add tfsec ignores for layer2

Author: mglotov

README.md

@@ -478,6 +478,16 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec
 | layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere |
 | layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere |
 | layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) |
+| modules/aws-iam-ssm/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets:data.aws_iam_policy_document.this' defines a policy with wildcarded resources. | We use aws-iam-ssm module for external-secrets and grant it access to all secrets. |
+| modules/aws-iam-autoscaler/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler:data.aws_iam_policy_document.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups |
+| modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-ingress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.deny-all' allows all ingress traffic by default | We deny all ingress trafic by default, but tfsec doesn't work as expected (bug) |
+| modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.deny-all' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
+| kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.allow-from-this' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
+| modules/kubernetes-network-policy-namespace/main.tf | kubernetes-network-no-public-egress | Resource 'module.dev_ns_network_policy:kubernetes_network_policy.allow-from-ns[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation |
+| modules/aws-iam-aws-loadbalancer-controller/iam.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) |
+| layer2-k8s/locals.tf | general-secrets-sensitive-in-local | Local 'locals.' includes a potentially sensitive value which is defined within the project | tfsec complains on helm_repo_external_secrets url because it contains the word *secret* |
+| modules/aws-iam-external-dns/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
+| modules/aws-iam-external-dns/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones |
 
 ## Coding conventions
 

terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 module "eks_alb_ingress" {
   source = "../modules/eks-aws-loadbalancer-controller"
   count  = var.aws_loadbalancer_controller_enable ? 1 : 0

terraform/layer2-k8s/eks-cert-manager.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 module "aws_iam_cert_manager" {
   source = "../modules/aws-iam-external-dns"
 

terraform/layer2-k8s/eks-cluster-autoscaler.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 module "aws_iam_autoscaler" {
   source = "../modules/aws-iam-autoscaler"
 

terraform/layer2-k8s/eks-external-dns.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 module "aws_iam_external_dns" {
   source = "../modules/aws-iam-external-dns"
 

terraform/layer2-k8s/eks-external-secrets.tf

@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
 module "aws_iam_external_secrets" {
   source = "../modules/aws-iam-ssm"
 

terraform/layer2-k8s/eks-network-policy.tf

@@ -16,6 +16,7 @@ resource "helm_release" "calico_daemonset" {
   ]
 }
 
+#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "dev_ns_network_policy" {
   source                = "../modules/kubernetes-network-policy-namespace"
   namespace             = kubernetes_namespace.dev.metadata[0].name

terraform/layer2-k8s/locals.tf

@@ -22,7 +22,7 @@ locals {
   helm_repo_eks                  = "https://aws.github.io/eks-charts"
   helm_repo_softonic             = "https://charts.softonic.io"
   helm_repo_elastic              = "https://helm.elastic.co"
-  helm_repo_external_secrets     = "https://external-secrets.github.io/kubernetes-external-secrets"
+  helm_repo_external_secrets     = "https://external-secrets.github.io/kubernetes-external-secrets" #tfsec:ignore:general-secrets-sensitive-in-local
   helm_repo_stakater             = "https://stakater.github.io/stakater-charts"
   helm_repo_cluster_autoscaler   = "https://kubernetes.github.io/autoscaler"
   helm_repo_ingress_nginx        = "https://kubernetes.github.io/ingress-nginx"