
Training certificate add in UAT ALB #3505

Merged: 2 commits, Sep 28, 2023

Conversation

umeshc-roy (Contributor):

No description provided.

@umeshc-roy umeshc-roy requested review from a team as code owners September 28, 2023 09:28
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 28, 2023
github-actions bot commented:

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             2.581713ms
  parsing              394.777986ms
  adaptation           781.505µs
  checks               11.307062ms
  total                409.448266ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           74

  results
  ──────────────────────────────────────────
  passed               37
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 120, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:323-371

		323 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		324 |   statement {
		325 |     sid    = "AllowReadingMetricsFromCloudWatch"
		326 |     effect = "Allow"
		327 |     actions = [
		328 |       "cloudwatch:DescribeAlarmsForMetric",
		329 |       "cloudwatch:DescribeAlarmHistory",
		330 |       "cloudwatch:DescribeAlarms",
		331 |       "cloudwatch:ListMetrics",
		332 |       "cloudwatch:GetMetricData",
		333 |       "cloudwatch:GetInsightRuleReport"
		334 |     ]
		335 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		336 |     resources = ["*"]
		337 |   }
		338 |   statement {
		339 |     sid    = "AllowReadingLogsFromCloudWatch"
		340 |     effect = "Allow"
		341 |     actions = [
		342 |       "logs:DescribeLogGroups",
		343 |       "logs:GetLogGroupFields",
		344 |       "logs:StartQuery",
		345 |       "logs:StopQuery",
		346 |       "logs:GetQueryResults",
		347 |       "logs:GetLogEvents"
		348 |     ]
		349 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |     resources = ["*"]
		351 |   }
		352 |   statement {
		353 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		354 |     effect = "Allow"
		355 |     actions = [
		356 |       "ec2:DescribeTags",
		357 |       "ec2:DescribeInstances",
		358 |       "ec2:DescribeRegions"
		359 |     ]
		360 |     resources = ["*"]
		361 |   }
		362 |   statement {
		363 |     sid    = "AllowReadingResourcesForTags"
		364 |     effect = "Allow"
		365 |     actions = [
		366 |       "tag:GetResources"
		367 |     ]
		368 |     resources = ["*"]
		369 |   }
		370 | 
		371 | }

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
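
The three Checkov failures above are the scanner's output on the environment's ec2_common.tf; the PR itself does not touch them. The block below is an added example, not code from this PR or from the modernisation-platform-environments repository, showing what would satisfy the two Session Manager checks (CKV_AWS_112, CKV_AWS_113) and how to handle the wildcard-resource finding (CKV_AWS_356) without simply silencing it. It assumes a customer-managed key resource named aws_kms_key.session_manager (the name in the page's own commented-out reference), a KMS-encrypted log group aws_cloudwatch_log_group.session_manager and an S3 bucket aws_s3_bucket.session_logs; all three are assumptions, and the IAM example keeps only the log and describe statements needed to show the split, omitting the alarm and insight-rule actions of the original policy.

```hcl
# Added example (not the PR's or the repository's code).
# Assumed to exist elsewhere in the configuration:
#   aws_kms_key.session_manager, aws_cloudwatch_log_group.session_manager
#   (with kms_key_id set), aws_s3_bucket.session_logs.

resource "aws_ssm_document" "session_manager_settings" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "1.0"
    description   = "Document to hold regional settings for Session Manager"
    sessionType   = "Standard_Stream"
    inputs = {
      # CKV_AWS_112: encrypt the session stream with a customer-managed key.
      # Caveat: both the principal running `aws ssm start-session` and the
      # instance profile need kms:GenerateDataKey / kms:Decrypt on this key,
      # otherwise sessions fail to start.
      kmsKeyId = aws_kms_key.session_manager.arn

      # CKV_AWS_113: logging enabled AND encrypted. With
      # cloudWatchEncryptionEnabled = true the target log group must itself be
      # KMS-encrypted or Session Manager refuses the session.
      cloudWatchLogGroupName      = aws_cloudwatch_log_group.session_manager.name
      cloudWatchEncryptionEnabled = true
      cloudWatchStreamingEnabled  = true
      s3BucketName                = aws_s3_bucket.session_logs.id
      s3KeyPrefix                 = "session-manager/"
      s3EncryptionEnabled         = true

      idleSessionTimeout = "20"
      runAsEnabled       = false
      runAsDefaultUser   = ""
      shellProfile = {
        windows = ""
        linux   = ""
      }
    }
  })
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "cloudwatch_datasource" {
  # Log actions that DO support resource-level permissions: scope them to this
  # account's log groups in this region instead of "*". (Partition is
  # hard-coded to "aws"; use data.aws_partition if you run in other partitions.)
  statement {
    sid    = "AllowReadingLogsFromCloudWatch"
    effect = "Allow"
    actions = [
      "logs:GetLogGroupFields",
      "logs:StartQuery",
      "logs:GetLogEvents",
    ]
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*",
    ]
  }

  # Actions that have NO resource-level permissions in the IAM service
  # authorization reference: "*" is the only valid resource. Record the
  # accepted exception for both scanners so the finding is explained, not lost.
  statement {
    sid    = "AllowDescribeOnlyActions"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:StopQuery",
      "logs:GetQueryResults",
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricData",
      "ec2:DescribeTags",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "tag:GetResources",
    ]
    #tfsec:ignore:aws-iam-no-policy-wildcards
    #checkov:skip=CKV_AWS_356:these actions do not support resource-level permissions
    resources = ["*"]
  }
}
```

The checkov:skip comment applies to the whole data block it sits in, so keep it next to the statement it justifies and keep the justification text accurate; a reviewer reading the next "Checkov Scan Failed" comment then sees a documented exception rather than an unexplained wildcard.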

@markgov (Contributor) left a comment:

LGTM

github-actions bot commented:

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             3.345345ms
  parsing              518.359713ms
  adaptation           577.808µs
  checks               11.941059ms
  total                534.223925ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           74

  results
  ──────────────────────────────────────────
  passed               37
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 120, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:323-371

		323 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		324 |   statement {
		325 |     sid    = "AllowReadingMetricsFromCloudWatch"
		326 |     effect = "Allow"
		327 |     actions = [
		328 |       "cloudwatch:DescribeAlarmsForMetric",
		329 |       "cloudwatch:DescribeAlarmHistory",
		330 |       "cloudwatch:DescribeAlarms",
		331 |       "cloudwatch:ListMetrics",
		332 |       "cloudwatch:GetMetricData",
		333 |       "cloudwatch:GetInsightRuleReport"
		334 |     ]
		335 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		336 |     resources = ["*"]
		337 |   }
		338 |   statement {
		339 |     sid    = "AllowReadingLogsFromCloudWatch"
		340 |     effect = "Allow"
		341 |     actions = [
		342 |       "logs:DescribeLogGroups",
		343 |       "logs:GetLogGroupFields",
		344 |       "logs:StartQuery",
		345 |       "logs:StopQuery",
		346 |       "logs:GetQueryResults",
		347 |       "logs:GetLogEvents"
		348 |     ]
		349 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |     resources = ["*"]
		351 |   }
		352 |   statement {
		353 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		354 |     effect = "Allow"
		355 |     actions = [
		356 |       "ec2:DescribeTags",
		357 |       "ec2:DescribeInstances",
		358 |       "ec2:DescribeRegions"
		359 |     ]
		360 |     resources = ["*"]
		361 |   }
		362 |   statement {
		363 |     sid    = "AllowReadingResourcesForTags"
		364 |     effect = "Allow"
		365 |     actions = [
		366 |       "tag:GetResources"
		367 |     ]
		368 |     resources = ["*"]
		369 |   }
		370 | 
		371 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@umeshc-roy umeshc-roy merged commit 9580387 into main Sep 28, 2023
12 of 13 checks passed
@umeshc-roy umeshc-roy deleted the 28092023 branch September 28, 2023 09:36