cds-snc · AntoineAugusti · Feb 24, 2021 · Feb 24, 2021 · Feb 24, 2021 · Feb 24, 2021
@@ -16,8 +16,8 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Terraform security scan
-        uses: triat/terraform-security-scan@v2.0.2
+        uses: triat/terraform-security-scan@v2.1.0
         with:
-          tfsec_version: 'v0.37.1'
+          tfsec_version: 'v0.39.0'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -6,15 +6,21 @@ resource "aws_eks_cluster" "notification-canada-ca-eks-cluster" {
   name     = var.eks_cluster_name
   role_arn = aws_iam_role.eks-cluster-role.arn
 
-  enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler"]
+  enabled_cluster_log_types = ["api", "audit", "controllerManager", "scheduler", "authenticator"]
 
   vpc_config {
+    # tfsec:ignore:AWS068 EKS cluster should not have open CIDR range for public access
+    # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/203
     security_group_ids = [
       aws_security_group.notification-canada-ca-worker.id
     ]
-    subnet_ids = var.vpc_private_subnets
+    subnet_ids             = var.vpc_private_subnets
+    endpoint_public_access = false
   }
 
+  # tfsec:ignore:AWS066 EKS should have the encryption of secrets enabled
+  # Will be tackled in the future https://github.com/cds-snc/notification-terraform/issues/202
+
   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
   depends_on = [