defenseunicorns / delivery-aws-iac Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
delivery-aws-iac's People
Contributors
![narwhal-bot[bot] avatar](https://avatars.githubusercontent.com/in/382791?v=4 "narwhal-bot[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Stargazers
Watchers
delivery-aws-iac's Issues
Create Production Ready KMS Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for encrypting S3 buckets and SOPS encryption
Update this repo to use the new remote tfstate-backend module
Now that https://github.com/defenseunicorns/terraform-aws-tfstate-backend exists, we should use it rather than the one that is present in this repo
Verify sensitive = true from base modules up through root module
If a base / upstream module that we are consuming flags an output as sensitive, we should flag it as sensitive in each of the parent vars / outputs
Lockdown EKS Add-Ons Security Group
edit: Implement EKS Blueprints production security group recommendations
edit 2: How does this impact all the BB and mission app things (seems like we could define it for knowns but it could get complicated for unknowns)
Build Zarf package to execute terraform
- Deploy iac with zarf / export package variables
- https://github.com/defenseunicorns/iac/blob/main/examples/zarf-complete-example/zarf.yaml
- Deploy base IaC (VPC, bastion, Loki S3 bucket and EKS) via Zarf
- Instantiate / bootstrap EKS cluster with BB Core + KC + podinfo using zarf
- https://github.com/defenseunicorns/zarf-package-big-bang/blob/development/zarf.yaml
- Deploy BB Core + KeyCloak + authsvc + podinfo
- Deploy RDS database / figure out how to use Zarf to write db secret to be consumed by KC
Update README's and add docs
Enlist sentient being to do this
Update Node groups with BB optimized values
Configure EKS nodegroups in complete-example min.tf with minimum requirements to run a medium BB deployment
- Expose eks-nodegroup settings in the complete-example main.tf / add necessary vars for these lines
- Determine if SSO needs dedicated nodes
- Adjust node group settings for BB Core + KC + podinfo needs
Zarf-complete-example not working
Currently need a clean way to pass in tf vars from zarf to IaC
Add security stage for a PR pipeline
Looking at
- tfsec an open-source tool that checks Terraform templates for security vulnerabilities and compliance issues
- checkov a tool for scanning infrastructure-as-code (IaC) files for security and compliance issues
- terrascan a tool for scanning Terraform templates for security and compliance issues
- terraform-security-automation a collection of scripts and tools for automating the security review of Terraform templates
Add logging for bastion when accessing it via ssh over ssm
When utilizing ssh or sshuttle over SSM, logs are not currently being captured.
- Identify minimum logs needed
- ensure those logs are being shipped to the appropriate logging bucket
Automated code quality gate
As a developer of this repo, I want an automated pipeline to validate my code during the PR process, so that I am only merging code that meets our quality standards.
AC:
- An automated pipeline runs
pre-commit run -aand fails if pre-commit find any issues.
Notes:
- Pre-commit is a nice way to do this since it will automatically run all the different things that we care about, like
terraform fmt,tflint,tfsec, etc, along with around a dozen other hooks that ensure cleanliness in the codebase.
