Feat terrascan compliance (#146)

penguinjournals · web-flow · commit 338f42f5b869 · 2022-11-21T14:34:19.000+01:00
diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml
@@ -72,6 +72,7 @@ jobs:
         run: |
           pip install pre-commit
           go install github.com/hashicorp/terraform-config-inspect@latest
+          make deps
 
       - name: Execute generate-terraform-providers for organizational
         if: ${{ matrix.directory !=  '.' }}
@@ -128,9 +129,7 @@ jobs:
       - name: Install pre-commit dependencies
         run: |
           pip install pre-commit
-          go install github.com/terraform-docs/terraform-docs@v0.16.0
-          go install github.com/hashicorp/terraform-config-inspect@latest
-          curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+          make deps
       - name: Clean pre-commit cache
         run: pre-commit clean
       - name: Execute pre-commit max_version
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -70,6 +70,10 @@ repos:
       # https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
       - id: terraform_validate
         exclude: (test)|(examples-internal)\/.*$
+      - id: terrascan
+        exclude: (test)
+        args:
+          - '--args=--skip-rules AC_AWS_0369'
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.1.0
     hooks:
diff --git a/Makefile b/Makefile
@@ -5,6 +5,11 @@ deps:
 		unzip tflint.zip && \
 		rm tflint.zip && \
 		mv tflint "`go env GOPATH`/bin"
+	curl -L https://github.com/tenable/terrascan/releases/download/v1.9.0/terrascan_1.9.0_Linux_x86_64.tar.gz -o terrascan.tar.gz && \
+                tar -xf terrascan.tar.gz terrascan && \
+                rm terrascan.tar.gz && \
+                install terrascan "`go env GOPATH`/bin" && \
+                rm terrascan
 
 clean:
 	find -name ".terraform" -type d | xargs rm -rf
diff --git a/modules/infrastructure/cloudtrail/s3.tf b/modules/infrastructure/cloudtrail/s3.tf
@@ -1,4 +1,10 @@
 resource "aws_s3_bucket" "cloudtrail" {
+  # AC_AWS_0214
+  # Why: S3 bucket versioning is disabled
+  #ts:skip=AC_AWS_0214 S3 is for testing purpose by the customer. In production S3 it's pretended to be provided by the customer with the logging related decisions taken by them as it has costs.
+  # AC_AWS_0497
+  # Why: S3 access logging is disabled
+  #ts:skip=AC_AWS_0497 S3 is for testing purpose by the customer. In production S3 it's pretended to be provided by the customer with the logging related decisions taken by them as it has costs.
   bucket        = "${var.name}-${data.aws_caller_identity.me.account_id}"
   force_destroy = true
   tags          = var.tags
diff --git a/modules/infrastructure/cloudtrail/sns.tf b/modules/infrastructure/cloudtrail/sns.tf
@@ -1,4 +1,7 @@
 resource "aws_sns_topic" "cloudtrail" {
+  # AC_AWS_0502
+  # Why: Encrypt SNS with KMS
+  #ts:skip=AC_AWS_0502 Don't encrypt as far as SNS can be provided by customer
   name = var.name
   tags = var.tags
 }
diff --git a/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf b/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf
@@ -13,8 +13,10 @@ locals {
 
 
 resource "aws_sns_topic" "s3_sns" {
-  name = local.s3_sns_name
-
+  # AC_AWS_0502
+  # Why: Encrypt SNS with KMS
+  #ts:skip=AC_AWS_0502 Don't encrypt as far as SNS can be provided by customer
+  name   = local.s3_sns_name
   policy = <<POLICY
 {
     "Version":"2012-10-17",
diff --git a/modules/infrastructure/ecs-vpc/vpc.tf b/modules/infrastructure/ecs-vpc/vpc.tf
@@ -3,6 +3,8 @@ data "aws_availability_zones" "zones" {
 
 # https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest
 module "vpc" {
+  # AC_AWS_0369
+  #ts:skip=AC_AWS_0369 Cannot be ignored on external module
   source  = "terraform-aws-modules/vpc/aws"
   version = ">=3.14.0"
 
diff --git a/modules/infrastructure/permissions/iam-user/main.tf b/modules/infrastructure/permissions/iam-user/main.tf
@@ -5,6 +5,8 @@ resource "aws_iam_user" "this" {
 }
 
 resource "aws_iam_access_key" "this" {
+  # AC_AWS_0133
+  #ts:skip=AC_AWS_0133 Doesn't apply
   user = aws_iam_user.this.name
   lifecycle {
     create_before_destroy = true
diff --git a/modules/infrastructure/sqs-sns-subscription/main.tf b/modules/infrastructure/sqs-sns-subscription/main.tf
@@ -1,4 +1,7 @@
 resource "aws_sqs_queue" "this" {
+  # AC_AWS_0366
+  # Why: Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE).
+  #ts:skip=AC_AWS_0366 Doesn't apply as the content of the event is stored on S3 not on the log
   name = var.name
   tags = var.tags
 }
@@ -8,6 +11,7 @@ resource "aws_sns_topic_subscription" "this" {
   protocol  = "sqs"
   endpoint  = aws_sqs_queue.this.arn
   topic_arn = var.cloudtrail_sns_arn
+
 }
 
