
feat: update github-action version and added automerge file #8

Merged
merged 5 commits into from
Jan 5, 2024

Conversation

theprashantyadav
Contributor

what

  • Describe high-level what changed as a result of these commits (i.e. in plain English, what do these changes mean?)
  • Use bullet points to be concise and to the point.

why

  • Provide the justifications for the changes (e.g. business case).
  • Describe why these changes were made (e.g. why do these commits fix the problem?)
  • Use bullet points to be concise and to the point.

references

  • Link to any supporting Jira issues or helpful documentation to add some context (e.g. Stack Overflow).
  • Use closes #123 if this PR closes Jira issue #123.

@clouddrove-ci clouddrove-ci self-assigned this Jan 4, 2024
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:27
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:34
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   34  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster storage does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:53
────────────────────────────────────────────────────────────────────────────────
   43    resource "aws_docdb_cluster" "this" {
   ..  
   53  [   storage_encrypted               = var.storage_encrypted (false)
   ..  
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-enable-storage-encryption
      Impact Unencrypted sensitive data is vulnerable to compromise.
  Resolution Enable storage encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/enable-storage-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Neither CloudWatch audit nor profiler log exports are enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:43-63
────────────────────────────────────────────────────────────────────────────────
   43  ┌ resource "aws_docdb_cluster" "this" {
   44  │   cluster_identifier              = var.database_name
   45  │   master_username                 = var.master_username
   46  │   master_password                 = length(var.master_password) == 0 ? random_password.master[0].result : var.master_password
   47  │   backup_retention_period         = var.retention_period
   48  │   preferred_backup_window         = var.preferred_backup_window
   49  │   final_snapshot_identifier       = lower(var.database_name)
   50  │   skip_final_snapshot             = var.skip_final_snapshot
   51  └   apply_immediately               = var.apply_immediately
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-enable-log-export
      Impact Limited visibility of audit trail for changes to the DocumentDB
  Resolution Enable export logs

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/enable-log-export/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports
────────────────────────────────────────────────────────────────────────────────


Result #5 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:23-28
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   23  ┌   ingress {
   24  │     from_port   = var.port
   25  │     to_port     = var.port
   26  │     protocol    = "tcp"
   27  │     cidr_blocks = ["0.0.0.0/0"]
   28  └   }
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:30-35
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   30  ┌   egress {
   31  │     from_port   = 0
   32  │     to_port     = 0
   33  │     protocol    = "-1"
   34  │     cidr_blocks = ["0.0.0.0/0"]
   35  └   }
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Cluster encryption does not use a customer-managed KMS key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:54
────────────────────────────────────────────────────────────────────────────────
   43    resource "aws_docdb_cluster" "this" {
   ..  
   54  [   kms_key_id                      = var.kms_key_id ("")
   ..  
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             66.334µs
  parsing              48.260388ms
  adaptation           178.022µs
  checks               3.357536ms
  total                51.86228ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           4

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             2
  high                 1
  medium               1
  low                  3

  1 passed, 7 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  1 passed, 7 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  1 passed, 7 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed
  total                104.602723ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           4

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             2
  high                 1
  medium               1
  low                  3

  1 passed, 7 potential problem(s) detected.

@clouddrove-ci

Terraform Security Scan Failed

Result #1 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:27
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:34
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   34  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster storage does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:53
────────────────────────────────────────────────────────────────────────────────
   43    resource "aws_docdb_cluster" "this" {
   ..  
   53  [   storage_encrypted               = var.storage_encrypted (false)
   ..  
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-enable-storage-encryption
      Impact Unencrypted sensitive data is vulnerable to compromise.
  Resolution Enable storage encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/enable-storage-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Neither CloudWatch audit nor profiler log exports are enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:43-63
────────────────────────────────────────────────────────────────────────────────
   43  ┌   resource "aws_docdb_cluster" "this" {
   44  │   cluster_identifier              = var.database_name
   45  │   master_username                 = var.master_username
   46  │   master_password                 = length(var.master_password) == 0 ? random_password.master[0].result : var.master_password
   47  │   backup_retention_period         = var.retention_period
   48  │   preferred_backup_window         = var.preferred_backup_window
   49  │   final_snapshot_identifier       = lower(var.database_name)
   50  │   skip_final_snapshot             = var.skip_final_snapshot
   51  └   apply_immediately               = var.apply_immediately
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-enable-log-export
      Impact Limited visibility of audit trail for changes to the DocumentDB
  Resolution Enable export logs

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/enable-log-export/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports
────────────────────────────────────────────────────────────────────────────────


Result #5 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:23-28
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   23  ┌   ingress {
   24  │     from_port   = var.port
   25  │     to_port     = var.port
   26  │     protocol    = "tcp"
   27  │     cidr_blocks = ["0.0.0.0/0"]
   28  └   }
   ..  
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:30-35
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_security_group" "this" {
   ..  
   30  ┌   egress {
   31  │     from_port   = 0
   32  │     to_port     = 0
   33  │     protocol    = "-1"
   34  │     cidr_blocks = ["0.0.0.0/0"]
   35  └   }
   36    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Cluster encryption does not use a customer-managed KMS key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:54
────────────────────────────────────────────────────────────────────────────────
   43    resource "aws_docdb_cluster" "this" {
   ..  
   54  [   kms_key_id                      = var.kms_key_id ("")
   ..  
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-documentdb-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/documentdb/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             71.152µs
  parsing              48.383887ms
  adaptation           204.13µs
  checks               3.613764ms
  total                52.272933ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           4

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             2
  high                 1
  medium               1
  low                  3

  1 passed, 7 potential problem(s) detected.

@themaniskshah themaniskshah merged commit 327bbb3 into master Jan 5, 2024
14 checks passed
@themaniskshah themaniskshah deleted the feat/automerge branch January 5, 2024 11:20