EKS Refactor - Review IAM policy for EKS
edit: Implement EKS Blueprints production IAM policy recommendations
Credential Bastion to provision infra
Add conditional Terraform policy that can be assigned to bastion role
Create Production Ready EKS Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Enable dedicated tenancy officially
add iam policy module
- build iam tf module
- migrate terraform iam policy from bastion module
Enable `tflint` pre-commit hook
Existing tflint errors:
\e[0m\e[32mCommand 'tflint --init' successfully done:\e[0m
\e[0m\e[33mTFLint in examples/complete-example/:\e[0m
12 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 5:
5: Blueprint = "${replace(basename(path.cwd), "_", "-")}" # tag names based on the directory name
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 48:
48: username = "${var.aws_admin_1_username}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on main.tf line 53:
53: username = "${var.aws_admin_2_username}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_interpolation.md
Warning: data "aws_eks_cluster_auth" "this" is declared but not used (terraform_unused_declarations)
on providers.tf line 2:
2: data "aws_eks_cluster_auth" "this" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on providers.tf line 14:
14: provider "aws" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "kubernetes" in "required_providers" (terraform_required_providers)
on providers.tf line 19:
19: provider "kubernetes" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "helm" in "required_providers" (terraform_required_providers)
on providers.tf line 29:
29: provider "helm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: variable "aws_profile" is declared but not used (terraform_unused_declarations)
on variables.tf line 19:
19: variable "aws_profile" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_group" is declared but not used (terraform_unused_declarations)
on variables.tf line 48:
48: variable "create_database_subnet_group" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_route_table" is declared but not used (terraform_unused_declarations)
on variables.tf line 54:
54: variable "create_database_subnet_route_table" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "assign_public_ip" is declared but not used (terraform_unused_declarations)
on variables.tf line 84:
84: variable "assign_public_ip" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in examples/tf-state-backend/:\e[0m
2 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on main.tf line 5:
5: data "aws_partition" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
\e[0m\e[33mTFLint in modules/bastion/:\e[0m
28 issue(s) found:
Warning: local.root_volume_config is declared but not used (terraform_unused_declarations)
on locals.tf line 32:
32: root_volume_config = {
33: volume_type = "gp3"
34: volume_size = "20"
35: encrypted = true
36: }
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_region" "current" is declared but not used (terraform_unused_declarations)
on main.tf line 3:
3: data "aws_region" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: List items should be accessed using square brackets (terraform_deprecated_index)
on main.tf line 37:
37: vpc_security_group_ids = length(local.security_group_configs) > 0 ? aws_security_group.sg.*.id : var.security_group_ids
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_index.md
Warning: Missing version constraint for provider "tls" in "required_providers" (terraform_required_providers)
on main.tf line 60:
60: resource "tls_private_key" "bastion_key" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "cloudinit" in "required_providers" (terraform_required_providers)
on main.tf line 185:
185: data "cloudinit_config" "config" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: List items should be accessed using square brackets (terraform_deprecated_index)
on output.tf line 21:
21: value = length(local.security_group_configs) > 0 ? aws_security_group.sg.*.id : var.security_group_ids
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_deprecated_index.md
Warning: variable "ec2_key_name" is declared but not used (terraform_unused_declarations)
on variables.tf line 56:
56: variable "ec2_key_name" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "requires_eip" is declared but not used (terraform_unused_declarations)
on variables.tf line 80:
80: variable "requires_eip" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "user_data" is declared but not used (terraform_unused_declarations)
on variables.tf line 86:
86: variable "user_data" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "role_name" is declared but not used (terraform_unused_declarations)
on variables.tf line 92:
92: variable "role_name" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "acl" is declared but not used (terraform_unused_declarations)
on variables.tf line 172:
172: variable "acl" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "versioning_enabled" is declared but not used (terraform_unused_declarations)
on variables.tf line 190:
190: variable "versioning_enabled" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "force_destroy" is declared but not used (terraform_unused_declarations)
on variables.tf line 196:
196: variable "force_destroy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "logging" is declared but not used (terraform_unused_declarations)
on variables.tf line 202:
202: variable "logging" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "bucket_public_access_block" is declared but not used (terraform_unused_declarations)
on variables.tf line 220:
220: variable "bucket_public_access_block" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `ssh_user` variable has no type (terraform_typed_variables)
on variables.tf line 230:
230: variable "ssh_user" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: `enable_hourly_cron_updates` variable has no type (terraform_typed_variables)
on variables.tf line 234:
234: variable "enable_hourly_cron_updates" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "enable_hourly_cron_updates" is declared but not used (terraform_unused_declarations)
on variables.tf line 234:
234: variable "enable_hourly_cron_updates" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `keys_update_frequency` variable has no type (terraform_typed_variables)
on variables.tf line 238:
238: variable "keys_update_frequency" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "keys_update_frequency" is declared but not used (terraform_unused_declarations)
