tfsec 문제 해결

.github/workflows/cd.yml

@@ -61,8 +61,9 @@ jobs:
           declare -A DEPENDENCY_MAP=(
             ["prod-team-account/vpc"]=""
             ["prod-team-account/iam"]=""
+            ["prod-team-account/acm"]=""
             ["operation-team-account/ecr"]="prod-team-account/iam"
-            ["prod-team-account/alb"]="prod-team-account/vpc"
+            ["prod-team-account/alb"]="prod-team-account/vpc prod-team-account/acm"
             ["prod-team-account/ecs"]="prod-team-account/vpc prod-team-account/iam prod-team-account/alb operation-team-account/ecr"
             ["prod-team-account/codedeploy"]="prod-team-account/ecs"
           )

prod-team-account/acm/backend.tf

@@ -1,8 +1,9 @@
 terraform {
   backend "s3" {
     bucket         = "cloudfence-prod-state"
-    key            = "prod-team-account/acm/terraform.tfstate" 
+    key            = "prod-team-account/acm/terraform.tfstate"
     region         = "ap-northeast-2"
     dynamodb_table = "s3-prod-lock"
+    encrypt        = true
   }
 }

prod-team-account/acm/main.tf

@@ -10,9 +10,9 @@ provider "aws" {
 
 # ACM 인증서 요청
 resource "aws_acm_certificate" "cert" {
-  domain_name       = var.domain_name
+  domain_name               = var.domain_name
   subject_alternative_names = ["*.${var.domain_name}"]
-  validation_method = "DNS"
+  validation_method         = "DNS"
 
   lifecycle {
     create_before_destroy = true
@@ -23,9 +23,9 @@ resource "aws_acm_certificate" "cert" {
 resource "aws_route53_record" "cert_validation" {
   for_each = {
     for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
-      name    = dvo.resource_record_name
-      record  = dvo.resource_record_value
-      type    = dvo.resource_record_type
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
     }
   }
 

prod-team-account/alb/main.tf

@@ -15,9 +15,9 @@ provider "aws" {
 data "terraform_remote_state" "acm" {
   backend = "s3"
   config = {
-    bucket         = "cloudfence-prod-state"
-    key            = "prod-team-account/acm/terraform.tfstate"
-    region         = "ap-northeast-2"
+    bucket = "cloudfence-prod-state"
+    key    = "prod-team-account/acm/terraform.tfstate"
+    region = "ap-northeast-2"
   }
 }
 
@@ -71,6 +71,8 @@ resource "aws_wafv2_web_acl" "alb_waf" {
 }
 
 # ALB
+# 외부 사용자를 위한 로드 밸런서이므로 외부에 노출해야해서 tfsec 경고 무시
+#tfsec:ignore:aws-elb-alb-not-public
 resource "aws_lb" "alb" {
   name               = "${var.project_name}-alb"
   internal           = false
@@ -79,8 +81,8 @@ resource "aws_lb" "alb" {
   subnets            = data.terraform_remote_state.vpc.outputs.public_subnet_ids
 
 
-    drop_invalid_header_fields = true
-    enable_deletion_protection = true
+  drop_invalid_header_fields = true
+  enable_deletion_protection = true
 
 
   tags = {
@@ -128,20 +130,19 @@ resource "aws_lb_target_group" "green" {
 }
 
 # ALB 리스너
-
 resource "aws_lb_listener" "https" {
-    load_balancer_arn = aws_lb.alb.arn
-    port              = 443
-    protocol          = "HTTPS"
-    ssl_policy        = "ELBSecurityPolicy-2016-08"
-    certificate_arn   = data.terraform_remote_state.acm.outputs.certificate_arn
-    default_action {
-        type = "forward"
-        target_group_arn = aws_lb_target_group.blue.arn
-    }
+  load_balancer_arn = aws_lb.alb.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+  certificate_arn   = data.terraform_remote_state.acm.outputs.certificate_arn
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.blue.arn
+  }
 }
 
-resource "aws_lb_listener" "http_redirect" {
+resource "aws_lb_listener" "https_redirect" {
   load_balancer_arn = aws_lb.alb.arn
   port              = 80
   protocol          = "HTTP"

prod-team-account/alb/outputs.tf

@@ -5,7 +5,7 @@ output "dns_name" {
 
 output "listener_arn" {
   description = "The ARN of the ALB listener"
-  value       = aws_lb_listener.http.arn
+  value       = aws_lb_listener.https.arn
 }
 
 output "blue_target_group_name" {
@@ -21,4 +21,4 @@ output "green_target_group_name" {
 output "blue_target_group_arn" {
   description = "The ARN of the blue target group"
   value       = aws_lb_target_group.blue.arn
-}
+}

prod-team-account/vpc/main.tf

@@ -23,6 +23,8 @@ resource "aws_vpc" "vpc" {
 }
 
 # subnet(public)
+# public 서브넷은 외부에서 접근 가능하도록 tfsec 경고 무시
+#tfsec:ignore:aws-ec2-no-public-ip-subnet
 resource "aws_subnet" "public1" {
   vpc_id                  = aws_vpc.vpc.id
   cidr_block              = "10.0.1.0/24"
@@ -33,6 +35,7 @@ resource "aws_subnet" "public1" {
   }
 }
 
+#tfsec:ignore:aws-ec2-no-public-ip-subnet
 resource "aws_subnet" "public2" {
   vpc_id                  = aws_vpc.vpc.id
   cidr_block              = "10.0.2.0/24"
@@ -135,38 +138,41 @@ resource "aws_route_table_association" "private2" {
 }
 
 # security_group
+# ALB를 위한 security group에서는 외부 사용자를위해 HTTPS(443) 포트만 열고 이후 tfsec 경고 무시
+#tfsec:ignore:aws-ec2-no-public-ingress-sgr
 resource "aws_security_group" "alb_sg" {
   name        = "${var.project_name}-alb-sg"
   description = "Security group for ALB"
   vpc_id      = aws_vpc.vpc.id
 
   ingress {
-    from_port   = 80
-    to_port     = 80
+    from_port   = 443
+    to_port     = 443
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
-    description = "Allow HTTP"
+    description = "Allow HTTPS"
   }
 
   egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
 }
 
 # ECS
+# ECS의 security group은 ALB에서 오는 트래픽만 허용하고, 외부로의 모든 트래픽을 허용하므로 tfsec 경고 무시
+#tfsec:ignore:aws-ec2-no-public-egress-sgr
 resource "aws_security_group" "ecs_sg" {
   name        = "${var.project_name}-ecs-sg"
   description = "Security group for ECS tasks"
   vpc_id      = aws_vpc.vpc.id
 
   ingress {
-    from_port       = 80
-    to_port         = 80
-    protocol        = "tcp"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
     security_groups = [aws_security_group.alb_sg.id]
   }
 
@@ -176,5 +182,4 @@ resource "aws_security_group" "ecs_sg" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-}
+}