[#155] Address tfsec warnings

nimblehq · Apr 20, 2023 · 40b5523 · 40b5523
1 parent b0f8243
commit 40b5523
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 3 deletions.
diff --git a/skeleton/aws/modules/alb/main.tf b/skeleton/aws/modules/alb/main.tf
@@ -1,3 +1,4 @@
+# tfsec:ignore:aws-elb-alb-not-public
 resource "aws_lb" "main" {
   name               = "${var.namespace}-alb"
   internal           = false
@@ -6,6 +7,7 @@ resource "aws_lb" "main" {
   security_groups    = var.security_group_ids
 
   enable_deletion_protection = true
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "${var.namespace}-alb-log"
@@ -42,6 +44,7 @@ resource "aws_lb_target_group" "target_group" {
   }
 }
 
+# tfsec:ignore:aws-elb-http-not-used
 resource "aws_lb_listener" "app_http" {
   load_balancer_arn = aws_lb.main.arn
   port              = "80"

diff --git a/skeleton/aws/modules/bastion/main.tf b/skeleton/aws/modules/bastion/main.tf
@@ -1,3 +1,4 @@
+# tfsec:ignore:aws-ec2-no-public-ip
 resource "aws_launch_configuration" "bastion_instance" {
   name_prefix                 = "${var.namespace}-bastion-"
   image_id                    = var.image_id
@@ -9,6 +10,14 @@ resource "aws_launch_configuration" "bastion_instance" {
   lifecycle {
     create_before_destroy = true
   }
+
+  metadata_options {
+    http_tokens = "required"
+  }
+
+  root_block_device {
+    encrypted = true
+  }
 }
 
 resource "aws_autoscaling_group" "bastion_instance" {

diff --git a/skeleton/aws/modules/cloudwatch/main.tf b/skeleton/aws/modules/cloudwatch/main.tf
@@ -1,3 +1,4 @@
+# tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "main" {
   name              = "awslogs-${var.namespace}-log-group"
   retention_in_days = var.log_retention_in_days

diff --git a/skeleton/aws/modules/ecr/main.tf b/skeleton/aws/modules/ecr/main.tf
@@ -1,5 +1,10 @@
+# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key
 resource "aws_ecr_repository" "main" {
   name = var.namespace
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 locals {

diff --git a/skeleton/aws/modules/ecs/main.tf b/skeleton/aws/modules/ecs/main.tf
@@ -84,6 +84,11 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_ssm_policy" {
 
 resource "aws_ecs_cluster" "main" {
   name = "${var.namespace}-ecs-cluster"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
 }
 
 resource "aws_ecs_task_definition" "main" {

diff --git a/skeleton/aws/modules/s3/main.tf b/skeleton/aws/modules/s3/main.tf
@@ -1,14 +1,24 @@
 data "aws_elb_service_account" "elb_service_account" {}
 
+# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption
 resource "aws_s3_bucket" "alb_log" {
-  bucket = "${var.namespace}-alb-log"
+  bucket        = "${var.namespace}-alb-log"
+  force_destroy = true
 }
 
 resource "aws_s3_bucket_acl" "alb_log_bucket_acl" {
   bucket = aws_s3_bucket.alb_log.id
   acl    = "private"
 }
 
+resource "aws_s3_bucket_public_access_block" "alb_log" {
+  bucket                  = aws_s3_bucket.alb_log.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 locals {
   aws_s3_bucket_policy = {
     Version = "2012-10-17"

diff --git a/skeleton/aws/modules/security_group/main.tf b/skeleton/aws/modules/security_group/main.tf
@@ -9,31 +9,37 @@ resource "aws_security_group" "alb" {
   }
 }
 
+# tfsec:ignore:aws-ec2-no-public-ingress-sgr
 resource "aws_security_group_rule" "alb_ingress_https" {
   type              = "ingress"
   security_group_id = aws_security_group.alb.id
   protocol          = "tcp"
   from_port         = 443
   to_port           = 443
   cidr_blocks       = ["0.0.0.0/0"]
+  description       = "From HTTPS to ALB"
 }
 
+# tfsec:ignore:aws-ec2-no-public-ingress-sgr
 resource "aws_security_group_rule" "alb_ingress_http" {
   type              = "ingress"
   security_group_id = aws_security_group.alb.id
   protocol          = "tcp"
   from_port         = 80
   to_port           = 80
   cidr_blocks       = ["0.0.0.0/0"]
+  description       = "From HTTP to ALB"
 }
 
+# tfsec:ignore:aws-ec2-no-public-egress-sgr
 resource "aws_security_group_rule" "alb_egress" {
   type              = "egress"
   security_group_id = aws_security_group.alb.id
   protocol          = "tcp"
   from_port         = var.app_port
   to_port           = var.app_port
   cidr_blocks       = ["0.0.0.0/0"]
+  description       = "From ALB to Apps"
 }
 
 // RDS
@@ -54,6 +60,7 @@ resource "aws_security_group_rule" "rds_ingress_app_fargate" {
   to_port                  = 5432
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.ecs_fargate.id
+  description              = "From RDS to App"
 }
 
 resource "aws_security_group_rule" "rds_ingress_bastion" {
@@ -63,6 +70,7 @@ resource "aws_security_group_rule" "rds_ingress_bastion" {
   to_port                  = 5432
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.bastion.id
+  description              = "From Bastion to RDS"
 }
 
 // ECS
@@ -83,6 +91,7 @@ resource "aws_security_group_rule" "ecs_fargate_ingress_alb" {
   from_port                = var.app_port
   to_port                  = var.app_port
   source_security_group_id = aws_security_group.alb.id
+  description              = "From ALB to app"
 }
 
 resource "aws_security_group_rule" "ecs_fargate_ingress_private" {
@@ -92,21 +101,25 @@ resource "aws_security_group_rule" "ecs_fargate_ingress_private" {
   from_port         = 0
   to_port           = 65535
   cidr_blocks       = var.private_subnets_cidr_blocks
+  description       = "From internal VPC to app"
 }
 
+# tfsec:ignore:aws-ec2-no-public-egress-sgr
 resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" {
   type              = "egress"
   security_group_id = aws_security_group.ecs_fargate.id
   protocol          = "-1"
   from_port         = 0
   to_port           = 0
   cidr_blocks       = ["0.0.0.0/0"]
+  description       = "From app to everywhere"
 }
 
 // Bastion Host
 resource "aws_security_group" "bastion" {
-  name   = "${var.namespace}-bastion"
-  vpc_id = var.vpc_id
+  name        = "${var.namespace}-bastion"
+  description = "Bastion Security Group"
+  vpc_id      = var.vpc_id
 
   tags = {
     Name = "${var.namespace}-bastion-sg"
@@ -130,4 +143,5 @@ resource "aws_security_group_rule" "bastion_egress_rds" {
   to_port                  = 5432
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.rds.id
+  description              = "Bastion egress RDS"
 }
diff --git a/skeleton/aws/modules/vpc/main.tf b/skeleton/aws/modules/vpc/main.tf
@@ -1,5 +1,6 @@
 data "aws_availability_zones" "available" {}
 
+# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.0.0"