on variables.tf line 238:
238: variable "keys_update_frequency" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `user_data_file` variable has no type (terraform_typed_variables)
on variables.tf line 242:
242: variable "user_data_file" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "user_data_file" is declared but not used (terraform_unused_declarations)
on variables.tf line 242:
242: variable "user_data_file" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `additional_user_data_script` variable has no type (terraform_typed_variables)
on variables.tf line 246:
246: variable "additional_user_data_script" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "ssh_public_key_names" is declared but not used (terraform_unused_declarations)
on variables.tf line 250:
250: variable "ssh_public_key_names" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: `cluster_sops_policy_arn` variable has no type (terraform_typed_variables)
on variables.tf line 255:
255: variable "cluster_sops_policy_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: `ssmkey_arn` variable has no type (terraform_typed_variables)
on variables.tf line 277:
277: variable "ssmkey_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_typed_variables.md
Warning: variable "ssmkey_arn" is declared but not used (terraform_unused_declarations)
on variables.tf line 277:
277: variable "ssmkey_arn" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "vpc_endpoints_enabled" is declared but not used (terraform_unused_declarations)
on variables.tf line 324:
324: variable "vpc_endpoints_enabled" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/eks/:\e[0m
5 issue(s) found:
Warning: local.azs is declared but not used (terraform_unused_declarations)
on locals.tf line 5:
5: azs = slice(data.aws_availability_zones.available.names, 0, 3)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_eks_cluster_auth" "this" is declared but not used (terraform_unused_declarations)
on main.tf line 1:
1: data "aws_eks_cluster_auth" "this" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 322:
322: "AWS": ${var.cluster_kms_key_additional_admin_arns == [] ? "[]" : jsonencode(var.cluster_kms_key_additional_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: variable "public_subnet_ids" is declared but not used (terraform_unused_declarations)
on variables.tf line 26:
26: variable "public_subnet_ids" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "aws_account" is declared but not used (terraform_unused_declarations)
on variables.tf line 37:
37: variable "aws_account" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/rds/:\e[0m
2 issue(s) found:
Warning: variable "db_vpc_security_group_ids" is declared but not used (terraform_unused_declarations)
on variables.tf line 13:
13: variable "db_vpc_security_group_ids" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_db_subnet_group" is declared but not used (terraform_unused_declarations)
on variables.tf line 85:
85: variable "create_db_subnet_group" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/s3-irsa/:\e[0m
1 issue(s) found:
Warning: local.name is declared but not used (terraform_unused_declarations)
on main.tf line 2:
2: name = basename(path.cwd)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/sops/:\e[0m
2 issue(s) found:
Warning: local.name is declared but not used (terraform_unused_declarations)
on main.tf line 2:
2: name = basename(path.cwd)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/tfstate-backend/:\e[0m
9 issue(s) found:
Warning: terraform "required_version" attribute is required (terraform_required_version)
on line 0:
(source code not available)
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_version.md
Warning: local.role_name is declared but not used (terraform_unused_declarations)
on locals.tf line 2:
2: role_name = "${var.bucket_prefix}-role"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: local.bucket_prefix is declared but not used (terraform_unused_declarations)
on locals.tf line 3:
3: bucket_prefix = var.bucket_prefix
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_partition" "current" is declared but not used (terraform_unused_declarations)
on main.tf line 1:
1: data "aws_partition" "current" {}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)
on main.tf line 66:
66: resource "aws_s3_bucket_policy" "backend_bucket" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_required_providers.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 76:
76: "AWS": ${var.cluster_key_admin_arns == [] ? "[]" : jsonencode(var.cluster_key_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: Comparing a collection with an empty list is invalid. To detect an empty collection, check its length. (terraform_empty_list_equality)
on main.tf line 95:
95: "AWS": ${var.cluster_key_admin_arns == [] ? "[]" : jsonencode(var.cluster_key_admin_arns)}
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_empty_list_equality.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "permissions_boundary" is declared but not used (terraform_unused_declarations)
on variables.tf line 28:
28: variable "permissions_boundary" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
\e[0m\e[33mTFLint in modules/vpc/:\e[0m
4 issue(s) found:
Warning: data "aws_iam_policy_document" "dynamodb_endpoint_policy" is declared but not used (terraform_unused_declarations)
on main.tf line 196:
196: data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: data "aws_iam_policy_document" "generic_endpoint_policy" is declared but not used (terraform_unused_declarations)
on main.tf line 216:
216: data "aws_iam_policy_document" "generic_endpoint_policy" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "region" is declared but not used (terraform_unused_declarations)
on variables.tf line 1:
1: variable "region" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Warning: variable "create_database_subnet_route_table" is declared but not used (terraform_unused_declarations)
on variables.tf line 39:
39: variable "create_database_subnet_route_table" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.2/docs/rules/terraform_unused_declarations.md
Add "secure mode" to the complete example
Now that the complete example exists and is tested in a CI pipeline, we need to expand on it. Right now it has a setup for an "insecure mode" which does managed nodegroups, default tenancy, and turns on the public endpoint for the eks cluster. We need to add a "secure mode" which does self-managed nodegroups, dedicated tenancy, and turns off the public endpoint for the eks cluster.
