From 1fb24e9f55991d1bc9e78ad3263988e7d8308d35 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa
Date: Mon, 13 Feb 2023 21:39:26 -0500
Subject: [PATCH] Adding `checkov` skip check for `CKV_K8S_49` wildcard on `kubernetes_role`. Fixing `pre-commit-config.yaml`.
---
 .gitignore | 2 +- .header.md | 63 ------------------ .pre-commit-config.yaml | 45 ++++++++++--- .terraform-docs.yaml | 21 ------ .tflint.hcl | 66 ------------------- .../launch_configuration_imdsv2_tfchecks.json | 39 ----------- .tfsec/launch_template_imdsv2_tfchecks.json | 39 ----------- .tfsec/no_launch_config_tfchecks.json | 27 -------- .../sg_no_embedded_egress_rules_tfchecks.json | 27 -------- ...sg_no_embedded_ingress_rules_tfchecks.json | 27 -------- CODEOWNERS | 2 +- README.md | 1 + examples/basic/README.md | 2 +- main.tf | 1 + providers.tf | 13 ---- versions.tf | 4 ++ 16 files changed, 45 insertions(+), 334 deletions(-) delete mode 100644 .header.md delete mode 100644 .terraform-docs.yaml delete mode 100644 .tflint.hcl delete mode 100644 .tfsec/launch_configuration_imdsv2_tfchecks.json delete mode 100644 .tfsec/launch_template_imdsv2_tfchecks.json delete mode 100644 .tfsec/no_launch_config_tfchecks.json delete mode 100644 .tfsec/sg_no_embedded_egress_rules_tfchecks.json delete mode 100644 .tfsec/sg_no_embedded_ingress_rules_tfchecks.json delete mode 100644 providers.tf
diff --git a/.gitignore b/.gitignore
index 3406448..52167fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,4 +41,4 @@ terraform.rc
 go.mod
 go.sum
-.DS_Store
\ No newline at end of file
+.DS_Store
diff --git a/.header.md b/.header.md
deleted file mode 100644
index 4cd153d..0000000
--- a/.header.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Creating modules for AWS I&A Organization - -This repo template is used to seed Terraform Module templates for the [AWS I&A GitHub organization](https://github.com/aws-ia). Usage of this template is allowed per included license. PRs to this template will be considered but are not guaranteed to be included. Consider creating an issue to discuss a feature you want to include before taking the time to create a PR. - - -### TL;DR - -1. [install pre-commit](https://pre-commit.com/#install) - - Prerequisites: - - [Python](https://docs.python.org/3/using/index.html) - - [Pip](https://pip.pypa.io/en/stable/installation/) -2. configure pre-commit: `pre-commit install` -3. install required tools - - [tflint](https://github.com/terraform-linters/tflint) - - [tfsec](https://aquasecurity.github.io/tfsec/v1.0.11/) - - [terraform-docs](https://github.com/terraform-docs/terraform-docs) - - [golang](https://go.dev/doc/install) (for macos you can use `brew`) - - [coreutils](https://www.gnu.org/software/coreutils/) - -Write code according to [I&A module standards](https://aws-ia.github.io/standards-terraform/) - -## Module Documentation - -**Do not manually update README.md**. README.md is automatically generated by pulling in content from other files. For instructions, including a fill-in-the-blank content template, see [Create readmes for Terraform-based Partner Solutions.](https://aws-ia-us-west-2.s3.us-west-2.amazonaws.com/docs/content/index.html#/lessons/8rpYWWL59M7dcS-NsjYmaISUu-L_UqEv) - -## Terratest - -Please include tests to validate your examples/<> root modules, at a minimum. This can be accomplished with usually only slight modifications to the [boilerplate test provided in this template](./test/examples_basic_test.go) - -### Configure and run Terratest - -1. Install - - [golang](https://go.dev/doc/install) (for macos you can use `brew`) -2. Change directory into the test folder. - - `cd test` -3. 
Initialize your test - - go mod init github.com/[github org]/[repository] - - `go mod init github.com/aws-ia/terraform-aws-vpc` -4. Run tidy - - `go mod tidy` -5. Install Terratest - - `go get github.com/gruntwork-io/terratest/modules/terraform` -6. Run test (You can have multiple test files). - - Run all tests - - `go test` - - Run a specific test with a timeout - - `go test -run TestExamplesBasic -timeout 45m` - -## Module Standards - -For best practices and information on developing with Terraform, see the [I&A Module Standards](https://aws-ia.github.io/standards-terraform/) - -## Continuous Integration - -The I&A team uses AWS CodeBuild to perform continuous integration (CI) within the organization. Our CI uses the a repo's `.pre-commit-config.yaml` file as well as some other checks. All PRs with other CI will be rejected. See our [FAQ](https://aws-ia.github.io/standards-terraform/faq/#are-modules-protected-by-ci-automation) for more details. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cbafa4b..29eff7d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,11 +1,38 @@ ---- -fail_fast: false -minimum_pre_commit_version: "2.6.0" repos: - - - repo: https://github.com/aws-ia/pre-commit-configs - # To update run: - # pre-commit autoupdate --freeze - rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932 # frozen: v1.5.0 + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 hooks: - - id: aws-ia-meta-hook + - id: trailing-whitespace + args: ['--markdown-linebreak-ext=md'] + - id: end-of-file-fixer + - id: check-merge-conflict + - id: detect-private-key + - id: detect-aws-credentials + args: ['--allow-missing-credentials'] + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.77.1 + hooks: + - id: terraform_fmt + - id: terraform_docs + args: + - '--args=--lockfile=false' + - id: terraform_tflint + args: + - '--args=--only=terraform_deprecated_interpolation' + - '--args=--only=terraform_deprecated_index' + - '--args=--only=terraform_unused_declarations' + - '--args=--only=terraform_comment_syntax' + - '--args=--only=terraform_documented_outputs' + - '--args=--only=terraform_documented_variables' + - '--args=--only=terraform_typed_variables' + - '--args=--only=terraform_module_pinned_source' + - '--args=--only=terraform_naming_convention' + - '--args=--only=terraform_required_version' + - '--args=--only=terraform_required_providers' + - '--args=--only=terraform_standard_module_structure' + - '--args=--only=terraform_workspace_remote' + - id: terraform_validate + exclude: deploy + - id: terraform_tfsec + args: + - --args=--concise-output diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml deleted file mode 100644 index 6dc99de..0000000 --- a/.terraform-docs.yaml +++ /dev/null @@ -1,21 +0,0 @@ -formatter: markdown -header-from: .header.md -settings: - anchor: true - color: true - default: true - escape: true - html: true - indent: 2 - required: true - sensitive: true - type: true - lockfile: false - -sort: - enabled: true - by: required - -output: - file: README.md - mode: replace 
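Review bot: The two new `repo` entries at the top of the hunk pin to mutable tags (`rev: v4.4.0`, `rev: v1.77.1`), whereas the removed configuration pinned `aws-ia/pre-commit-configs` to a frozen commit SHA with a comment to refresh it via `pre-commit autoupdate --freeze`; a tag can be re-pointed by the upstream repo, so this is a step back in supply-chain pinning for the hooks that run on every developer machine and in CI. Re-freezing is a one-line change per entry, e.g. `rev: <commit-sha>  # frozen: v1.77.1`, as produced by `pre-commit autoupdate --freeze`. Separately, the hook list has no `terraform_checkov` entry, so the `#checkov:skip=CKV_K8S_49` annotation this same commit adds to `main.tf` is not exercised by this config; if checkov is expected to run in CI, adding `- id: terraform_checkov` here lets the skip be validated before push rather than after. Note also that the custom `.tfsec/*` checks (IMDSv2 enforcement on `aws_launch_template`/`aws_launch_configuration`) are deleted in this commit while `terraform_tfsec` is kept, so that enforcement now rests on tfsec's built-in rules — worth confirming they cover the same resource types before merging.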
diff --git a/.tflint.hcl b/.tflint.hcl deleted file mode 100644 index 0e31ba5..0000000 --- a/.tflint.hcl +++ /dev/null @@ -1,66 +0,0 @@ -# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md -# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl - -plugin "aws" { - enabled = true - version = "0.14.0" - source = "github.com/terraform-linters/tflint-ruleset-aws" -} - -config { - module = true - force = false -} - -rule "terraform_required_providers" { - enabled = true -} - -rule "terraform_required_version" { - enabled = true -} - -rule "terraform_naming_convention" { - enabled = true - format = "snake_case" -} - -rule "terraform_typed_variables" { - enabled = true -} - -rule "terraform_unused_declarations" { - enabled = true -} - -rule "terraform_comment_syntax" { - enabled = true -} - -rule "terraform_deprecated_index" { - enabled = true -} - -rule "terraform_deprecated_interpolation" { - enabled = true -} - -rule "terraform_documented_outputs" { - enabled = true -} - -rule "terraform_documented_variables" { - enabled = true -} - -rule "terraform_module_pinned_source" { - enabled = true -} - -rule "terraform_standard_module_structure" { - enabled = true -} - -rule "terraform_workspace_remote" { - enabled = true -} diff --git a/.tfsec/launch_configuration_imdsv2_tfchecks.json b/.tfsec/launch_configuration_imdsv2_tfchecks.json deleted file mode 100644 index 308ef01..0000000 --- a/.tfsec/launch_configuration_imdsv2_tfchecks.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "checks": [ - { - "code": "CUS002", - "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template", - "impact": "Instance metadata service can be interacted with freely", - "resolution": "Enable HTTP token requirement for IMDS", - "requiredTypes": [ - "resource" - ], - "requiredLabels": [ - "aws_launch_configuration" - ], - "severity": "CRITICAL", - "matchSpec": { - "action": "isPresent", - "name": "metadata_options", - "subMatch": { - "action": "and", - "predicateMatchSpec": [ - { - "action": "equals", - "name": "http_tokens", - "value": "required" - - } - ] - } - }, - - "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.", - "relatedLinks": [ - "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2", - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options", - "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service" - ] - } - ] -} diff --git a/.tfsec/launch_template_imdsv2_tfchecks.json b/.tfsec/launch_template_imdsv2_tfchecks.json deleted file mode 100644 index e1f1aa7..0000000 --- a/.tfsec/launch_template_imdsv2_tfchecks.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "checks": [ - { - "code": "CUS001", - "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template", - "impact": "Instance metadata service can be interacted with freely", - "resolution": "Enable HTTP token requirement for IMDS", - "requiredTypes": [ - "resource" - ], - "requiredLabels": [ - "aws_launch_template" - ], - "severity": "CRITICAL", - "matchSpec": { - "action": "isPresent", - "name": "metadata_options", - "subMatch": { - "action": "and", - "predicateMatchSpec": [ - { - "action": "equals", - "name": "http_tokens", - "value": "required" - - } - ] - } - }, - - "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.", - "relatedLinks": [ - "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2", - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options", - "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service" - ] - } - ] -} diff --git a/.tfsec/no_launch_config_tfchecks.json b/.tfsec/no_launch_config_tfchecks.json deleted file mode 100644 index 89b6328..0000000 --- a/.tfsec/no_launch_config_tfchecks.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "checks": [ - { - "code": "CUS003", - "description": "Use `aws_launch_template` over `aws_launch_configuration", - "impact": "Launch configurations are not capable of versions", - "resolution": "Convert resource type and attributes to `aws_launch_template`", - "requiredTypes": [ - "resource" - ], - "requiredLabels": [ - "aws_launch_configuration" - ], - "severity": "MEDIUM", - "matchSpec": { - "action": "notPresent", - "name": "image_id" - }, - - "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.", - "relatedLinks": [ - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template", - "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service" - ] - } - ] -} diff --git a/.tfsec/sg_no_embedded_egress_rules_tfchecks.json b/.tfsec/sg_no_embedded_egress_rules_tfchecks.json deleted file mode 100644 index ce43e66..0000000 --- a/.tfsec/sg_no_embedded_egress_rules_tfchecks.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "checks": [ - { - "code": "CUS005", - "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.", - "impact": "Embedded security group rules can cause issues during configuration updates.", - "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.", - "requiredTypes": [ - "resource" - ], - "requiredLabels": [ - "aws_security_group" - ], - "severity": "MEDIUM", - "matchSpec": { - "action": "notPresent", - "name": "egress" - }, - - "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.", - "relatedLinks": [ - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule", - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group" - ] - } - ] -} diff --git a/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json b/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json deleted file mode 100644 index 333ebc5..0000000 --- a/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "checks": [ - { - "code": "CUS004", - "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.", - "impact": "Embedded security group rules can cause issues during configuration updates.", - "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.", - "requiredTypes": [ - "resource" - ], - "requiredLabels": [ - "aws_security_group" - ], - "severity": "MEDIUM", - "matchSpec": { - "action": "notPresent", - "name": "ingress" - }, - - "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.", - "relatedLinks": [ - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule", - "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group" - ] - } - ] -} diff --git a/CODEOWNERS b/CODEOWNERS index 1006f66..b713cc0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @aws-ia/aws-ia \ No newline at end of file +* @aws-ia/aws-ia diff --git a/README.md b/README.md index 87b49bf..c1aeeb3 100644 --- a/README.md +++ b/README.md @@ -120,6 +120,7 @@ Make sure to replace the `${eks_cluster_id}`, `${AWS_REGION}` and `${TEAM_ROLE_A |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 3.72 | +| [awscc](#requirement\_awscc) | >= 0.24.0 | | [kubectl](#requirement\_kubectl) | >= 1.14 | | [kubernetes](#requirement\_kubernetes) | >= 2.10 | diff --git a/examples/basic/README.md b/examples/basic/README.md index f53c234..6a963bc 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md @@ -26,4 +26,4 @@ No inputs. ## Outputs No outputs. - \ No newline at end of file + diff --git a/main.tf b/main.tf index 01478fc..8bbe09b 100644 --- a/main.tf +++ b/main.tf 
@@ -82,6 +82,7 @@ resource "kubernetes_cluster_role_binding" "team" { resource "kubernetes_role" "team" { for_each = var.application_teams + #checkov:skip=CKV_K8S_49:API Groups access required for first deployment. metadata { name = "${each.key}-role" namespace = kubernetes_namespace.team[each.key].metadata[0].name diff --git a/providers.tf b/providers.tf deleted file mode 100644 index e492a2c..0000000 --- a/providers.tf +++ /dev/null @@ -1,13 +0,0 @@ -terraform { - required_version = ">= 1.0.7" - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0.0, < 5.0.0" - } - awscc = { - source = "hashicorp/awscc" - version = ">= 0.24.0" - } - } -} diff --git a/versions.tf b/versions.tf index c91b6fb..eb6deab 100644 --- a/versions.tf +++ b/versions.tf @@ -14,5 +14,9 @@ terraform { source = "gavinbunney/kubectl" version = ">= 1.14" } + awscc = { + source = "hashicorp/awscc" + version = ">= 0.24.0" + } } }
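Review bot: The added `#checkov:skip=CKV_K8S_49` line suppresses the wildcard-in-Role finding for every team role created by the `for_each`, but the reason text "API Groups access required for first deployment" reads as temporary and does not say which API groups, resources or verbs actually need the `*`, nor when the skip should be revisited. Because the role is namespaced (`namespace = kubernetes_namespace.team[each.key]...`) the blast radius is bounded to the team's namespace, but a wildcard in `verbs` or `resources` still hands full control of that namespace to every subject bound to it; enumerating the needed entries is preferable, and if the wildcard must stay the reason should say why, e.g. `#checkov:skip=CKV_K8S_49:Wildcard api_groups needed so teams can bootstrap CRD-backed resources on first deploy; revisit once the resource list is fixed`. The `rule` block(s) presumably carrying the wildcard, and the end of the resource, are outside this hunk, so I cannot confirm which field is wildcarded.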
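Review bot: The `awscc` entry added to `versions.tf` has no upper bound, and the `providers.tf` deleted in the same commit carried constraints this hunk does not carry over: `required_version = ">= 1.0.7"` and `aws` at `">= 4.0.0, < 5.0.0"`. The README table updated in this commit shows `terraform >= 1.0.0` and `aws >= 3.72`, which suggests the effective constraints are now looser than before (no `< 5.0.0` cap on `aws`, older Terraform accepted); if that loosening is intended it should be called out in the commit message, otherwise restore the cap on the `aws` entry with `version = ">= 4.0.0, < 5.0.0"`. I would also bound `awscc` to its current major, e.g. `version = "~> 0.24"`, since a 0.x provider may ship breaking changes in a minor release. The rest of the `terraform {}` block, including the `aws` entry itself, is outside this hunk.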