
update main.tf, version.tf and github action and add locals in e… #20

Merged
merged 8 commits into master from issue-255
Sep 7, 2023

Conversation

mamrajyadav
Contributor

what

  • added new arguments to main.tf file
  • added latest terraform version.
  • updated output.tf in root module and example.
  • updated github actions.
  • made hard-coded values dynamic and added variables.tf


@github-advanced-security github-advanced-security bot left a comment


defsec found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

@clouddrove-ci
Member

Terraform Security Scan Failed

Results #1-2 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:205
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_security_group" "this" {
  ...  
  205  [       cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "0.0.0.0/0")))
  ...  
  211    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:187-211 (aws_security_group.this) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #3 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:187-211
────────────────────────────────────────────────────────────────────────────────
  187  ┌ resource "aws_security_group" "this" {
  188  │   name_prefix = var.name
  189  │   vpc_id      = var.vpc_id
  190  │   tags        = module.labels.tags
  191  │
  192  │   dynamic "ingress" {
  193  │     for_each = var.security_group_ingress
  194  │     content {
  195  └       self      = lookup(ingress.value, "self", true)
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Results #4-5 LOW Security group rule does not have a description. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:194-199
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_security_group" "this" {
  ...  
  194  ┌     content {
  195  │       self      = lookup(ingress.value, "self", true)
  196  │       from_port = lookup(ingress.value, "from_port", 0)
  197  │       to_port   = lookup(ingress.value, "to_port", 0)
  198  │       protocol  = lookup(ingress.value, "protocol", "-1")
  199  └     }
  ...  
  211    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:187-211 (aws_security_group.this) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Results #6-7 LOW Security group rule does not have a description. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:204-209
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_security_group" "this" {
  ...  
  204  ┌     content {
  205  │       cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "0.0.0.0/0")))
  206  │       from_port   = lookup(egress.value, "from_port", 0)
  207  │       to_port     = lookup(egress.value, "to_port", 0)
  208  │       protocol    = lookup(egress.value, "protocol", "-1")
  209  └     }
  ...  
  211    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:187-211 (aws_security_group.this) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #8 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:225-230
────────────────────────────────────────────────────────────────────────────────
  225    resource "aws_cloudwatch_log_group" "vpn" {
  226      count             = var.enabled ? 1 : 0
  227      name              = format("/aws/vpn/%s/logs", module.labels.id)
  228      retention_in_days = var.logs_retention
  229      tags              = module.labels.tags
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             129.406µs
  parsing              46.633289ms
  adaptation           180.908µs
  checks               12.344954ms
  total                59.288557ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     62
  files read           4

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             2
  high                 0
  medium               0
  low                  6

  4 passed, 8 potential problem(s) detected.
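The scan above reports four distinct findings against this module: the egress rule in `aws_security_group.this` falls back to `0.0.0.0/0` (aws-ec2-no-public-egress-sgr), the group keeps Terraform's default description (aws-ec2-add-description-to-security-group), the ingress and egress rules carry no description (aws-ec2-add-description-to-security-group-rule), and `aws_cloudwatch_log_group.vpn` is not encrypted with a customer-managed key (aws-cloudwatch-log-group-customer-key). The block below is an added example, not code from this PR or from the clouddrove module, showing one way each finding can be remediated while keeping the page's own resource and variable names. `var.security_group_egress`, `var.kms_key_id` and the `description` keys inside the rule maps are assumptions; the PR's variables.tf is not reproduced on this page.

```hcl
# Added example (not the module's code): remediation for the tfsec findings
# listed in the scan output. Assumed inputs: var.security_group_egress,
# var.kms_key_id, and optional "description" keys in the ingress/egress maps.

# As flagged: the egress CIDR silently defaults to the whole internet and
# neither the group nor its rules carry a description.
#
#   cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "0.0.0.0/0")))

resource "aws_security_group" "this" {
  name_prefix = var.name
  # Explicit description replaces the default "Managed by Terraform"
  # (aws-ec2-add-description-to-security-group). Wording is assumed.
  description = "VPN security group for ${module.labels.id}"
  vpc_id      = var.vpc_id
  tags        = module.labels.tags

  dynamic "ingress" {
    for_each = var.security_group_ingress
    content {
      # Per-rule description (aws-ec2-add-description-to-security-group-rule).
      description = lookup(ingress.value, "description", "ingress rule")
      self        = lookup(ingress.value, "self", true)
      from_port   = lookup(ingress.value, "from_port", 0)
      to_port     = lookup(ingress.value, "to_port", 0)
      protocol    = lookup(ingress.value, "protocol", "-1")
    }
  }

  dynamic "egress" {
    for_each = var.security_group_egress
    content {
      description = lookup(egress.value, "description", "egress rule")
      # No permissive default: a rule that omits cidr_blocks fails at plan
      # time instead of opening egress to 0.0.0.0/0 (aws-ec2-no-public-egress-sgr).
      cidr_blocks = compact(split(",", egress.value["cidr_blocks"]))
      from_port   = lookup(egress.value, "from_port", 0)
      to_port     = lookup(egress.value, "to_port", 0)
      protocol    = lookup(egress.value, "protocol", "-1")
    }
  }
}

# Log group encrypted with a customer-managed KMS key
# (aws-cloudwatch-log-group-customer-key). var.kms_key_id is assumed to hold
# the key ARN.
resource "aws_cloudwatch_log_group" "vpn" {
  count             = var.enabled ? 1 : 0
  name              = format("/aws/vpn/%s/logs", module.labels.id)
  retention_in_days = var.logs_retention
  kms_key_id        = var.kms_key_id
  tags              = module.labels.tags
}
```

Two checks are worth doing after a change like this. First, tfsec evaluates variable defaults, so if `var.security_group_egress` in variables.tf still defaults to a rule with `cidr_blocks = "0.0.0.0/0"`, Results #1-2 will come back even though main.tf no longer hardcodes it. Second, the KMS key referenced by `kms_key_id` must have a key policy that allows the CloudWatch Logs service principal for the region to use it; otherwise `terraform apply` creates the group but log delivery fails. Re-running the Terraform Security Scan job on the branch confirms that the critical and low counts drop to zero.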

_example/example.tf: Fixed (5 annotations)
@mamrajyadav mamrajyadav requested a review from a team September 7, 2023 12:51
Member

@themaniskshah themaniskshah left a comment


LGTM

@anmolnagpal anmolnagpal merged commit b6b320b into master Sep 7, 2023
7 checks passed
@delete-merged-branch delete-merged-branch bot deleted the issue-255 branch September 7, 2023 14:43