use tfsec for static analysing terraform code

mglotov · mglotov · commit ad0294b6202c · 2021-08-31T12:31:38.000+06:00
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
@@ -30,6 +30,18 @@ jobs:
     - name: Terraform Validate l2
       working-directory: ./terraform/layer2-k8s
       run: terraform validate -no-color .
+    - name: Upload files for l1
+      uses: actions/upload-artifact@v2
+      with:
+        name: l1
+        path: ./terraform/layer1-aws/.terraform
+        retention-days: 1
+    - name: Upload files for l2
+      uses: actions/upload-artifact@v2
+      with:
+        name: l2
+        path: ./terraform/layer2-k8s/.terraform
+        retention-days: 1
 
   # Checks that all Terraform configuration files format
   terraform-format:
@@ -63,3 +75,52 @@ jobs:
     - name: Terraform tflint l2
       working-directory: ./terraform/layer2-k8s
       run: tflint --no-color
+
+  terraform-tfsec-l1:
+    name: 'Terraform-tfsec-l1'
+    needs: terraform-validate
+    runs-on: ubuntu-latest
+    container:
+      image: tfsec/tfsec
+      options: --user root
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Download init for l1
+      uses: actions/download-artifact@v2
+      with:
+        name: l1
+        path: ./terraform/layer1-aws/.terraform
+    - name: tfsec l1
+      working-directory: ./terraform
+      run: tfsec layer1-aws
+    - uses: geekyeggo/delete-artifact@v1
+      with:
+        name: l1
+        failOnError: false
+      if: ${{ always() }}
+
+  terraform-tfsec-l2:
+    name: 'Terraform-tfsec-l2'
+    needs: terraform-validate
+    runs-on: ubuntu-latest
+    container:
+      image: tfsec/tfsec
+      options: --user root
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Download init for l2
+      uses: actions/download-artifact@v2
+      with:
+        name: l2
+        path: ./terraform/layer2-k8s/.terraform
+    - name: Terraform tfsec l2
+      working-directory: ./terraform
+      run: tfsec layer2-k8s
+    - uses: geekyeggo/delete-artifact@v1
+      with:
+        name: l2
+        failOnError: false
+      if: ${{ always() }}
+
diff --git a/README.md b/README.md
@@ -42,39 +42,51 @@ You can find more about this project in Anton Babenko stream:
 
