Update comments

wso2 · Oct 16, 2023 · fd819d5 · fd819d5
1 parent a2b0470
commit fd819d5
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 36 deletions.
diff --git a/modules/aws/ECR-IAM-User/iam_role.tf b/modules/aws/ECR-IAM-User/iam_role.tf
@@ -14,9 +14,8 @@ resource "aws_iam_user" "ecr_access_user" {
   tags = var.tags
 }
 
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope. This resource is specifically
-# created for an Admin user with access to all ECR resources. Hence, the wildcard is required.
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)
+# This if for an Admin user with access to all ECR resources. Hence, the wildcard is required.
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "ecr_access_policy" {
   name = join("-", [var.project, var.application, var.environment, var.region, "ecr-access-iam-policy"])

diff --git a/modules/aws/ECR/ecr.tf b/modules/aws/ECR/ecr.tf
@@ -9,13 +9,11 @@
 #
 # --------------------------------------------------------------------------------------
 
-# AVD-AWS-0030 checks whether AWS's default scanning tool is enabled for the ECR repository,
-# This ideally should be a customized parameter, based on the user's requirement
-# https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0030/
-# AVD-AWS-0033 checks whether AWS's default encryption is enabled for the ECR repository,
-# While it has been enabled by default at the module level (check `encryption_type`) users may configure it
-# as per their requirement
-# https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0033/
+# AVD-AWS-0030 (https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0030/)
+# Scanning on Image push should not be enabled by default and should be customizable per user requirement
+# AVD-AWS-0033 (https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0033/)
+# While it has been enabled by default at the module level (check `encryption_type`)
+# Further use of customer managed keys will be required per user requirement
 # trivy:ignore:AVD-AWS-0030
 # trivy:ignore:AVD-AWS-0033
 resource "aws_ecr_repository" "ecr_repository" {

diff --git a/modules/aws/EKS-Cluster/eks.tf b/modules/aws/EKS-Cluster/eks.tf
@@ -9,9 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
-# avd-aws-0038 Checks whether cluster has logging enabled, but this may not be required based on the purpose of the cluster.
-# As such this has been configured as a parameter
-# https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0038/
+# avd-aws-0038 (https://avd.aquasec.com/misconfig/aws/ecr/avd-aws-0038/)
+# Requirement to enable logs for EKS cluster will vary based on cluster purpose and requirements
+# Therefore has not been enforced as a requirement
 # trivy:ignore:AVD-AWS-0038
 resource "aws_eks_cluster" "eks_cluster" {
   name     = join("-", [var.project, var.application, var.environment, var.region, "eks"])

diff --git a/modules/aws/EKS-Cluster/iam_role.tf b/modules/aws/EKS-Cluster/iam_role.tf
@@ -72,10 +72,9 @@ resource "aws_iam_role" "cluster_autoscaler_role" {
   ]
 }
 
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope.
-# This however is an AWS Recommended Policy as per https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)
 # This policy provides the necessary permissions for configuring the cluster autoscaler
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# This is based on official AWS documentation https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "cluster_autoscaler_policy" {
   name = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-autoscaler-iam-policy"])
@@ -108,10 +107,9 @@ resource "aws_iam_role_policy_attachment" "eks_ca_iam_policy_attach" {
   ]
 }
 
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope.
-# Despite the wildcard, the tag definition only allows for accessing resources with a specific tag
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)
 # This policy provides the necessary permissions for the EKS cluster to mount an EFS as a persistent volume
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# Despite the wildcard, the tag definition only allows for accessing resources with a specific tag
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "node_efs_policy" {
   name        = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-efs-iam-policy"])
@@ -158,11 +156,9 @@ resource "aws_iam_role" "cluster_loadbalancer_role" {
     data.aws_iam_policy_document.cluster_lb_sts_policy
   ]
 }
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope.
-# This however is an AWS Recommended Policy as per https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
-# which was based on the following doc https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)# This however is an AWS Recommended Policy as per https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
 # This policy provides the necessary permissions for the EKS cluster to create AWS Load Balancers
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# This is based on the following AWS Official Doc https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "cluster_loadbalancer_policy" {
   name = join("-", [var.project, var.application, var.environment, var.region, "eks-cluster-lb-iam-policy"])

diff --git a/modules/aws/EKS-Node-Group/iam_role.tf b/modules/aws/EKS-Node-Group/iam_role.tf
@@ -61,10 +61,9 @@ resource "aws_iam_role_policy_attachment" "amazon_cloud_watch_agent_policy" {
   ]
 }
 
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope.
-# This however is an AWS Recommended Policy as per https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)
 # This policy provides the necessary permissions for configuring the cluster autoscaler
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# This is based on official AWS documentation https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "node_group_autoscaler_policy" {
   name = join("-", [var.eks_cluster_name, var.node_group_name, "eks-cluster-auto-scaler-policy"])

diff --git a/modules/aws/Elastic-LoadBalancer/elastic_loadbalancer.tf b/modules/aws/Elastic-LoadBalancer/elastic_loadbalancer.tf
@@ -9,9 +9,8 @@
 #
 # --------------------------------------------------------------------------------------
 
-# avd-aws-0053 checks whether the Load Balancer is internal or not.
-# However based on the use case we may need public load balancers which has been configured as a parameter.
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0053/
+# avd-aws-0053 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0053/)
+# We may need public load balancers. As such this has been configured as a parameter.
 # trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "lb" {
   name               = join("-", [var.project, var.application, var.environment, var.region, "elb"])

diff --git a/modules/aws/VPC-Flow-Log/iam.tf b/modules/aws/VPC-Flow-Log/iam.tf
@@ -28,10 +28,9 @@ resource "aws_iam_role" "iam_role" {
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
-# avd-aws-0057 misconfig checks for IAM policy with wildcards for resource scope.
-# This however is an AWS Recommended Policy as per https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
-# This policy allows the User publishing Flow logs to Cloudwatch with the required permissions.
-# https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/
+# avd-aws-0057 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0057/)
+# This permission is required to publish flow logs to Cloud watch
+# This was derived per official AWS documentation https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
 # trivy:ignore:AVD-AWS-0057
 data "aws_iam_policy_document" "iam_policy_document" {
   statement {

diff --git a/modules/aws/VPC/vpc.tf b/modules/aws/VPC/vpc.tf
@@ -9,9 +9,8 @@
 #
 # --------------------------------------------------------------------------------------
 
-# avd-aws-0178 checks for whether flow logs are enabled.
-# However whether flow logs are required  via a separate module at the subnet level (Refer VPC-Flow-Log Module)
-# # https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0178
+# avd-aws-0178 (https://avd.aquasec.com/misconfig/aws/iam/avd-aws-0178)
+# For more granular control Flow logs are enabled at the subnet level via a separate module at the subnet level (Refer VPC-Flow-Log Module), instead of the VPC level.
 # trivy:ignore:AVD-AWS-0178
 resource "aws_vpc" "vpc" {
   cidr_block           = var.vpc_cidr_block