[u] Ensure security contact information is registered (#4764, PR #4802)

DataBiosphere · Dec 16, 2022 · 0aa860a · 0aa860a
2 parents a44e67e + 701f813
commit 0aa860a
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 3 deletions.
diff --git a/UPGRADING.rst b/UPGRADING.rst
@@ -11,6 +11,16 @@ reverted. This is all fairly informal and loosely defined. Hopefully we won't
 have too many entries in this file.
 
 
+#4764 Ensure security contact information is registered
+=======================================================
+
+Operator
+~~~~~~~~
+
+Manually deploy the ``shared`` component of any main deployment just before
+pushing the merge commit to the GitLab instance in that deployment.
+
+
 #4692 Ensure IAM password policies have strong configurations
 =============================================================
 

diff --git a/deployments/dev.shared/environment.py b/deployments/dev.shared/environment.py
@@ -27,5 +27,12 @@ def env() -> Mapping[str, Optional[str]]:
     """
     return {
         'azul_terraform_component': 'shared',
-        'azul_aws_support_roles': json.dumps(['administrator', 'developer'])
+        'azul_aws_support_roles': json.dumps(['administrator', 'developer']),
+
+        'azul_security_contact': json.dumps({
+            'name': 'Hannes Schmidt',
+            'title': 'Tech lead',
+            'email_address': 'azul-group@ucsc.edu',
+            'phone_number': '831-454-8200'
+        }),
     }
diff --git a/environment.py b/environment.py
@@ -541,5 +541,14 @@ def env() -> Mapping[str, Optional[str]]:
         # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20
         #
         #
-        'azul_aws_support_roles': json.dumps([])
+        'azul_aws_support_roles': json.dumps([]),
+
+        # A dict containing the contact details of the AWS account alternate
+        # contact for security communications. The keys must include those
+        # required by the aws_account_alternate_contact Terraform resource,
+        # however should exclude the key alternate_contact_type.
+        #
+        # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact
+        #
+        'azul_security_contact': None,
     }
diff --git a/src/azul/__init__.py b/src/azul/__init__.py
@@ -1335,6 +1335,17 @@ def monitoring_topic_name(self):
     def cloudwatch_dashboard_template(self) -> str:
         return f'{config.project_root}/terraform/cloudwatch_dashboard.template.json'
 
+    @property
+    def security_contact(self) -> Optional[dict[str]]:
+        value = self.environ.get('azul_security_contact')
+        if value is None:
+            return None
+        else:
+            # FIXME: Eliminate local import
+            #        https://github.com/DataBiosphere/azul/issues/3133
+            import json
+            return json.loads(value)
+
 
 config: Config = Config()  # yes, the type hint does help PyCharm
 

diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -410,6 +410,18 @@
                 'password_reuse_prevention': 24,
                 'max_password_age': 90,
             }
-        }
+        },
+        **(
+            {
+                'aws_account_alternate_contact': {
+                    'security': {
+                        **config.security_contact,
+                        'alternate_contact_type': 'SECURITY'
+                    }
+                }
+            }
+            if config.security_contact else
+            {}
+        )
     }
 }))