From a97b59a0a4675b6a7d43e4b7763f6d8d3b9bf280 Mon Sep 17 00:00:00 2001 From: Ranika Madurawe Date: Fri, 8 Nov 2024 11:35:31 +0530 Subject: [PATCH 1/5] Update ECR --- modules/aws/ECR/ecr.tf | 90 +++++++++++++------------ modules/aws/ECR/variables.tf | 10 +++ modules/aws/EKS-Cluster/iam_role.tf | 3 +- modules/aws/EKS-Node-Group/iam_role.tf | 10 +++ modules/aws/EKS-Node-Group/variables.tf | 5 ++ 5 files changed, 75 insertions(+), 43 deletions(-) diff --git a/modules/aws/ECR/ecr.tf b/modules/aws/ECR/ecr.tf index 98e5a5d..679e3dc 100644 --- a/modules/aws/ECR/ecr.tf +++ b/modules/aws/ECR/ecr.tf 
@@ -32,53 +32,59 @@ resource "aws_ecr_repository" "ecr_repository" { } } -resource "aws_iam_policy" "ecr_admin_iam_policy" { - name = join("-", [local.name_prefix, "ecr-admin-iam-policy"]) +data "aws_iam_policy_document" "admin_policy" { + statement { + sid = "External Admin policy" + effect = "Allow" - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - "ecr:InitiateLayerUpload", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload" - ], - Effect = "Allow", - Resource = aws_ecr_repository.ecr_repository.arn - } + principals { + type = "AWS" + identifiers = var.external_admin_account_ids + } + + actions = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:DescribeRepositories", + "ecr:GetRepositoryPolicy", + "ecr:ListImages", + "ecr:DeleteRepository", + "ecr:BatchDeleteImage", + "ecr:SetRepositoryPolicy", + "ecr:DeleteRepositoryPolicy", ] - }) - depends_on = [ - aws_ecr_repository.ecr_repository - ] - tags = var.tags + } +} + +resource "aws_ecr_repository_policy" "admin_policy" { + repository = aws_ecr_repository.ecr_repository.name + policy = data.aws_iam_policy_document.admin_policy.json } -resource "aws_iam_policy" "ecr_pull_only_iam_policy" { - name = join("-", [local.name_prefix, "ecr-pull-only-iam-policy"]) +data "aws_iam_policy_document" "pull_only_policy" { + statement { + sid = "External Pull only policy" + effect = "Allow" - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - Effect = "Allow", - Resource = aws_ecr_repository.ecr_repository.arn - } + principals { + type = "AWS" + identifiers = var.external_pull_only_account_ids + } + + actions = 
[ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" ] - }) - tags = var.tags + } +} - depends_on = [ - aws_ecr_repository.ecr_repository - ] +resource "aws_ecr_repository_policy" "pull_only_policy" { + repository = aws_ecr_repository.ecr_repository.name + policy = data.aws_iam_policy_document.pull_only_policy.json } diff --git a/modules/aws/ECR/variables.tf b/modules/aws/ECR/variables.tf index 958c565..b94b02f 100644 --- a/modules/aws/ECR/variables.tf +++ b/modules/aws/ECR/variables.tf @@ -60,3 +60,13 @@ variable "generate_name" { description = "Whether to generate name for the image repository" default = false } +variable "external_admin_account_ids" { + type = list(string) + description = "List of external admin account IDs" + default = [] +} +variable "external_pull_only_account_ids" { + type = list(string) + description = "List of external pull only account IDs" + default = [] +} diff --git a/modules/aws/EKS-Cluster/iam_role.tf b/modules/aws/EKS-Cluster/iam_role.tf index c599cc6..15af58c 100644 --- a/modules/aws/EKS-Cluster/iam_role.tf +++ b/modules/aws/EKS-Cluster/iam_role.tf @@ -175,7 +175,8 @@ resource "aws_iam_policy" "cluster_loadbalancer_policy" { "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeListenerAttributes" ], Resource : "*" }, diff --git a/modules/aws/EKS-Node-Group/iam_role.tf b/modules/aws/EKS-Node-Group/iam_role.tf index bbc45c6..99ecf5f 100644 --- a/modules/aws/EKS-Node-Group/iam_role.tf +++ b/modules/aws/EKS-Node-Group/iam_role.tf 
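Review bot: Both `aws_ecr_repository_policy` resources (`admin_policy` and `pull_only_policy`) target the same `aws_ecr_repository.ecr_repository.name`, but a repository holds exactly one policy document, so each apply lets one resource overwrite the other and one set of principals silently loses access until the next plan flips it back. The admin statement also grants external accounts `ecr:SetRepositoryPolicy`, `ecr:DeleteRepositoryPolicy` and `ecr:DeleteRepository`, which lets a principal in a foreign account rewrite this policy to admit anyone or delete the repository and its images; those three should come out unless cross-account policy administration is an explicit, documented requirement. Two further apply-time problems: the `sid` values `External Admin policy` / `External Pull only policy` contain spaces, which the IAM policy grammar does not permit for `Sid` (use `ExternalAdmin` / `ExternalPullOnly`), and with the default `[]` lists each `principals` block is emitted without identifiers, which ECR will most likely reject. One merged document with `dynamic "statement"` blocks guarded on list length, attached by a single `count`-gated `aws_ecr_repository_policy`, addresses all of these; note too that the removed `aws_iam_policy` resources were identity-side grants, so any in-account role that attached them presumably loses its ECR permissions with this change and the commit message should say so.
```hcl
data "aws_iam_policy_document" "repository_policy" {
  dynamic "statement" {
    for_each = length(var.external_admin_account_ids) > 0 ? [1] : []
    content {
      sid    = "ExternalAdmin"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = var.external_admin_account_ids
      }
      # … unchanged: the push/pull/describe/list/BatchDeleteImage actions from the admin statement …
      # ecr:DeleteRepository, ecr:SetRepositoryPolicy and ecr:DeleteRepositoryPolicy are deliberately
      # omitted: an external account must not be able to rewrite this policy or remove the repository.
    }
  }

  dynamic "statement" {
    for_each = length(var.external_pull_only_account_ids) > 0 ? [1] : []
    content {
      sid    = "ExternalPullOnly"
      effect = "Allow"
      principals {
        type        = "AWS"
        identifiers = var.external_pull_only_account_ids
      }
      # … unchanged: the three pull actions …
    }
  }
}

# Exactly one repository policy per repository; skip it entirely when no external account is configured.
resource "aws_ecr_repository_policy" "repository_policy" {
  count      = length(concat(var.external_admin_account_ids, var.external_pull_only_account_ids)) > 0 ? 1 : 0
  repository = aws_ecr_repository.ecr_repository.name
  policy     = data.aws_iam_policy_document.repository_policy.json
}
```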
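Review bot: `external_admin_account_ids` and `external_pull_only_account_ids` are passed straight into a repository-policy `principals` block, yet nothing checks their shape; a malformed entry only fails at apply time, and a valid-looking but wrong account ID silently grants another AWS account push or admin rights on the repository. Add a `validation` block to each variable requiring a 12-digit account ID (or an IAM ARN, if ARNs are intended — the description should say which), and expand the descriptions to state that these accounts receive cross-account access via the repository policy; this assumes Terraform 0.13 or later, which `validation` needs and which I cannot confirm from the hunk.
```hcl
variable "external_admin_account_ids" {
  type        = list(string)
  description = "AWS account IDs granted cross-account push, delete and describe rights on this repository through its repository policy."
  default     = []

  validation {
    condition     = alltrue([for id in var.external_admin_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry must be a 12-digit AWS account ID."
  }
}
# … same validation block for external_pull_only_account_ids …
```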
@@ -59,6 +59,16 @@ resource "aws_iam_role_policy_attachment" "amazon_ec2_container_registry_read_on ] } +resource "aws_iam_role_policy_attachment" "amazon_ssm_managed_instance_core" { + count = var.enable_ssm_access == false ? 0 : 1 + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + role = aws_iam_role.iam_role.name + + depends_on = [ + aws_iam_role.iam_role + ] +} + /* TODO:: Review and remove if not required resource "aws_iam_role_policy_attachment" "amazon_cloud_watch_agent_policy" { policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy" diff --git a/modules/aws/EKS-Node-Group/variables.tf b/modules/aws/EKS-Node-Group/variables.tf index d5058b9..4fa245f 100644 --- a/modules/aws/EKS-Node-Group/variables.tf +++ b/modules/aws/EKS-Node-Group/variables.tf @@ -98,3 +98,8 @@ variable "custom_ami_id" { description = "Custom AMI ID to be used for the node group" default = null } +variable "enable_ssm_access" { + type = bool + description = "Flag to enable SSM access" + default = false +} From d6a8d39b55ac44fbd57ec2f8cf27b0c00c75f975 Mon Sep 17 00:00:00 2001 From: Ranika Madurawe Date: Fri, 8 Nov 2024 11:54:59 +0530 Subject: [PATCH 2/5] Update policy --- modules/aws/ECR/outputs.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/aws/ECR/outputs.tf b/modules/aws/ECR/outputs.tf index 12f6456..780ad0b 100644 --- a/modules/aws/ECR/outputs.tf +++ b/modules/aws/ECR/outputs.tf @@ -9,14 +9,6 @@ # # -------------------------------------------------------------------------------------- -output "ecr_admin_iam_policy_arn" { - value = aws_iam_policy.ecr_admin_iam_policy.arn - depends_on = [aws_iam_policy.ecr_admin_iam_policy] -} -output "ecr_pull_only_iam_policy_arn" { - value = aws_iam_policy.ecr_pull_only_iam_policy.arn - depends_on = [aws_iam_policy.ecr_pull_only_iam_policy] -} output "ecr_id" { value = aws_ecr_repository.ecr_repository.id depends_on = [aws_ecr_repository.ecr_repository] 
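Review bot: Attaching `AmazonSSMManagedInstanceCore` to the node role enables Session Manager shells onto every worker node, which exposes the node's instance-role credentials, the kubelet and every container on the host; the `enable_ssm_access` flag gates it, but neither the attachment nor the new variable description records that blast radius, so a caller flipping it on for convenience gets no warning. Document it next to the resource, e.g. `# Grants Session Manager access to the worker nodes: anyone who can start a session gets host-level access to every pod on the node, so keep this off outside break-glass use and make sure session logging is enabled on the account.`, and mirror the warning in the `enable_ssm_access` description. Two style points: `count = var.enable_ssm_access == false ? 0 : 1` reads more naturally as `count = var.enable_ssm_access ? 1 : 0`, and the `depends_on` is redundant because `role = aws_iam_role.iam_role.name` already creates the dependency (the preceding attachment appears to use the same pattern, so this is consistency rather than a defect).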
From 04613cc9ce7c80e8ceb43a4d492e78cebcc4f178 Mon Sep 17 00:00:00 2001 From: Ranika Madurawe Date: Fri, 8 Nov 2024 16:03:36 +0530 Subject: [PATCH 3/5] Update s3 bucket --- modules/aws/S3-Account/s3_account.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/aws/S3-Account/s3_account.tf b/modules/aws/S3-Account/s3_account.tf index 2c416a0..9c30c92 100644 --- a/modules/aws/S3-Account/s3_account.tf +++ b/modules/aws/S3-Account/s3_account.tf @@ -18,11 +18,6 @@ resource "aws_s3_bucket" "s3_bucket" { tags = var.tags } -resource "aws_s3_bucket_acl" "bucket_acl" { - bucket = aws_s3_bucket.s3_bucket.id - acl = var.acl -} - # Ignore: AVD-AWS-0090 (https://avd.aquasec.com/misconfig/avd-aws-0090) # Reason: Versioning has been enabled as a parameter with default value true # trivy:ignore:AVD-AWS-0090 From 7b0f9af96548daeacde95c633393559da01531e6 Mon Sep 17 00:00:00 2001 From: Ranika Madurawe Date: Mon, 11 Nov 2024 11:25:32 +0530 Subject: [PATCH 4/5] Update trivy --- modules/aws/Cloud-Watch-Log-Group/log_group.tf | 3 +++ modules/aws/CloudTrail-Logs/cloudtrail_logs.tf | 3 +++ modules/aws/RDS-Aurora/rds.tf | 6 ++++++ modules/aws/S3-Account/s3_account.tf | 3 +++ modules/aws/S3-Account/variables.tf | 4 ---- modules/aws/SNS-Topic/sns_topic.tf | 3 +++ modules/aws/Secret-Manager-Secret/secret_manager_secret.tf | 3 +++ modules/aws/Security-Group/security_group.tf | 3 +++ 8 files changed, 24 insertions(+), 4 deletions(-) diff --git a/modules/aws/Cloud-Watch-Log-Group/log_group.tf b/modules/aws/Cloud-Watch-Log-Group/log_group.tf index 024dbff..1f47b59 100644 --- a/modules/aws/Cloud-Watch-Log-Group/log_group.tf +++ b/modules/aws/Cloud-Watch-Log-Group/log_group.tf 
@@ -9,6 +9,9 @@ # # -------------------------------------------------------------------------------------- +# Ignore: AVD-AWS-0017 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017) +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# trivy:ignore:AVD-AWS-0017 resource "aws_cloudwatch_log_group" "log_group" { name = var.log_group_name retention_in_days = var.retention_in_days diff --git a/modules/aws/CloudTrail-Logs/cloudtrail_logs.tf b/modules/aws/CloudTrail-Logs/cloudtrail_logs.tf index b5a4f61..da87aca 100644 --- a/modules/aws/CloudTrail-Logs/cloudtrail_logs.tf +++ b/modules/aws/CloudTrail-Logs/cloudtrail_logs.tf @@ -9,6 +9,9 @@ # # -------------------------------------------------------------------------------------- +# Ignore: AVD-AWS-0015 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017) +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# trivy:ignore:AVD-AWS-0015 # trivy:ignore:AVD-AWS-0162 # TODO: fix this resource "aws_cloudtrail" "cloudtrail_config" { name = join("-", [var.project, var.application, var.environment, var.region, "cloudtrail-log-config"]) diff --git a/modules/aws/RDS-Aurora/rds.tf b/modules/aws/RDS-Aurora/rds.tf index 1bfd9ea..5912a02 100644 --- a/modules/aws/RDS-Aurora/rds.tf +++ b/modules/aws/RDS-Aurora/rds.tf 
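Review bot: The suppression rationale `Variable KMS_KEY_ID is defined and can be used for explicit key encryption` does not address what AVD-AWS-0017 flags, which is whether the log group actually ends up encrypted with a customer-managed key; an optional variable with a null default leaves the default case exactly as the scanner reports it (the `kms_key_id` argument and the variable's default are outside this hunk, so I cannot confirm either). Either make the variable required or default it to a module-level key and drop the ignore, or state the real decision in the comment, e.g. `# Reason: CMK encryption is opt-in via var.kms_key_id; callers that need CMK-encrypted logs must set it.`. The same rationale text is copied into the SNS, Secrets Manager, S3 and RDS hunks in this series and the same question applies to each.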
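Review bot: The new `# Ignore: AVD-AWS-0015 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017)` line links to the CloudWatch log-group check rather than the CloudTrail one, so a reader following the justification lands on the wrong finding; the link should be `https://avd.aquasec.com/misconfig/aws/cloudtrail/avd-aws-0015`. It is also worth keeping the `# Reason:` text specific to CloudTrail (which variable sets `kms_key_id` on the trail, and what the default is), since the copied wording currently names a variable `KMS_KEY_ID` that the hunk does not show.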
@@ -10,8 +10,14 @@ # -------------------------------------------------------------------------------------- # Ignore: AVD-AWS-0343 (https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0343/) +# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0079) +# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0077) # Reason: Delete protection has been configured as an optional parameter as this will depend on the usage of the RDS +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# Reason: Variable backup_retention_period is defined and can be used for explicitlty setting backup retention # trivy:ignore:AVD-AWS-0343 +# trivy:ignore:AVD-AWS-0079 +# trivy:ignore:AVD-AWS-0077 resource "aws_rds_cluster" "rds_cluster" { allow_major_version_upgrade = var.allow_major_version_upgrade diff --git a/modules/aws/S3-Account/s3_account.tf b/modules/aws/S3-Account/s3_account.tf index 9c30c92..bad8406 100644 --- a/modules/aws/S3-Account/s3_account.tf +++ b/modules/aws/S3-Account/s3_account.tf @@ -42,6 +42,9 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" { restrict_public_buckets = var.restrict_public_buckets } +# Ignore: AVD-AWS-0132 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-00132) +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# trivy:ignore:AVD-AWS-0132 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" { bucket = aws_s3_bucket.s3_bucket.id diff --git a/modules/aws/S3-Account/variables.tf b/modules/aws/S3-Account/variables.tf index 31432aa..708209d 100644 --- a/modules/aws/S3-Account/variables.tf +++ b/modules/aws/S3-Account/variables.tf 
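Review bot: The two new `# Ignore:` lines both cite `AVD-AWS-0059`, while their links and the `# trivy:ignore:` directives refer to `AVD-AWS-0079` and `AVD-AWS-0077`, so the comment block no longer says which checks are suppressed or why; change them to `# Ignore: AVD-AWS-0079 (https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0079)` and `# Ignore: AVD-AWS-0077 (https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0077)`, and fix `explicitlty` → `explicitly`. Keeping each ID, its link and its reason on adjacent lines, rather than three IDs followed by three reasons, would make the block self-checking. As with the other hunks in this series, the existence of an optional variable is not by itself a reason to suppress an encryption or backup-retention finding unless its default already satisfies the check; the `kms_key_id` and `backup_retention_period` arguments are outside this hunk, so I cannot verify that here.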
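Review bot: The link in `# Ignore: AVD-AWS-0132 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-00132)` has an extra zero and will not resolve; it should be `https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132`. The reason again only says a KMS variable exists; the `rule`/`apply_server_side_encryption_by_default` block is past the end of the hunk, so whether the default is `aws:kms` with a customer key or plain `AES256` cannot be confirmed from here, and spelling that out in the reason would make the suppression auditable.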
@@ -30,10 +30,6 @@ variable "tags" { description = "Tags for the resources" default = {} } -variable "acl" { - type = string - description = "ACL to be applied to the bucket" -} variable "block_public_acls" { type = bool description = "Block public access to the bucket" diff --git a/modules/aws/SNS-Topic/sns_topic.tf b/modules/aws/SNS-Topic/sns_topic.tf index 50e1995..74d0036 100644 --- a/modules/aws/SNS-Topic/sns_topic.tf +++ b/modules/aws/SNS-Topic/sns_topic.tf @@ -9,6 +9,9 @@ # # -------------------------------------------------------------------------------------- +# Ignore: AVD-AWS-0095 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0095) +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# trivy:ignore:AVD-AWS-0095 resource "aws_sns_topic" "sns_topic" { name = join("-", [var.project, var.application, var.environment, var.region, var.topic_name]) kms_master_key_id = var.kms_master_key_id diff --git a/modules/aws/Secret-Manager-Secret/secret_manager_secret.tf b/modules/aws/Secret-Manager-Secret/secret_manager_secret.tf index 68e3fd0..cad7348 100644 --- a/modules/aws/Secret-Manager-Secret/secret_manager_secret.tf +++ b/modules/aws/Secret-Manager-Secret/secret_manager_secret.tf @@ -9,6 +9,9 @@ # # -------------------------------------------------------------------------------------- +# Ignore: AVD-AWS-0098 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0098) +# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption +# trivy:ignore:AVD-AWS-0098 resource "aws_secretsmanager_secret" "secretsmanager_secret" { name = var.secret_name recovery_window_in_days = var.recovery_window_in_days diff --git a/modules/aws/Security-Group/security_group.tf b/modules/aws/Security-Group/security_group.tf index d2d24f3..d8d54f8 100644 --- a/modules/aws/Security-Group/security_group.tf +++ b/modules/aws/Security-Group/security_group.tf 
@@ -9,6 +9,9 @@ # # -------------------------------------------------------------------------------------- +# Ignore: AVD-AWS-0099 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0099) +# Reason: Description is a required variable for the security group +# trivy:ignore:AVD-AWS-0099 resource "aws_security_group" "security_group" { name = join("-", [var.project, var.application, var.environment, var.region, "sg"]) description = var.description From ed1fdd8b4ee096e709e74849062b7df90e6cef83 Mon Sep 17 00:00:00 2001 From: Ranika Madurawe Date: Mon, 11 Nov 2024 11:32:58 +0530 Subject: [PATCH 5/5] Update trivyignore --- .trivyignore | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..6b36426 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,3 @@ +# Ignore +AVD-AWS-0052 +AVD-AWS-0053
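Review bot: Suppressing AVD-AWS-0099 because `description` is a required variable only holds if the variable cannot be empty, and Terraform will happily accept `""`, which is exactly what the check is about. Adding a `validation` block to `var.description` with `condition = length(trimspace(var.description)) > 0` and a matching `error_message` would make the stated reason true; alternatively drop the ignore, since trivy resolves variable values where the module call or a tfvars file is in scope of the scan.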
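Review bot: `.trivyignore` suppresses `AVD-AWS-0052` and `AVD-AWS-0053` for the whole repository with only `# Ignore` as rationale, while every inline suppression in this series carries an `# Ignore:` link and a `# Reason:` line. A global entry is stronger than an inline one, since it also hides any future resource that trips the same check, so it deserves at least the same documentation, e.g. `# AVD-AWS-0052, AVD-AWS-0053 (<link>): <what the finding is>; accepted because <reason>; owner <team>; revisit <date>`. If only one module needs these suppressed, prefer the inline `# trivy:ignore:` form used everywhere else.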