defenseunicorns / delivery-aws-iac
License: Apache License 2.0
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for encrypting S3 buckets and SOPS encryption
Now that https://github.com/defenseunicorns/terraform-aws-tfstate-backend exists, we should use it rather than the one that is present in this repo
If a base / upstream module that we are consuming flags an output as sensitive, we should flag it as sensitive in each of the parent vars / outputs
edit: Implement EKS Blueprints production security group recommendations
edit 2: How does this impact all the BB and mission app things (seems like we could define it for knowns but it could get complicated for unknowns)
Enlist sentient being to do this
Configure EKS nodegroups in complete-example min.tf with minimum requirements to run a medium BB deployment
Currently need a clean way to pass in tf vars from zarf to IaC
Looking at
When utilizing ssh or sshuttle over SSM, logs are not currently being captured.
As a developer of this repo, I want an automated pipeline to validate my code during the PR process, so that I am only merging code that meets our quality standards.
AC:
pre-commit run -a
and fails if pre-commit finds any issues.
Notes:
terraform fmt, tflint, tfsec, etc., along with around a dozen other hooks that ensure cleanliness in the codebase.
edit: Implement EKS Blueprints production IAM policy recommendations
Add conditional Terraform policy that can be assigned to bastion role
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Existing tflint errors:
Command 'tflint --init' successfully done:
TFLint in examples/complete-example/:
12 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 5:
5: Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 48:
48: username = "${var.aws_admin_1_username}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 53:
53: username = "${var.aws_admin_2_username}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: data "aws_eks_cluster_auth" "this" is declared but not used (terraform_unused_declarations)
on providers.tf line 2:
2: data "aws_eks_cluster_auth" "this" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on providers.tf line 14:
14: provider "aws" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "kubernetes" in "required_providers" (terraform_required_providers)
on providers.tf line 19:
19: provider "kubernetes" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "helm" in "required_providers" (terraform_required_providers)
on providers.tf line 29:
29: provider "helm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: variable "aws_profile" is declared but not used (terraform_unused_declarations)
on variables.tf line 19:
19: variable "aws_profile" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_group" is declared but not used (terraform_unused_declarations)
on variables.tf line 48:
48: variable "create_database_subnet_group" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_route_table" is declared but not used (terraform_unused_declarations)
on variables.tf line 54:
54: variable "create_database_subnet_route_table" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "assign_public_ip" is declared but not used (terraform_unused_declarations)
on variables.tf line 84:
84: variable "assign_public_ip" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in examples/tf-state-backend/:
2 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on main.tf line 5:
5: data "aws_partition" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
TFLint in modules/bastion/:
28 issue(s) found:
Warning: local.root_volume_config is declared but not used (terraform_unused_declarations)
on locals.tf line 32:
32: root_volume_config = {
33: volume_type = "gp3"
34: volume_size = "20"
35: encrypted = true
36: }
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_region" "current" is declared but not used (terraform_unused_declarations)
on main.tf line 3:
3: data "aws_region" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: List items should be accessed using square brackets (terraform_deprecated_index)
on main.tf line 37:
37: vpc_security_group_ids = length(local.security_group_configs) > 0 ? aws_security_group.sg.*.id : var.security_group_ids
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_index.md
Warning: Missing version constraint for provider "tls" in "required_providers" (terraform_required_providers)
on main.tf line 60:
60: resource "tls_private_key" "bastion_key" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "cloudinit" in "required_providers" (terraform_required_providers)
on main.tf line 185:
185: data "cloudinit_config" "config" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: List items should be accessed using square brackets (terraform_deprecated_index)
on output.tf line 21:
21: value = length(local.security_group_configs) > 0 ? aws_security_group.sg.*.id : var.security_group_ids
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_index.md
Warning: variable "ec2_key_name" is declared but not used (terraform_unused_declarations)
on variables.tf line 56:
56: variable "ec2_key_name" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "requires_eip" is declared but not used (terraform_unused_declarations)
on variables.tf line 80:
80: variable "requires_eip" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "user_data" is declared but not used (terraform_unused_declarations)
on variables.tf line 86:
86: variable "user_data" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "role_name" is declared but not used (terraform_unused_declarations)
on variables.tf line 92:
92: variable "role_name" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "acl" is declared but not used (terraform_unused_declarations)
on variables.tf line 172:
172: variable "acl" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "versioning_enabled" is declared but not used (terraform_unused_declarations)
on variables.tf line 190:
190: variable "versioning_enabled" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "force_destroy" is declared but not used (terraform_unused_declarations)
on variables.tf line 196:
196: variable "force_destroy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "logging" is declared but not used (terraform_unused_declarations)
on variables.tf line 202:
202: variable "logging" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "bucket_public_access_block" is declared but not used (terraform_unused_declarations)
on variables.tf line 220:
220: variable "bucket_public_access_block" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `ssh_user` variable has no type (terraform_typed_variables)
on variables.tf line 230:
230: variable "ssh_user" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: `enable_hourly_cron_updates` variable has no type (terraform_typed_variables)
on variables.tf line 234:
234: variable "enable_hourly_cron_updates" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "enable_hourly_cron_updates" is declared but not used (terraform_unused_declarations)
on variables.tf line 234:
234: variable "enable_hourly_cron_updates" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `keys_update_frequency` variable has no type (terraform_typed_variables)
on variables.tf line 238:
238: variable "keys_update_frequency" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "keys_update_frequency" is declared but not used (terraform_unused_declarations)
on variables.tf line 238:
238: variable "keys_update_frequency" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `user_data_file` variable has no type (terraform_typed_variables)
on variables.tf line 242:
242: variable "user_data_file" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "user_data_file" is declared but not used (terraform_unused_declarations)
on variables.tf line 242:
242: variable "user_data_file" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `additional_user_data_script` variable has no type (terraform_typed_variables)
on variables.tf line 246:
246: variable "additional_user_data_script" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "ssh_public_key_names" is declared but not used (terraform_unused_declarations)
on variables.tf line 250:
250: variable "ssh_public_key_names" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `cluster_sops_policy_arn` variable has no type (terraform_typed_variables)
on variables.tf line 255:
255: variable "cluster_sops_policy_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: `ssmkey_arn` variable has no type (terraform_typed_variables)
on variables.tf line 277:
277: variable "ssmkey_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "ssmkey_arn" is declared but not used (terraform_unused_declarations)
on variables.tf line 277:
277: variable "ssmkey_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "vpc_endpoints_enabled" is declared but not used (terraform_unused_declarations)
on variables.tf line 324:
324: variable "vpc_endpoints_enabled" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/eks/:
5 issue(s) found:
Warning: local.azs is declared but not used (terraform_unused_declarations)
on locals.tf line 5:
5: azs = slice(data.aws_availability_zones.available.names, 0, 3)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_eks_cluster_auth" "this" is declared but not used (terraform_unused_declarations)
on main.tf line 1:
1: data "aws_eks_cluster_auth" "this" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 322:
322: "AWS": ${var.cluster_kms_key_additional_admin_arns == [] ? "[]" : jsonencode(var.cluster_kms_key_additional_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: variable "public_subnet_ids" is declared but not used (terraform_unused_declarations)
on variables.tf line 26:
26: variable "public_subnet_ids" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "aws_account" is declared but not used (terraform_unused_declarations)
on variables.tf line 37:
37: variable "aws_account" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/rds/:
2 issue(s) found:
Warning: variable "db_vpc_security_group_ids" is declared but not used (terraform_unused_declarations)
on variables.tf line 13:
13: variable "db_vpc_security_group_ids" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_db_subnet_group" is declared but not used (terraform_unused_declarations)
on variables.tf line 85:
85: variable "create_db_subnet_group" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/s3-irsa/:
1 issue(s) found:
Warning: local.name is declared but not used (terraform_unused_declarations)
on main.tf line 2:
2: name = basename(path.cwd)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/sops/:
2 issue(s) found:
Warning: local.name is declared but not used (terraform_unused_declarations)
on main.tf line 2:
2: name = basename(path.cwd)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/tfstate-backend/:
9 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: local.role_name is declared but not used (terraform_unused_declarations)
on locals.tf line 2:
2: role_name = "${var.bucket_prefix}-role"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: local.bucket_prefix is declared but not used (terraform_unused_declarations)
on locals.tf line 3:
3: bucket_prefix = var.bucket_prefix
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_partition" "current" is declared but not used (terraform_unused_declarations)
on main.tf line 1:
1: data "aws_partition" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on main.tf line 66:
66: resource "aws_s3_bucket_policy" "backend_bucket" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 76:
76: "AWS": ${var.cluster_key_admin_arns == [] ? "[]" : jsonencode(var.cluster_key_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 95:
95: "AWS": ${var.cluster_key_admin_arns == [] ? "[]" : jsonencode(var.cluster_key_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "permissions_boundary" is declared but not used (terraform_unused_declarations)
on variables.tf line 28:
28: variable "permissions_boundary" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
TFLint in modules/vpc/:
4 issue(s) found:
Warning: data "aws_iam_policy_document" "dynamodb_endpoint_policy" is declared but not used (terraform_unused_declarations)
on main.tf line 196:
196: data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_iam_policy_document" "generic_endpoint_policy" is declared but not used (terraform_unused_declarations)
on main.tf line 216:
216: data "aws_iam_policy_document" "generic_endpoint_policy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_route_table" is declared but not used (terraform_unused_declarations)
on variables.tf line 39:
39: variable "create_database_subnet_route_table" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
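One way to clear each class of warning in the tflint output above, as an added example that is not the repository's own code. The provider version constraints and the purpose given to ssmkey_arn are assumptions; the local, resource and variable names are the ones tflint printed.

```hcl
# Added example (not the repository's own code). Version constraints are
# assumptions; the names come from the tflint output above.

# terraform_required_version / terraform_required_providers:
# a versions.tf like this in every module and example directory.
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws       = { source = "hashicorp/aws", version = ">= 4.0" }
    tls       = { source = "hashicorp/tls", version = ">= 4.0" }
    cloudinit = { source = "hashicorp/cloudinit", version = ">= 2.0" }
  }
}

# terraform_deprecated_interpolation: reference the value directly.
#   before: username = "${var.aws_admin_1_username}"
locals {
  admin_1_username = var.aws_admin_1_username
}

# terraform_deprecated_index: [*] splat instead of .* (modules/bastion/main.tf:37).
#   before: aws_security_group.sg.*.id
locals {
  bastion_sg_ids = length(local.security_group_configs) > 0 ? aws_security_group.sg[*].id : var.security_group_ids
}

# terraform_empty_list_equality: test the length, never compare a list to []
# (modules/eks/main.tf:322 and modules/tfstate-backend/main.tf:76,95).
#   before: var.cluster_kms_key_additional_admin_arns == [] ? "[]" : jsonencode(...)
locals {
  kms_admin_principals = length(var.cluster_kms_key_additional_admin_arns) == 0 ? "[]" : jsonencode(var.cluster_kms_key_additional_admin_arns)
}

# terraform_typed_variables: every input gets a type and a description
# (modules/bastion/variables.tf:277). The description is an assumed purpose.
variable "ssmkey_arn" {
  description = "ARN of the KMS key used to encrypt SSM session data (assumed)"
  type        = string
}
```

The length check is what the rule asks for; since jsonencode of an empty list already yields "[]", the ternary around the KMS admin principals can also be dropped entirely, which removes the branch where a typo in the quoted "[]" would produce invalid JSON in the key policy. The unused-declaration warnings need no code: delete the variable, local or data source, or wire it into the resource it was meant for.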
Now that the complete example exists and is tested in a CI pipeline, we need to expand on it. Right now it has a setup for an "insecure mode" which does managed nodegroups, default tenancy, and turns on the public endpoint for the eks cluster. We need to add a "secure mode" which does self-managed nodegroups, dedicated tenancy, and turns off the public endpoint for the eks cluster.
Acceptance Criteria:
terraform apply -var-file=fixtures.common.tfvars -var-file=fixtures.secure.tfvars
complete-self-managed-nodegroup example
complete-self-managed-nodegroup example has been deleted
Notes:
-target to target specifically the vpc and the bastion, then use sshuttle to tunnel through the bastion and run terraform apply again
looking to move a lot of the user_data things into ec2 image builder and create a conditional for the remaining specifics
The Windows module capabilities are probably outside the scope of UDS (edge case). Need to validate this assumption and adjust the issue accordingly.
If outside the scope of UDS, separate tf module will be created / maintained.
If it falls within scope, we need to determine if we can reuse the module for both use cases or if we need to create a separate module.
user_data
When doing a terraform apply or terraform destroy with -target=module.eks, there are no issues with the way we have the outputs; however, if you try to do an apply or destroy without a target there is an error stating the output cannot be an empty tuple for the nodegroups that are not being utilized (self-managed or managed depending on what is being provisioned).
Looking at
Allows us to take advantage of new features and reduces maintenance
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for encrypting S3 buckets and SOPS encryption
Building STIG-compliant amis for EKS
Related Issues:
FIPS EKS AMI issue
FIPS Bottlerocket issue
Edit: EC2 image builder is inconsistent for things in the user_data and if we're going to do something custom, we may want to consider packer.
Definition of Done:
this is not direction, just a conversation starter
If 2 people run terraform apply using the same variables, name conflicts will occur. For example, if 2 people use bastion_name = "my-bastion" in the same aws account, IAM policies such as "my-bastion-s3-readonly" (and a bunch of others) will have name conflicts.
This is likely to happen as we introduce automated testing. I'm surprised it hasn't already just from people reusing the same example tfvars files in the same account.
We could append some UUID to every resource name/id. We do this for certain things already by applying what looks to be a datetime stamp, but we don't currently do that everywhere.
The variable eks_k8s_version (wherever it appears, whether in the eks module or the examples) should validate the value that the user uses, for 2 reasons:
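The two issues above, collision-free resource names and validation of eks_k8s_version, in one added example that is not the repository's code. var.bastion_name, var.eks_k8s_version, the policy-document data source and the hashicorp/random provider are assumptions.

```hcl
# Added example, not the repository's own code. Assumed inputs: var.bastion_name,
# var.eks_k8s_version; data.aws_iam_policy_document.bastion_s3_readonly is
# assumed to exist; the random provider is hashicorp/random.
terraform {
  required_providers {
    random = { source = "hashicorp/random", version = ">= 3.0" }
  }
}

# One short random suffix per root module, so two engineers applying with the
# same tfvars into one account do not collide on IAM policy and role names.
# The suffix lives in state, so repeated applies of the same state keep it.
resource "random_id" "suffix" {
  byte_length = 2 # 4 hex characters
}

locals {
  # e.g. "my-bastion-1a2b": keeps the human-readable prefix from tfvars
  bastion_name = "${var.bastion_name}-${random_id.suffix.hex}"
}

resource "aws_iam_policy" "bastion_s3_readonly" {
  name   = "${local.bastion_name}-s3-readonly"
  policy = data.aws_iam_policy_document.bastion_s3_readonly.json
}

# Reject anything that is not "1.NN" so a typo or a malformed value fails at
# plan time instead of surfacing as an EKS API error mid-apply.
variable "eks_k8s_version" {
  description = "Kubernetes control-plane version for the EKS cluster"
  type        = string
  validation {
    condition     = can(regex("^1\\.[0-9]{2}$", var.eks_k8s_version))
    error_message = "eks_k8s_version must look like \"1.NN\", for example \"1.24\"."
  }
}
```

The regex only checks shape. Once the team settles on the versions the module is tested against, a contains() check over an explicit allowlist is the stricter replacement and also documents the supported matrix in the variable itself.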
As a unicorn engineer responsible for AWS infrastructure, I need the ability to deploy the infrastructure in a repeatable/consumable way that is secure, compliant and authorized.
AC:
Scope:
VPCs, subnets, NAT gwys, TGWs
EKS, self-managed workers
Loki Buckets / Dynamodb table
Keycloak Database
Rt 53 entries
EC2 Gitlab Runner
Bastion
Notes:
Edit: removed mission apps, Rt 53 entries & EC2 GL runner from AC as these are more implementation-specific items and not core UDS things
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for loki logging
pending upstream containerd issue
EKS configs need to be exposed in order for the module to be extensible
By default, EKS ships with its own VPC-CNI, but it currently doesn't support K8s NetworkPolicy resources. For this EKS module, let's make sure that K8s NetPols can be implemented and enforced. This Github issue recommends Calico or Security Groups for Pods, but each of those comes with its own pros/cons.
Existing tfsec errors:
Results #1-2 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/main.tf:103
────────────────────────────────────────────────────────────────────────────────
78 resource "aws_security_group" "sg" {
..
103 [ cidr_blocks = egress.value.cidr_blocks
...
107 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/main.tf:78-107 (aws_security_group.sg[0]) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #3-6 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:182
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
182 [ cidr_blocks = try(each.value.cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:32-58 (module.eks) 4 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:183
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
183 [ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #8-9 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:103
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
78 resource "aws_security_group" "sg" {
..
103 [ cidr_blocks = egress.value.cidr_blocks
...
107 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #10 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:674
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
662 resource "aws_network_acl_rule" "public_inbound" {
...
674 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"] ("-1")
...
677 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #11 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:675
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
662 resource "aws_network_acl_rule" "public_inbound" {
...
675 [ cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
677 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #12 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:691
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
679 resource "aws_network_acl_rule" "public_outbound" {
...
691 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"] ("-1")
...
694 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #13 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:725
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
713 resource "aws_network_acl_rule" "private_inbound" {
...
725 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"] ("-1")
...
728 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #14 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:726
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
713 resource "aws_network_acl_rule" "private_inbound" {
...
726 [ cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
728 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #15 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:742
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
730 resource "aws_network_acl_rule" "private_outbound" {
...
742 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"] ("-1")
...
745 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #16 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:878
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
866 resource "aws_network_acl_rule" "database_inbound" {
...
878 [ protocol = var.database_inbound_acl_rules[count.index]["protocol"] ("-1")
...
881 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #17 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:879
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
866 resource "aws_network_acl_rule" "database_inbound" {
...
879 [ cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
881 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #18 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:895
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
883 resource "aws_network_acl_rule" "database_outbound" {
...
895 [ protocol = var.database_outbound_acl_rules[count.index]["protocol"] ("-1")
...
898 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Results #19-22 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:182
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
182 [ cidr_blocks = try(each.value.cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:18-265 (module.eks_blueprints) 4 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #23 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:183
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
183 [ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #24-25 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:181-198
────────────────────────────────────────────────────────────────────────────────
179 resource "aws_iam_policy" "s3_readonly_policy" {
180 name = "${local.bucket_prefix}-s3-readonly"
181 ┌ policy = <<EOF
182 │ {
183 │ "Version": "2012-10-17",
184 │ "Statement": [
185 │ {
186 │ "Effect": "Allow",
187 └ "Action": [
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:179-199 (aws_iam_policy.s3_readonly_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #26-27 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:54-57
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
54 ┌ resources = [
55 │ aws_s3_bucket.session_logs_bucket.arn,
56 │ "${aws_s3_bucket.session_logs_bucket.arn}/*",
57 └ ]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #28-29 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:84
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
84 [ resources = ["*"]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #30 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
19 data "aws_iam_policy_document" "irsa_policy" {
..
29 [ resources = ["*"]
..
31 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #31 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
52 data "aws_iam_policy_document" "cluster_autoscaler" {
..
71 [ resources = ["*"]
..
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #32-33 HIGH IAM policy document uses wildcarded action 's3:*Object' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3-irsa/main.tf:49
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "irsa_policy" {
..
49 [ actions = ["s3:*Object"]
..
73 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #34-35 HIGH IAM policy document uses sensitive action 's3:*Object' on wildcarded resource '0fafd38f-b626-442d-9d4d-27dfe819b50b/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3-irsa/main.tf:50
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "irsa_policy" {
..
50 [ resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
..
73 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #36-38 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
19 data "aws_iam_policy_document" "irsa_policy" {
..
29 [ resources = ["*"]
..
31 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks)
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #39 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
52 data "aws_iam_policy_document" "cluster_autoscaler" {
..
71 [ resources = ["*"]
..
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #40 HIGH Cluster does not have secret encryption enabled.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/main.tf:14-63
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
14 ┌ resource "aws_eks_cluster" "this" {
15 │ count = local.create ? 1 : 0
16 │
17 │ name = var.cluster_name
18 │ role_arn = local.cluster_role
19 │ version = var.cluster_version
20 │ enabled_cluster_log_types = var.cluster_enabled_log_types
21 │
22 └ vpc_config {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-eks-encrypt-secrets
Impact EKS secrets could be read if compromised
Resolution Enable encryption of EKS secrets
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────
Results #41-42 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:181-198
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
179 resource "aws_iam_policy" "s3_readonly_policy" {
180 name = "${local.bucket_prefix}-s3-readonly"
181 ┌ policy = <<EOF
182 │ {
183 │ "Version": "2012-10-17",
184 │ "Statement": [
185 │ {
186 │ "Effect": "Allow",
187 └ "Action": [
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #43-44 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:54-57
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
54 ┌ resources = [
55 │ aws_s3_bucket.session_logs_bucket.arn,
56 │ "${aws_s3_bucket.session_logs_bucket.arn}/*",
57 └ ]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #45-46 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:84
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
84 [ resources = ["*"]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #47-49 HIGH Subnet associates public IP address. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:366
via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
359 resource "aws_subnet" "public" {
...
366 [ map_public_ip_on_launch = var.map_public_ip_on_launch (true)
...
382 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:13-27 (module.vpc) 3 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ip-subnet
Impact The instance is publicly accessible
Resolution Set the instance to not be publicly accessible
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────
Result #50 HIGH Subnet associates public IP address.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:366
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
359 resource "aws_subnet" "public" {
...
366 [ map_public_ip_on_launch = var.map_public_ip_on_launch (true)
...
382 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ip-subnet
Impact The instance is publicly accessible
Resolution Set the instance to not be publicly accessible
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────
Result #51 HIGH Cluster does not have secret encryption enabled.
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/main.tf:14-63
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
14 ┌ resource "aws_eks_cluster" "this" {
15 │ count = local.create ? 1 : 0
16 │
17 │ name = var.cluster_name
18 │ role_arn = local.cluster_role
19 │ version = var.cluster_version
20 │ enabled_cluster_log_types = var.cluster_enabled_log_types
21 │
22 └ vpc_config {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-eks-encrypt-secrets
Impact EKS secrets could be read if compromised
Resolution Enable encryption of EKS secrets
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────
Result #52 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:84
via git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/main.tf:69-149 (module.db_instance)
via modules/rds/main.tf:7-70 (module.db)
────────────────────────────────────────────────────────────────────────────────
32 resource "aws_db_instance" "this" {
..
84 [ backup_retention_period = var.backup_retention_period (1)
...
130 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/specify-backup-retention/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────
Result #53 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:94
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f"): open /var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f/git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf: no such file or directory
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────
Result #54 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:20-43
via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
20 ┌ resource "aws_vpc" "this" {
21 │ count = local.create_vpc ? 1 : 0
22 │
23 │ cidr_block = var.use_ipam_pool ? null : var.cidr
24 │ ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
25 │ ipv4_netmask_length = var.ipv4_netmask_length
26 │
27 │ assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
28 └ ipv6_cidr_block = var.ipv6_cidr
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution Enable flow logs for VPC
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────
Result #55 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:20-43
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
20 ┌ resource "aws_vpc" "this" {
21 │ count = local.create_vpc ? 1 : 0
22 │
23 │ cidr_block = var.use_ipam_pool ? null : var.cidr
24 │ ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
25 │ ipv4_netmask_length = var.ipv4_netmask_length
26 │
27 │ assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
28 └ ipv6_cidr_block = var.ipv6_cidr
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution Enable flow logs for VPC
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────
Result #56 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Result #57 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
Result #58 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Result #59 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
Results #60-61 MEDIUM Bucket does not have logging enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/main.tf:18-27
via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
- terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Results #62-63 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/main.tf:18-27
via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
- terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
timings
──────────────────────────────────────────
disk i/o 17.05977ms
parsing 2.772075126s
adaptation 21.309777ms
checks 97.643864ms
total 2.908088537s
counts
──────────────────────────────────────────
modules downloaded 0
modules processed 79
blocks processed 4219
files read 361
results
──────────────────────────────────────────
passed 426
ignored 4
critical 23
high 28
medium 12
low 0
426 passed, 4 ignored, 63 potential problem(s) detected.
Context: Kubevirt needs virtualization enabled on Kubernetes nodes, AWS does not support virtualization on normal EC2 instances. Possibly only supported on Bare metal.
Tenancy variables (in the Bastion module and EKS module) only work when the value is default or dedicated. We should add a validation that checks that the value is only one of those two values, otherwise it should fail.
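One way to add the validation the issue asks for, as an added example that is not the repo's own code; the variable name `tenancy` and the `aws_instance` attributes it feeds (`ami_id`, `instance_type`, `subnet_id`) are assumptions:

```hcl
# Added example (not the repo's own code). Restricts the tenancy input to the
# two values the modules support, so a typo fails at plan time rather than at
# apply time inside a nested module. Variable and resource names are assumptions.
variable "tenancy" {
  description = "EC2 tenancy for the bastion. Only \"default\" and \"dedicated\" are supported."
  type        = string
  default     = "default"

  validation {
    # Rejects "host", "", capitalised variants and anything else. A validation
    # block may only reference its own variable, which is all we need here.
    condition     = contains(["default", "dedicated"], var.tenancy)
    error_message = "tenancy must be either \"default\" or \"dedicated\"."
  }
}

resource "aws_instance" "bastion" {
  ami           = var.ami_id        # assumed inputs
  instance_type = var.instance_type
  subnet_id     = var.subnet_id
  # Validated above, so this attribute never receives an unsupported value.
  tenancy = var.tenancy
}
```

With this in place, `terraform plan -var tenancy=host` stops with the error_message before any API call is made.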
Configure these inputs in the root module, expose the variables in our EKS module and configure the values opposite of their defaults
https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/variables.tf#L114-L124
Now that pre-commit is run as part of the pipeline, we should have docs in the contributor guide on how to run it locally.
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need this for storing logs from Loki
Details TBD
https://developer.hashicorp.com/terraform/language/settings/backends/kubernetes
This issue is to create an ADR to help frame the options we have for terraform state, as well as help provide tangible examples that will help inform a potential common UDS pattern instantiation and recovery operations in connected, semi-connected and airgapped environments.
Related / complementary work: the KV pair methodology that @wirewc is working on
Option 1: Use S3 tf state backend (could be copied into the cluster via a k8s cron job)
Option 2: Use local tf state (can be copied to a k8s PV via EC2 cron job)
Option 3: Use k8s tf state backend & k8s cron job to backup to S3
I'm a maintainer of this repo. I'm submitting this on behalf of Defense Unicorns leadership, who want to ensure that the money we spend in our dev/test AWS account(s) is being spent well.
Periodically (frequency TBD), automatically destroy all resources in our dev/test AWS account that aren't specifically identified as being permanent resources.
This is needed because we frequently get orphaned resources in our AWS account. A big part of what we do is making rapid changes to Terraform code. We test those changes frequently, and when tests fail, there is a chance that the resources don't get cleaned up properly.
According to the billing console, the stuff that is running in the account right now is costing about $100 per day. I don't believe we have any tests actively running in the account right now, so the likelihood is that most of that $100 per day is from orphaned resources that haven't been cleaned up yet.
The impact is that we continue to "light dollar bills on fire", or we force members of the team to continue to manually go through and delete resources, which is labor intensive and prone to mistakes.
Original description:
My session token expired in the middle of an apply and I lost the terraform state. I'm now going through and having to delete hundreds of things manually.
The AWS account we are using doesn't have anything permanent in it. We should set up the ability to nuke all resources in the account (with perhaps just a few exceptions, like the GitHub Actions auth provider and role)
https://github.com/rebuy-de/aws-nuke works well for this kind of thing.
The use of managed node groups is currently not enabled in the EKS module. A consumer of this repo should be able to select either managed or self-managed node groups easily.
Current workflow uploads pub ssh keys to S3, pulls those files in via an ec2 aws user data cron job and exposes port 22 on a bastion in a public subnet to specified public admin IPs.
The following approach would allow for using IAM creds to auth with SSM, which will also provide 2FA for ssh / sshuttle access. This would alleviate the need to upload our pub ssh keys and pub IPs in terraform for bastion access, as well as reduce the threat surface area of the enclave.
https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/
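The SSM-based access described above, as an added example that is not the repo's or AWS's own code: the bastion's instance profile gets the AWS-managed `AmazonSSMManagedInstanceCore` policy, and the operator-side policy allows `ssm:StartSession` only with MFA, only on instances tagged `Role=bastion`, and only via the `AWS-StartSSHSession` document, instead of `resources = ["*"]`. Role/policy names, the tag key and value, and the operator principal are assumptions.

```hcl
# Added example (not the repo's own code). Names, tag values and the
# operator principal are assumptions.

# 1. Instance side: the bastion needs only the SSM agent permissions.
#    No SSH key upload, no port 22 security group rule, no public IP.
resource "aws_iam_role" "bastion" {
  name = "bastion-ssm-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "bastion_ssm" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "bastion-ssm-profile"
  role = aws_iam_role.bastion.name
}

# 2. Operator side: IAM gates the session, so MFA can be required in policy.
#    StartSession is evaluated against both the instance ARN and the session
#    document ARN, so both statements below must allow it.
data "aws_iam_policy_document" "bastion_operator" {
  statement {
    sid       = "StartSshSessionOnTaggedBastionOnly"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/Role" # assumed tag on the bastion instance
      values   = ["bastion"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  statement {
    sid       = "AllowOnlyTheSshSessionDocument"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ssm:*:*:document/AWS-StartSSHSession"]
  }

  statement {
    sid       = "ManageOwnSessionsOnly"
    actions   = ["ssm:TerminateSession", "ssm:ResumeSession"]
    # $$ escapes the IAM policy variable so Terraform does not interpolate it.
    resources = ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
  }
}

resource "aws_iam_policy" "bastion_operator" {
  name   = "bastion-ssm-operator"
  policy = data.aws_iam_policy_document.bastion_operator.json
}
```

Session Manager's own session logging (CloudWatch/S3 via the session preferences document) does not cover SSH or port-forwarding sessions such as the one `AWS-StartSSHSession` opens, so command auditing for this path still needs to happen on the bastion itself.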
Looking at