
fix examples
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Sep 24, 2024
1 parent 5631ba6 commit 2891869
Showing 36 changed files with 381 additions and 199 deletions.
11 changes: 10 additions & 1 deletion avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
Expand Up @@ -2,10 +2,19 @@
Use Customer managed key

```hcl
resource "aws_kms_key" "trail" {
enable_key_rotation = true
}
resource "aws_kms_alias" "trail" {
name = "alias/trail"
target_key_id = aws_kms_key.trail.key_id
}
resource "aws_cloudtrail" "good_example" {
is_multi_region_trail = true
enable_log_file_validation = true
kms_key_id = var.kms_id
kms_key_id = aws_kms_alias.trail.arn
event_selector {
read_write_type = "All"
11 changes: 10 additions & 1 deletion avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md
Expand Up @@ -2,10 +2,19 @@
Enable CMK encryption of CloudWatch Log Groups

```hcl
resource "aws_kms_key" "cloudwatch" {
enable_key_rotation = true
}
resource "aws_kms_alias" "cloudwatch" {
name = "alias/cloudwatch"
target_key_id = aws_kms_key.cloudwatch.key_id
}
resource "aws_cloudwatch_log_group" "good_example" {
name = "good_example"
kms_key_id = aws_kms_key.log_key.arn
kms_key_id = aws_kms_alias.cloudwatch.arn
}
```
8 changes: 7 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md
Expand Up @@ -14,12 +14,18 @@ Resources:
```
```yaml---
Resources:
MyKey:
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
GoodExample:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
KmsKeyId: !ImportValue "MyStack:Key"
KmsKeyId: !Ref MyKey
DeletionPolicy: Snapshot
```
3 changes: 3 additions & 0 deletions avd_docs/aws/ec2/AVD-AWS-0101/Terraform.md
Expand Up @@ -3,6 +3,9 @@ Create a non-default vpc for resources to be created in

```hcl
# no aws default vpc present
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
```

2 changes: 1 addition & 1 deletion avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md
Expand Up @@ -9,7 +9,7 @@ Resources:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: "something"
RuleAction: "allow"
RuleAction: "allow"
Rule:
Type: AWS::EC2::NetworkAclEntry
Properties:
4 changes: 2 additions & 2 deletions avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md
Expand Up @@ -9,9 +9,9 @@ Set a more restrictive cidr range
```
```hcl
resource "aws_security_group_rule" "allow_partner_rsync" {
resource "aws_security_group_rule" "example" {
type = "ingress"
security_group_id = aws_security_group.….id
security_group_id = "sg-123456"
from_port = 22
to_port = 22
protocol = "tcp"
8 changes: 4 additions & 4 deletions avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md
Expand Up @@ -11,10 +11,10 @@ Resources:
RoleArn: >-
arn:aws:iam::012345678910:role/eks-service-role-good-example
EncryptionConfig:
Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
- Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
ResourcesVpcConfig:
SecurityGroupIds:
- sg-6979fe18
6 changes: 5 additions & 1 deletion avd_docs/aws/eks/AVD-AWS-0039/Terraform.md
Expand Up @@ -2,11 +2,15 @@
Enable encryption of EKS secrets

```hcl
resource "aws_kms_key" "eks" {
enable_key_rotation = true
}
resource "aws_eks_cluster" "good_example" {
encryption_config {
resources = [ "secrets" ]
provider {
key_arn = var.kms_arn
key_arn = aws_kms_key.eks.arn
}
}
5 changes: 4 additions & 1 deletion avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md
Expand Up @@ -5,7 +5,10 @@ Switch to VPC resources
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of redshift sgr
Resources:
myCluster:
Type: "AWS::Redshift::Cluster"
Properties:
DBName: "mydb"
```

20 changes: 4 additions & 16 deletions avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md
Expand Up @@ -3,29 +3,17 @@ Add a logging block to the resource to enable access logging

```yaml---
Resources:
GoodExample:
TestBucket:
Type: AWS::S3::Bucket
Properties:
LoggingConfiguration:
DestinationBucketName: logging-bucket
DestinationBucketName: !Ref TestLoggingBucket
LogFilePrefix: accesslogs/
```
```yaml---
Resources:
GoodExample:
TestLoggingBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub my-s3-bucket-${BucketSuffix}
LoggingConfiguration:
DestinationBucketName: !FindInMap [EnvironmentMapping, s3, logging]
LogFilePrefix: !Sub s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix}
AccessControl: Private
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
AccessControl: LogDeliveryWrite
```

34 changes: 26 additions & 8 deletions avd_docs/aws/s3/AVD-AWS-0089/Terraform.md
Expand Up @@ -2,26 +2,44 @@
Add a logging block to the resource to enable access logging

```hcl
resource "aws_s3_bucket" "good_example" {
resource "aws_s3_bucket" "this" {
bucket = "test-bucket"
logging {
target_bucket = "target-bucket"
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}
}
resource "aws_s3_bucket" "log_bucket" {
bucket = "test-log-bucket"
}
resource "aws_s3_bucket_acl" "log_bucket" {
acl = "log-delivery-write"
bucket = aws_s3_bucket.log_bucket.id
}
```
```hcl
resource "aws_s3_bucket" "example" {
bucket = "yournamehere"
# ... other configuration ...
resource "aws_s3_bucket" "this" {
bucket = "test-bucket"
}
resource "aws_s3_bucket_logging" "example" {
bucket = aws_s3_bucket.example.id
resource "aws_s3_bucket_logging" "this" {
bucket = aws_s3_bucket.this.id
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}
resource "aws_s3_bucket" "log_bucket" {
bucket = "test-log-bucket"
}
resource "aws_s3_bucket_acl" "log_bucket" {
acl = "log-delivery-write"
bucket = aws_s3_bucket.log_bucket.id
}
```

#### Remediation Links
2 changes: 1 addition & 1 deletion avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md
Expand Up @@ -4,7 +4,7 @@ Turn on SNS Topic encryption
```yaml---
Resources:
GoodTopic:
Type: AWS::SQS::Topic
Type: AWS::SNS::Topic
Properties:
TopicName: blah
KmsMasterKeyId: some-key
9 changes: 7 additions & 2 deletions avd_docs/nifcloud/computing/AVD-NIF-0001/Terraform.md
Expand Up @@ -9,9 +9,14 @@ Set a more restrictive cidr range
```
```hcl
resource "nifcloud_security_group_rule" "allow_partner_rsync" {
resource "nifcloud_security_group" "example" {
group_name = "allowtcp"
availability_zone = "east-11"
}
resource "nifcloud_security_group_rule" "example" {
type = "IN"
security_group_names = [nifcloud_security_group..group_name]
security_group_names = [nifcloud_security_group.example.group_name]
from_port = 22
to_port = 22
protocol = "TCP"
4 changes: 2 additions & 2 deletions checks/cloud/aws/apigateway/no_public_access.rego
Expand Up @@ -35,11 +35,11 @@ deny contains res if {
isManaged(api)
some method in api.resources[_].methods
not method_is_option(method)
not is_apikey_required(api)
not is_apikey_required(method)
method.authorizationtype.value == authorization_none
res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
}

method_is_option(method) := method.httpmethod.value == "OPTION"

is_apikey_required(api) := api.apikeyrequired.value
is_apikey_required(method) := method.apikeyrequired.value
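Review bot: `is_apikey_required(method)` on the last line is undefined when the method carries no `apikeyrequired` attribute, so the `not` on the line `not is_apikey_required(method)` succeeds and a method with no key requirement declared and no authorizer is still reported; only an explicit `true` suppresses the finding, and an explicit `false` behaves like absence. That is the safe direction, but nothing in the file says so, and the message `Authorization is not enabled for this method.` does not tell the reader that requiring an API key is the accepted alternative. I would add `# undefined or false: the method is still reported; only an explicit true suppresses the finding` above the function, and consider mentioning the API-key exemption in the result message. The `deny` rule begins at the hunk header line, above the visible lines.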
2 changes: 1 addition & 1 deletion checks/cloud/aws/apigateway/no_public_access_test.rego
Expand Up @@ -19,7 +19,7 @@ test_allow_get_method_with_auth if {
}

test_allow_if_api_required if {
test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}})
test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}, "apikeyrequired": {"value": true}})
}

input_with_method(method) = {"aws": {"apigateway": {"v1": {"apis": [{"resources": [{"methods": [method]}]}]}}}}
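Review bot: `test_allow_if_api_required` cannot fail for the reason its name suggests: with `"authorizationtype": {"value": "AWS_IAM"}` the deny rule is already blocked by its authorization comparison, so the assertion passes whether or not `"apikeyrequired": {"value": true}` is present, and the moved check is never the deciding factor. To exercise it, the input should use the authorization value that the policy's `authorization_none` resolves to (defined outside this hunk) together with the key flag, and the name should say what is tested, e.g. `test_allow_if_apikey_required_on_method`. A companion case with the same authorization value and `"apikeyrequired": {"value": false}` asserting `count(check.deny) == 1` would pin the fail-closed side as well.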
11 changes: 10 additions & 1 deletion checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go
Expand Up @@ -2,10 +2,19 @@ package cloudtrail

var terraformEncryptionCustomerManagedKeyGoodExamples = []string{
`
resource "aws_kms_key" "trail" {
enable_key_rotation = true
}
resource "aws_kms_alias" "trail" {
name = "alias/trail"
target_key_id = aws_kms_key.trail.key_id
}
resource "aws_cloudtrail" "good_example" {
is_multi_region_trail = true
enable_log_file_validation = true
kms_key_id = var.kms_id
kms_key_id = aws_kms_alias.trail.arn
event_selector {
read_write_type = "All"
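Review bot: The `aws_kms_key "trail"` block added here, like `aws_kms_key "cloudwatch"` in log_group_customer_key.tf.go, sets only `enable_key_rotation = true` and no `policy`, so it gets the account-default key policy; as far as I recall, CloudTrail and CloudWatch Logs can only use a customer-managed key whose policy grants their service principals the relevant encrypt/decrypt/describe permissions, and applying these snippets as-is is expected to fail when the trail or log group is associated with the key. Since these strings are published as the remediation examples, a one-line note above each key block, `# the key policy must also grant the CloudTrail service principal use of this key` (and the CloudWatch Logs equivalent), or a minimal `policy` argument, would keep readers from copying an example that does not deploy. The avd_docs Terraform.md copies of both examples share this.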
11 changes: 10 additions & 1 deletion checks/cloud/aws/cloudwatch/log_group_customer_key.tf.go
Expand Up @@ -2,10 +2,19 @@ package cloudwatch

var terraformLogGroupCustomerKeyGoodExamples = []string{
`
resource "aws_kms_key" "cloudwatch" {
enable_key_rotation = true
}
resource "aws_kms_alias" "cloudwatch" {
name = "alias/cloudwatch"
target_key_id = aws_kms_key.cloudwatch.key_id
}
resource "aws_cloudwatch_log_group" "good_example" {
name = "good_example"
kms_key_id = aws_kms_key.log_key.arn
kms_key_id = aws_kms_alias.cloudwatch.arn
}
`,
}
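Review bot: `kms_key_id = aws_kms_alias.cloudwatch.arn` hands an alias ARN to the log group, and the CloudWatch Logs API documents that field as the key ARN; I believe alias ARNs are rejected there, unlike CloudTrail in the sibling example, which does accept them. If so, `kms_key_id = aws_kms_key.cloudwatch.arn` is the value readers should copy, with the `aws_kms_alias` resource kept purely for naming — worth confirming against the provider docs before publishing. The avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md copy uses the same expression.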
8 changes: 7 additions & 1 deletion checks/cloud/aws/ec2/encryption_customer_key.cf.go
Expand Up @@ -13,12 +13,18 @@ Resources:
`,
`---
Resources:
MyKey:
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
GoodExample:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
KmsKeyId: !ImportValue "MyStack:Key"
KmsKeyId: !Ref MyKey
DeletionPolicy: Snapshot
`,
}
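Review bot: The `KeyPolicy` on `MyKey` has `Version` and `Id` but no `Statement`, which is not a valid policy document, so this "good example" would be rejected at stack creation rather than serve as something a reader can apply. Either add a minimal statement allowing the account root principal (`!Sub arn:aws:iam::${AWS::AccountId}:root`) `kms:*` on `Resource: '*'`, or omit `KeyPolicy` altogether if the `AWS::KMS::Key` resource allows that — confirm against the resource docs before choosing the second. The avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md copy contains the same fragment.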
3 changes: 3 additions & 0 deletions checks/cloud/aws/ec2/no_default_vpc.tf.go
Expand Up @@ -3,6 +3,9 @@ package ec2
var terraformNoDefaultVpcGoodExamples = []string{
`
# no aws default vpc present
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
`,
}

2 changes: 1 addition & 1 deletion checks/cloud/aws/ec2/no_excessive_port_access.cf.go
Expand Up @@ -9,7 +9,7 @@ Resources:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: "something"
RuleAction: "allow"
RuleAction: "allow"
Rule:
Type: AWS::EC2::NetworkAclEntry
Properties:
4 changes: 2 additions & 2 deletions checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go
Expand Up @@ -8,9 +8,9 @@ var terraformNoPublicIngressSgrGoodExamples = []string{
}
`,
`
resource "aws_security_group_rule" "allow_partner_rsync" {
resource "aws_security_group_rule" "example" {
type = "ingress"
security_group_id = aws_security_group.….id
security_group_id = "sg-123456"
from_port = 22
to_port = 22
protocol = "tcp"
8 changes: 4 additions & 4 deletions checks/cloud/aws/eks/encrypt_secrets.cf.go
Expand Up @@ -11,10 +11,10 @@ Resources:
RoleArn: >-
arn:aws:iam::012345678910:role/eks-service-role-good-example
EncryptionConfig:
Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
- Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
ResourcesVpcConfig:
SecurityGroupIds:
- sg-6979fe18

0 comments on commit 2891869
