Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub OIDC provider module #2

Merged
merged 6 commits into from
Aug 1, 2022
Merged

GitHub OIDC provider module #2

merged 6 commits into from
Aug 1, 2022

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Aug 1, 2022

  • Creates a reusable module based on existing module
  • Creates go-based unit tests

@dms1981 dms1981 requested a review from a team as a code owner August 1, 2022 10:37
@github-actions
Copy link
Contributor

github-actions bot commented Aug 1, 2022

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             56.5µs
  parsing              730.6µs
  adaptation           97.6µs
  checks               32.855513ms
  total                33.740213ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     13
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 17, Failed checks: 4, Skipped checks: 0

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.extra_permissions
	File: /test/unit-test/main.tf:10-27
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration

		10 | data "aws_iam_policy_document" "extra_permissions" {
		11 |   version = "2012-10-17"
		12 | 
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "account:GetAlternateContact",
		17 |       "cur:DescribeReportDefinitions",
		18 |       "identitystore:ListGroups",
		19 |       "secretsmanager:GetSecretValue",
		20 |       "sts:AssumeRole",
		21 |       "s3:*",
		22 |       "kms:*",
		23 |     ]
		24 | 
		25 |     resources = ["*"]
		26 |   }
		27 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.extra_permissions
	File: /test/unit-test/main.tf:10-27
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		10 | data "aws_iam_policy_document" "extra_permissions" {
		11 |   version = "2012-10-17"
		12 | 
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "account:GetAlternateContact",
		17 |       "cur:DescribeReportDefinitions",
		18 |       "identitystore:ListGroups",
		19 |       "secretsmanager:GetSecretValue",
		20 |       "sts:AssumeRole",
		21 |       "s3:*",
		22 |       "kms:*",
		23 |     ]
		24 | 
		25 |     resources = ["*"]
		26 |   }
		27 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.extra_permissions
	File: /test/unit-test/main.tf:10-27
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		10 | data "aws_iam_policy_document" "extra_permissions" {
		11 |   version = "2012-10-17"
		12 | 
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "account:GetAlternateContact",
		17 |       "cur:DescribeReportDefinitions",
		18 |       "identitystore:ListGroups",
		19 |       "secretsmanager:GetSecretValue",
		20 |       "sts:AssumeRole",
		21 |       "s3:*",
		22 |       "kms:*",
		23 |     ]
		24 | 
		25 |     resources = ["*"]
		26 |   }
		27 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.extra_permissions
	File: /test/unit-test/main.tf:10-27
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure

		10 | data "aws_iam_policy_document" "extra_permissions" {
		11 |   version = "2012-10-17"
		12 | 
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "account:GetAlternateContact",
		17 |       "cur:DescribeReportDefinitions",
		18 |       "identitystore:ListGroups",
		19 |       "secretsmanager:GetSecretValue",
		20 |       "sts:AssumeRole",
		21 |       "s3:*",
		22 |       "kms:*",
		23 |     ]
		24 | 
		25 |     resources = ["*"]
		26 |   }
		27 | }

github_actions scan results:

Passed checks: 76, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `aws` plugin...
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.13.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

@dms1981 dms1981 merged commit 0a458ad into main Aug 1, 2022
@dms1981 dms1981 deleted the features/github-oidc-provider-module branch August 1, 2022 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zuriguardiola zuriguardiola zuriguardiola approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dms1981 @zuriguardiola @gfou-al