 resource "aws_sqs_queue_policy" "this" {
diff --git a/test/eks/README.md b/test/eks/README.md
@@ -2,7 +2,7 @@
 
 ```terraform
 module "eks"{
-  source = "sysdiglabs/secure-for-cloud/aws//modules/infrastructure/eks"
+  source = "sysdiglabs/secure-for-cloud/aws//test/eks"
   default_vpc_subnets = ["<SUBNET_1>", "<SUBNET_2>"]
   name = "<IDENTIFYING_NAME>"
 }
diff --git a/test/eks/data.tf b/test/eks/data.tf
diff --git a/test/eks/main.tf b/test/eks/main.tf
@@ -66,6 +66,8 @@ resource "aws_iam_role_policy_attachment" "container_registry_read_only" {
 
 
 resource "aws_eks_cluster" "aws_eks" {
+  # AC_AWS_0465
+  #ts:skip=AC_AWS_0465 Doesn't apply as this cluster is for developer testing purposes
   name     = var.name
   role_arn = aws_iam_role.eks_cluster.arn
 
diff --git a/test/eks/outputs.tf b/test/eks/outputs.tf
diff --git a/test/eks/variables.tf b/test/eks/variables.tf
diff --git a/test/eks/versions.tf b/test/eks/versions.tf
diff --git a/use-cases/README.md b/use-cases/README.md
@@ -12,7 +12,7 @@ and for AWS in [Cloudformation](https://github.com/sysdiglabs/aws-templates-secu
 | GCP | K8S `-k8s`, CloudRun |
 | Azure | K8S `-k8s`, AzureContainerInstances |
 
-**Which should I choose?** 
+**Which should I choose?**
 <br/>There are no preffered way, just take a technology you're familiar with. Otherwise, prefer non K8S, as it will be harder to maintain.
 <br/>For AWS, beware of [AppRunner region limitations](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-apprunner/README.md#prerequisites)
 <br/><br/>
diff --git a/use-cases/org-three-way-ecs.md b/use-cases/org-three-way-ecs.md
@@ -7,7 +7,7 @@ With ECS as workload-type.
 <br/>This is terraform-based guidelines, but can also check [Manual Organizational Setup - Three-Way Cross-Account ](./manual-org-three-way.md)
 
 
-- **User Infrastructure Setup**: 
+- **User Infrastructure Setup**:
   1. Management Account
     - Organizational Cloudtrail with no SNS activation
   2. Log Archive Account
diff --git a/use-cases/org-three-way-k8s.md b/use-cases/org-three-way-k8s.md
@@ -14,14 +14,14 @@ With EKS as workload-type.
     3. Member Account
     - Sysdig Secure for cloud deployment
     - Existing K8S Cluster
-      - permission setup rely on an `accessKey/secretAccessKey` parameters of the workload, but can setup the 
+      - permission setup rely on an `accessKey/secretAccessKey` parameters of the workload, but can setup the
         service-account manually and ignore those two parameters.
 
 - Required **Sysdig Secure For Cloud [Features](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/)**
   - Threat-Detection
   - :warning: Posture; Compliance + Identity Access Management not delivered with this use-case. Can use [manual compliance setup](./manual-compliance.md)
   - :warning: Cloud image scanning is not supported yet
-  
+
 
 ## Suggested building-blocks
 
@@ -68,7 +68,7 @@ provider "helm" {
        ```text
        cloudtrail_s3_name=cloudtrail-logging-237944556329
        ```
-   2. Optionally, populate `CLOUDTRAIL_S3_FILTER_PREFIX` in order to ingest a specific-account. Otherwise, just remove 
+   2. Optionally, populate `CLOUDTRAIL_S3_FILTER_PREFIX` in order to ingest a specific-account. Otherwise, just remove
       its assignation
    <br/>ex.:
        ```text

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,7 @@`
`1`	`1`	`resource "aws_sns_topic" "cloudtrail" {`
	`2`	`+ # AC_AWS_0502`
	`3`	`+ # Why: Encrypt SNS with KMS`
	`4`	`+ #ts:skip=AC_AWS_0502 Don't encrypt as far as SNS can be provided by customer`
`2`	`5`	`name = var.name`
`3`	`6`	`tags = var.tags`
`4`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ resource "aws_iam_user" "this" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`resource "aws_iam_access_key" "this" {`
	`8`	`+ # AC_AWS_0133`
	`9`	`+ #ts:skip=AC_AWS_0133 Doesn't apply`
`8`	`10`	`user = aws_iam_user.this.name`
`9`	`11`	`lifecycle {`
`10`	`12`	`create_before_destroy = true`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,7 @@`
`1`	`1`	`resource "aws_sqs_queue" "this" {`
	`2`	`+ # AC_AWS_0366`
	`3`	`+ # Why: Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE).`
	`4`	`+ #ts:skip=AC_AWS_0366 Doesn't apply as the content of the event is stored on S3 not on the log`
`2`	`5`	`name = var.name`
`3`	`6`	`tags = var.tags`
`4`	`7`	`}`
`@@ -8,6 +11,7 @@ resource "aws_sns_topic_subscription" "this" {`
`8`	`11`	`protocol = "sqs"`
`9`	`12`	`endpoint = aws_sqs_queue.this.arn`
`10`	`13`	`topic_arn = var.cloudtrail_sns_arn`
	`14`	`+`
`11`	`15`	`}`
`12`	`16`
`13`	`17`	`resource "aws_sqs_queue_policy" "this" {`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`	```terraform
`4`	`4`	`module "eks"{`
`5`		`- source = "sysdiglabs/secure-for-cloud/aws//modules/infrastructure/eks"`
	`5`	`+ source = "sysdiglabs/secure-for-cloud/aws//test/eks"`
`6`	`6`	`default_vpc_subnets = ["<SUBNET_1>", "<SUBNET_2>"]`
`7`	`7`	`name = "<IDENTIFYING_NAME>"`
`8`	`8`	`}`