fix: (IAC-996) Remediate the critical security vulnerabilities (#311)

Author: riragh

Dockerfile

@@ -10,7 +10,8 @@ WORKDIR /viya4-iac-azure
 COPY --from=terraform /bin/terraform /bin/terraform
 COPY . .
 
-RUN apk --update --no-cache add git openssh \
+RUN apk update \
+  && apk --no-cache add git openssh \
   && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl /viya4-iac-azure/docker-entrypoint.sh \
   && mv ./kubectl /usr/local/bin/kubectl \

modules/kubeconfig/main.tf

@@ -5,24 +5,28 @@ locals {
   service_account_name        = "${var.prefix}-cluster-admin-sa"
   cluster_role_binding_name   = "${var.prefix}-cluster-admin-crb"
   service_account_secret_name = "${var.prefix}-sa-secret"
-}
-
-# Provider based kube config data/template/resources
-data "template_file" "kubeconfig_provider" {
-  count = var.create_static_kubeconfig ? 0 : 1
-  template = file("${path.module}/templates/kubeconfig-provider.tmpl")
 
-  vars = {
+  # Provider based kubeconfig: modules/kubeconfig/templates/kubeconfig-provider.tmpl
+  kubeconfig_provider = var.create_static_kubeconfig ? null : templatefile("${path.module}/templates/kubeconfig-provider.tmpl", {
     cluster_name = var.cluster_name
     endpoint     = var.endpoint
     ca_crt       = var.ca_crt
     client_crt   = var.client_crt
     client_key   = var.client_key
     token        = var.token
-  }
+  })
+
+  # Service Account based kubeconfig: modules/kubeconfig/templates/kubeconfig-sa.tmpl
+  kubeconfig_sa = var.create_static_kubeconfig ? templatefile("${path.module}/templates/kubeconfig-sa.tmpl", {
+    cluster_name = var.cluster_name
+    endpoint     = var.endpoint
+    name         = local.service_account_name
+    ca_crt       = base64encode(lookup(data.kubernetes_secret.sa_secret.0.data,"ca.crt", ""))
+    token        = lookup(data.kubernetes_secret.sa_secret.0.data,"token", "")
+    namespace    = var.namespace
+  }) : null
 }
 
-# Service Account based kube config data/template/resources
 data "kubernetes_secret" "sa_secret" {
   count = var.create_static_kubeconfig ? 1 : 0
   metadata {
@@ -33,22 +37,6 @@ data "kubernetes_secret" "sa_secret" {
   depends_on = [kubernetes_secret.sa_secret]
 }
 
-data "template_file" "kubeconfig_sa" {
-  count = var.create_static_kubeconfig ? 1 : 0
-  template = file("${path.module}/templates/kubeconfig-sa.tmpl")
-
-  vars = {
-    cluster_name = var.cluster_name
-    endpoint     = var.endpoint
-    name         = local.service_account_name
-    ca_crt       = base64encode(lookup(data.kubernetes_secret.sa_secret.0.data,"ca.crt", ""))
-    token        = lookup(data.kubernetes_secret.sa_secret.0.data,"token", "")
-    namespace    = var.namespace
-  }
-
-  depends_on = [data.kubernetes_secret.sa_secret]
-}
-
 # 1.24 change: Create service account secret
 resource "kubernetes_secret" "sa_secret" {
   count = var.create_static_kubeconfig ? 1 : 0
@@ -94,7 +82,7 @@ resource "kubernetes_cluster_role_binding" "kubernetes_crb" {
 
 # kube config file generation
 resource "local_file" "kubeconfig" {
-  content              = var.create_static_kubeconfig ? data.template_file.kubeconfig_sa.0.rendered : data.template_file.kubeconfig_provider.0.rendered
+  content              = var.create_static_kubeconfig ? local.kubeconfig_sa : local.kubeconfig_provider
   filename             = var.path
   file_permission      = "0644"
   directory_permission = "0755"

