
[feature/asg_schedul] Feat: Added the autoscaling group schedule resour… #49

Merged
merged 21 commits into from
May 18, 2023

Conversation

vaibhav7797
Member

…ce in EKS managed and self managed tf code and updated the README.yaml

what

  • Added the Auto Scaling group schedule Terraform resource in EKS-managed and self-managed tf code.
  • Updated the README.yaml and README.md.

why

  • To schedule the Auto Scaling group start and stop at a scheduled time.
  • Updated the README.yaml with the Autoscaling schedule.
  • Added the README.md; it was not present in the module.

references

@vaibhav7797 vaibhav7797 added the enhancement New feature or request label May 11, 2023
@vaibhav7797 vaibhav7797 self-assigned this May 11, 2023
…rm fmt from the terraform.yml github action, not present autoscaling and fargate in eks module
…aml, updated the github workflows and updated the submodules latest tag in eks module.
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be access from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21  [   cidr_blocks       = ["0.0.0.0/0"]
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             443.308µs
  parsing              60.834278ms
  adaptation           358.207µs
  checks               11.135716ms
  total                72.771509ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  timings
  ──────────────────────────────────────────
  disk i/o             239.498µs
  parsing              188.848187ms
  adaptation           297.797µs
  checks               17.003936ms
  total                206.389418ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  timings
  ──────────────────────────────────────────
  disk i/o             336.917µs
  parsing              154.379053ms
  adaptation           346.217µs
  checks               17.010021ms
  total                172.072208ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  timings
  ──────────────────────────────────────────
  disk i/o             254.407µs
  parsing              85.95484ms
  adaptation           328.405µs
  checks               18.118061ms
  total                104.655713ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  timings
  ──────────────────────────────────────────
  disk i/o             678.438µs
  parsing              80.54033ms
  adaptation           595.434µs
  checks               16.371021ms
  total                98.185223ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

  timings
  ──────────────────────────────────────────
  disk i/o             229.302µs
  parsing              58.917197ms
  adaptation           290.503µs
  checks               17.411946ms
  total                76.848948ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.
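
The results above point at the cluster resource in main.tf and the node-group egress rule in security_groups.tf, not at the schedule resource this PR adds, and each of them has a configuration fix rather than a suppression. Added example, not the module's own code and not part of the bot's output: the cluster and the node-group egress written so that every check in the report passes. `var.enabled`, `var.endpoint_public_access`, `var.public_access_cidrs`, `var.enabled_cluster_log_types`, `var.kubernetes_version` and `aws_security_group.node_group` are the names visible in the scan; `var.cluster_name`, `var.cluster_role_arn`, `var.subnet_ids` and `var.vpc_cidr` are assumed and declared elsewhere.

```hcl
# Added example (not the module's code). Variables named in the scan output are
# reused; var.cluster_name, var.cluster_role_arn, var.subnet_ids and
# var.vpc_cidr are assumed to be declared elsewhere in the module.

variable "endpoint_public_access" {
  type    = bool
  default = false # the scanned module resolved this to true
}

# Only consulted when the public endpoint is on. The validation refuses the
# 0.0.0.0/0 value that produced the second CRITICAL result.
variable "public_access_cidrs" {
  type    = list(string)
  default = []
  validation {
    condition     = !contains(var.public_access_cidrs, "0.0.0.0/0")
    error_message = "public_access_cidrs must list specific CIDRs (office, VPN, CI egress), not 0.0.0.0/0."
  }
}

# tfsec raises one MEDIUM result per missing log type, which is why the report
# shows "5 similar results"; enabling all five clears them.
variable "enabled_cluster_log_types" {
  type    = list(string)
  default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

resource "aws_eks_cluster" "default" {
  count                     = var.enabled ? 1 : 0
  name                      = var.cluster_name
  role_arn                  = var.cluster_role_arn
  version                   = var.kubernetes_version
  enabled_cluster_log_types = var.enabled_cluster_log_types

  vpc_config {
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = var.endpoint_public_access
    # With the public endpoint off the CIDR list is unused; pass null so a later
    # flip back to public cannot silently reuse a stale, wide list.
    public_access_cidrs = var.endpoint_public_access ? var.public_access_cidrs : null
  }
}

# Node egress: instead of protocol -1 to 0.0.0.0/0, allow everything inside the
# VPC (control-plane ENIs, VPC interface endpoints, the VPC DNS resolver) ...
resource "aws_security_group_rule" "node_group_egress_vpc" {
  count             = var.enabled ? 1 : 0
  description       = "All egress inside the VPC: control plane ENIs, VPC endpoints, DNS"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = join("", aws_security_group.node_group.*.id)
}

# ... plus HTTPS to the regional S3 prefix list, which is where ECR serves
# image layers from when an S3 gateway endpoint is attached to the route table.
data "aws_region" "current" {}

data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_security_group_rule" "node_group_egress_s3" {
  count             = var.enabled ? 1 : 0
  description       = "HTTPS to the regional S3 prefix list (ECR image layers)"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
  security_group_id = join("", aws_security_group.node_group.*.id)
}
```

Restricting node egress to the VPC only works if everything the nodes must reach is inside it: VPC interface endpoints for ecr.api, ecr.dkr, sts, ec2 and logs (or a NAT or proxy route that is allowed deliberately), otherwise kubelet cannot pull the VPC CNI and kube-proxy images or register with the control plane. Keep `endpoint_private_access = true` when turning the public endpoint off; EKS requires at least one of the two endpoints to be enabled.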

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21  [   cidr_blocks       = ["0.0.0.0/0"]
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             242.407µs
  parsing              71.562365ms
  adaptation           298.311µs
  checks               17.355522ms
  total                89.458605ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Results #3-7 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             272.309µs
  parsing              129.621186ms
  adaptation           311.507µs
  checks               18.126946ms
  total                148.331948ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     111
  files read           11

  results
  ──────────────────────────────────────────
  passed               10
  ignored              0
  critical             2
  high                 0
  medium               5
  low                  0

  10 passed, 7 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Results #1-5 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             297.804µs
  parsing              166.001295ms
  adaptation           476.702µs
  checks               22.393935ms
  total                189.169736ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     111
  files read           11

  results
  ──────────────────────────────────────────
  passed               11
  ignored              0
  critical             0
  high                 0
  medium               5
  low                  0

  11 passed, 5 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access  #tfsec:ignore:aws_eks_cluster-endpoint_public_access (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs #tfsec:ignore:aws_eks_cluster-public-access-cidr
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Results #3-7 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types #tfsec:ignore:aws_eks_enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             232.102µs
  parsing              55.393443ms
  adaptation           297.904µs
  checks               17.429402ms
  total                73.352851ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               10
  ignored              0
  critical             2
  high                 0
  medium               5
  low                  0

  10 passed, 7 potential problem(s) detected.
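
In the run above the three `#tfsec:ignore:...` comments visible in the snippets (`aws_eks_cluster-endpoint_public_access`, `aws_eks_cluster-public-access-cidr`, `aws_eks_enabled_cluster_log_types`) had no effect: the summary still reports `ignored 0` and the same 2 critical and 5 medium results. tfsec keys a suppression on the check ID it prints on the `ID` line of each result, not on the Terraform attribute name, and the comment has to sit on the flagged line or on the line directly above it. Added example, not the module's code, using the attribute values from the scan; `var.subnet_ids` and the expiry date are assumptions.

```hcl
# Added example (not the module's code). Each #tfsec:ignore names the ID from
# the report's "ID" line and sits on the flagged line or the line directly
# above it. ":exp:YYYY-MM-DD" makes the exception lapse so the finding comes
# back instead of being hidden forever; the date is an assumption.

resource "aws_eks_cluster" "default" {
  count    = var.enabled ? 1 : 0
  name     = module.labels.id
  role_arn = join("", aws_iam_role.default.*.arn)
  version  = var.kubernetes_version

  # Clears all five "Control plane ... logging is not enabled" results at once.
  # Preferable: set the variable to all five log types and delete this line.
  #tfsec:ignore:aws-eks-enable-control-plane-logging:exp:2023-08-31
  enabled_cluster_log_types = var.enabled_cluster_log_types
  tags                      = module.labels.tags

  vpc_config {
    subnet_ids              = var.subnet_ids # assumed
    endpoint_private_access = true
    # Same-line form; matches "Public cluster access is enabled".
    endpoint_public_access = var.endpoint_public_access #tfsec:ignore:aws-eks-no-public-cluster-access:exp:2023-08-31
    # Line-above form; matches "Cluster allows access from a public CIDR".
    #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr:exp:2023-08-31
    public_access_cidrs = var.public_access_cidrs
  }
}
```

A suppressed result moves from the `critical` or `medium` row of the summary to the `ignored` row, so a run that still prints `ignored 0` means the comment did not match. An ignore records an accepted exception; it does not make the public endpoint or the open CIDR list any safer, and the expiry keeps it from outliving the reason it was added.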

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access  #tfsec:ignore:aws_eks_cluster-endpoint_public_access (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs #tfsec:ignore:aws_eks_cluster-public-access-cidr
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:22
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21    #tfsec:ignore:aws_security_group_rule-cidr_blocks  
   22  [   cidr_blocks       = ["0.0.0.0/0"] 
   23      security_group_id = join("", aws_security_group.node_group.*.id)
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types #tfsec:ignore:aws_eks_enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             261.007µs
  parsing              87.259887ms
  adaptation           310.306µs
  checks               14.099672ms
  total                101.930872ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:41
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   41  [     endpoint_public_access  = var.endpoint_public_access  (true)
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:43
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   43  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:22
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1"
   21    #tfsec:ignore:aws_security_group_rule-cidr_blocks  
   22  [   cidr_blocks       = ["0.0.0.0/0"] 
   23      security_group_id = join("", aws_security_group.node_group.*.id)
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-69
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   #tfsec:ignore:aws_eks_enabled_cluster_log_types
   33  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   34  │   tags                      = module.labels.tags
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-69 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             273.005µs
  parsing              128.386584ms
  adaptation           364.405µs
  checks               14.98522ms
  total                144.009214ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access     (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1" 
   21  [   cidr_blocks       = ["0.0.0.0/0"] 
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             212.698µs
  parsing              75.050421ms
  adaptation           317.398µs
  checks               16.630894ms
  total                92.211411ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

@clouddrove-ci
Member

Terraform Security Scan Failed

Show Output
Result #1 CRITICAL Public cluster access is enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:39
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   39  [     endpoint_public_access  = var.endpoint_public_access     (true)
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Cluster allows access from a public CIDR: 0.0.0.0/0. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:40
────────────────────────────────────────────────────────────────────────────────
   27    resource "aws_eks_cluster" "default" {
   ..  
   40  [     public_access_cidrs     = var.public_access_cidrs
   ..  
   66    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-no-public-cluster-access-to-cidr
      Impact EKS can be accessed from the internet
  Resolution Don't enable public access to EKS Clusters

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/no-public-cluster-access-to-cidr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  security_groups.tf:21
────────────────────────────────────────────────────────────────────────────────
   15    resource "aws_security_group_rule" "node_group" {
   16      count             = var.enabled ? 1 : 0
   17      description       = "Allow all egress traffic"
   18      from_port         = 0
   19      to_port           = 0
   20      protocol          = "-1" 
   21  [   cidr_blocks       = ["0.0.0.0/0"] 
   22      security_group_id = join("", aws_security_group.node_group.*.id)
   23      type              = "egress"
   24    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #4-8 MEDIUM Control plane scheduler logging is not enabled. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:27-66
────────────────────────────────────────────────────────────────────────────────
   27  ┌ resource "aws_eks_cluster" "default" {
   28  │   count                     = var.enabled ? 1 : 0
   29  │   name                      = module.labels.id
   30  │   role_arn                  = join("", aws_iam_role.default.*.arn)
   31  │   version                   = var.kubernetes_version  
   32  │   enabled_cluster_log_types = var.enabled_cluster_log_types
   33  │   tags                      = module.labels.tags
   34  │ 
   35  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:27-66 (aws_eks_cluster.default[0]) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-enable-control-plane-logging
      Impact Logging provides valuable information about access and usage
  Resolution Enable logging for the EKS control plane

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/eks/enable-control-plane-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             325.101µs
  parsing              61.577043ms
  adaptation           304.403µs
  checks               11.242418ms
  total                73.448965ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     110
  files read           11

  results
  ──────────────────────────────────────────
  passed               9
  ignored              0
  critical             3
  high                 0
  medium               5
  low                  0

  9 passed, 8 potential problem(s) detected.

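Both scan runs above report the same four tfsec check IDs against two resources, and the PR was merged with the three CRITICAL findings still open. The following is an added example of how those two resources look once each finding is cleared; it is not code from this PR or from the clouddrove module. Resource, variable and module names that appear in the scan output (aws_eks_cluster.default, aws_security_group_rule.node_group, aws_security_group.node_group, var.enabled, var.kubernetes_version, var.endpoint_public_access, module.labels) are reused as they appear there; var.subnet_ids, var.allowed_admin_cidrs, var.vpc_cidr and the S3 prefix-list lookup are assumptions introduced for the example.

```hcl
# Added example, not the module's own code. Assumed inputs: var.subnet_ids,
# var.allowed_admin_cidrs, var.vpc_cidr. Names taken from the tfsec output
# above are kept so the example maps one-to-one onto the findings.

variable "endpoint_public_access" {
  description = "Expose the API server on the internet. The scanned module defaults this to true; flip the default."
  type        = bool
  default     = false
}

variable "allowed_admin_cidrs" {
  description = "Operator egress CIDRs allowed to reach the public endpoint, if one is kept at all."
  type        = list(string)
  default     = []

  # Fail at plan time, not at scan time, if someone re-introduces the wildcard.
  validation {
    condition     = !contains(var.allowed_admin_cidrs, "0.0.0.0/0")
    error_message = "allowed_admin_cidrs must not contain 0.0.0.0/0 (tfsec aws-eks-no-public-cluster-access-to-cidr)."
  }
}

resource "aws_eks_cluster" "default" {
  count    = var.enabled ? 1 : 0
  name     = module.labels.id
  role_arn = join("", aws_iam_role.default.*.arn)
  version  = var.kubernetes_version
  tags     = module.labels.tags

  # aws-eks-enable-control-plane-logging: tfsec raised one MEDIUM per missing
  # log type, so enable all five explicitly instead of relying on a variable
  # whose default is empty. Audit and authenticator are the ones IR will want.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  vpc_config {
    subnet_ids = var.subnet_ids

    # aws-eks-no-public-cluster-access: reach the API server from inside the
    # VPC (bastion, VPN, Direct Connect) rather than over the internet.
    endpoint_private_access = true
    endpoint_public_access  = var.endpoint_public_access

    # aws-eks-no-public-cluster-access-to-cidr: only consulted when the public
    # endpoint is on. The provider fills in ["0.0.0.0/0"] when unset, so pin it
    # to operator addresses whenever the public endpoint is enabled.
    public_access_cidrs = var.endpoint_public_access ? var.allowed_admin_cidrs : null
  }
}

# aws-ec2-no-public-egress-sgr: scope worker egress instead of 0.0.0.0/0.
# Caveat: nodes still need ECR, S3, STS, EC2 and CloudWatch Logs to bootstrap
# and join the cluster; with egress pinned to the VPC CIDR those services must
# be reachable through VPC endpoints (interface endpoints answer from inside
# the VPC, the S3 gateway endpoint is covered by the prefix-list rule below).
data "aws_region" "current" {}

# AWS-managed prefix list for S3 in the current region (assumed lookup).
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_security_group_rule" "node_group" {
  count             = var.enabled ? 1 : 0
  description       = "Allow all egress inside the VPC (interface endpoints live here)"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = join("", aws_security_group.node_group.*.id)
}

resource "aws_security_group_rule" "node_group_s3" {
  count             = var.enabled ? 1 : 0
  description       = "HTTPS to S3 via the managed prefix list (image layers, bootstrap assets)"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
  security_group_id = join("", aws_security_group.node_group.*.id)
}
```

Two things worth checking before adopting this in a module like the one scanned: tfsec only evaluates public_access_cidrs when endpoint_public_access is true, so the CRITICAL CIDR finding disappears as soon as the endpoint is private, but the variable validation still stops a later PR from reintroducing the wildcard; and cutting worker egress to the VPC will break node bootstrap on any VPC that relies on a NAT gateway for ECR, STS and CloudWatch Logs, so either add those interface endpoints in the same change or keep a tfsec ignore on the egress rule with a written justification rather than silently merging over the finding.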
@themaniskshah themaniskshah merged commit c7ebd1c into master May 18, 2023
@delete-merged-branch delete-merged-branch bot deleted the feature/asg_schedule branch May 18, 2023 08:30