 ## Table of contents
 
-- [Architecture diagram](#architecture-diagram)
-- [Current infrastructure cost](#current-infrastructure-cost)
-- [Namespace structure in the K8S cluster](#namespace-structure-in-the-k8s-cluster)
-- [Useful tools](#useful-tools)
-- [Useful VSCode extensions](#useful-vscode-extensions)
-- [AWS account](#aws-account)
-  - [IAM settings](#iam-settings)
-  - [Setting up awscli](#setting-up-awscli)
-- [How to use this repo](#how-to-use-this-repo)
-  - [Getting ready](#getting-ready)
-    - [S3 state backend](#s3-state-backend)
-    - [Secrets](#secrets)
-    - [Domain and SSL](#domain-and-ssl)
-  - [Working with terraform](#working-with-terraform)
-    - [init](#init)
-    - [plan](#plan)
-    - [apply](#apply)
-  - [terragrunt](#terragrunt)
-- [What to do after deployment](#what-to-do-after-deployment)
-  - [examples](#examples)
-- [Coding conventions](#coding-conventions)
-  - [Names and approaches used in code](#names-and-approaches-used-in-code)
-    - [Base project name](#base-project-name)
-    - [Unique prefix of resource names](#unique-prefix-of-resource-names)
-    - [Separators](#separators)
-    - [Resource names](#resource-names)
-    - [Variable names](#variable-names)
-    - [Output names](#output-names)
-  - [Names of terraform files, directories, and modules](#names-of-terraform-files-directories-and-modules)
-    - [General configuration files](#general-configuration-files)
-    - [Specific configuration files](#specific-configuration-files)
-    - [Modules](#modules)
-  - [Project structure](#project-structure)
+- [Boilerplate for a basic AWS infrastructure with EKS cluster](#boilerplate-for-a-basic-aws-infrastructure-with-eks-cluster)
+  - [Advantages of this boilerplate](#advantages-of-this-boilerplate)
+  - [Why you should use this boilerplate](#why-you-should-use-this-boilerplate)
+  - [Description](#description)
+  - [Table of contents](#table-of-contents)
+  - [Architecture diagram](#architecture-diagram)
+  - [Current infrastructure cost](#current-infrastructure-cost)
+  - [Namespace structure in the K8S cluster](#namespace-structure-in-the-k8s-cluster)
+  - [Useful tools](#useful-tools)
+  - [Useful VSCode extensions](#useful-vscode-extensions)
+  - [AWS account](#aws-account)
+    - [IAM settings](#iam-settings)
+    - [Setting up awscli](#setting-up-awscli)
+  - [How to use this repo](#how-to-use-this-repo)
+    - [Getting ready](#getting-ready)
+      - [S3 state backend](#s3-state-backend)
+      - [Inputs](#inputs)
+      - [Secrets](#secrets)
+      - [Domain and SSL](#domain-and-ssl)
+    - [Working with terraform](#working-with-terraform)
+      - [init](#init)
+      - [plan](#plan)
+      - [apply](#apply)
+    - [terragrunt](#terragrunt)
+      - [Apply infrastructure by layers with `terragrunt`](#apply-infrastructure-by-layers-with-terragrunt)
+      - [Target apply by `terragrunt`](#target-apply-by-terragrunt)
+      - [Destroy infrastructure by `terragrunt`](#destroy-infrastructure-by-terragrunt)
+  - [What to do after deployment](#what-to-do-after-deployment)
+  - [Update terraform version](#update-terraform-version)
+  - [Updated terraform providers](#updated-terraform-providers)
+    - [examples](#examples)
+  - [TFSEC](#tfsec)
+  - [Coding conventions](#coding-conventions)
+    - [Names and approaches used in code](#names-and-approaches-used-in-code)
+      - [Base project name](#base-project-name)
+      - [Unique prefix of resource names](#unique-prefix-of-resource-names)
+      - [Separators](#separators)
+      - [Resource names](#resource-names)
+      - [Variable names](#variable-names)
+      - [Output names](#output-names)
+    - [Names of terraform files, directories, and modules](#names-of-terraform-files-directories-and-modules)
+      - [General configuration files](#general-configuration-files)
+      - [Specific configuration files](#specific-configuration-files)
+      - [Modules](#modules)
+    - [Project structure](#project-structure)
 
 ## Architecture diagram
 
@@ -455,6 +467,18 @@ Each layer has an `examples/` directory that contains working examples that expa
 
 This will allow you to expand your basic functionality by launching a monitoring system based on ELK or Prometheus Stack, etc.
 
+## TFSEC
+We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below:
+
+| Layer         | Security issue           | Description    | Why skipped?    |
+|---------------|--------------------------|----------------|-----------------|
+| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) |
+| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types |
+| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. |
+| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere |
+| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere |
+| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) |
+
 ## Coding conventions
 
 This section contains the most basic recommendations for users and contributors on coding, naming, etc. The goal is consistent, standardized, readable code. Additions, suggestions and changes are welcome.
diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
@@ -23,6 +23,7 @@ locals {
   ]
 }
 
+#tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr tfsec:ignore:aws-vpc-no-public-egress-sgr
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "17.1.0"

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ locals {`
`23`	`23`	`]`
`24`	`24`	`}`
`25`	`25`
	`26`	`+#tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr tfsec:ignore:aws-vpc-no-public-egress-sgr`
`26`	`27`	`module "eks" {`
`27`	`28`	`source = "terraform-aws-modules/eks/aws"`
`28`	`29`	`version = "17.1.0"`