 7
Why: Avoiding the exposure of sensitive outputs, even when marked as sensitive, reduces the risk of accidental leaks. This suggestion improves security, but it could have been more impactful if it proposed an alternative way to handle the sensitive data.
7
General
Validate instance type for production readiness
Add a condition to validate that the var.rabbitmq_instance_type is set to a production-ready instance type for non-development environments to prevent performance issues.
-host_instance_type = var.rabbitmq_instance_type # t3.micro is the smallest instance type available for Amazon MQ, use mq.m5.large for production+host_instance_type = var.rabbitmq_instance_type+# Add validation logic to ensure production environments use mq.m5.large or higher
Suggestion importance[1-10]: 6
Why: Adding validation logic for the instance type ensures that production environments use a suitable instance type, preventing performance issues. However, the suggestion is not actionable as it does not provide specific implementation details.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Managed RabbitMQ with Amazon MQ with high-availability, replication and optimized EBS volume
PR Type
Enhancement
Description
Added high-availability RabbitMQ brokers using Amazon MQ with multi-AZ deployment.
Configured security groups, KMS encryption, and IAM roles for RabbitMQ.
Introduced new variables and outputs for RabbitMQ configuration and access.
Enabled logging and replication for RabbitMQ brokers.
Changes walkthrough 📝
broker.tf
Added RabbitMQ broker resources and configurationsauto-drive/broker.tf
outputs.tf
Added RabbitMQ broker-related outputsauto-drive/outputs.tf
variables.tf
Introduced RabbitMQ-related variablesauto-drive/variables.tf