From e59807f4f3ae945a768ed2d5dfc71e2c9c0be704 Mon Sep 17 00:00:00 2001 From: maxim Date: Mon, 15 Nov 2021 16:08:44 +0600 Subject: [PATCH] doc: move TFSEC notes from README.md into separate file --- README.md | 101 +------------------------------------------------- docs/TFSEC.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 100 insertions(+), 100 deletions(-) create mode 100644 docs/TFSEC.md diff --git a/README.md b/README.md index f026fa31..ddc9fddb 100644 --- a/README.md +++ b/README.md 
@@ -461,106 +461,7 @@ This boiler installs all basic and necessary components. However, we also provid ## TFSEC -We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below: - -| Layer | Security issue | Description | Why skipped? | -| ---------------------------------------------- | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | -| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | -| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. 
| -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. 
| -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | -| layer2-k8s/locals.tf | general-secrets-sensitive-in-local | Local 'locals.' includes a potentially sensitive value which is defined within the project | tfsec complains on helm_repo_external_secrets url because it contains the word *secret* | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. 
By default we allow it to manage all zones | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress 
| Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[4]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | 
We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We don't want to deny egress traffic in a default installation | -| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | 
kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | 
We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 
'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | -| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | - +[TFSEC](docs/TFSEC.md): Notes related to tfsec ignores ## Contributing diff --git a/docs/TFSEC.md b/docs/TFSEC.md new file mode 100644 index 00000000..36860257 --- /dev/null +++ b/docs/TFSEC.md 
@@ -0,0 +1,99 @@ +We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below: + +| Layer | Security issue | Description | Why skipped? | +| ---------------------------------------------- | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | +| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | +| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. 
| +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. 
| +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | +| layer2-k8s/locals.tf | general-secrets-sensitive-in-local | Local 'locals.' includes a potentially sensitive value which is defined within the project | tfsec complains on helm_repo_external_secrets url because it contains the word *secret* | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. 
By default we allow it to manage all zones | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress 
| Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[4]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | 
We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We don't want to deny egress traffic in a default installation | +| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 
'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | 
kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| 
modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | 
We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 
'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks only on certain port and certain pods | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) | +| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
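Review bot: the `kubernetes-network-no-public-egress` row for `module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]` describes the finding as "allows all ingress traffic by default" while its justification column reads "We don't want to deny egress traffic in a default installation", and the same resource appears again a few rows later with the expected "allows all egress traffic by default" wording; one of the two looks like a copy-paste slip, so please check the tfsec output and either drop the duplicate row or correct its description column. Two smaller points on the same table: "trafic" is misspelled in every "We deny all ingress trafic by default, but tfsec doesn't work as expected (bug)" row, and since those rows skip a finding on the grounds of a scanner bug, consider linking the upstream tfsec issue next to the justification so the skips can be revisited and removed once it is fixed, rather than staying in the table indefinitely. Minor grammar in the pritunl egress row: "it need to have egress traffic to anywhere by default" should read "it needs to have egress traffic to anywhere by default".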