
feat: update new github-action and subnet vpc tag #19

Merged
merged 1 commit into from
Aug 1, 2023

Conversation

theprashantyadav
Contributor

what
added new vpc and subnet tag
added new github-action

why
need to update vpc and subnet tag

@clouddrove-ci clouddrove-ci self-assigned this Aug 1, 2023
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:207
────────────────────────────────────────────────────────────────────────────────
  190    resource "aws_security_group" "this" {
  ...  
  207  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:190-209
────────────────────────────────────────────────────────────────────────────────
  190  ┌ resource "aws_security_group" "this" {
  191  │   name_prefix = var.name
  192  │   vpc_id      = var.vpc_id
  193  │   tags        = module.labels.tags
  194  │ 
  195  │   ingress {
  196  │     from_port = 0
  197  │     protocol  = -1
  198  └     self      = true
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #3 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:195-201
────────────────────────────────────────────────────────────────────────────────
  190    resource "aws_security_group" "this" {
  ...  
  195  ┌   ingress {
  196  │     from_port = 0
  197  │     protocol  = -1
  198  │     self      = true
  199  │     to_port   = 0
  200  │ 
  201  └   }
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #4 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:203-208
────────────────────────────────────────────────────────────────────────────────
  190    resource "aws_security_group" "this" {
  ...  
  203  ┌   egress {
  204  │     from_port   = 0
  205  │     to_port     = 0
  206  │     protocol    = "-1"
  207  │     cidr_blocks = ["0.0.0.0/0"]
  208  └   }
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #5 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:223-229
────────────────────────────────────────────────────────────────────────────────
  223    resource "aws_cloudwatch_log_group" "vpn" {
  224      count             = var.enabled ? 1 : 0
  225      name              = format("/aws/vpn/%s/logs", module.labels.id)
  226      retention_in_days = var.logs_retention
  227    
  228      tags = module.labels.tags
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             82.5µs
  parsing              72.315529ms
  adaptation           176.102µs
  checks               12.276341ms
  total                84.850472ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           4

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             1
  high                 0
  medium               0
  low                  4

  3 passed, 5 potential problem(s) detected.

@themaniskshah themaniskshah merged commit c5f445b into master Aug 1, 2023
8 checks passed
@delete-merged-branch delete-merged-branch bot deleted the issue-465 branch August 1, 2023 16:56