versions.tf

@@ -12,35 +12,31 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "1.5.0"
+      version = "2.38.0"
     }
     external = {
       source  = "hashicorp/external"
-      version = "2.1.0"
+      version = "2.3.1"
     }
     local = {
       source  = "hashicorp/local"
-      version = "2.1.0"
+      version = "2.4.0"
     }
     null = {
       source  = "hashicorp/null"
-      version = "3.1.0"
-    }
-    template = {
-      source  = "hashicorp/template"
-      version = "2.2.0"
+      version = "3.2.1"
     }
     tls = {
       source  = "hashicorp/tls"
-      version = "3.1.0"
+      version = "4.0.4"
     }
     cloudinit = {
       source  = "hashicorp/cloudinit"
-      version = "2.2.0"
+      version = "2.3.2"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.14.0"
+      version = "2.20.0"
     }
   }
 }

vms.tf

@@ -6,18 +6,13 @@ locals {
     ? ""
     : var.storage_type == "ha" ? module.netapp.0.netapp_endpoint : module.nfs.0.private_ip_address
   )
+
   rwx_filestore_path = (var.storage_type == "none"
     ? ""
     : var.storage_type == "ha" ? module.netapp.0.netapp_path : "/export"
   )
-}
-
-
-data "template_file" "jump-cloudconfig" {
-  template = file("${path.module}/files/cloud-init/jump/cloud-config")
-  count    = var.create_jump_vm ? 1 : 0
 
-  vars = {
+  jump_cloudconfig = var.create_jump_vm ? templatefile("${path.module}/files/cloud-init/jump/cloud-config", {
     mounts = (var.storage_type == "none"
       ? "[]"
       : jsonencode(
@@ -33,18 +28,24 @@ data "template_file" "jump-cloudconfig" {
     rwx_filestore_path      = local.rwx_filestore_path
     jump_rwx_filestore_path = var.jump_rwx_filestore_path
     vm_admin                = var.jump_vm_admin
-  }
+  }) : null
+
+  nfs_cloudconfig = var.storage_type == "standard" ? templatefile("${path.module}/files/cloud-init/nfs/cloud-config", {
+    aks_cidr_block  = module.vnet.subnets["aks"].address_prefixes.0
+    misc_cidr_block = module.vnet.subnets["misc"].address_prefixes.0
+    vm_admin        = var.nfs_vm_admin
+  }) : null
 }
 
-data "template_cloudinit_config" "jump" {
+data "cloudinit_config" "jump" {
   count = var.create_jump_vm ? 1 : 0
 
   gzip          = true
   base64_encode = true
 
   part {
     content_type = "text/cloud-config"
-    content      = data.template_file.jump-cloudconfig.0.rendered
+    content      = local.jump_cloudconfig
   }
 }
 
@@ -63,32 +64,22 @@ module "jump" {
   vm_zone           = var.jump_vm_zone
   fips_enabled      = var.fips_enabled
   ssh_public_key    = local.ssh_public_key
-  cloud_init        = data.template_cloudinit_config.jump.0.rendered
+  cloud_init        = data.cloudinit_config.jump.0.rendered
   create_public_ip  = var.create_jump_public_ip
 
   # Jump VM mounts NFS path hence dependency on 'module.nfs'
   depends_on = [module.vnet, module.nfs]
 }
 
-data "template_file" "nfs-cloudconfig" {
-  template = file("${path.module}/files/cloud-init/nfs/cloud-config")
-  count    = var.storage_type == "standard" ? 1 : 0
-  vars = {
-    aks_cidr_block  = module.vnet.subnets["aks"].address_prefixes.0
-    misc_cidr_block = module.vnet.subnets["misc"].address_prefixes.0
-    vm_admin        = var.nfs_vm_admin
-  }
-}
-
-data "template_cloudinit_config" "nfs" {
+data "cloudinit_config" "nfs" {
   count = var.storage_type == "standard" ? 1 : 0
 
   gzip          = true
   base64_encode = true
 
   part {
     content_type = "text/cloud-config"
-    content      = data.template_file.nfs-cloudconfig.0.rendered
+    content      = local.nfs_cloudconfig
   }
 }
 
@@ -108,7 +99,7 @@ module "nfs" {
   vm_zone                        = var.nfs_vm_zone
   fips_enabled                   = var.fips_enabled
   ssh_public_key                 = local.ssh_public_key
-  cloud_init                     = data.template_cloudinit_config.nfs.0.rendered
+  cloud_init                     = data.cloudinit_config.nfs.0.rendered
   create_public_ip               = var.create_nfs_public_ip
   data_disk_count                = 4
   data_disk_size                 = var.nfs_raid_disk_size