Acceptance Criteria:
- Complete example has "secure mode" which is accomplished via
terraform apply -var-file=fixtures.common.tfvars -var-file=fixtures.secure.tfvars - Complete example "secure mode" is on par with the existing
complete-self-managed-nodegroupexample - Secure mode uses self-managed nodegroups, dedicated instance tenancy, and turns off the eks cluster public endpoint
- Automated test for "secure mode" exists and is passing
- Documentation has been updated to give instructions on how to deploy secure mode
complete-self-managed-nodegroupexample has been deleted
Notes:
- Turning off the public endpoint for the eks cluster adds difficulty to this. If it is off connections to the cluster have to be tunneled through the bastion host. Two methods have been discussed around doing this:
- Starting out with the public endpoint turned on, running terraform apply on everything, then switching it to off and running terraform apply again
- Running terraform apply with
-targetto target specifically the vpc and the bastion, then use sshuttle to tunnel through the bastion and runterraform applyagain
Add a conditional flag for windows and linux user_data
looking to move a lot of the user_data things into ec2 image builder and create a conditional for the remaining specifics
The windows module capabilities is probably outside the scope of UDS (edge case). Need to validate this assumption and adjust the issue accordingly.
-
If outside the scope of UDS, separate tf module will be created / maintained.
-
If it falls within scope, we need to determine if we can reuse the module for both use cases or if we need to create a separate module.
- Primary reason for this discussion is that the cloud_init functionality is linux-specific and windows strictly uses
user_data
- Primary reason for this discussion is that the cloud_init functionality is linux-specific and windows strictly uses
EKS Output Issue
When doing a terraform apply or terraform destroy -target=module.eks, there are no issues with the way we have the outputs; however, if you try to do an apply or destroy without a target there is an error stating the output cannot be an empty tuple for the nodegroups that are not being utilized (self-managed or managed depending on what is being provisioned).
Add linting pipeline for PRs
Looking at
- tflint a linter for Terraform templates that helps enforce best practices and detect issues early in the development process
- terraform fmt as pre-commit
Consider switching to upstream bastion tf module
Allows us to take advantage of new features and reduces maintenance
Create Production Ready KMS Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for encrypting S3 buckets and SOPS encryption
ADR: Hardened EKS AMI
Building STIG-compliant amis for EKS
- Consider using Amazon Linux 2 CIS STIG ami & adding the EKS binaries
- Consider using bottlerocket AMI eventually
Related Issues:
FIPS EKS AMI issue
FIPS Bottlerocket issue
Edit: EC2 image builder is inconsistent for things in the user_data and if we're going to do something custom, we may want to consider packer.
Definition of Done:
- ADR decision has been recorded
Test n-2 EKS k8s versions with IaC
this is not direction, just a conversation starter
Use unique names for all resources
If 2 people run terraform apply using the same variables, name conflicts will occur. For example, If 2 people use bastion_name = "my-bastion" in the same aws account, IAM policies such as "my-bastion-s3-readonly" (and a bunch of others) will have name conflicts.
