diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c7373162..6e405183 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,13 +1,13 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform.git
- rev: v1.94.1
+ rev: v1.97.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
 - id: terraform_validate
- - id: terraform_tfsec
+ - id: terraform_trivy
 args:
- - --args=--config-file=__GIT_WORKING_DIR__/.tfsec.yaml
+ - --args=--skip-dirs="**/.terraform"
 - id: terraform_tflint
 args:
 - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
diff --git a/.tfsec.yaml b/.tfsec.yaml
deleted file mode 100644
index 7146b878..00000000
--- a/.tfsec.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Ignore rules for the whole repository
-# It is preferable to ignore per resource: https://aquasecurity.github.io/tfsec/v1.28.1/guides/configuration/ignores/
-exclude:
- # Demo cluster, need to work on security best-practices for real production
- - aws-s3-encryption-customer-key
- - aws-s3-enable-bucket-logging
- - aws-ec2-no-public-egress-sgr
- - aws-ec2-no-excessive-port-access
- - aws-ec2-no-public-ingress-acl
- - aws-ec2-no-excessive-port-access
- - aws-ec2-no-public-ip-subnet
- - aws-ec2-require-vpc-flow-logs-for-all-vpcs
- - aws-eks-enable-control-plane-logging
diff --git a/opentofu/eks/iam.tf b/opentofu/eks/iam.tf
index 5ce85638..e94c5714 100644
--- a/opentofu/eks/iam.tf
+++ b/opentofu/eks/iam.tf
@@ -43,7 +43,7 @@ module "irsa_crossplane" {
 }
 }
-#tfsec:ignore:aws-iam-no-policy-wildcards
+#trivy:ignore:AVD-AWS-0342
 resource "aws_iam_policy" "crossplane_iam" {
 name = "crossplane_iam_${var.cluster_name}"
 path = "/"
@@ -93,8 +93,6 @@ resource "aws_iam_policy" "crossplane_iam" {
 EOF
 }
-# Managing all the security groups can be a security issue, didn't find a way to restrict to the ones created by Crossplane so far
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_ec2" {
 name = "crossplane_ec2_${var.cluster_name}"
 path = "/"
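Review bot: The repo-wide exclusions that lived in .tfsec.yaml have no replacement in the new terraform_trivy hook, and only three of them resurface as inline ignores elsewhere in this commit (unrestricted egress, IAM wildcards, KMS rotation). The remaining ones — S3 customer-managed-key encryption, S3 bucket logging, excessive port access, public-ingress ACL, public-IP subnets and VPC flow logs — are either fixed, no longer reported by trivy, or will fail the hook on its next run, and the commit does not say which. A short comment on the hook, e.g. `# tfsec exclusions moved to inline #trivy:ignore comments; the other former exclusions are expected to scan clean`, or a pointer to where those rules were addressed, would make the migration auditable. The `--skip-dirs="**/.terraform"` argument also deserves a one-line comment stating that downloaded module and provider sources are intentionally kept out of the scan.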
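Review bot: The suppression on `crossplane_iam` changes identity to `AVD-AWS-0342` without a comment saying which finding it covers, while the sibling policies `crossplane_ec2`, `crossplane_eks`, `crossplane_s3` and `crossplane_kms` (the `@@ -93`, `@@ -128`, `@@ -153` and `@@ -200` hunks) and `openbao-kms-unseal` in opentofu/openbao/cluster/iam.tf lose their wildcard suppression entirely. If trivy still reports wildcard actions or resources on those policies the hook will now fail, and if it does not, a reader cannot tell whether the policies were tightened or the check is simply scoped differently. The `@@ -93` hunk also deletes the only written rationale (`Managing all the security groups can be a security issue ...`); that explanation should stay next to the policy whichever scanner is in use. I would write the ignore as `#trivy:ignore:AVD-AWS-0342 # <why the wildcard is required and what bounds it>` with the reason filled in, and confirm that AVD-AWS-0342 is the check that corresponds to the former aws-iam-no-policy-wildcards rule; the policy bodies are outside the hunks.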
@@ -128,7 +126,6 @@ resource "aws_iam_policy" "crossplane_ec2" {
 EOF
 }
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_eks" {
 name = "crossplane_eks_${var.cluster_name}"
 path = "/"
@@ -153,7 +150,6 @@ resource "aws_iam_policy" "crossplane_eks" {
 EOF
 }
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_s3" {
 name = "crossplane_s3_${var.cluster_name}"
 path = "/"
@@ -200,7 +196,6 @@ resource "aws_iam_policy" "crossplane_s3" {
 EOF
 }
-#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "crossplane_kms" {
 name = "crossplane_kms_${var.cluster_name}"
 path = "/"
diff --git a/opentofu/eks/karpenter.tf b/opentofu/eks/karpenter.tf
index 481a24ee..b7f07d44 100644
--- a/opentofu/eks/karpenter.tf
+++ b/opentofu/eks/karpenter.tf
@@ -1,3 +1,4 @@
+#trivy:ignore:AVD-AWS-0342
 module "karpenter" {
 source = "terraform-aws-modules/eks/aws//modules/karpenter"
 version = "~> 20.0"
diff --git a/opentofu/eks/main.tf b/opentofu/eks/main.tf
index 556db8b7..c4d1c672 100644
--- a/opentofu/eks/main.tf
+++ b/opentofu/eks/main.tf
@@ -1,6 +1,4 @@
-# Demo cluster we need to access to the API publicly
-#tfsec:ignore:aws-eks-no-public-cluster-access
-#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
+#trivy:ignore:AVD-AWS-0104 # Allow unrestricted egress traffic
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "~> 20"
@@ -11,6 +9,14 @@ module "eks" {
 bootstrap_self_managed_addons = false
+ cluster_enabled_log_types = [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler"
+ ]
+
 cluster_addons = {
 coredns = {
 most_recent = true
diff --git a/opentofu/openbao/cluster/iam.tf b/opentofu/openbao/cluster/iam.tf
index 80d75b7a..955293a6 100644
--- a/opentofu/openbao/cluster/iam.tf
+++ b/opentofu/openbao/cluster/iam.tf
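Review bot: The `#trivy:ignore:AVD-AWS-0342` placed on the whole `module "karpenter"` block suppresses that check for every IAM resource the module creates rather than for one statement, and carries no explanation. The ignore added to `openbao_outbound` in opentofu/openbao/cluster/security_group.tf has the same problem, and there the rule body (its `cidr_blocks`) is outside the hunk. Each of these should say what is being accepted and why, e.g. `#trivy:ignore:AVD-AWS-0342 # module-managed Karpenter controller policy; reviewed <date>` and `#trivy:ignore:AVD-AWS-0104 # nodes need egress to <destinations>; VPC-only egress not viable because <reason>`, so the suppression can be revisited when the module version or the network design changes. The `module "karpenter"` block continues outside the hunk.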
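Review bot: The two suppressions for public cluster API access and their rationale (`Demo cluster we need to access to the API publicly`) are removed from the top of `module "eks"`, but the only ignore that replaces them is for unrestricted egress, so the public-endpoint decision is no longer documented anywhere in this block. If the endpoint is still public, either trivy reports it and the hook fails, or it passes silently and a reader of main.tf can no longer tell that the exposure was deliberate; either way the comment should stay, e.g. `# Demo cluster: the API endpoint is intentionally public; restrict it with cluster_endpoint_public_access_cidrs before production use`. The module block continues outside the hunk, so I cannot see how `cluster_endpoint_public_access` is set.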
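Review bot: Enabling all five control-plane log types addresses the `aws-eks-enable-control-plane-logging` exclusion dropped from .tfsec.yaml, but nothing in the `@@ -11,6 +9,14 @@` hunk sets retention or encryption for the log group the module creates for them, so the module defaults apply. Audit and authenticator logs are the records you would rely on during an incident; consider setting `cloudwatch_log_group_retention_in_days` explicitly next to this list (and `cloudwatch_log_group_kms_key_id` if the rest of the stack encrypts logs with a CMK), with a comment naming the retention policy chosen. The `module "eks"` block continues outside the hunk.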
@@ -38,7 +38,6 @@ resource "aws_iam_role_policy_attachment" "ec2_read_only" {
 # For the auto unseal using AWS KMS
-#tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "openbao-kms-unseal" {
 statement {
 sid = "VaultKMSUnseal"
diff --git a/opentofu/openbao/cluster/kms.tf b/opentofu/openbao/cluster/kms.tf
index 9532bc5c..877de118 100644
--- a/opentofu/openbao/cluster/kms.tf
+++ b/opentofu/openbao/cluster/kms.tf
@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-kms-auto-rotate-keys
+#trivy:ignore:AVD-AWS-0104 trivy:ignore:AVD-AWS-0065
 resource "aws_kms_key" "openbao" {
 description = "OpenBao unseal key"
 deletion_window_in_days = 10
diff --git a/opentofu/openbao/cluster/security_group.tf b/opentofu/openbao/cluster/security_group.tf
index f10cc205..5f14c4ab 100644
--- a/opentofu/openbao/cluster/security_group.tf
+++ b/opentofu/openbao/cluster/security_group.tf
@@ -84,6 +84,7 @@ resource "aws_security_group_rule" "openbao_node_exporter" {
 cidr_blocks = [data.aws_vpc.selected.cidr_block]
 }
+#trivy:ignore:AVD-AWS-0104
 resource "aws_security_group_rule" "openbao_outbound" {
 description = "Allow OpenBao nodes to send outbound traffic"
 security_group_id = aws_security_group.openbao.id
diff --git a/opentofu/openbao/management/pki.tf b/opentofu/openbao/management/pki.tf
index a69044e3..6e02f352 100644
--- a/opentofu/openbao/management/pki.tf
+++ b/opentofu/openbao/management/pki.tf
@@ -17,7 +17,6 @@ resource "vault_pki_secret_backend_key" "this" {
 }
 # Create a CSR (Certificate Signing Request)
-#tfsec:ignore:general-secrets-no-plaintext-exposure
 resource "vault_pki_secret_backend_intermediate_cert_request" "this" {
 backend = vault_mount.this.path
 type = "existing"
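Review bot: `AVD-AWS-0104` on `aws_kms_key.openbao` looks misapplied — the same ID is annotated `Allow unrestricted egress traffic` in opentofu/eks/main.tf and attached to a security-group egress rule in security_group.tf in this very commit, so on a KMS key it suppresses nothing and only obscures intent. The rotation suppression (`AVD-AWS-0065`, carried over from the old aws-kms-auto-rotate-keys ignore) is also one worth dropping rather than migrating: AWS KMS keeps previous key material available for decryption after automatic rotation, so an unseal key can have `enable_key_rotation = true` without anything being re-wrapped. I would replace the added comment line with `enable_key_rotation = true` inside the resource, or, if rotation is deliberately off, keep a single `#trivy:ignore:AVD-AWS-0065 # <reason rotation is disabled>` with the reason spelled out; it is also worth checking that trivy honours a second directive on the same line. The resource body continues outside the hunk.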