From 40b55235beb9171f5ac2f63f05002c51b02b3c4e Mon Sep 17 00:00:00 2001 From: Nihisil Date: Thu, 20 Apr 2023 15:53:37 +0700 Subject: [PATCH] [#155] Address tfsec warnings --- skeleton/aws/modules/alb/main.tf | 3 +++ skeleton/aws/modules/bastion/main.tf | 9 +++++++++ skeleton/aws/modules/cloudwatch/main.tf | 1 + skeleton/aws/modules/ecr/main.tf | 5 +++++ skeleton/aws/modules/ecs/main.tf | 5 +++++ skeleton/aws/modules/s3/main.tf | 12 +++++++++++- skeleton/aws/modules/security_group/main.tf | 18 ++++++++++++++++-- skeleton/aws/modules/vpc/main.tf | 1 + 8 files changed, 51 insertions(+), 3 deletions(-) diff --git a/skeleton/aws/modules/alb/main.tf b/skeleton/aws/modules/alb/main.tf index 7992e052..7afcd8af 100644 --- a/skeleton/aws/modules/alb/main.tf +++ b/skeleton/aws/modules/alb/main.tf @@ -1,3 +1,4 @@ +# tfsec:ignore:aws-elb-alb-not-public resource "aws_lb" "main" { name = "${var.namespace}-alb" internal = false @@ -6,6 +7,7 @@ resource "aws_lb" "main" { security_groups = var.security_group_ids enable_deletion_protection = true + drop_invalid_header_fields = true access_logs { bucket = "${var.namespace}-alb-log" @@ -42,6 +44,7 @@ resource "aws_lb_target_group" "target_group" { } } +# tfsec:ignore:aws-elb-http-not-used resource "aws_lb_listener" "app_http" { load_balancer_arn = aws_lb.main.arn port = "80" diff --git a/skeleton/aws/modules/bastion/main.tf b/skeleton/aws/modules/bastion/main.tf index 36986ed5..30722687 100644 --- a/skeleton/aws/modules/bastion/main.tf +++ b/skeleton/aws/modules/bastion/main.tf @@ -1,3 +1,4 @@ +# tfsec:ignore:aws-ec2-no-public-ip resource "aws_launch_configuration" "bastion_instance" { name_prefix = "${var.namespace}-bastion-" image_id = var.image_id @@ -9,6 +10,14 @@ resource "aws_launch_configuration" "bastion_instance" { lifecycle { create_before_destroy = true } + + metadata_options { + http_tokens = "required" + } + + root_block_device { + encrypted = true + } } resource "aws_autoscaling_group" "bastion_instance" { 
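Review bot: The `# tfsec:ignore:aws-elb-http-not-used` placed above `aws_lb_listener.app_http` records no reason, and whether the suppression is legitimate depends on the listener's `default_action`, which lies outside this hunk. If that action forwards to the target group rather than redirecting to 443, plaintext HTTP is genuinely in use and the finding should be fixed, not silenced. If it is a redirect, say so on the ignore line so the next reader does not have to check, e.g. `# tfsec:ignore:aws-elb-http-not-used port 80 only redirects to the HTTPS listener`. The listener body continues past the end of the hunk.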
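Review bot: Suppressing `aws-ec2-no-public-ip` on `aws_launch_configuration.bastion_instance` keeps the bastion reachable from the internet, whereas the finding could be removed outright by placing the bastion in a private subnet and reaching it through SSM Session Manager, which needs neither a public IP nor SSH ingress. The `associate_public_ip_address` setting is not visible in this hunk, so this is a design question rather than a defect; if a public IP is required, note the reason on the ignore line instead of leaving a bare suppression. The `http_tokens = "required"` (IMDSv2) and `root_block_device { encrypted = true }` additions are sound; without `kms_key_id` the volume uses the account's default EBS key, which is acceptable for a skeleton but worth a comment. The resource's lines 4-8 lie between the two hunks.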
diff --git a/skeleton/aws/modules/cloudwatch/main.tf b/skeleton/aws/modules/cloudwatch/main.tf index 94f14de8..80413e1a 100644 --- a/skeleton/aws/modules/cloudwatch/main.tf +++ b/skeleton/aws/modules/cloudwatch/main.tf @@ -1,3 +1,4 @@ +# tfsec:ignore:aws-cloudwatch-log-group-customer-key resource "aws_cloudwatch_log_group" "main" { name = "awslogs-${var.namespace}-log-group" retention_in_days = var.log_retention_in_days diff --git a/skeleton/aws/modules/ecr/main.tf b/skeleton/aws/modules/ecr/main.tf index 7972b7db..871d7ebc 100644 --- a/skeleton/aws/modules/ecr/main.tf +++ b/skeleton/aws/modules/ecr/main.tf @@ -1,5 +1,10 @@ +# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key resource "aws_ecr_repository" "main" { name = var.namespace + + image_scanning_configuration { + scan_on_push = true + } } locals { diff --git a/skeleton/aws/modules/ecs/main.tf b/skeleton/aws/modules/ecs/main.tf index 78e46aae..d22c0c0f 100644 --- a/skeleton/aws/modules/ecs/main.tf +++ b/skeleton/aws/modules/ecs/main.tf @@ -84,6 +84,11 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_ssm_policy" { resource "aws_ecs_cluster" "main" { name = "${var.namespace}-ecs-cluster" + + setting { + name = "containerInsights" + value = "enabled" + } } resource "aws_ecs_task_definition" "main" { diff --git a/skeleton/aws/modules/s3/main.tf b/skeleton/aws/modules/s3/main.tf index 8fd5440d..7798b6ee 100644 --- a/skeleton/aws/modules/s3/main.tf +++ b/skeleton/aws/modules/s3/main.tf @@ -1,7 +1,9 @@ data "aws_elb_service_account" "elb_service_account" {} +# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption resource "aws_s3_bucket" "alb_log" { - bucket = "${var.namespace}-alb-log" + bucket = "${var.namespace}-alb-log" + force_destroy = true } resource "aws_s3_bucket_acl" "alb_log_bucket_acl" { 
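Review bot: The `# tfsec:ignore:aws-ecr-enforce-immutable-repository` added on `aws_ecr_repository.main` leaves image tags mutable, so a later push under the same tag (e.g. `latest`) silently changes what the ECS task definition presumably pulls from this repository, and no reason for keeping that is recorded. Prefer `image_tag_mutability = "IMMUTABLE"` — behind a variable if some workflows need mutable tags — and reference images by unique tag or digest; if mutable tags are a deliberate choice, put the justification on the ignore line. `scan_on_push = true` is a good addition, but it only schedules a scan; nothing here consumes the findings, which deserves a one-line comment such as `# scan findings surface in ECR; gate deployments on them in CI`.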
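Review bot: `force_destroy = true` on `aws_s3_bucket.alb_log` is unrelated to any tfsec finding and means a `terraform destroy` deletes every ALB access log in the bucket; for a bucket whose only purpose is an audit trail that should be an explicit operator choice, e.g. `force_destroy = var.alb_log_force_destroy` defaulting to `false`. Separately, the `aws-s3-enable-bucket-encryption` suppression can be dropped by declaring SSE-S3 on the bucket, since ALB log delivery supports AES256; the `customer-key` suppression remains justified because ALB access logs cannot be written with SSE-KMS, and that reason belongs on the ignore line. The versioning and bucket-logging ignores read as a deliberate trade-off but should likewise carry a reason. The ignore comment only covers the resource header, so the encryption resource is added after the bucket.
```terraform
# … unchanged: aws_s3_bucket.alb_log …

# ALB access logs support only SSE-S3, so AES256 is the strongest option here.
resource "aws_s3_bucket_server_side_encryption_configuration" "alb_log" {
  bucket = aws_s3_bucket.alb_log.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```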
@@ -9,6 +11,14 @@ resource "aws_s3_bucket_acl" "alb_log_bucket_acl" { acl = "private" } +resource "aws_s3_bucket_public_access_block" "alb_log" { + bucket = aws_s3_bucket.alb_log.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + locals { aws_s3_bucket_policy = { Version = "2012-10-17" diff --git a/skeleton/aws/modules/security_group/main.tf b/skeleton/aws/modules/security_group/main.tf index 9da1cf6f..1c3dfd16 100644 --- a/skeleton/aws/modules/security_group/main.tf +++ b/skeleton/aws/modules/security_group/main.tf @@ -9,6 +9,7 @@ resource "aws_security_group" "alb" { } } +# tfsec:ignore:aws-ec2-no-public-ingress-sgr resource "aws_security_group_rule" "alb_ingress_https" { type = "ingress" security_group_id = aws_security_group.alb.id @@ -16,8 +17,10 @@ resource "aws_security_group_rule" "alb_ingress_https" { from_port = 443 to_port = 443 cidr_blocks = ["0.0.0.0/0"] + description = "From HTTPS to ALB" } +# tfsec:ignore:aws-ec2-no-public-ingress-sgr resource "aws_security_group_rule" "alb_ingress_http" { type = "ingress" security_group_id = aws_security_group.alb.id @@ -25,8 +28,10 @@ resource "aws_security_group_rule" "alb_ingress_http" { from_port = 80 to_port = 80 cidr_blocks = ["0.0.0.0/0"] + description = "From HTTP to ALB" } +# tfsec:ignore:aws-ec2-no-public-egress-sgr resource "aws_security_group_rule" "alb_egress" { type = "egress" security_group_id = aws_security_group.alb.id @@ -34,6 +39,7 @@ resource "aws_security_group_rule" "alb_egress" { from_port = var.app_port to_port = var.app_port cidr_blocks = ["0.0.0.0/0"] + description = "From ALB to Apps" } // RDS @@ -54,6 +60,7 @@ resource "aws_security_group_rule" "rds_ingress_app_fargate" { to_port = 5432 protocol = "tcp" source_security_group_id = aws_security_group.ecs_fargate.id + description = "From RDS to App" } resource "aws_security_group_rule" "rds_ingress_bastion" { 
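Review bot: `aws_security_group_rule.alb_egress` opens egress on `var.app_port` to `0.0.0.0/0`, and the new `# tfsec:ignore:aws-ec2-no-public-egress-sgr` silences the finding instead of fixing it; the ALB only needs to reach the Fargate tasks, which have their own security group in this file. Replacing `cidr_blocks = ["0.0.0.0/0"]` with `source_security_group_id = aws_security_group.ecs_fargate.id` scopes the rule to the tasks and removes the need for the suppression, mirroring the `ecs_fargate_ingress_alb` rule that already pairs the two groups from the other side. The added `description = "From ALB to Apps"` would then describe the rule exactly. The rule's `type` and `protocol` lines lie above the hunk.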
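Review bot: The description added to `aws_security_group_rule.rds_ingress_app_fargate`, `"From RDS to App"`, states the direction backwards: by its name and `source_security_group_id = aws_security_group.ecs_fargate.id` this is an ingress rule on the RDS group admitting the Fargate tasks, so traffic flows app → RDS. These descriptions are what operators see when auditing rules in the console, so it should read `description = "From App (Fargate) to RDS"`, matching the `"From Bastion to RDS"` wording used on the neighbouring bastion rule in this same change. The rule's `type` and `security_group_id` lines are above the hunk, so the direction is inferred from the name and source.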
@@ -63,6 +70,7 @@ resource "aws_security_group_rule" "rds_ingress_bastion" { to_port = 5432 protocol = "tcp" source_security_group_id = aws_security_group.bastion.id + description = "From Bastion to RDS" } // ECS @@ -83,6 +91,7 @@ resource "aws_security_group_rule" "ecs_fargate_ingress_alb" { from_port = var.app_port to_port = var.app_port source_security_group_id = aws_security_group.alb.id + description = "From ALB to app" } resource "aws_security_group_rule" "ecs_fargate_ingress_private" { @@ -92,8 +101,10 @@ resource "aws_security_group_rule" "ecs_fargate_ingress_private" { from_port = 0 to_port = 65535 cidr_blocks = var.private_subnets_cidr_blocks + description = "From internal VPC to app" } +# tfsec:ignore:aws-ec2-no-public-egress-sgr resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" { type = "egress" security_group_id = aws_security_group.ecs_fargate.id @@ -101,12 +112,14 @@ resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" { from_port = 0 to_port = 0 cidr_blocks = ["0.0.0.0/0"] + description = "From app to everywhere" } // Bastion Host resource "aws_security_group" "bastion" { - name = "${var.namespace}-bastion" - vpc_id = var.vpc_id + name = "${var.namespace}-bastion" + description = "Bastion Security Group" + vpc_id = var.vpc_id tags = { Name = "${var.namespace}-bastion-sg" @@ -130,4 +143,5 @@ resource "aws_security_group_rule" "bastion_egress_rds" { to_port = 5432 protocol = "tcp" source_security_group_id = aws_security_group.rds.id + description = "Bastion egress RDS" } diff --git a/skeleton/aws/modules/vpc/main.tf b/skeleton/aws/modules/vpc/main.tf index e8676604..4c7e4e5a 100644 --- a/skeleton/aws/modules/vpc/main.tf +++ b/skeleton/aws/modules/vpc/main.tf @@ -1,5 +1,6 @@ data "aws_availability_zones" "available" {} +# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.0.0"
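Review bot: `aws_security_group_rule.ecs_fargate_egress_anywhere` allows all ports to `0.0.0.0/0`, and the new `# tfsec:ignore:aws-ec2-no-public-egress-sgr` hides that rather than narrowing it. Fargate tasks typically need only tcp/443 outbound (ECR, CloudWatch Logs, SSM/Secrets Manager) plus Postgres to the RDS group, so the rule could become `from_port = 443`, `to_port = 443`, `protocol = "tcp"` with a separate egress rule using `source_security_group_id = aws_security_group.rds.id` for 5432; the `protocol` line is above the hunk, so I cannot confirm it is currently `"-1"`. If the application genuinely needs unrestricted egress, state that on the ignore line — `description = "From app to everywhere"` documents the rule but not the justification.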
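Review bot: The `# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs` placed on `module "vpc"` suppresses the one finding in this commit that affects detection rather than hardening: without flow logs there is no record of network traffic to consult during an incident. The terraform-aws-modules/vpc module pinned here should expose `enable_flow_log = true` together with `create_flow_log_cloudwatch_log_group = true` and `create_flow_log_cloudwatch_iam_role = true`, which would satisfy the check without a separate resource; please confirm against the 3.0.0 inputs. The `aws-ec2-no-public-ip-subnet` ignore is expected for the public subnets that host the ALB and bastion, but both suppressions would benefit from a reason on the ignore line. The module block's inputs continue past the end of the hunk.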