Merge pull request #678 from Smana/refactor_trivy_migrate

refactor: replace deprecated tfsec with trivy

.pre-commit-config.yaml

@@ -1,13 +1,13 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform.git
-    rev: v1.94.1
+    rev: v1.97.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
       - id: terraform_validate
-      - id: terraform_tfsec
+      - id: terraform_trivy
         args:
-          - --args=--config-file=__GIT_WORKING_DIR__/.tfsec.yaml
+          - --args=--skip-dirs="**/.terraform"
       - id: terraform_tflint
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl

opentofu/eks/iam.tf

@@ -43,7 +43,7 @@ module "irsa_crossplane" {
   }
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
+#trivy:ignore:AVD-AWS-0342
 resource "aws_iam_policy" "crossplane_iam" {
   name        = "crossplane_iam_${var.cluster_name}"
   path        = "/"
@@ -93,8 +93,6 @@ resource "aws_iam_policy" "crossplane_iam" {
 EOF
 }
 
-# Managing all the security groups can be a security issue, didn't find a way to restrict to the ones created by Crossplane so far
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_ec2" {
   name        = "crossplane_ec2_${var.cluster_name}"
   path        = "/"
@@ -128,7 +126,6 @@ resource "aws_iam_policy" "crossplane_ec2" {
 EOF
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_eks" {
   name        = "crossplane_eks_${var.cluster_name}"
   path        = "/"
@@ -153,7 +150,6 @@ resource "aws_iam_policy" "crossplane_eks" {
 EOF
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_s3" {
   name        = "crossplane_s3_${var.cluster_name}"
   path        = "/"
@@ -200,7 +196,6 @@ resource "aws_iam_policy" "crossplane_s3" {
 EOF
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_kms" {
   name        = "crossplane_kms_${var.cluster_name}"
   path        = "/"

opentofu/eks/karpenter.tf

@@ -1,3 +1,4 @@
+#trivy:ignore:AVD-AWS-0342
 module "karpenter" {
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
   version = "~> 20.0"

opentofu/eks/main.tf

@@ -1,6 +1,4 @@
-# Demo cluster we need to access to the API publicly
-#tfsec:ignore:aws-eks-no-public-cluster-access
-#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
+#trivy:ignore:AVD-AWS-0104 # Allow unrestricted egress traffic
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 20"
@@ -11,6 +9,14 @@ module "eks" {
 
   bootstrap_self_managed_addons = false
 
+  cluster_enabled_log_types = [
+    "api",
+    "audit",
+    "authenticator",
+    "controllerManager",
+    "scheduler"
+  ]
+
   cluster_addons = {
     coredns = {
       most_recent = true

opentofu/openbao/cluster/iam.tf

@@ -38,7 +38,6 @@ resource "aws_iam_role_policy_attachment" "ec2_read_only" {
 
 
 # For the auto unseal using AWS KMS
-#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "openbao-kms-unseal" {
   statement {
     sid       = "VaultKMSUnseal"

opentofu/openbao/cluster/kms.tf

@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-kms-auto-rotate-keys
+#trivy:ignore:AVD-AWS-0104 trivy:ignore:AVD-AWS-0065
 resource "aws_kms_key" "openbao" {
   description             = "OpenBao unseal key"
   deletion_window_in_days = 10

opentofu/openbao/cluster/security_group.tf

@@ -84,6 +84,7 @@ resource "aws_security_group_rule" "openbao_node_exporter" {
   cidr_blocks       = [data.aws_vpc.selected.cidr_block]
 }
 
+#trivy:ignore:AVD-AWS-0104
 resource "aws_security_group_rule" "openbao_outbound" {
   description       = "Allow OpenBao nodes to send outbound traffic"
   security_group_id = aws_security_group.openbao.id

opentofu/openbao/management/pki.tf

@@ -17,7 +17,6 @@ resource "vault_pki_secret_backend_key" "this" {
 }
 
 # Create a CSR (Certificate Signing Request)
-#tfsec:ignore:general-secrets-no-plaintext-exposure
 resource "vault_pki_secret_backend_intermediate_cert_request" "this" {
   backend     = vault_mount.this.path
   type        = "existing"