Add tfsec

jupyterhub · Jun 30, 2023 · d8168e0 · d8168e0
1 parent 5ac3a89
commit d8168e0
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 15 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -24,13 +24,19 @@ jobs:
           python-version-file: ".python-version"
 
       - name: Install dependencies
-        run: pip install pre-commit
+        run: |
+          pip install pre-commit
+          TFBIN="$GITHUB_WORKSPACE/bin"
+          mkdir "$TFBIN"
+          curl -sfLo $TFBIN/tfsec https://github.com/aquasecurity/tfsec/releases/download/v1.28.1/tfsec-linux-amd64
+          chmod +x $TFBIN/tfsec
+          echo "$TFBIN" >> $GITHUB_PATH
 
       # https://github.com/terraform-linters/setup-tflint
       - name: Install tflint
         uses: terraform-linters/setup-tflint@v3.0.0
         with:
-          tflint_version: v0.46.1
+          tflint_version: v0.47.0
 
       - name: Run terraform pre-commit
         run: pre-commit run --all --config .pre-commit-config-terraform.yaml
diff --git a/.pre-commit-config-terraform.yaml b/.pre-commit-config-terraform.yaml
@@ -7,14 +7,16 @@
 # Prerequisites:
 # - terraform
 # - tflint
+# - tfsec
 
 # Currently only aws/curvenote is checked
 files: "^terraform/aws/curvenote/"
 repos:
   # We can't run any CI tests on production Terraform code, so use as many static linters as possible
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.80.0
+    rev: v1.81.0
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint
+      - id: terraform_tfsec
       - id: terraform_validate
diff --git a/terraform/aws/curvenote/eks-cluster.tf b/terraform/aws/curvenote/eks-cluster.tf
@@ -14,6 +14,9 @@ locals {
 }
 
 # This assumes the EKS service linked role is already created (or the current user has permissions to create it)
+#tfsec:ignore:aws-eks-no-public-cluster-access
+#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
+#tfsec:ignore:aws-ec2-no-public-egress-sgr
 module "eks" {
   source          = "terraform-aws-modules/eks/aws"
   version         = "19.15.3"

diff --git a/terraform/aws/curvenote/security-groups.tf b/terraform/aws/curvenote/security-groups.tf
@@ -3,32 +3,36 @@
 resource "aws_security_group" "worker_group_all" {
   name_prefix = "worker_group_all_ports"
   vpc_id      = module.vpc.vpc_id
-
+  description = "Allow all ports for worker group"
 
   ingress {
-    protocol  = "-1"
-    from_port = 0
-    to_port   = 0
-    self      = true
+    description = "Allow all inbound traffic"
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    self        = true
   }
   egress {
-    protocol  = "-1"
-    from_port = 0
-    to_port   = 0
+    description = "Allow all outbound traffic"
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
     # self      = true
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-egress-sgr
   }
 
 }
 
 resource "aws_security_group" "all_worker_mgmt" {
   name_prefix = "all_worker_management"
   vpc_id      = module.vpc.vpc_id
+  description = "Worker nodes internal access"
 
   ingress {
-    from_port = 22
-    to_port   = 22
-    protocol  = "tcp"
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
 
     cidr_blocks = [
       "10.0.0.0/8",

diff --git a/terraform/aws/curvenote/vpc.tf b/terraform/aws/curvenote/vpc.tf
@@ -1,5 +1,7 @@
 # data "aws_availability_zones" "available" {}
 
+#tfsec:ignore:aws-ec2-no-public-ip-subnet
+#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "5.0.0"