From 0a980f5c090018ef7d5a7d7cfd4219878cbf6c19 Mon Sep 17 00:00:00 2001 From: Antoine Augusti Date: Wed, 24 Feb 2021 09:52:39 -0500 Subject: [PATCH 1/6] Bump tfsec to 0.39.0 --- .github/workflows/terraform_static_analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform_static_analysis.yml b/.github/workflows/terraform_static_analysis.yml index cb2e8f0c8..4b0175b71 100644 --- a/.github/workflows/terraform_static_analysis.yml +++ b/.github/workflows/terraform_static_analysis.yml @@ -16,8 +16,8 @@ jobs: uses: actions/checkout@v2 - name: Terraform security scan - uses: triat/terraform-security-scan@v2.0.2 + uses: triat/terraform-security-scan@v2.1.0 with: - tfsec_version: 'v0.37.1' + tfsec_version: 'v0.39.0' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 76266698db0d58c8d01c36f6438bea989d849350 Mon Sep 17 00:00:00 2001 From: Antoine Augusti Date: Wed, 24 Feb 2021 09:58:23 -0500 Subject: [PATCH 2/6] AWS067: add authenticator log type --- aws/eks/eks.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf index 68476c1b8..3b0e745d5 100644 --- a/aws/eks/eks.tf +++ b/aws/eks/eks.tf @@ -6,7 +6,7 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" { name = var.eks_cluster_name role_arn = aws_iam_role.eks-cluster-role.arn - enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler"] + enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler", "authenticator"] vpc_config { security_group_ids = [ 
@@ -15,6 +15,9 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 subnet_ids = var.vpc_private_subnets
 }
+ #tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
+ # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/202
+
 # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
 # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
 depends_on = [
From 9b17bf6602d48ca6b8356c29041decc25d874aec Mon Sep 17 00:00:00 2001
From: Antoine Augusti
Date: Wed, 24 Feb 2021 10:04:56 -0500
Subject: [PATCH 3/6] Tackle AWS069: EKS Clusters should have the public access disabled
---
 aws/eks/eks.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf
index 3b0e745d5..31944127c 100644
--- a/aws/eks/eks.tf
+++ b/aws/eks/eks.tf
@@ -12,12 +12,16 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 security_group_ids = [
 aws_security_group.notification-canada-ca-worker.id
 ]
- subnet_ids = var.vpc_private_subnets
+ subnet_ids = var.vpc_private_subnets
+ endpoint_public_access = false
 }
- #tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
+ # tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
 # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/202
+ # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
+ # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
+
 # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
 # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
 depends_on = [
From 7fb1f8c1f9d1f567c5d8e6615d1cec1ef8fb8af3 Mon Sep 17 00:00:00 2001
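Review bot: The `#tfsec:ignore:AWS066` comment sits in the middle of the resource body, a few lines above `depends_on`, rather than on the line tfsec reports the finding at or the line directly above it, which as far as I recall is where tfsec looks for an ignore; a missing `encryption_config` block has no line of its own and is reported against the resource block, so this ignore may not silence anything. Please confirm against the scan output from the workflow pinned in patch 1/6 before deferring the finding to issue 202, and note that patch 3/6 changes the spelling to `# tfsec:ignore:` with a space while placing the AWS068 ignore the same way, and patches 4/6 and 5/6 then move that comment twice, which suggests the scanner was not satisfied on the first try. Whatever placement ends up working should be stated in the comment so the next edit does not silently re-break it, e.g. `# tfsec:ignore:AWS066 (must stay on the line tfsec reports for this finding)`. The resource block starts and ends outside this hunk.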
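Review bot: `endpoint_public_access = false` is added without `endpoint_private_access`, whose provider default is false, so unless the private endpoint is enabled somewhere in `vpc_config` outside this hunk the cluster now has both endpoint modes disabled, a combination the EKS API rejects at apply time in my experience. Setting `endpoint_private_access = true` next to it both avoids that and states the actual intent, an API server reachable only from inside the VPC. Once the public endpoint is gone, anything that runs kubectl or helm against this cluster, CI included, needs a path into the VPC, and the commit message should say how that is provided; I cannot see it from here. The AWS068 ignore added in the same hunk concerns `public_access_cidrs`, which may already be moot with public access off, so re-running the scan without the ignore is worth a try before opening issue 203 for it.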
From: Antoine Augusti
Date: Wed, 24 Feb 2021 10:06:58 -0500
Subject: [PATCH 4/6] Move comment around
---
 aws/eks/eks.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf
index 31944127c..6ac8123a3 100644
--- a/aws/eks/eks.tf
+++ b/aws/eks/eks.tf
@@ -8,6 +8,8 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler", "authenticator"]
+ # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
+ # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
 vpc_config {
 security_group_ids = [
 aws_security_group.notification-canada-ca-worker.id
@@ -19,8 +21,6 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 # tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
 # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/202
- # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
- # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
 # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
 # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
From ff8fa55ee8ef67aa606326ddd5845952b5b6c173 Mon Sep 17 00:00:00 2001
From: Antoine Augusti
Date: Wed, 24 Feb 2021 10:08:20 -0500
Subject: [PATCH 5/6] Move comment around
---
 aws/eks/eks.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf
index 6ac8123a3..36cd2a950 100644
--- a/aws/eks/eks.tf
+++ b/aws/eks/eks.tf
@@ -8,9 +8,9 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler", "authenticator"]
- # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
- # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
 vpc_config {
+ # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
+ # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
 security_group_ids = [
 aws_security_group.notification-canada-ca-worker.id
 ]
From af1f7e5226c4a5a82d29a219bdcc776a9de168b9 Mon Sep 17 00:00:00 2001
From: Antoine Augusti
Date: Wed, 24 Feb 2021 10:10:50 -0500
Subject: [PATCH 6/6] Remove blank line
---
 aws/eks/eks.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf
index 36cd2a950..b2d20eb48 100644
--- a/aws/eks/eks.tf
+++ b/aws/eks/eks.tf
@@ -21,7 +21,6 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
 # tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
 # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/202
-
 # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
 # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
 depends_on = [