This is likely to happen as we introduce automated testing. I'm surprised it hasn't already just from people reusing the same example tfvars files in the same account.
We could append some UUID to every resource name/id. We do this for certain things already by applying what looks to be a datetime stamp, but we don't currently do that everywhere.
Add a validation for `eks_k8s_version`
The variable eks_k8s_version (wherever it appears, whether in the eks module or the examples) should validate the value that the user uses, for 2 reasons:
- To reject invalid values
- To constrain to only versions that we support (currently only v1.23)
Limit the length of names
We need to limit the length of names, otherwise the user will get errors. This one that I got is particularly bad because it errored on destroy too which caused orphaned resources
Parent Epic: AWS + EKS + Big Bang Core + Keycloak IaC
As a unicorn engineer responsible for AWS infrastructure, I need the ability to deploy the infrastructure in a repeatable/consumable way that is secure, compliant and authorized.
AC:
- I have the ability to consume IaC modules to deploy AWS resources that includes a secure kubernetes cluster ready to accept zarf package deployments of Bigbang
and mission apps. - The modules have a robust automated CI pipeline
- The modules live in GitHub as public repos
Scope:
VPCs, subnets, NAT gwys, TGWs
EKS, self-managed workers
Loki Buckets / Dynamodb table
Keycloak Database
Rt 53 entries
EC2 Gitlab Runner
Bastion
Notes:
- Solution is intended to be repeatable, reusable, and consumable IaC modules that can be used in other environments instead of a one off solution.
Edit: removed mission apps, Rt 53 entries & EC2 GL runner from AC as these are more implementation-specific items and not core UDS things
Create Production Ready DynamoDB Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need for loki logging
Upgrade to EKS v1.26
pending upstream containerd issue
Variabilize EKS Configs
EKS configs need to be exposed in order for the module to be extensible
- Varibilize self-managed node group settings: https://github.com/defenseunicorns/iac/blob/main/modules/eks/main.tf#L97-L164
- Varibilize EKS Add-Ons: https://github.com/defenseunicorns/iac/blob/main/modules/eks/eks-addons.tf#L15-L44
moved the item below to its own issue
-
Allow use of managed node groups (currently not built for these). Toggling between managed / self-managed node groups will require conditionals in a few places.
Operationalize keycloak database configs in bb dependencies modules & example
Ensure we are supporting K8s NetPols
By default, EKS ships with it's own VPC-CNI, but it currently doesn't support K8s NetworkPolicy resources. For this EKS module, let's make sure that K8s NetPols can be implemented and enforced. This Github issue recommends Calico or Security Groups for Pods, but each of those comes with its own pros/cons.
Change EKS module to conform to EKS Blueprints direction
Enable `tfsec` pre-commit hook
Existing tfsec errors:
Results #1-2 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/main.tf:103
────────────────────────────────────────────────────────────────────────────────
78 resource "aws_security_group" "sg" {
..
103 [ cidr_blocks = egress.value.cidr_blocks
...
107 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/main.tf:78-107 (aws_security_group.sg[0]) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #3-6 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:182
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
182 [ cidr_blocks = try(each.value.cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:32-58 (module.eks) 4 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:183
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
183 [ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #8-9 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:103
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
78 resource "aws_security_group" "sg" {
..
103 [ cidr_blocks = egress.value.cidr_blocks
...
107 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #10 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:674
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
662 resource "aws_network_acl_rule" "public_inbound" {
...
674 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"] ("-1")
...
677 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #11 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:675
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
662 resource "aws_network_acl_rule" "public_inbound" {
...
675 [ cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
677 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #12 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:691
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
679 resource "aws_network_acl_rule" "public_outbound" {
...
691 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"] ("-1")
...
694 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #13 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:725
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
713 resource "aws_network_acl_rule" "private_inbound" {
...
725 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"] ("-1")
...
