Create main.tf #5

Open: wants to merge 1 commit into base: main
125 changes: 125 additions & 0 deletions app/main.tf
@@ -0,0 +1,125 @@
###############################################################################

Check notice · Code scanning / Infrabase AI · No raw resources when possible (Note)

The file contains a large multi-line comment header using '#####' which takes up significant visual space and can reduce readability. This occurs at the beginning of the file. Recommendation: Reduce the size and decoration of comment headers. Use simple, concise comments.
# NOTE: This example is intentionally insecure. It is valid Terraform that
# will apply successfully, but it violates multiple AWS security best-practices.
###############################################################################

terraform {
required_version = ">= 1.5.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}
}

provider "aws" {
region = var.region
}

Check notice · Code scanning / Infrabase AI · No big comment headers (Note)

The S3 bucket section is preceded by a large multi-line comment header using '#####' which takes up significant visual space. Recommendation: Reduce the size and decoration of comment headers. Use simple, concise comments like # Public S3 bucket.
variable "region" {
description = "AWS region"
type = string
default = "us-east-1"
}

Check failure · Code scanning / Infrabase AI · No raw resources when possible (Error)

The S3 bucket 'aws_s3_bucket.public_assets' does not have server-side encryption explicitly enabled. Data at rest in this bucket will not be encrypted by default using AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). Recommendation: Enable server-side encryption for the S3 bucket. Add a server_side_encryption_configuration block, e.g., server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } } }.

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_s3_bucket resource 'public_assets' is defined directly. Resources should be defined as modules whenever possible for better reusability, maintainability, and adherence to organizational standards. Recommendation: Consider encapsulating S3 bucket creation logic within a reusable module, especially if common configurations (like encryption, versioning, logging, public access blocks) are desired across multiple buckets.
#######################################
# Public S3 bucket (no block settings)

Check failure · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Error)

The S3 bucket 'aws_s3_bucket.public_assets' is configured with acl = "public-read", making its objects publicly readable. This violates the principle of least privilege and the rule that S3 buckets must block public access unless explicitly for website static data. Recommendation: Set acl = "private" for the S3 bucket. If public access is required for specific objects, use bucket policies with specific conditions or CloudFront Origin Access Identity (OAI). Also, ensure the bucket's purpose is clearly for static website hosting if public access is intended, otherwise it should be private.
#######################################
resource "random_id" "suffix" {
byte_length = 4
}

resource "aws_s3_bucket" "public_assets" {

Check warning · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Warning)

The aws_s3_bucket_public_access_block resource 'disabled' is defined directly. This configuration is often part of a standard S3 bucket setup and could be included in an S3 module. Recommendation: Incorporate S3 public access block configurations within a reusable S3 bucket module to ensure consistent application of security settings.
bucket = "my-public-bucket-${random_id.suffix.hex}"
acl = "public-read" # ❌ public ACL

Check failure · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Error)

The aws_s3_bucket_public_access_block for 'aws_s3_bucket.public_assets' has block_public_acls = false and block_public_policy = false. This configuration allows public ACLs and policies to be applied to the bucket, potentially exposing data. Recommendation: Set block_public_acls = true, block_public_policy = true, ignore_public_acls = true, and restrict_public_buckets = true to enforce blocking of public access at the bucket level.

tags = {
Environment = "demo"
}
}

Check notice · Code scanning / Infrabase AI · No big comment headers (Note)

The IAM user section is preceded by a large multi-line comment header using '#####' which takes up significant visual space. Recommendation: Reduce the size and decoration of comment headers. Use simple, concise comments like # IAM user with wildcard permissions.
resource "aws_s3_bucket_public_access_block" "disabled" {
bucket = aws_s3_bucket.public_assets.id
block_public_acls = false # ❌ do not block public ACLs

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_iam_user resource 'ci' is defined directly. IAM resource management can benefit from modularization to enforce naming conventions, permission boundaries, and standard policies. Recommendation: Consider using or creating an IAM module for managing users, roles, and policies to ensure consistency and adherence to security best practices.
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_iam_access_key resource 'ci' is defined directly. Managing access keys is a sensitive operation and often benefits from being part of a broader IAM management module. Recommendation: If managing IAM users via Terraform, include access key creation within an IAM module. However, consider alternatives to long-lived static access keys for CI/CD, such as IAM roles for EC2/ECS/Lambda or OIDC providers.

#######################################
# IAM user with wildcard permissions
#######################################

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_iam_user_policy resource 'full_access' is defined directly. Inline policies can be harder to manage and reuse compared to managed policies or policies defined within modules. Recommendation: Define IAM policies within a dedicated IAM module or use AWS managed policies where appropriate. This promotes reusability and centralized management of permissions.
resource "aws_iam_user" "ci" {
name = "ci-user"
}

resource "aws_iam_access_key" "ci" {
user = aws_iam_user.ci.name

Check failure · Code scanning / Infrabase AI · No raw resources when possible (Error)

The IAM user policy 'full_access' for user 'ci-user' grants Action = "*" and Resource = "*". This provides unrestricted access to all AWS services and resources, violating the principle of least privilege. Recommendation: Replace wildcard permissions with specific actions and resources required by the 'ci-user'. Follow the principle of least privilege.
}

resource "aws_iam_user_policy" "full_access" {
name = "ci-all-access"
user = aws_iam_user.ci.name

Check notice · Code scanning / Infrabase AI · No big comment headers (Note)

The Security Group section is preceded by a large multi-line comment header using '#####' which takes up significant visual space. Recommendation: Reduce the size and decoration of comment headers. Use simple, concise comments like # Security group open to the world.
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = "*" # ❌ wide-open actions
Resource = "*" # ❌ wide-open resources
}]

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_security_group resource 'open_all' is defined directly. Security group configurations, especially common patterns, are good candidates for modularization. Recommendation: Use or create modules for defining security groups to ensure consistent application of rules and to simplify management of network security policies. The prompt mentions an internal module for VPC; similar modules might exist or should be created for security groups.
})
}

#######################################

Check failure · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Error)

The security group 'open_all' allows all inbound traffic (protocol = "-1", from_port = 0, to_port = 0) from any source (cidr_blocks = ["0.0.0.0/0"]). This exposes any associated resources to the entire internet. Recommendation: Restrict inbound rules to only necessary ports, protocols, and source IP ranges. Follow the principle of least privilege for network access.
# Security group open to the world
#######################################
data "aws_vpc" "default" {
default = true
}

resource "aws_security_group" "open_all" {
name = "open-all-sg"
description = "Allows all inbound traffic from anywhere"
vpc_id = data.aws_vpc.default.id

ingress {
description = "all traffic"
from_port = 0

Check notice · Code scanning / Infrabase AI · No big comment headers (Note)

The RDS instance section is preceded by a large multi-line comment header using '#####' which takes up significant visual space. Recommendation: Reduce the size and decoration of comment headers. Use simple, concise comments like # Public, unencrypted RDS instance.
to_port = 0
protocol = "-1" # ❌ any protocol
cidr_blocks = ["0.0.0.0/0"]

Check failure · Code scanning / Infrabase AI · Encrypt Data at Rest (Error)

The RDS instance 'public_db' does not have storage encryption enabled (storage_encrypted is not set to true). Data at rest on this instance is not encrypted. Recommendation: Enable storage encryption for the RDS instance by setting storage_encrypted = true. Consider using a KMS key for enhanced control by specifying kms_key_id.

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The aws_db_instance resource 'public_db' is defined directly. RDS instance configurations often involve multiple related settings (parameter groups, option groups, security groups, subnet groups) that can be encapsulated in a module. Recommendation: Consider using or creating an RDS module to manage database instances. This helps in standardizing configurations like encryption, backup policies, instance types, and security settings.
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}

Check failure · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Error)

The RDS instance 'public_db' has its password 'P@ssw0rd123' hard-coded in the Terraform configuration. This is a severe security risk as secrets should not be stored in plaintext in code. Recommendation: Store the RDS password in a secure secret management service (e.g., AWS Secrets Manager) and reference it using a data source or variable. Alternatively, use input variables marked as sensitive and provide the value through a secure mechanism at apply time.
}

Check failure · Code scanning / Infrabase AI · S3 Buckets Must Block Public Access (Error)

The RDS instance 'public_db' is configured with publicly_accessible = true, making it reachable from the internet. Combined with other vulnerabilities (like open security group or weak/hardcoded password), this significantly increases the risk of unauthorized access. Recommendation: Set publicly_accessible = false unless absolutely necessary. If public access is required, ensure strong passwords, encryption, and tightly restricted security groups.

#######################################
# Public, unencrypted RDS instance

Check warning · Code scanning / Infrabase AI · No raw resources when possible (Warning)

The RDS instance 'public_db' is configured with skip_final_snapshot = true. This means no final backup will be created when the instance is deleted, potentially leading to data loss. Recommendation: Set skip_final_snapshot = false to ensure a final snapshot is taken before deletion, allowing for data recovery if needed. This is especially important for production databases.
#######################################
resource "aws_db_instance" "public_db" {
identifier = "public-db-demo"
engine = "postgres"
engine_version = "15"
instance_class = "db.t3.micro"
allocated_storage = 20

username = "admin"
password = "P@ssw0rd123" # ❌ hard-coded plaintext secret
publicly_accessible = true # ❌ internet-facing DB
vpc_security_group_ids = [aws_security_group.open_all.id]

skip_final_snapshot = true # ❌ no backup before deletion
apply_immediately = true
}
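Review bot: The header comment states the file "will apply successfully", but `acl = "public-read"` on `aws_s3_bucket.public_assets` is unlikely to apply with the pinned `~> 5.0` provider: the inline `acl` argument is deprecated there in favour of a separate `aws_s3_bucket_acl` resource, and newly created buckets have ACLs disabled (object ownership BucketOwnerEnforced), so the PutBucketAcl call is rejected unless an `aws_s3_bucket_ownership_controls` resource first sets `object_ownership = "ObjectWriter"`. If the demo is meant to trigger every scanner finding, either add that resource or drop the ACL and let `aws_s3_bucket_public_access_block.disabled` (all four flags false) stand as the public-exposure example. Also, `aws_iam_access_key.ci` writes a live secret key into state with nothing consuming it; for a demo file, omit the resource or mark any output that exposes it `sensitive = true`, otherwise the intentionally hard-coded `password = "P@ssw0rd123"` is not the only plaintext credential this file leaves behind.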