
Add tfsec, and fix reported issues #240

Merged
merged 6 commits into from
Oct 19, 2021

Conversation

errm
Member

@errm errm commented Aug 24, 2021

tfsec uses static analysis of your terraform templates to spot potential security issues.

https://tfsec.dev/

Fixes #253

tfsec uses static analysis of your terraform templates to spot potential security issues.

https://tfsec.dev/
Long life KMS keys increase the attack surface when compromised

fixes: tfsec AWS019

https://tfsec.dev/docs/aws/kms/auto-rotate-keys#aws/kms
Log data may be leaked if the logs are compromised. No auditing of who has viewed the logs.

fixes: tfsec AWS089

https://tfsec.dev/docs/aws/cloudwatch/log-group-customer-key#aws/cloudwatch
Disables public access to EKS Clusters by default.

Fixes tfsec: AWS069

To keep the previous default behaviour you now need to set:

```hcl
endpoint_public_access       = true
endpoint_public_access_cidrs = ["0.0.0.0/0"]
```

https://tfsec.dev/docs/aws/eks/no-public-cluster-access#aws/eks
These IAM policies need wildcard rules for the correct functioning of
our name tagging script and the cluster autoscaler.

I think it is OK to have these wildcards as I can't think of
a more restrictive way to specify the required permissions.
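The three tfsec findings fixed by the commits above, each shown as the flagged resource beside its hardened form. This is an added example, not code from the PR or the cookpad module: it uses raw provider resources rather than the module's inputs, and `var.subnet_ids` and `aws_iam_role.cluster` are assumed to exist.

```hcl
# Added example, not code from the PR or the cookpad module. Raw provider
# resources are used; the module exposes the same settings as its own
# inputs. var.subnet_ids and aws_iam_role.cluster are assumed to exist.

# AWS019: key material that never rotates stays valid for every
# ciphertext ever produced, so one compromise exposes all history.
resource "aws_kms_key" "secrets_weak" {
  description = "EKS secret encryption key" # no enable_key_rotation -> flagged
}

resource "aws_kms_key" "secrets" {
  description         = "EKS secret encryption key"
  enable_key_rotation = true # yearly automatic rotation of key material
}

# AWS089: a log group without kms_key_id is flagged; with a customer
# managed key, every decrypt of log data is attributable in CloudTrail.
resource "aws_cloudwatch_log_group" "cluster" {
  name              = "/aws/eks/example/cluster"
  retention_in_days = 90
  kms_key_id        = aws_kms_key.secrets.arn
  # The key policy must let logs.<region>.amazonaws.com use the key,
  # otherwise CloudWatch Logs refuses to create the group.
}

# AWS069: a public endpoint reachable from 0.0.0.0/0 exposes the
# Kubernetes API to the whole internet.
resource "aws_eks_cluster" "weak" {
  name     = "example-weak"
  role_arn = aws_iam_role.cluster.arn
  vpc_config {
    subnet_ids             = var.subnet_ids
    endpoint_public_access = true
    public_access_cidrs    = ["0.0.0.0/0"] # -> tfsec AWS069
  }
}

resource "aws_eks_cluster" "hardened" {
  name     = "example"
  role_arn = aws_iam_role.cluster.arn
  vpc_config {
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true  # API stays reachable from the VPC
    endpoint_public_access  = false # module default after this PR
  }
  encryption_config { # envelope-encrypt Kubernetes secrets with the CMK
    resources = ["secrets"]
    provider { key_arn = aws_kms_key.secrets.arn }
  }
}
```

Running `tfsec .` over the directory reports the `*_weak` resources and passes the hardened ones; a private-only endpoint means kubectl and CI runners must reach the API from inside the VPC (or via a peered or VPN-connected network).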
@errm errm requested a review from a team as a code owner August 24, 2021 14:02
@errm errm requested review from mtpereira and aidy and removed request for a team August 24, 2021 14:02
@errm errm changed the title Add tfsec PR commenter Add tfsec, and fix reported issues Aug 24, 2021
@mtpereira
Contributor

👏 Really nice improvement!

❓ I've noticed that tfsec did not output anything: https://github.com/cookpad/terraform-aws-eks/runs/3411881464?check_suite_focus=true . Is this expected when there are no violations?

@mtpereira
Contributor

📝 This is probably something we should add to release notes:

> To keep the previous default behaviour you now need to set:
>
> ```hcl
> endpoint_public_access       = true
> endpoint_public_access_cidrs = ["0.0.0.0/0"]
> ```

@errm errm merged commit 16d6be2 into main Oct 19, 2021
@errm errm deleted the errm/tfsec branch October 19, 2021 15:40
@takanabe takanabe added the enhancement New feature or request label Nov 4, 2021
takanabe pushed a commit that referenced this pull request Nov 5, 2021
ettiee added a commit that referenced this pull request Nov 16, 2021
Since #240 we require secret encryption on all clusters. Users hit this bug after enabling secret encryption hashicorp/terraform-provider-aws#19986 unless using aws provider >=3.49.0
ettiee added a commit that referenced this pull request Dec 6, 2021
…anges

Add #240 as a breaking change in UPGRADING.md for 1.20 release
Successfully merging this pull request may close these issues.

Default behaviour of endpoint_public_access is not a secure default