fargate profile added and fix aws managed eks #57

d4kverma · 2023-08-09T10:35:12Z

what

fix terraform version.
added fargate profile
fix aws managed eks.
*addditional iam policies resources added for node role.
*default addon added
default variable removed.

github-advanced-security

defsec found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

clouddrove-ci · 2023-08-09T10:37:41Z

`Terraform Security Scan` Failed

Show Output

Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be access from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21  [   cidr_blocks       = ["0.0.0.0/0"]
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             343.517µs
  parsing              145.405097ms
  adaptation           427.918µs
  checks               21.190003ms
  total                167.366535ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    2
  blocks processed     135
  files read           15

  results
  ──────────────────────────────────────────
  passed               15
  ignored              0
  critical             3
  high                 0
  medium               0
  low                  0

  15 passed, 3 potential problem(s) detected.

clouddrove-ci · 2023-08-09T12:57:21Z

`Terraform Security Scan` Failed

Show Output

Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be access from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21  [   cidr_blocks       = ["0.0.0.0/0"]
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             288.005µs
  parsing              91.937279ms
  adaptation           363.207µs
  checks               17.573501ms
  total                110.161992ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    2
  blocks processed     135
  files read           15

  results
  ──────────────────────────────────────────
  passed               15
  ignored              0
  critical             3
  high                 0
  medium               0
  low                  0

  15 passed, 3 potential problem(s) detected.

clouddrove-ci · 2023-08-10T08:53:13Z

`Terraform Security Scan` Failed

Show Output

Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:42
────────────────────────────────────────────────────────────────────────────────
   30    resource "aws_eks_cluster" "default" {
   ..  
   42  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be access from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:43
────────────────────────────────────────────────────────────────────────────────
   30    resource "aws_eks_cluster" "default" {
   ..  
   43  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:22
────────────────────────────────────────────────────────────────────────────────
   16    resource "aws_security_group_rule" "node_group" {
   17      count             = var.enabled ? 1 : 0
   18      description       = "Allow all egress traffic"
   19      from_port         = 0
   20      to_port           = 0
   21      protocol          = "-1"
   22  [   cidr_blocks       = ["0.0.0.0/0"]
   23      security_group_id = join("", aws_security_group.node_group.*.id)
   24      type              = "egress"
   25    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             317.599µs
  parsing              129.075478ms
  adaptation           391.5µs
  checks               11.814889ms
  total                141.599466ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    2
  blocks processed     135
  files read           15

  results
  ──────────────────────────────────────────
  passed               15
  ignored              0
  critical             3
  high                 0
  medium               0
  low                  0

  15 passed, 3 potential problem(s) detected.

fix: updated iampolicy principals of kms module feat: added additional_cidr_block

omsharma07

LGTM

anmolnagpal and others added 5 commits August 8, 2023 22:55

feat: fargate profile added

abe8d90

feat: fargate profile added

1e4c37a

feat: default variable removed

25c9650

feat: version fixed

8afa1d5

feat: version fixed

71b27cd

d4kverma requested a review from anmolnagpal August 9, 2023 10:35

d4kverma self-assigned this Aug 9, 2023

github-advanced-security bot found potential problems Aug 9, 2023

View reviewed changes

fix: Enabled key rotation in fargate example

24b6c49

fix: Fixed tfsec ignore

10c3a9b

13archit and others added 5 commits August 10, 2023 14:52

fix: Added tfsec ignore

3ea65e5

fix: fix tflint workflow.

1bbff08

fix: removed keypair module

72abff5

fix: updated iampolicy principals of kms module feat: added additional_cidr_block

fix: removed keypair module

eef6961

fix: updated iampolicy principals of kms module feat: added additional_cidr_block

fix: removed keypair module

3c6b476

fix: updated iampolicy principals of kms module feat: added additional_cidr_block

omsharma07 approved these changes Aug 10, 2023

View reviewed changes

omsharma07 merged commit 4e66c30 into master Aug 10, 2023
14 checks passed

delete-merged-branch bot deleted the feat/issue-229 branch August 10, 2023 17:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fargate profile added and fix aws managed eks #57

fargate profile added and fix aws managed eks #57

d4kverma commented Aug 9, 2023

github-advanced-security bot left a comment

clouddrove-ci commented Aug 9, 2023

clouddrove-ci commented Aug 9, 2023

clouddrove-ci commented Aug 10, 2023

omsharma07 left a comment

fargate profile added and fix aws managed eks #57

fargate profile added and fix aws managed eks #57

Conversation

d4kverma commented Aug 9, 2023

what

github-advanced-security bot left a comment

Choose a reason for hiding this comment

clouddrove-ci commented Aug 9, 2023

Terraform Security Scan Failed

clouddrove-ci commented Aug 9, 2023

Terraform Security Scan Failed

clouddrove-ci commented Aug 10, 2023

Terraform Security Scan Failed

omsharma07 left a comment

Choose a reason for hiding this comment

`Terraform Security Scan` Failed

`Terraform Security Scan` Failed

`Terraform Security Scan` Failed