728 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #14 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:726
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
713 resource "aws_network_acl_rule" "private_inbound" {
...
726 [ cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
728 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #15 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:742
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
730 resource "aws_network_acl_rule" "private_outbound" {
...
742 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"] ("-1")
...
745 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #16 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:878
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
866 resource "aws_network_acl_rule" "database_inbound" {
...
878 [ protocol = var.database_inbound_acl_rules[count.index]["protocol"] ("-1")
...
881 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Result #17 CRITICAL Network ACL rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:879
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
866 resource "aws_network_acl_rule" "database_inbound" {
...
879 [ cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
...
881 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-acl
Impact The ports are exposed for ingressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────
Result #18 CRITICAL Network ACL rule allows access using ALL ports.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:895
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
883 resource "aws_network_acl_rule" "database_outbound" {
...
895 [ protocol = var.database_outbound_acl_rules[count.index]["protocol"] ("-1")
...
898 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-excessive-port-access
Impact All ports exposed for egressing data
Resolution Set specific allowed ports
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────
Results #19-22 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:182
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
182 [ cidr_blocks = try(each.value.cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:18-265 (module.eks_blueprints) 4 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Result #23 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:183
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
170 resource "aws_security_group_rule" "node" {
...
183 [ ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
...
190 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────
Results #24-25 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:181-198
────────────────────────────────────────────────────────────────────────────────
179 resource "aws_iam_policy" "s3_readonly_policy" {
180 name = "${local.bucket_prefix}-s3-readonly"
181 ┌ policy = <<EOF
182 │ {
183 │ "Version": "2012-10-17",
184 │ "Statement": [
185 │ {
186 │ "Effect": "Allow",
187 └ "Action": [
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:179-199 (aws_iam_policy.s3_readonly_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #26-27 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:54-57
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
54 ┌ resources = [
55 │ aws_s3_bucket.session_logs_bucket.arn,
56 │ "${aws_s3_bucket.session_logs_bucket.arn}/*",
57 └ ]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #28-29 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/bastion/iam.tf:84
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
84 [ resources = ["*"]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #30 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
19 data "aws_iam_policy_document" "irsa_policy" {
..
29 [ resources = ["*"]
..
31 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #31 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
52 data "aws_iam_policy_document" "cluster_autoscaler" {
..
71 [ resources = ["*"]
..
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #32-33 HIGH IAM policy document uses wildcarded action 's3:*Object' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3-irsa/main.tf:49
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "irsa_policy" {
..
49 [ actions = ["s3:*Object"]
..
73 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #34-35 HIGH IAM policy document uses sensitive action 's3:*Object' on wildcarded resource '0fafd38f-b626-442d-9d4d-27dfe819b50b/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3-irsa/main.tf:50
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "irsa_policy" {
..
50 [ resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
..
73 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #36-38 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
19 data "aws_iam_policy_document" "irsa_policy" {
..
29 [ resources = ["*"]
..
31 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks)
- git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #39 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
52 data "aws_iam_policy_document" "cluster_autoscaler" {
..
71 [ resources = ["*"]
..
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Result #40 HIGH Cluster does not have secret encryption enabled.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/main.tf:14-63
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
14 ┌ resource "aws_eks_cluster" "this" {
15 │ count = local.create ? 1 : 0
16 │
17 │ name = var.cluster_name
18 │ role_arn = local.cluster_role
19 │ version = var.cluster_version
20 │ enabled_cluster_log_types = var.cluster_enabled_log_types
21 │
22 └ vpc_config {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-eks-encrypt-secrets
Impact EKS secrets could be read if compromised
Resolution Enable encryption of EKS secrets
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────
Results #41-42 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:181-198
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
179 resource "aws_iam_policy" "s3_readonly_policy" {
180 name = "${local.bucket_prefix}-s3-readonly"
181 ┌ policy = <<EOF
182 │ {
183 │ "Version": "2012-10-17",
184 │ "Statement": [
185 │ {
186 │ "Effect": "Allow",
187 └ "Action": [
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #43-44 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:54-57
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
54 ┌ resources = [
55 │ aws_s3_bucket.session_logs_bucket.arn,
56 │ "${aws_s3_bucket.session_logs_bucket.arn}/*",
57 └ ]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #45-46 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:84
via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
41 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
..
