initial commit

Author: IA Automator

.config/.checkov.yml

@@ -0,0 +1,15 @@
+download-external-modules: False
+evaluate-variables: true
+directory:
+- ./
+framework:
+- terraform
+skip-check:
+- CKV2_GCP*
+- CKV_AZURE*
+- CKV2_AZURE*
+- CKV_TF_1 # default to Terraform registry instead of Git
+summary-position: bottom
+output: 'cli'
+compact: True
+quiet: True

.config/.mdlrc

@@ -0,0 +1,5 @@
+# Ignoring the following rules
+# MD007 Unordered list indentation
+# MD013 Line length
+# MD029 Ordered list item prefix
+rules "~MD007", "~MD013", "~MD029"

.config/.terraform-docs.yaml

@@ -0,0 +1,20 @@
+formatter: markdown
+header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

.config/.tflint.hcl

@@ -0,0 +1,66 @@
+# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
+# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
+
+plugin "aws" {
+  enabled = true
+  version = "0.22.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  module = true
+  force  = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

.config/.tfsec.yml

@@ -0,0 +1,3 @@
+{
+  "minimum_severity": "MEDIUM"
+}

.config/.tfsec/launch_configuration_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS002",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/launch_template_imdsv2_tfchecks.json

@@ -0,0 +1,39 @@
+{
+  "checks": [
+    {
+      "code": "CUS001",
+      "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
+      "impact": "Instance metadata service can be interacted with freely",
+      "resolution": "Enable HTTP token requirement for IMDS",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_template"
+      ],
+      "severity": "CRITICAL",
+      "matchSpec": {
+          "action": "isPresent",
+          "name": "metadata_options",
+          "subMatch": {
+            "action": "and",
+            "predicateMatchSpec": [
+              {
+                "action": "equals",
+                "name": "http_tokens",
+                "value": "required"
+
+              }
+            ]
+          }
+        },
+
+      "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
+      "relatedLinks": [
+        "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/no_launch_config_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS003",
+      "description": "Use `aws_launch_template` over `aws_launch_configuration",
+      "impact": "Launch configurations are not capable of versions",
+      "resolution": "Convert resource type and attributes to `aws_launch_template`",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_launch_configuration"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "image_id"
+        },
+
+      "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
+        "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_egress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS005",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "egress"
+        },
+
+      "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}

.config/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json

@@ -0,0 +1,27 @@
+{
+  "checks": [
+    {
+      "code": "CUS004",
+      "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
+      "impact": "Embedded security group rules can cause issues during configuration updates.",
+      "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
+      "requiredTypes": [
+        "resource"
+      ],
+      "requiredLabels": [
+        "aws_security_group"
+      ],
+      "severity": "MEDIUM",
+      "matchSpec": {
+          "action": "notPresent",
+          "name": "ingress"
+        },
+
+      "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
+      "relatedLinks": [
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
+        "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
+      ]
+    }
+  ]
+}