update terraform latest version and fix naming issue #44

Merged
merged 9 commits into from
Sep 11, 2023

Conversation

mamrajyadav
Contributor

what

  • Added the latest Terraform version and added version.tf in all examples.
  • Added tag in GitHub workflow.
  • Fixed tflint warnings.
  • Added locals in examples.
  • Fixed S3 naming issue.

@mamrajyadav mamrajyadav requested a review from a team September 11, 2023 15:24
@clouddrove-ci clouddrove-ci self-assigned this Sep 11, 2023
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Public access block does not block public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:542
────────────────────────────────────────────────────────────────────────────────
  537    resource "aws_s3_bucket_public_access_block" "this" {
  538      count = var.enabled && var.attach_public_policy ? 1 : 0
  539    
  540      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  541    
  542  [   block_public_acls       = var.block_public_acls (false)
  543      block_public_policy     = var.block_public_policy
  544      ignore_public_acls      = var.ignore_public_acls
  545      restrict_public_buckets = var.restrict_public_buckets
  546    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable blocking any PUT calls with a public ACL specified

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #4 HIGH Public access block does not block public policies 
────────────────────────────────────────────────────────────────────────────────
  main.tf:543
────────────────────────────────────────────────────────────────────────────────
  537    resource "aws_s3_bucket_public_access_block" "this" {
  538      count = var.enabled && var.attach_public_policy ? 1 : 0
  539    
  540      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  541    
  542      block_public_acls       = var.block_public_acls
  543  [   block_public_policy     = var.block_public_policy (false)
  544      ignore_public_acls      = var.ignore_public_acls
  545      restrict_public_buckets = var.restrict_public_buckets
  546    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-policy
      Impact Users could put a policy that allows public access
  Resolution Prevent policies that allow public access being PUT

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH Public access block does not ignore public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:544
────────────────────────────────────────────────────────────────────────────────
  537    resource "aws_s3_bucket_public_access_block" "this" {
  538      count = var.enabled && var.attach_public_policy ? 1 : 0
  539    
  540      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  541    
  542      block_public_acls       = var.block_public_acls
  543      block_public_policy     = var.block_public_policy
  544  [   ignore_public_acls      = var.ignore_public_acls (false)
  545      restrict_public_buckets = var.restrict_public_buckets
  546    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH Public access block does not restrict public buckets 
────────────────────────────────────────────────────────────────────────────────
  main.tf:545
────────────────────────────────────────────────────────────────────────────────
  537    resource "aws_s3_bucket_public_access_block" "this" {
  538      count = var.enabled && var.attach_public_policy ? 1 : 0
  539    
  540      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  541    
  542      block_public_acls       = var.block_public_acls
  543      block_public_policy     = var.block_public_policy
  544      ignore_public_acls      = var.ignore_public_acls
  545  [   restrict_public_buckets = var.restrict_public_buckets (false)
  546    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets
────────────────────────────────────────────────────────────────────────────────


Result #7 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #8 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             143.303µs
  parsing              95.025521ms
  adaptation           163.304µs
  checks               7.162375ms
  total                102.494503ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     83
  files read           4

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 6
  medium               2
  low                  0

  2 passed, 8 potential problem(s) detected.

Member

@d4kverma d4kverma left a comment


LGTM

@anmolnagpal anmolnagpal merged commit 9727c0c into master Sep 11, 2023
35 checks passed
@delete-merged-branch delete-merged-branch bot deleted the issue-232-l branch September 11, 2023 19:26
6 participants