From d8168e0e192800ed4ee47aef012ec8bb9acca27d Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Fri, 30 Jun 2023 22:02:42 +0100
Subject: [PATCH] Add tfsec
---
 .github/workflows/terraform.yml | 10 ++++++--
 .pre-commit-config-terraform.yaml | 4 +++-
 terraform/aws/curvenote/eks-cluster.tf | 3 +++
 terraform/aws/curvenote/security-groups.tf | 28 ++++++++++++----------
 terraform/aws/curvenote/vpc.tf | 2 ++
 5 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index d784bb0630..e7b8ef9ac7 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -24,13 +24,19 @@ jobs:
 python-version-file: ".python-version"
 - name: Install dependencies
- run: pip install pre-commit
+ run: |
+ pip install pre-commit
+ TFBIN="$GITHUB_WORKSPACE/bin"
+ mkdir "$TFBIN"
+ curl -sfLo $TFBIN/tfsec https://github.com/aquasecurity/tfsec/releases/download/v1.28.1/tfsec-linux-amd64
+ chmod +x $TFBIN/tfsec
+ echo "$TFBIN" >> $GITHUB_PATH
 # https://github.com/terraform-linters/setup-tflint
 - name: Install tflint
 uses: terraform-linters/setup-tflint@v3.0.0
 with:
- tflint_version: v0.46.1
+ tflint_version: v0.47.0
 - name: Run terraform pre-commit
 run: pre-commit run --all --config .pre-commit-config-terraform.yaml
diff --git a/.pre-commit-config-terraform.yaml b/.pre-commit-config-terraform.yaml
index 2474dbfc67..42e79586ea 100644
--- a/.pre-commit-config-terraform.yaml
+++ b/.pre-commit-config-terraform.yaml
@@ -7,14 +7,16 @@
 # Prerequisites:
 # - terraform
 # - tflint
+# - tfsec
 # Currently only aws/curvenote is checked
 files: "^terraform/aws/curvenote/"
 repos:
 # We can't run any CI tests on production Terraform code, so use as many static linters as possible
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.80.0
+ rev: v1.81.0
 hooks:
 - id: terraform_fmt
 - id: terraform_tflint
+ - id: terraform_tfsec
 - id: terraform_validate
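Review bot: The tfsec binary fetched by the new `curl -sfLo $TFBIN/tfsec https://github.com/aquasecurity/tfsec/releases/download/v1.28.1/tfsec-linux-amd64` line is pinned by version but never verified, so a substituted or tampered release asset would execute in this job with the repository checked out and whatever the job token allows. Pin the expected digest next to the version and fail the step on mismatch, e.g. insert `echo "<sha256 of tfsec-linux-amd64 from the v1.28.1 release>  $TFBIN/tfsec" | sha256sum -c -` before the `chmod +x`; recent tfsec releases appear to publish a checksums file, so the value can be copied from there rather than computed locally. While there, quote the path in `curl -sfLo "$TFBIN/tfsec" ...` and `chmod +x "$TFBIN/tfsec"` to match the already-quoted `mkdir "$TFBIN"`.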
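Review bot: The `terraform_tfsec` hook added here appears to run whichever `tfsec` is on PATH (the file lists it only as a prerequisite), so a developer's local tfsec and the v1.28.1 the workflow installs can disagree on findings and on which `#tfsec:ignore` rule IDs are recognised. Record the expected version alongside the prerequisite the hunk adds, `# - tfsec (v1.28.1, keep in step with .github/workflows/terraform.yml)`, so the two are bumped together.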
diff --git a/terraform/aws/curvenote/eks-cluster.tf b/terraform/aws/curvenote/eks-cluster.tf
index d3adfd2cc0..da701c8fa7 100644
--- a/terraform/aws/curvenote/eks-cluster.tf
+++ b/terraform/aws/curvenote/eks-cluster.tf
@@ -14,6 +14,9 @@ locals {
 }
 # This assumes the EKS service linked role is already created (or the current user has permissions to create it)
+#tfsec:ignore:aws-eks-no-public-cluster-access
+#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
+#tfsec:ignore:aws-ec2-no-public-egress-sgr
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "19.15.3"
diff --git a/terraform/aws/curvenote/security-groups.tf b/terraform/aws/curvenote/security-groups.tf
index 2b098e1bf7..f36fb8cd2d 100644
--- a/terraform/aws/curvenote/security-groups.tf
+++ b/terraform/aws/curvenote/security-groups.tf
@@ -3,20 +3,22 @@ resource "aws_security_group" "worker_group_all" {
 name_prefix = "worker_group_all_ports"
 vpc_id = module.vpc.vpc_id
-
+ description = "Allow all ports for worker group"
 ingress {
- protocol = "-1"
- from_port = 0
- to_port = 0
- self = true
+ description = "Allow all inbound traffic"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ self = true
 }
 egress {
- protocol = "-1"
- from_port = 0
- to_port = 0
+ description = "Allow all outbound traffic"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
 # self = true
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-egress-sgr
 }
 }
@@ -24,11 +26,13 @@ resource "aws_security_group" "worker_group_all" {
 resource "aws_security_group" "all_worker_mgmt" {
 name_prefix = "all_worker_management"
 vpc_id = module.vpc.vpc_id
+ description = "Worker nodes internal access"
 ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
+ description = "SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
 cidr_blocks = [
 "10.0.0.0/8",
diff --git a/terraform/aws/curvenote/vpc.tf b/terraform/aws/curvenote/vpc.tf
index 2311e9a3f4..7520baaa02 100644
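Review bot: The three `#tfsec:ignore` lines placed directly above `module "eks"` suppress those rules for every resource the module creates, not only the offending one, and none of them records why a public cluster endpoint and unrestricted egress are acceptable or until when. tfsec supports expiring suppressions, so each should carry a reason on the line above and an expiry, e.g. `# Public API endpoint is required because <reason>; revisit` followed by `#tfsec:ignore:aws-eks-no-public-cluster-access:exp:YYYY-MM-DD`, and `aws-ec2-no-public-egress-sgr` is better narrowed to the specific security-group rule it covers than applied to the whole module. Restricting `cluster_endpoint_public_access_cidrs` to known source ranges would likely satisfy `aws-eks-no-public-cluster-access-to-cidr` without an ignore, but the module's arguments are outside this hunk so I cannot confirm how the endpoint is configured. The `module "eks"` block continues past the end of the hunk.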
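Review bot: The new ingress description `"Allow all inbound traffic"` in `worker_group_all` misdescribes the rule it labels: with `self = true` and no `cidr_blocks`, that rule admits traffic only from members of this same security group, and the description is what appears in the AWS console and in audit exports. Change it to `description = "Allow all traffic from members of this security group"`, and make the group-level `"Allow all ports for worker group"` say what is actually open, e.g. `"Worker-to-worker traffic on all ports; unrestricted egress"`. The inline `#tfsec:ignore:aws-ec2-no-public-egress-sgr` on `cidr_blocks = ["0.0.0.0/0"]` records neither a reason nor an expiry; a comment above it naming why worker nodes need unrestricted egress (I cannot tell from here) and an `:exp:YYYY-MM-DD` suffix would keep the suppression reviewable. The commented-out `# self = true` in the egress block is dead config and could go.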
--- a/terraform/aws/curvenote/vpc.tf
+++ b/terraform/aws/curvenote/vpc.tf
@@ -1,5 +1,7 @@
 # data "aws_availability_zones" "available" {}
+#tfsec:ignore:aws-ec2-no-public-ip-subnet
+#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.0.0"
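Review bot: `#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs` silences the finding rather than addressing it, and VPC flow logs are the only network-level telemetry an incident responder will have for this VPC. The module pinned here (terraform-aws-modules/vpc 5.0.0) appears to support enabling them directly with `enable_flow_log = true`, `create_flow_log_cloudwatch_log_group = true` and `create_flow_log_cloudwatch_iam_role = true`, which would remove the need for the ignore at the cost of CloudWatch log volume. If the ignore is kept for now, give it a reason and an expiry, e.g. `#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs:exp:YYYY-MM-DD` with a comment above explaining why. The public-IP-subnet ignore presumably covers `map_public_ip_on_launch` on the public subnets, but the module's arguments lie outside this hunk so I cannot confirm which subnets it applies to; the `module "vpc"` block continues past the end of the hunk.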