tfsec ignores #143

andycognitoiq · 2022-06-20T13:32:59Z

what

tfsec ignores

why

references

…rds-cluster into cloudposse-master

bridgecrew

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

bridgecrew · 2022-06-20T13:33:51Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters have an AWS Backup backup plan
Resource: aws_rds_cluster.primary | ID: BC_AWS_GENERAL_49

How to Fix

resource "aws_rds_cluster" "rds_cluster_good" { cluster_identifier = "aurora-cluster-demo" engine = "aurora-mysql" engine_version = "5.7.mysql_aurora.2.03.2" availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] database_name = "mydb" master_username = "foo" master_password = "bar" } resource "aws_backup_plan" "example" { name = "tf_example_backup_plan" rule { rule_name = "tf_example_backup_rule" target_vault_name = "vault-name" schedule = "cron(0 12 * * ? *)" } } resource "aws_backup_selection" "backup_good" { iam_role_arn = "arn:partition:service:region:account-id:resource-id" name = "tf_example_backup_selection" plan_id = aws_backup_plan.example.id resources = [ aws_rds_cluster.rds_cluster_good.arn ] }

Description
TBA

bridgecrew · 2022-06-20T13:33:52Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters have an AWS Backup backup plan
Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_49

How to Fix

resource "aws_rds_cluster" "rds_cluster_good" { cluster_identifier = "aurora-cluster-demo" engine = "aurora-mysql" engine_version = "5.7.mysql_aurora.2.03.2" availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] database_name = "mydb" master_username = "foo" master_password = "bar" } resource "aws_backup_plan" "example" { name = "tf_example_backup_plan" rule { rule_name = "tf_example_backup_rule" target_vault_name = "vault-name" schedule = "cron(0 12 * * ? *)" } } resource "aws_backup_selection" "backup_good" { iam_role_arn = "arn:partition:service:region:account-id:resource-id" name = "tf_example_backup_selection" plan_id = aws_backup_plan.example.id resources = [ aws_rds_cluster.rds_cluster_good.arn ] }

Description
TBA

bridgecrew · 2022-06-20T13:35:05Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:07Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.primary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:08Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Postgres RDS has Query Logging enabled
Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_96

How to Fix

resource "aws_rds_cluster_parameter_group" "examplea" { name = "rds-cluster-pg" family = "aurora5.7" description = "RDS default cluster parameter group" + parameter { + name="log_statement" + value="all" + } + parameter { + name="log_min_duration_statement" + value="1" + } }

Description
This check ensures that you have enabled query logging set up for your PostgreSQL database cluster. A cluster needs to have a non-default parameter group and two parameters set - that of *log_statement* and *log_min_duration_statement*, these need to be set to *all* and *1* respectively to get sufficient logs.
Note
Setting querying logging can expose secrets (including passwords) from your queries, - restrict and encrypt to mitigate.

bridgecrew · 2022-06-20T13:35:10Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.primary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:11Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:12Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.primary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:13Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.primary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:14Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:16Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:17Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:19Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:20Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.primary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:21Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:23Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.primary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:24Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:25Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.primary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:26Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:27Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.primary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:28Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:29Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.primary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:31Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:32Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:33Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:34Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:35Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.primary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:36Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" { ... + iam_database_authentication_enabled = true }

Description
TBD

bridgecrew · 2022-06-20T13:35:38Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:40Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:41Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:42Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:43Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.primary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:45Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" { ... + deletion_protection = true }

Description
TBA

bridgecrew · 2022-06-20T13:35:46Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

bridgecrew · 2022-06-20T13:35:47Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" { ... cluster_identifier = "aurora-cluster-demo" + storage_encrypted = true ... }

Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

bridgecrew · 2022-06-20T13:35:49Z

main.tf

@@ -62,7 +62,7 @@ resource "aws_rds_cluster" "primary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Postgres RDS has Query Logging enabled
Resource: aws_rds_cluster.primary | ID: BC_AWS_GENERAL_96

How to Fix

resource "aws_rds_cluster_parameter_group" "examplea" { name = "rds-cluster-pg" family = "aurora5.7" description = "RDS default cluster parameter group" + parameter { + name="log_statement" + value="all" + } + parameter { + name="log_min_duration_statement" + value="1" + } }

Description
This check ensures that you have enabled query logging set up for your PostgreSQL database cluster. A cluster needs to have a non-default parameter group and two parameters set - that of *log_statement* and *log_min_duration_statement*, these need to be set to *all* and *1* respectively to get sufficient logs.
Note
Setting querying logging can expose secrets (including passwords) from your queries, - restrict and encrypt to mitigate.

bridgecrew · 2022-06-20T13:35:50Z

main.tf

@@ -155,15 +155,15 @@ resource "aws_rds_cluster" "secondary" {
  cluster_identifier                  = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
  database_name                       = var.db_name
  master_username                     = local.ignore_admin_credentials ? null : var.admin_user
-  master_password                     = local.ignore_admin_credentials ? null : var.admin_password
+  master_password                     = local.ignore_admin_credentials ? null : var.admin_password #tfsec:ignore:GEN003


Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" { cluster_identifier = "aurora-cluster-demo" ... + iam_database_authentication_enabled = true }

Description
TBA. Identity and Access Management (IAM)

kevcube · 2022-06-30T20:21:20Z

@andycognitoiq looks like this was opened by mistake, can you close it?

Gowiem · 2022-07-23T14:07:57Z

@andycognitoiq friendly ping on this PR -- Can you please share if this was a mistake to open upstream or your reasoning behind this PR?

hans-d · 2024-03-02T00:42:51Z

closing

leigh507 and others added 4 commits June 24, 2021 19:46

Update main.tf

4810901

Update main.tf

ad02286

Merge branch 'master' of https://github.com/cloudposse/terraform-aws-…

62735e3

…rds-cluster into cloudposse-master

Merge branch 'cloudposse-master' into serverlessV2

beb5cef

andycognitoiq requested review from a team as code owners June 20, 2022 13:32

andycognitoiq requested review from joe-niland and woz5999 June 20, 2022 13:33

bridgecrew bot reviewed Jun 20, 2022

View reviewed changes

nitrocode added the no-release Do not create a new release (wait for additional code changes) label Jul 10, 2022

nitrocode changed the title ~~Serverless v2~~ tfsec ignores Jul 10, 2022

hans-d closed this Mar 2, 2024

tfsec ignores #143

tfsec ignores #143

Conversation

andycognitoiq commented Jun 20, 2022 • edited by nitrocode Loading

what

why

references

bridgecrew bot left a comment

Choose a reason for hiding this comment

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

Description

bridgecrew bot Jun 20, 2022

Choose a reason for hiding this comment

How to Fix

andycognitoiq commented Jun 20, 2022 •

edited by nitrocode

Loading