Issue 5899 #127

mikereiddigital · 2024-01-15T15:48:36Z

Adds fix for issue 5899 and increments release of github-actions to 15.3.0. Also bumps checkout to 4.1.1.

…5.3.0. Also bumps checkout to 4.1.1.

github-actions · 2024-01-15T15:50:43Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
.

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 116.466µs
parsing 7.867719ms
adaptation 431.403µs
checks 3.72636ms
total 12.141948ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 60
files read 4

results
──────────────────────────────────────────
passed 6
ignored 34
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 70, Failed checks: 10, Skipped checks: 10

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs.aws_iam_policy.ec2_instance_policy
	File: /main.tf:176-215
	Calling File: /test/unit-test/main.tf:1-30

		176 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		177 |   name = "${var.app_name}-ec2-instance-policy"
		178 | 
		179 |   policy = <<EOF
		180 | {
		181 |     "Version": "2012-10-17",
		182 |     "Statement": [
		183 |         {
		184 |             "Effect": "Allow",
		185 |             "Action": [
		186 |                 "ec2:DescribeTags",
		187 |                 "ecs:CreateCluster",
		188 |                 "ecs:DeregisterContainerInstance",
		189 |                 "ecs:DiscoverPollEndpoint",
		190 |                 "ecs:Poll",
		191 |                 "ecs:RegisterContainerInstance",
		192 |                 "ecs:StartTelemetrySession",
		193 |                 "ecs:UpdateContainerInstancesState",
		194 |                 "ecs:Submit*",
		195 |                 "ecr:GetAuthorizationToken",
		196 |                 "ecr:BatchCheckLayerAvailability",
		197 |                 "ecr:GetDownloadUrlForLayer",
		198 |                 "ecr:BatchGetImage",
		199 |                 "logs:CreateLogStream",
		200 |                 "logs:PutLogEvents",
		201 |                 "s3:ListBucket",
		202 |                 "s3:*Object*",
		203 |                 "kms:Decrypt",
		204 |                 "kms:Encrypt",
		205 |                 "kms:GenerateDataKey",
		206 |                 "kms:ReEncrypt",
		207 |                 "kms:GenerateDataKey",
		208 |                 "kms:DescribeKey"
		209 |             ],
		210 |             "Resource": "*"
		211 |         }
		212 |     ]
		213 | }
		214 | EOF
		215 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /main.tf:235-256
	Calling File: /test/unit-test/main.tf:1-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		235 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		236 |   family             = "${var.app_name}-task-definition"
		237 |   count              = var.container_instance_type == "windows" ? 1 : 0
		238 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
		239 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn
		240 |   requires_compatibilities = [
		241 |     "EC2",
		242 |   ]
		243 | 
		244 |   volume {
		245 |     name = var.task_definition_volume
		246 |   }
		247 | 
		248 |   container_definitions = var.task_definition
		249 | 
		250 |   tags = merge(
		251 |     var.tags_common,
		252 |     {
		253 |       Name = "${var.app_name}-windows-task-definition"
		254 |     }
		255 |   )
		256 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /main.tf:349-372
	Calling File: /test/unit-test/main.tf:1-30

		349 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		350 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		351 |   policy = <<EOF
		352 | {
		353 |   "Version": "2012-10-17",
		354 |   "Statement": [
		355 |     {
		356 |       "Effect": "Allow",
		357 |       "Action": [
		358 |         "s3:ListBucket",
		359 |         "s3:*Object*",
		360 |         "kms:Decrypt",
		361 |         "kms:Encrypt",
		362 |         "kms:GenerateDataKey",
		363 |         "kms:ReEncrypt",
		364 |         "kms:GenerateDataKey",
		365 |         "kms:DescribeKey"
		366 |       ],
		367 |       "Resource": ["*"]
		368 |     }
		369 |   ]
		370 | }
		371 | EOF
		372 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /main.tf:458-468
	Calling File: /test/unit-test/main.tf:1-30

		458 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		459 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		460 |   name              = "${var.app_name}-ecs"
		461 |   retention_in_days = 30
		462 |   tags = merge(
		463 |     var.tags_common,
		464 |     {
		465 |       Name = "${var.app_name}-ecs-cloudwatch-group"
		466 |     }
		467 |   )
		468 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

`Trivy Scan`

Show Output

ewastempel

LGTM

Adds fix for issue 5899 and increments release of github-actions to 1…

ab26cb1

…5.3.0. Also bumps checkout to 4.1.1.

mikereiddigital requested a review from connormaglynn January 15, 2024 15:49

mikereiddigital requested review from modernisation-platform-ci and dms1981 January 15, 2024 15:57

ewastempel approved these changes Jan 15, 2024

View reviewed changes

mikereiddigital merged commit 06855ed into main Jan 15, 2024
3 of 5 checks passed

mikereiddigital deleted the issue-5899 branch January 15, 2024 16:15

mikereiddigital mentioned this pull request Jan 15, 2024

Terraform Static Analysis pipeline failing in tflint v0.50.0 ministryofjustice/modernisation-platform#5899

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issue 5899 #127

Issue 5899 #127

mikereiddigital commented Jan 15, 2024

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

ewastempel left a comment

Issue 5899 #127

Issue 5899 #127

Conversation

mikereiddigital commented Jan 15, 2024

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

ewastempel left a comment

Choose a reason for hiding this comment

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`