Skip to content
This repository has been archived by the owner on Jan 17, 2024. It is now read-only.

Sets required_providers to ~> 5.30 #129

Merged
merged 1 commit into from
Jan 16, 2024
Merged

Sets required_providers to ~> 5.30 #129

merged 1 commit into from
Jan 16, 2024

Conversation

mikereiddigital
Copy link
Contributor

Sets required_providers version to ~> 5.30 instead of the 5.32 offered by dependabot so it's in line with the required version in other module repos.

@mikereiddigital mikereiddigital requested a review from a team as a code owner January 16, 2024 11:52
@github-actions GitHub Actions
Copy link
Contributor

TFSEC Scan Success

Show Output ```hcl

TFSEC will check the following folders:
.

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
https://github.com/aquasecurity/tfsec/discussions/1994

timings
──────────────────────────────────────────
disk i/o 97.482µs
parsing 2.816095ms
adaptation 379.909µs
checks 3.456749ms
total 6.750235ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 60
files read 4

results
──────────────────────────────────────────
passed 6
ignored 34
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 70, Failed checks: 10, Skipped checks: 10

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /main.tf:235-256
	Calling File: /test/unit-test/main.tf:1-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		235 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		236 |   family             = "${var.app_name}-task-definition"
		237 |   count              = var.container_instance_type == "windows" ? 1 : 0
		238 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
		239 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn
		240 |   requires_compatibilities = [
		241 |     "EC2",
		242 |   ]
		243 | 
		244 |   volume {
		245 |     name = var.task_definition_volume
		246 |   }
		247 | 
		248 |   container_definitions = var.task_definition
		249 | 
		250 |   tags = merge(
		251 |     var.tags_common,
		252 |     {
		253 |       Name = "${var.app_name}-windows-task-definition"
		254 |     }
		255 |   )
		256 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /main.tf:458-468
	Calling File: /test/unit-test/main.tf:1-30

		458 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		459 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		460 |   name              = "${var.app_name}-ecs"
		461 |   retention_in_days = 30
		462 |   tags = merge(
		463 |     var.tags_common,
		464 |     {
		465 |       Name = "${var.app_name}-ecs-cloudwatch-group"
		466 |     }
		467 |   )
		468 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output 



      		
    

  





        


            

              
            

        

      


      

            
  

    
  
  

  

  



    












      

  
          

  

    
  

  


        
        @mikereiddigital
  mikereiddigital



        merged commit da1edfc
      into

      
  
    main
  


    Jan 16, 2024

      

        2 of 5 checks passed
      


      

        
          
  
  

        
      

  







  

  
  

  
      @mikereiddigital
  mikereiddigital


    
    deleted the
    
      
        required-providers-530
    
    branch

    
      January 16, 2024 11:57
    
    













  
  

    

      

  




    


    

      

             

  
      Sign up for free
      to subscribe to this conversation on GitHub.
      Already have an account?
      Sign in.


  


      

    

  




  
          




      

  

    

    
  

    Reviewers
  


    


        

          

  
    @ep-93
  
    ep-93



          
            
              
            
          
          ep-93 approved these changes

        


      






    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

    None yet







      

  

    

        

    Projects
  


        




    None yet




  



      

  

    
  

    Milestone
  


      No milestone





    
      
          


  

    
      

        
    

    Development
  



          



Successfully merging this pull request may close these issues.


  
    
None yet

  




    
  




        
      

    

  
      

  

    

      2 participants
    

    

        
          @mikereiddigital 
        
          @ep-93