84 [ resources = ["*"]
..
99 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────
Results #47-49 HIGH Subnet associates public IP address. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:366
via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
359 resource "aws_subnet" "public" {
...
366 [ map_public_ip_on_launch = var.map_public_ip_on_launch (true)
...
382 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:13-27 (module.vpc) 3 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ip-subnet
Impact The instance is publicly accessible
Resolution Set the instance to not be publicly accessible
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────
Result #50 HIGH Subnet associates public IP address.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:366
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
359 resource "aws_subnet" "public" {
...
366 [ map_public_ip_on_launch = var.map_public_ip_on_launch (true)
...
382 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ip-subnet
Impact The instance is publicly accessible
Resolution Set the instance to not be publicly accessible
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────
Result #51 HIGH Cluster does not have secret encryption enabled.
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/main.tf:14-63
via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
14 ┌ resource "aws_eks_cluster" "this" {
15 │ count = local.create ? 1 : 0
16 │
17 │ name = var.cluster_name
18 │ role_arn = local.cluster_role
19 │ version = var.cluster_version
20 │ enabled_cluster_log_types = var.cluster_enabled_log_types
21 │
22 └ vpc_config {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-eks-encrypt-secrets
Impact EKS secrets could be read if compromised
Resolution Enable encryption of EKS secrets
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────
Result #52 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:84
via git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/main.tf:69-149 (module.db_instance)
via modules/rds/main.tf:7-70 (module.db)
────────────────────────────────────────────────────────────────────────────────
32 resource "aws_db_instance" "this" {
..
84 [ backup_retention_period = var.backup_retention_period (1)
...
130 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/specify-backup-retention/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────
Result #53 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:94
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f"): open /var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f/git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────
Result #54 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:20-43
via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
20 ┌ resource "aws_vpc" "this" {
21 │ count = local.create_vpc ? 1 : 0
22 │
23 │ cidr_block = var.use_ipam_pool ? null : var.cidr
24 │ ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
25 │ ipv4_netmask_length = var.ipv4_netmask_length
26 │
27 │ assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
28 └ ipv6_cidr_block = var.ipv6_cidr
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution Enable flow logs for VPC
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────
Result #55 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:20-43
via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
20 ┌ resource "aws_vpc" "this" {
21 │ count = local.create_vpc ? 1 : 0
22 │
23 │ cidr_block = var.use_ipam_pool ? null : var.cidr
24 │ ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
25 │ ipv4_netmask_length = var.ipv4_netmask_length
26 │
27 │ assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
28 └ ipv6_cidr_block = var.ipv6_cidr
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution Enable flow logs for VPC
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────
Result #56 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Result #57 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
Result #58 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Result #59 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
Results #60-61 MEDIUM Bucket does not have logging enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/main.tf:18-27
via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
- terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────
Results #62-63 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
terraform-aws-modules/s3-bucket/aws/main.tf:18-27
via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
18 resource "aws_s3_bucket" "this" {
19 count = local.create_bucket ? 1 : 0
20
21 bucket = var.bucket
22 bucket_prefix = var.bucket_prefix
23
24 force_destroy = var.force_destroy
25 object_lock_enabled = var.object_lock_enabled
26 tags = var.tags
27 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes
- terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
- terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification
More Information
- https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────
timings
──────────────────────────────────────────
disk i/o 17.05977ms
parsing 2.772075126s
adaptation 21.309777ms
checks 97.643864ms
total 2.908088537s
counts
──────────────────────────────────────────
modules downloaded 0
modules processed 79
blocks processed 4219
files read 361
results
──────────────────────────────────────────
passed 426
ignored 4
critical 23
high 28
medium 12
low 0
426 passed, 4 ignored, 63 potential problem(s) detected.
