Update modules #85

merged 5 commits into from
Nov 11, 2024
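--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Ignore
+AVD-AWS-0052
+AVD-AWS-0053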
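Review bot: The two repository-wide suppressions carry only `# Ignore` and no reason, unlike every inline `trivy:ignore` this PR adds, so a reader cannot tell why AVD-AWS-0052 and AVD-AWS-0053 are acceptable or which module raises them. Because `.trivyignore` applies to every module scanned from the repo root, a finding that is tolerable in one module is silenced in all of them. Add a `# Reason:` line per ID that names the module and the justification, or move the suppression next to the resource that triggers it as the other files in this PR do.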
3 changes: 3 additions & 0 deletions modules/aws/Cloud-Watch-Log-Group/log_group.tf
Expand Up @@ -9,6 +9,9 @@
#
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0017 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017)
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# trivy:ignore:AVD-AWS-0017
resource "aws_cloudwatch_log_group" "log_group" {
name = var.log_group_name
retention_in_days = var.retention_in_days
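Review bot: The reason line `# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption` does not name a variable as it exists in the module (the visible references use lowercase `var.` names such as `var.retention_in_days`), and it says nothing about what happens when a caller leaves the key unset, which is precisely the condition the suppressed check reports. The same sentence is repeated in CloudTrail-Logs, RDS-Aurora, S3-Account, SNS-Topic and Secret-Manager-Secret; in SNS-Topic the attribute actually read is `var.kms_master_key_id`, so the wording is already out of step with the code. Rewrite it per module with the real name and default, e.g. `# Reason: encryption key comes from var.<kms variable>; default <value> means <effect on the resource>` (placeholders to be filled from each module's variables.tf), so the suppression can be audited. The resource body continues outside the hunk.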
3 changes: 3 additions & 0 deletions modules/aws/CloudTrail-Logs/cloudtrail_logs.tf
Expand Up @@ -9,6 +9,9 @@
#
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0015 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017)
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# trivy:ignore:AVD-AWS-0015
# trivy:ignore:AVD-AWS-0162 # TODO: fix this
resource "aws_cloudtrail" "cloudtrail_config" {
name = join("-", [var.project, var.application, var.environment, var.region, "cloudtrail-log-config"])
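Review bot: The link on the `# Ignore: AVD-AWS-0015` line points at `avd-aws-0017`, so the comment documents a different check than the one suppressed by `# trivy:ignore:AVD-AWS-0015`; the URL should end in `avd-aws-0015`. The added `# trivy:ignore:AVD-AWS-0162 # TODO: fix this` silences a second check with no reason recorded, and a bare TODO on a suppression line tends to outlive the PR. Give AVD-AWS-0162 its own `# Ignore:` / `# Reason:` pair and reference a tracking issue in the TODO. The resource body continues outside the hunk.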
90 changes: 48 additions & 42 deletions modules/aws/ECR/ecr.tf
Expand Up @@ -32,53 +32,59 @@ resource "aws_ecr_repository" "ecr_repository" {
}
}

resource "aws_iam_policy" "ecr_admin_iam_policy" {
name = join("-", [local.name_prefix, "ecr-admin-iam-policy"])
data "aws_iam_policy_document" "admin_policy" {
statement {
sid = "External Admin policy"
effect = "Allow"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
Effect = "Allow",
Resource = aws_ecr_repository.ecr_repository.arn
}
principals {
type = "AWS"
identifiers = var.external_admin_account_ids
}

actions = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
]
})
depends_on = [
aws_ecr_repository.ecr_repository
]
tags = var.tags
}
}

resource "aws_ecr_repository_policy" "admin_policy" {
repository = aws_ecr_repository.ecr_repository.name
policy = data.aws_iam_policy_document.admin_policy.json
}

resource "aws_iam_policy" "ecr_pull_only_iam_policy" {
name = join("-", [local.name_prefix, "ecr-pull-only-iam-policy"])
data "aws_iam_policy_document" "pull_only_policy" {
statement {
sid = "External Pull only policy"
effect = "Allow"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
],
Effect = "Allow",
Resource = aws_ecr_repository.ecr_repository.arn
}
principals {
type = "AWS"
identifiers = var.external_pull_only_account_ids
}

actions = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
})
tags = var.tags
}
}

depends_on = [
aws_ecr_repository.ecr_repository
]
resource "aws_ecr_repository_policy" "pull_only_policy" {
repository = aws_ecr_repository.ecr_repository.name
policy = data.aws_iam_policy_document.pull_only_policy.json
}
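Review bot: `aws_ecr_repository_policy.admin_policy` and `aws_ecr_repository_policy.pull_only_policy` both target `aws_ecr_repository.ecr_repository.name`, but an ECR repository holds exactly one policy document, so whichever resource applies last overwrites the other and the next plan shows the loser as drifted. Merge the two statements into a single `aws_iam_policy_document` and attach it with one `aws_ecr_repository_policy`. The admin statement also hands external accounts `ecr:SetRepositoryPolicy` and `ecr:DeleteRepositoryPolicy`, which lets those principals rewrite or remove the very document that scopes their access; keep policy management in the owning account unless that delegation is deliberate, in which case say so in a comment. What the provider emits when `var.external_admin_account_ids` keeps its `[]` default (a statement whose `principals` block has no identifiers) is worth verifying before merge. The hunk starts inside `aws_ecr_repository.ecr_repository`, whose opening is outside the hunk.
```terraform
data "aws_iam_policy_document" "repository_policy" {
  statement {
    sid    = "External Admin policy"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = var.external_admin_account_ids
    }

    actions = [
      # … unchanged: admin action list, with the two
      #   policy-management actions removed …
    ]
  }

  statement {
    sid    = "External Pull only policy"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = var.external_pull_only_account_ids
    }

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ]
  }
}

# One policy per repository: both statements live in the same document.
resource "aws_ecr_repository_policy" "repository_policy" {
  repository = aws_ecr_repository.ecr_repository.name
  policy     = data.aws_iam_policy_document.repository_policy.json
}
```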
8 changes: 0 additions & 8 deletions modules/aws/ECR/outputs.tf
Expand Up @@ -9,14 +9,6 @@
#
# --------------------------------------------------------------------------------------

output "ecr_admin_iam_policy_arn" {
value = aws_iam_policy.ecr_admin_iam_policy.arn
depends_on = [aws_iam_policy.ecr_admin_iam_policy]
}
output "ecr_pull_only_iam_policy_arn" {
value = aws_iam_policy.ecr_pull_only_iam_policy.arn
depends_on = [aws_iam_policy.ecr_pull_only_iam_policy]
}
output "ecr_id" {
value = aws_ecr_repository.ecr_repository.id
depends_on = [aws_ecr_repository.ecr_repository]
10 changes: 10 additions & 0 deletions modules/aws/ECR/variables.tf
Expand Up @@ -60,3 +60,13 @@ variable "generate_name" {
description = "Whether to generate name for the image repository"
default = false
}
variable "external_admin_account_ids" {
type = list(string)
description = "List of external admin account IDs"
default = []
}
variable "external_pull_only_account_ids" {
type = list(string)
description = "List of external pull only account IDs"
default = []
}
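Review bot: `external_admin_account_ids` and `external_pull_only_account_ids` are used as `AWS` principals in the ECR repository policy, yet nothing constrains their contents; a typo or a pasted ARN fails only at apply time, and a stray wildcard would be handed straight to the policy. Add a `validation` block to each that accepts only 12-digit account IDs (or, if ARNs are intended, say so in the description and validate that shape instead). The description should also state that these principals are granted access to the repository from outside the account, since that is the security-relevant effect of populating them.
```terraform
variable "external_admin_account_ids" {
  type        = list(string)
  description = "AWS account IDs (12 digits) granted admin access to this repository via its resource policy"
  default     = []

  validation {
    condition     = alltrue([for id in var.external_admin_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Each entry must be a 12-digit AWS account ID."
  }
}
# … same validation for external_pull_only_account_ids …
```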
3 changes: 2 additions & 1 deletion modules/aws/EKS-Cluster/iam_role.tf
Expand Up @@ -175,7 +175,8 @@ resource "aws_iam_policy" "cluster_loadbalancer_policy" {
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags"
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListenerAttributes"
],
Resource : "*"
},
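Review bot: The new `elasticloadbalancing:DescribeListenerAttributes` entry is added with no comment saying which component needs it, and this statement is scoped to `Resource : "*"`, so a later reviewer cannot tell whether the entry may be dropped. Presumably the list mirrors the IAM policy shipped with the AWS Load Balancer Controller (the resource is named `cluster_loadbalancer_policy`); if so, a comment above the action list such as `# Mirrors the upstream load balancer controller IAM policy; re-sync when upgrading (controller version: <version>)` records that provenance. The enclosing `aws_iam_policy` starts and ends outside the hunk.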
10 changes: 10 additions & 0 deletions modules/aws/EKS-Node-Group/iam_role.tf
Expand Up @@ -59,6 +59,16 @@ resource "aws_iam_role_policy_attachment" "amazon_ec2_container_registry_read_on
]
}

resource "aws_iam_role_policy_attachment" "amazon_ssm_managed_instance_core" {
count = var.enable_ssm_access == false ? 0 : 1
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = aws_iam_role.iam_role.name

depends_on = [
aws_iam_role.iam_role
]
}

/* TODO:: Review and remove if not required
resource "aws_iam_role_policy_attachment" "amazon_cloud_watch_agent_policy" {
policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
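Review bot: `count = var.enable_ssm_access == false ? 0 : 1` compares a bool against `false` and then swaps the branches; `count = var.enable_ssm_access ? 1 : 0` says the same thing directly. Attaching `AmazonSSMManagedInstanceCore` lets SSM (including Session Manager) reach every node in the group, so a one-line comment on the resource, `# Opt-in: grants SSM/Session Manager access to all nodes in this group`, tells whoever flips the flag what they are enabling. Gating it behind a default-off variable is the right shape.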
5 changes: 5 additions & 0 deletions modules/aws/EKS-Node-Group/variables.tf
Expand Up @@ -98,3 +98,8 @@ variable "custom_ami_id" {
description = "Custom AMI ID to be used for the node group"
default = null
}
variable "enable_ssm_access" {
type = bool
description = "Flag to enable SSM access"
default = false
}
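Review bot: The description `Flag to enable SSM access` does not say what the flag does; in `iam_role.tf` it attaches the `AmazonSSMManagedInstanceCore` managed policy to the node role. Suggest `description = "Attach AmazonSSMManagedInstanceCore to the node role so SSM/Session Manager can reach the nodes (default: disabled)"` so the consequence is visible from the module interface.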
6 changes: 6 additions & 0 deletions modules/aws/RDS-Aurora/rds.tf
Expand Up @@ -10,8 +10,14 @@
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0343 (https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0343/)
# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0079)
# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0077)
# Reason: Delete protection has been configured as an optional parameter as this will depend on the usage of the RDS
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# Reason: Variable backup_retention_period is defined and can be used for explicitlty setting backup retention
# trivy:ignore:AVD-AWS-0343
# trivy:ignore:AVD-AWS-0079
# trivy:ignore:AVD-AWS-0077
resource "aws_rds_cluster" "rds_cluster" {

allow_major_version_upgrade = var.allow_major_version_upgrade
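Review bot: Both added `# Ignore:` labels read `AVD-AWS-0059`, but their links and the `trivy:ignore` directives below suppress `AVD-AWS-0079` and `AVD-AWS-0077`, so the labels do not match what is actually ignored. The three `# Reason:` lines are also stacked as a block, leaving the reader to guess which reason belongs to which ID. Group each suppression as its own `# Ignore:` / `# Reason:` / `# trivy:ignore:` triple with the correct ID on the label line. The resource body continues outside the hunk.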
8 changes: 3 additions & 5 deletions modules/aws/S3-Account/s3_account.tf
Expand Up @@ -18,11 +18,6 @@ resource "aws_s3_bucket" "s3_bucket" {
tags = var.tags
}

resource "aws_s3_bucket_acl" "bucket_acl" {
bucket = aws_s3_bucket.s3_bucket.id
acl = var.acl
}

# Ignore: AVD-AWS-0090 (https://avd.aquasec.com/misconfig/avd-aws-0090)
# Reason: Versioning has been enabled as a parameter with default value true
# trivy:ignore:AVD-AWS-0090
Expand All @@ -47,6 +42,9 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
restrict_public_buckets = var.restrict_public_buckets
}

# Ignore: AVD-AWS-0132 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-00132)
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# trivy:ignore:AVD-AWS-0132
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" {
bucket = aws_s3_bucket.s3_bucket.id

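Review bot: The link on `# Ignore: AVD-AWS-0132` ends in `avd-aws-00132` (an extra zero), so it does not point at the check being suppressed; it should read `avd-aws-0132`. Deleting `aws_s3_bucket_acl.bucket_acl` in the first hunk most likely only drops the resource from state, leaving whatever ACL was last applied on already-provisioned buckets, so the PR description should say whether existing buckets need their ACL reset or whether ownership controls make the ACL irrelevant; no `aws_s3_bucket_ownership_controls` resource is visible from here. The encryption configuration body continues outside the second hunk.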
4 changes: 0 additions & 4 deletions modules/aws/S3-Account/variables.tf
Expand Up @@ -30,10 +30,6 @@ variable "tags" {
description = "Tags for the resources"
default = {}
}
variable "acl" {
type = string
description = "ACL to be applied to the bucket"
}
variable "block_public_acls" {
type = bool
description = "Block public access to the bucket"
3 changes: 3 additions & 0 deletions modules/aws/SNS-Topic/sns_topic.tf
Expand Up @@ -9,6 +9,9 @@
#
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0095 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0095)
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# trivy:ignore:AVD-AWS-0095
resource "aws_sns_topic" "sns_topic" {
name = join("-", [var.project, var.application, var.environment, var.region, var.topic_name])
kms_master_key_id = var.kms_master_key_id
3 changes: 3 additions & 0 deletions modules/aws/Secret-Manager-Secret/secret_manager_secret.tf
Expand Up @@ -9,6 +9,9 @@
#
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0098 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0098)
# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
# trivy:ignore:AVD-AWS-0098
resource "aws_secretsmanager_secret" "secretsmanager_secret" {
name = var.secret_name
recovery_window_in_days = var.recovery_window_in_days
3 changes: 3 additions & 0 deletions modules/aws/Security-Group/security_group.tf
Expand Up @@ -9,6 +9,9 @@
#
# --------------------------------------------------------------------------------------

# Ignore: AVD-AWS-0099 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0099)
# Reason: Description is a required variable for the security group
# trivy:ignore:AVD-AWS-0099
resource "aws_security_group" "security_group" {
name = join("-", [var.project, var.application, var.environment, var.region, "sg"])
description = var.description