Conversation

@yadavprakash
Contributor

what

  • update module with latest changes
  • add acl resource
  • add cloudwatch flow log resource

why

  • acl deprecation warning showing
  • need cloudwatch logs group for vpc flow log
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:25-48
────────────────────────────────────────
25  resource "aws_vpc" "default" {
26    count               = var.enable ? 1 : 0
27    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
28    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
29    ipv4_netmask_length = var.ipv4_netmask_length
30    ipv6_cidr_block     = var.ipv6_cidr_block
31    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
32    ipv6_netmask_length = var.ipv6_netmask_length
33    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    162.401µs
  parsing     102.985864ms
  adaptation  112.601µs
  checks      20.482972ms
  total       123.743838ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    93
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:25-48
────────────────────────────────────────
25  resource "aws_vpc" "default" {
26    count               = var.enable ? 1 : 0
27    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
28    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
29    ipv4_netmask_length = var.ipv4_netmask_length
30    ipv6_cidr_block     = var.ipv6_cidr_block
31    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
32    ipv6_netmask_length = var.ipv6_netmask_length
33    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    151.006µs
  parsing     76.56701ms
  adaptation  96.002µs
  checks      13.387834ms
  total       90.201852ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:25-48
────────────────────────────────────────
25  resource "aws_vpc" "default" {
26    count               = var.enable ? 1 : 0
27    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
28    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
29    ipv4_netmask_length = var.ipv4_netmask_length
30    ipv6_cidr_block     = var.ipv6_cidr_block
31    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
32    ipv6_netmask_length = var.ipv6_netmask_length
33    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    114.4µs
  parsing     113.300611ms
  adaptation  86.4µs
  checks      14.698701ms
  total       128.200112ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:25-48
────────────────────────────────────────
25  resource "aws_vpc" "default" {
26    count               = var.enable ? 1 : 0
27    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
28    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
29    ipv4_netmask_length = var.ipv4_netmask_length
30    ipv6_cidr_block     = var.ipv6_cidr_block
31    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
32    ipv6_netmask_length = var.ipv6_netmask_length
33    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    132.297µs
  parsing     54.720944ms
  adaptation  85.099µs
  checks      13.603762ms
  total       68.542102ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
Comment on lines 7 to 19

module "vpc" {
  source                           = "../.."
  name                             = "vpc"
  environment                      = "example"
  cidr_block                       = "10.0.0.0/16"
  enable_flow_log                  = true
  flow_log_destination_type        = "s3"                      # Comment out or remove when the flow log destination is set to "cloud-watch-logs"
  flow_logs_bucket_name            = "gc-vpc-flow-logs-bucket" # Comment out or remove when the flow log destination is set to "cloud-watch-logs"
  # create_flow_log_cloudwatch_iam_role = true                 # Uncomment when the flow log destination is set to "cloud-watch-logs"
  additional_cidr_block            = ["172.3.0.0/16", "172.2.0.0/16"]
  dhcp_options_domain_name         = "service.consul"
  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
}

Check warning

Code scanning / defsec

S3 Bucket does not have logging enabled.

Bucket does not have logging enabled

Check warning

Code scanning / defsec

S3 Data should be versioned

Bucket does not have versioning enabled
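The two defsec findings above are raised against the S3 bucket the module creates for `flow_logs_bucket_name`, and the tfsec result is raised against the VPC itself until a flow log is attached. The following is an added example, not the clouddrove module's own code: a flow-log bucket definition that clears both defsec findings (versioning and server access logging, plus a public access block), and the CloudWatch Logs destination the PR adds, with the IAM role that the VPC Flow Logs service assumes. Bucket names, the log group name, the role name and the `aws_vpc.default[0]` reference (the page's VPC resource uses `count`) are assumptions; pick one of the two `aws_flow_log` resources, as the example comments in the reviewed snippet indicate.

```hcl
# Added example (not the module's own code). Names are placeholders.

# --- S3 destination: clears "logging not enabled" and "should be versioned" ---
resource "aws_s3_bucket" "flow_logs" {
  bucket = "example-vpc-flow-logs-bucket" # assumed name
}

resource "aws_s3_bucket_versioning" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  versioning_configuration {
    status = "Enabled" # defsec: S3 Data should be versioned
  }
}

resource "aws_s3_bucket" "access_logs" {
  bucket = "example-vpc-flow-logs-access-logs" # assumed name; receives S3 access logs
}

resource "aws_s3_bucket_logging" "flow_logs" {
  bucket        = aws_s3_bucket.flow_logs.id # defsec: bucket should have logging enabled
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "s3-access/"
}

resource "aws_s3_bucket_public_access_block" "flow_logs" {
  bucket                  = aws_s3_bucket.flow_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_flow_log" "s3" {
  vpc_id               = aws_vpc.default[0].id # assumes the count-based VPC from main.tf
  log_destination_type = "s3"
  log_destination      = aws_s3_bucket.flow_logs.arn
  traffic_type         = "ALL"
}

# --- CloudWatch Logs destination (what the PR adds) ---
resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/aws/vpc/flow-logs/example" # assumed name
  retention_in_days = 90
}

# Trust policy: only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "example-vpc-flow-logs-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: write access scoped to the single log group and its streams.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = ["${aws_cloudwatch_log_group.flow_logs.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "example-vpc-flow-logs-write"
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

resource "aws_flow_log" "cloudwatch" {
  vpc_id               = aws_vpc.default[0].id
  iam_role_arn         = aws_iam_role.flow_logs.arn
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow_logs.arn
  traffic_type         = "ALL"
}
```

Either `aws_flow_log` resource satisfies the tfsec check `aws-ec2-require-vpc-flow-logs-for-all-vpcs`; the CloudWatch path needs the role because the Flow Logs service writes on your behalf, whereas S3 delivery relies on a bucket policy instead. Rerunning tfsec and defsec after applying a change like this is the quickest confirmation that all three findings are gone.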
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:20-43
────────────────────────────────────────
20  resource "aws_vpc" "default" {
21    count               = var.enable ? 1 : 0
22    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
23    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
24    ipv4_netmask_length = var.ipv4_netmask_length
25    ipv6_cidr_block     = var.ipv6_cidr_block
26    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
27    ipv6_netmask_length = var.ipv6_netmask_length
28    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    147.404µs
  parsing     72.704509ms
  adaptation  107.903µs
  checks      13.188364ms
  total       86.14818ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:20-43
────────────────────────────────────────
20  resource "aws_vpc" "default" {
21    count               = var.enable ? 1 : 0
22    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
23    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
24    ipv4_netmask_length = var.ipv4_netmask_length
25    ipv6_cidr_block     = var.ipv6_cidr_block
26    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
27    ipv6_netmask_length = var.ipv6_netmask_length
28    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    728.608µs
  parsing     84.128697ms
  adaptation  93.501µs
  checks      8.644002ms
  total       93.594808ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 MEDIUM VPC Flow Logs is not enabled for VPC
────────────────────────────────────────
main.tf:20-43
────────────────────────────────────────
20  resource "aws_vpc" "default" {
21    count               = var.enable ? 1 : 0
22    cidr_block          = var.ipam_pool_enable ? null : var.cidr_block
23    ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
24    ipv4_netmask_length = var.ipv4_netmask_length
25    ipv6_cidr_block     = var.ipv6_cidr_block
26    ipv6_ipam_pool_id   = var.ipv6_ipam_pool_id
27    ipv6_netmask_length = var.ipv6_netmask_length
28    instance_tenancy    = var.instance_tenancy
    ..
────────────────────────────────────────
ID               aws-ec2-require-vpc-flow-logs-for-all-vpcs
Impact           Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
Resolution       Enable flow logs for VPC
More Information https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────
timings
  disk i/o    713.838µs
  parsing     116.283626ms
  adaptation  128.107µs
  checks      9.588913ms
  total       126.714484ms
counts
  modules downloaded  0
  modules processed   1
  blocks processed    94
  files read          4
results
  passed    2
  ignored   0
  critical  0
  high      0
  medium    1
  low       0
2 passed, 1 potential problem(s) detected.
@dverma-cd dverma-cd merged commit b350e0a into master Jul 26, 2023
@delete-merged-branch delete-merged-branch bot deleted the feat/issue-234-a branch July 26, 2023 13:17
7 participants