Follow up: CIS Compliance guide fixes #441
Conversation
✔️ Deploy Preview for keen-clarke-470db9 ready! 🔨 Explore the source changes: 11a6d7e 🔍 Inspect the deploy log: https://app.netlify.com/sites/keen-clarke-470db9/deploys/60edb2374c7cbc0008ce485b 😎 Browse the preview: https://deploy-preview-441--keen-clarke-470db9.netlify.app
Holy cannoli, that's a lot of stuff in the checklist. Can I help, since I've made a lot of these suggestions, and I've already made these changes in the LZ guide?
I took care of a few of these in #442 if that helps!
Ok, so I would like to merge this asap, otherwise, this is getting too big again. Is there any big blocker for this PR that is left for us to fix?
… better readability
Wohoo! Thanks for all the attention and feedback, @marinalimeira! Last round done! I hope to get this merged as soon as we can, so I guess if any other changes come up, I'm sure we can do separately. Thoughts?
LGTM!
Yay! Thanks, Yori ❤️
This PR is a follow up from the previous CIS Compliance guide PR to address all the NITs and additional feedback. This should help us to manage the changes better and see them easier (the last one was getting too big).
The NITs are taken from comments in this PR and translated into these checkboxes below:
Cleanup tasks:
- `accounts = {x,y,z}` to `accounts = jsondecode(file("accounts.json"))` - See comment
- `local.accounts["stage"]` to `local.accounts.stage` to be consistent across guides (e.g. the LZ guide) - See comment
- `us-east-1`, and replace with a generic placeholder - See comment
- `acme-*` specific placeholders with potentially `<RESOURCE_ACCOUNT>` like suggested here and here
- `name_prefix = "stage-logs"` with something unique like `name_prefix = "<SOME UNIQUE IDENTIFIER>-logs"` - See this comment
- `kms_cmk_arn = "arn:aws:kms:us-east-1:${local.accounts.shared}:alias/ami-encryption"` should be more generic - See this comment
- `force_destroy_*` params - we don't need those in a production guide - See this comment
- `max_session_duration_machine_users` and `max_session_duration_human_users` - See this comment

Readability tasks: more generic feedback to address (⚠️ Consider a separate PR for these if they're not small and quick changes)
- `common.hcl` to hold hard-coded values that are repeated across the code examples - See this comment
- `infra-modules` - See this comment
- `callout` format so it's easy for customers to spot - See this comment

Potential bugs: (⚠️ Consider a separate PR for these if they're not small and quick changes)
- `terraform source` on lines 978-979 - See this comment
- `auto-deploy` permissions in the root baseline example? Remove it, as we shouldn't be needing this access - See this comment
- `dev_services` in the `logs` account example - See this comment
- `logs` account example - See this comment & this one
- `auto-scaling` configuration from `logs` account - do we need any? - See this comment

Additional notes:
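The cleanup items above share one theme: replace literals that are specific to one environment (hard-coded account IDs, the `us-east-1` region, `stage-logs`, `force_destroy_*`) with values read from a file or left as generic placeholders. The following Terraform fragment is an added illustration of that pattern; it is not code from this PR or from the guide it edits. The `accounts.json` contents, the `<AWS_REGION>` placeholder, the `${path.module}` prefix and the `example_logs` resource name are assumptions made here.

```hcl
# Added example, not part of the guide. accounts.json is a constructed file
# placed next to this module, with contents such as:
#   {"logs": "111111111111", "shared": "222222222222", "stage": "333333333333"}
# Reading it with jsondecode keeps account IDs out of the published code.
locals {
  accounts = jsondecode(file("${path.module}/accounts.json"))
}

# Generic placeholders instead of environment-specific literals.
# <AWS_REGION> and <SOME UNIQUE IDENTIFIER> are placeholders the reader fills in.
variable "aws_region" {
  type    = string
  default = "<AWS_REGION>"
}

variable "name_prefix" {
  type    = string
  default = "<SOME UNIQUE IDENTIFIER>-logs"
}

locals {
  # Attribute syntax on the decoded object (local.accounts.stage), not
  # local.accounts["stage"], so the style matches the other guides.
  logs_account_id = local.accounts.logs
  stage_account_id = local.accounts.stage

  # The CMK ARN is built from the region variable and the shared account ID
  # rather than being spelled out with us-east-1 and a literal account number.
  kms_cmk_arn = "arn:aws:kms:${var.aws_region}:${local.accounts.shared}:alias/ami-encryption"
}

# Hypothetical resource showing the bucket name derived from the prefix.
# force_destroy is deliberately not set: the provider default (false) is the
# safe choice for a production guide, as the checklist above asks for.
resource "aws_s3_bucket" "example_logs" {
  bucket = "${var.name_prefix}-${local.logs_account_id}"
}
```

Because `accounts.json` is read at plan time, the same guide text works for every reader without edits to the HCL, and a reviewer can grep the published snippets for twelve-digit account IDs or region names to confirm nothing environment-specific slipped back in.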