TFSEC.md
We use GitHub Actions and tfsec to statically analyse our Terraform code for potential security issues. Some checks had to be skipped; they are listed below together with the reason each one is skipped:

| Layer (file) | Security issue | Description | Why skipped? |
|---|---|---|---|
| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use the recommended option. More info |
| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via the variable `eks_cluster_enabled_log_types` |
| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but it can be enabled by setting `eks_cluster_encryption_config_enable = true` in your tfvars file. |
| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create a publicly accessible EKS cluster, reachable from anywhere |
| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create a publicly accessible EKS cluster, reachable from anywhere |
| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use the recommended option. More info |
| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and by default it needs egress traffic to anywhere |
| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs ingress traffic from anywhere |
| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. |
| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use a condition to allow the actions only for certain autoscaling groups |
| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the recommended policy |
| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains about `local.elk_metricbeat_values` |
| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains about `local.elk_filebeat_values` |
| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains about `local.elk_apm_values` |
| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the documentation |
| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | cert-manager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[4]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[1]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks, but only on a certain port and for certain pods |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_secrets_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.loki_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.reloader_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks, but only on a certain port and for certain pods |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.cluster_autoscaler_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.certmanager_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks, but only on a certain port and for certain pods |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_node_termination_handler_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.external_dns_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[3]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks, but only on a certain port and for certain pods |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[4]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.gitlab_runner_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.elk_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[3]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.aws_load_balancer_controller_namespace[0]:kubernetes_network_policy.this[2]' allows ingress traffic from the internet | We allow traffic from 0.0.0.0/0 to trigger webhooks, but only on a certain port and for certain pods |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[2]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
| modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-ingress | Resource 'module.keda_namespace[0]:kubernetes_network_policy.this[0]' allows all ingress traffic by default | We deny all ingress traffic by default, but tfsec doesn't work as expected (bug) |
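A skip list like the one above only stays trustworthy if CI checks it against what tfsec actually reports. The script below is an added example written for this page, not code from the repository: it reads `tfsec --format json` output (run with `--include-ignored` so silenced checks are still emitted) and diffs the reported findings against the documented exceptions, so that a newly silenced check without a row in this table fails the build, and rows that tfsec no longer reports are flagged as stale and can be pruned. The JSON field names (`results[].long_id`, `results[].resource`, `results[].status` with 0 = failed, 1 = passed, 2 = ignored) are assumptions about tfsec's output format; the sample output is constructed, and the resource `module.aws_iam_new_thing[0]` in it is a hypothetical address that does not exist in the repository.

```python
"""Reconcile tfsec JSON results with the documented exception table (added example)."""
import json
from dataclasses import dataclass

# Documented exceptions as (rule id, resource address), i.e. the "Security issue" and
# the resource named in the "Description" column. Subset of the table for this example;
# the last entry is deliberately absent from the sample output so it shows up as stale.
DOCUMENTED_EXCEPTIONS = {
    ("aws-vpc-no-public-egress-sgr",
     "module.eks:aws_security_group_rule.cluster_egress_internet[0]"),
    ("aws-eks-encrypt-secrets", "module.eks:aws_eks_cluster.this[0]"),
    ("kubernetes-network-no-public-ingress",
     "module.loki_namespace[0]:kubernetes_network_policy.this[0]"),
    ("aws-iam-no-policy-wildcards",
     "module.aws_iam_autoscaler[0]:aws_iam_role_policy.this"),
}

# Constructed sample of `tfsec --format json --include-ignored` output.
# Assumed encoding of "status": 0 = failed, 1 = passed, 2 = ignored by an inline annotation.
SAMPLE_TFSEC_OUTPUT = json.dumps({"results": [
    {"long_id": "aws-vpc-no-public-egress-sgr", "status": 2, "severity": "CRITICAL",
     "resource": "module.eks:aws_security_group_rule.cluster_egress_internet[0]",
     "location": {"filename": "layer1-aws/aws-eks.tf", "start_line": 1}},
    {"long_id": "aws-eks-encrypt-secrets", "status": 2, "severity": "HIGH",
     "resource": "module.eks:aws_eks_cluster.this[0]",
     "location": {"filename": "layer1-aws/aws-eks.tf", "start_line": 1}},
    {"long_id": "kubernetes-network-no-public-ingress", "status": 2, "severity": "HIGH",
     "resource": "module.loki_namespace[0]:kubernetes_network_policy.this[0]",
     "location": {"filename": "modules/kubernetes-namespace/network-policy.tf", "start_line": 1}},
    # Hypothetical: a wildcard policy someone silenced without adding a row to the table.
    {"long_id": "aws-iam-no-policy-wildcards", "status": 2, "severity": "HIGH",
     "resource": "module.aws_iam_new_thing[0]:aws_iam_role_policy.this",
     "location": {"filename": "modules/aws-iam-eks-trusted/main.tf", "start_line": 1}},
    # A passing check must never be treated as an exception.
    {"long_id": "aws-eks-enable-control-plane-logging", "status": 1, "severity": "MEDIUM",
     "resource": "module.eks:aws_eks_cluster.this[0]",
     "location": {"filename": "layer1-aws/aws-eks.tf", "start_line": 1}},
]})


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    status: int      # 0 = failed, 1 = passed, 2 = ignored (assumed tfsec encoding)
    filename: str


def parse_findings(raw: str) -> list:
    """Parse tfsec JSON; tfsec emits "results": null when nothing was reported."""
    doc = json.loads(raw)
    return [
        Finding(r["long_id"], r["resource"], int(r.get("status", 0)),
                r.get("location", {}).get("filename", ""))
        for r in (doc.get("results") or [])
    ]


def reconcile(findings, documented):
    """Return (undocumented, stale), both sorted lists of (rule, resource).

    undocumented: failed or ignored findings with no row in the table -> block the merge.
    stale:        rows in the table that tfsec no longer reports -> prune them.
    """
    reported = {(f.rule, f.resource) for f in findings if f.status in (0, 2)}
    return sorted(reported - documented), sorted(documented - reported)


def ci_should_fail(raw: str, documented=DOCUMENTED_EXCEPTIONS) -> bool:
    undocumented, _ = reconcile(parse_findings(raw), documented)
    return bool(undocumented)


if __name__ == "__main__":
    undocumented, stale = reconcile(parse_findings(SAMPLE_TFSEC_OUTPUT), DOCUMENTED_EXCEPTIONS)
    for rule, res in undocumented:
        print(f"UNDOCUMENTED skip: {rule} on {res}")
    for rule, res in stale:
        print(f"STALE row: {rule} on {res}")
    raise SystemExit(1 if undocumented else 0)
```

In a GitHub Actions job this runs after the tfsec step, with the real JSON piped in instead of the constructed sample; the exit status turns an undocumented skip into a failed check, while stale rows are reported but not fatal, so the table can be cleaned up in a follow-up rather than blocking unrelated changes.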