Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS Provider 5.0 upgrade #169

Merged
merged 2 commits into from
Jun 16, 2023
Merged

AWS Provider 5.0 upgrade #169

merged 2 commits into from
Jun 16, 2023

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Jun 15, 2023

Bumps version constraint to ~> 5.0.
Add missing time provider
Related to ministryofjustice/modernisation-platform#4173

@dms1981 dms1981 requested a review from a team as a code owner June 15, 2023 08:03
@github-actions
Copy link
Contributor

TFSEC Scan Failed

Show Output 
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

Results #1-2 HIGH IAM policy document uses wildcarded action 'iam:ChangePassword' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:18-40
   via main.tf:71-94 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   18actions = [
   19"iam:ChangePassword",
   20"iam:CreateAccessKey",
   21"iam:CreateLoginProfile",
   22"iam:CreateVirtualMFADevice",
   23"iam:DeleteAccessKey",
   24"iam:DeleteLoginProfile",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:71-94 (module.iam_group_admins_with_policies) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #3-4 HIGH IAM policy document uses wildcarded action 'iam:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:53-56
   via main.tf:71-94 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   53  ┌     actions = [
   54"iam:Get*",
   55"iam:List*",
   56  └     ]
   ..  
   91    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:71-94 (module.iam_group_admins_with_policies) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH IAM policy document uses sensitive action 'iam:Get*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:58
   via main.tf:71-94 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   58  [     resources = ["*"]
   ..  
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH IAM policy document uses sensitive action 'iam:ChangePassword' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:150
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  150  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'iam:CreateAccessKey' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:161
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  161  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'iam:DeleteSigningCertificate' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:172
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  172  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #9 HIGH IAM policy document uses sensitive action 'iam:DeleteSSHPublicKey' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:184
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  184  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #10 HIGH IAM policy document uses sensitive action 'iam:CreateServiceSpecificCredential' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:196
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  196  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH IAM policy document uses sensitive action 'iam:CreateVirtualMFADevice' on wildcarded resource 'arn:aws:iam::*:mfa/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:205
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  205  [     resources = ["arn:aws:iam::*:mfa/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH IAM policy document uses sensitive action 'iam:DeactivateMFADevice' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:216
────────────────────────────────────────────────────────────────────────────────
  130    data "aws_iam_policy_document" "force_mfa" {
  ...  
  216  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  237    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #13 MEDIUM Multi-Factor authentication is not enforced for group 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/main.tf:5-9
   via main.tf:71-94 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
    5    resource "aws_iam_group" "this" {
    6      count = var.create_group ? 1 : 0
    7    
    8      name = var.name
    9    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-enforce-group-mfa
      Impact IAM groups are more vulnerable to compromise without multi factor authentication activated
  Resolution Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/enforce-group-mfa/
  - https://registry.terraform.io/modules/terraform-module/enforce-mfa/aws/latest
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.402982ms
  parsing              4.922916191s
  adaptation           1.306077ms
  checks               24.146331ms
  total                4.949771581s

  counts
  ──────────────────────────────────────────
  modules downloaded   11
  modules processed    12
  blocks processed     455
  files read           49

  results
  ──────────────────────────────────────────
  passed               66
  ignored              0
  critical             0
  high                 12
  medium               1
  low                  0

  66 passed, 13 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-06-15 08:06:11,712 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-account:~>5.2 (for external modules, the --download-external-modules flag is required)
2023-06-15 08:06:11,712 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-roles:~>5.5 (for external modules, the --download-external-modules flag is required)
2023-06-15 08:06:11,712 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:~>5.5 (for external modules, the --download-external-modules flag is required)
2023-06-15 08:06:11,712 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~>5.5 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.assume_role
	File: /main.tf:112-126
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		112 | data "aws_iam_policy_document" "assume_role" {
		113 |   statement {
		114 |     sid    = "AssumeRole"
		115 |     effect = "Allow"
		116 |     actions = [
		117 |       "sts:AssumeRole"
		118 |     ]
		119 |     resources = ["*"]
		120 |     condition {
		121 |       test     = "BoolIfExists"
		122 |       variable = "aws:MultiFactorAuthPresent"
		123 |       values   = ["true"]
		124 |     }
		125 |   }
		126 | }

github_actions scan results:

Passed checks: 132, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.
tflint_exitcode=0

@dms1981 dms1981 merged commit 2390874 into main Jun 16, 2023
@dms1981 dms1981 deleted the feature/4173-aws-provider-v5 branch June 16, 2023 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidkelliott davidkelliott davidkelliott approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dms1981 @davidkelliott