Investigate Delta required to support Hypervisor with EKS IaC
Context: Kubevirt needs virtualization enabled on Kubernetes nodes, AWS does not support virtualization on normal EC2 instances. Possibly only supported on Bare metal.
Add validation to tenancy variables
Tenancy variables (in the Bastion module and EKS module) only work when the value is default or dedicated. We should add a validation that checks that the value is only one of those two values, otherwise it should fail.
Make EKS cluster endpoint private
Configure these inputs in the root module, expose the variables in our EKS module and configure the values opposite of their defaults
https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/variables.tf#L114-L124
Add stuff about running pre-commit locally to contributor guide
Now that pre-commit is run as part of the pipeline, we should have docs in the contributor guide on how to run it locally.
Add EC2 image builder for STIG'd linux & windows ami's
Create Production Ready VPC/Networking Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Create Production Ready S3 Module
This may be done, just making issues for each of the components we need for defenseunicorns/stack#1
Need this for storing logs from Loki
Add vSphere IaC modules
Details TBD
ADR: Create k8s backend for terraform
https://developer.hashicorp.com/terraform/language/settings/backends/kubernetes
This issue is to create an ADR to help frame the options we have for terraform state, as well as, help provide tangible examples that will help inform a potential common UDS pattern instantiation and recovery operations in connected, semi-connected and airgapped environments.
Related / complimentary work: the KV pair methodology that @wirewc is working
Option 1: Use S3 tf state backend (could be copied into the cluster via a k8s cron job)
Option 2: Use local tf state (can be copied to a k8s PV via EC2 cron job)
Option 3: Use k8s tf state backend & k8s cron job to backup to S3
Build IaC for Azure or GCP to support Kubevirt
Periodically destroy all dev/test AWS resources
Persona
I'm a maintainer of this repo. I'm submitting this on behalf of Defense Unicorns leadership, who want to ensure that the money we spend in our dev/test AWS account(s) is being spent well.
Description
Periodically (frequency TBD), automatically destroy all resources in our dev/test AWS account that aren't specifically identified as being permanent resources.
Use Case
This is needed because we frequently get orphaned resources in our AWS account. A big part of what we do is making rapid changes to Terraform code. We test those changes frequently, and when tests fail, there is a chance that the resources don't get cleaned up properly.
Impact
According to the billing console, the stuff that is running in the account right now is costing about $100 per day. I don't believe we have any tests actively running in the account right now, so the likelihood is that most of that $100 per day is from orphaned resources that haven't been cleaned up yet.
The impact is, that we continue to "light dollar bills on fire", or we force members of the team to continue to manually go through and delete resources, which is labor intensive and prone to mistakes.
Completion
- All resources that have not been identified as permanent in our dev/test account are automatically destroyed periodically (frequency and time of deletion TBD)
- The mechanism for causing the deletions is declarative and implemented as code
Additional Context
Original description:
My session token expired in the middle of an apply and I lost the terraform state. I'm now going through and having to delete hundreds of things manually.
The AWS account we are using doesn't have anything permanent in it. We should set up the ability to nuke all resources in the account (with perhaps just a few exceptions, like the GitHub Actions auth provider and role)
https://github.com/rebuy-de/aws-nuke works well for this kind of thing.
Add Managed nodegroup option / example
The use of managed node groups is currently not enabled in the EKS module. A consumer of this repo should be able to select either managed or self-managed node groups easily.
Explore options for bastion access
Current workflow uploads pub ssh keys to S3, pulls those files in via an ec2 aws user data cron job and exposes port 22 on a bastion in a public subnet to specified public admin IPs.
The following approach would allow for using IAM creds to auth with SSM which will also provide 2FA for ssh / sshuttle access. This would alleviate the need to upload our pub ssh keys and pub IPs in terraform for bastion access, as well as, reduce threat surface area of the enclave.
https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/
- configure ssh access via IAM auth / SSM
- test sshuttle performance
Add Testing pipeline for PRs
Looking at
- terratest allows you to write automated tests for your templates
- terraform-testing
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.