ECS Service Without Running Tasks Terraform Security Query False Positive Result
Expected Behavior
A new implementation of the query is suggested, because searching for the `deployment_maximum_percent` and `deployment_minimum_healthy_percent` strings is not sufficient. The new query should instead check whether the `desired_count` parameter equals 0 and `scheduling_strategy` is not `DAEMON`.
Actual Behavior
The ECS Service Without Running Tasks query flags a false positive on line 94, even though the `aws_ecs_service` resource reported there sets `desired_count = 1`.
{
"query_name": "ECS Service Without Running Tasks",
"query_id": "91f16d09-689e-4926-aca7-155157f634ed",
"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service",
"severity": "MEDIUM",
"platform": "Terraform",
"cloud_provider": "AWS",
"category": "Availability",
"description": "ECS Service should have at least 1 task running",
"description_id": "8bcc00c2",
"files": [
{
"file_name": "../../path/main.tf",
"similarity_id": "df9b435932de7ca1ba4ee7426ab698ac3b874a305369a94a900ccc8c1ad62e10",
"line": 94,
"resource_type": "aws_ecs_service",
"resource_name": "km_ecs_service_${var.environment}",
"issue_type": "IncorrectValue",
"search_key": "aws_ecs_service[km_ecs_service]",
"search_line": 0,
"search_value": "",
"expected_value": "'aws_ecs_service[km_ecs_service]' has at least 1 task running'",
"actual_value": "'aws_ecs_service[km_ecs_service]' must have at least 1 task running"
}
]
},
Steps to Reproduce the Problem
- Run KICS Scan
docker run -v /path/folder:/path checkmarx/kics:v1.6.1 scan -p /path/sample.tf
Sample file (`sample.tf`) used to reproduce the problem:
# Renders the container-definitions JSON consumed by aws_ecs_task_definition.km_ecs_task.
# NOTE(review): `template_file` comes from the archived hashicorp/template provider;
# the built-in templatefile() function is the supported replacement, but switching
# would change the `data.template_file.km_ecs_template.rendered` reference used below.
data "template_file" "km_ecs_template" {
  # Values substituted into task-definitions.json: REGION and ENVIRONMENT come from
  # input variables, LOG_GROUP from the log group declared later in this file.
  vars = {
    REGION      = var.region
    ENVIRONMENT = var.environment
    LOG_GROUP   = aws_cloudwatch_log_group.km_log_group.name
  }

  template = file("./modules/compute/task-definitions.json")
}
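# Execution role assumed by the ECS agent on behalf of the task (image pull, log
# delivery, secret retrieval). The trust policy restricts sts:AssumeRole to the
# ecs-tasks service principal only.
resource "aws_iam_role" "km_ecs_task_execution_role" {
  name = "km_ecs_task_execution_role_${var.environment}"

  # Heredoc body kept byte-for-byte: `<<EOF` (not `<<-EOF`) preserves leading
  # whitespace in the policy document, so re-indenting it would alter the stored string.
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF

  # Fix: the tag key was lower-case `name`, unlike every other resource in this
  # file, so this role carried no `Name` tag at all.
  tags = merge(var.default_tags, {
    Name = "km_ecs_task_execution_role_${var.environment}"
  })
}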
# Customer-managed policy attached to the execution role so the ECS agent can
# resolve secrets/parameters referenced by the task definition.
resource "aws_iam_policy" "km_ssm_secrets_policy" {
name = "km_ssm_secrets_policy_${var.environment}"
description = "Kai Monkey SSM Secrets Policy"
# NOTE(review): both statements use "Resource": "*". That grants
# secretsmanager:GetSecretValue on every secret in the account, and kms:Decrypt
# with every KMS key the account can reach, to whoever holds this role. Least
# privilege would list the specific secret/parameter ARNs the task needs and the
# single key that encrypts them. Because this is the execution role's policy and
# the task definition below sets no task_role_arn, this is also the only IAM
# identity in play for the service — confirm whether application code relies on it.
# (Comments must stay outside the heredoc: a `#` line inside it would become
# part of the policy document.)
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KaiMonkeySSMSecretsPolicyGet",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
},
{
"Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": "*"
}
]
}
EOF
}
# Attaches the AWS-managed execution-role policy (ECR image pull and CloudWatch
# Logs delivery) to the execution role declared above.
resource "aws_iam_role_policy_attachment" "km_ecs_task_exec_role_policy_attach" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  role       = aws_iam_role.km_ecs_task_execution_role.name
}
# Attaches the customer-managed secrets policy (km_ssm_secrets_policy) to the
# same execution role, widening it beyond the AWS-managed baseline.
resource "aws_iam_role_policy_attachment" "km_ssm_secrets_policy_policy_attach" {
  policy_arn = aws_iam_policy.km_ssm_secrets_policy.arn
  role       = aws_iam_role.km_ecs_task_execution_role.name
}
# Cluster that hosts km_ecs_service. No `setting` block is declared, so Container
# Insights (per-service CPU/memory/task metrics) stays at the account default,
# i.e. disabled unless the account has opted in.
resource "aws_ecs_cluster" "km_ecs_cluster" {
  # Note the hyphen before the environment; every other name in this file uses "_".
  name = "km_ecs_cluster-${var.environment}"

  tags = merge(var.default_tags, {
    Name = "km_ecs_cluster_${var.environment}"
  })
}
# Fargate task definition for the km service; container definitions are rendered
# from task-definitions.json by the template_file data source at the top of the file.
resource "aws_ecs_task_definition" "km_ecs_task" {
  family                   = "km_ecs_task_${var.environment}"
  requires_compatibilities = ["FARGATE"]
  # awsvpc is the only network mode Fargate supports; each task gets its own ENI.
  network_mode = "awsvpc"

  # Task size (CPU units / MiB) — must be one of the Fargate-supported pairings.
  cpu    = 512
  memory = 1024

  # Role the ECS agent uses for image pull, logging and secret retrieval.
  # NOTE(review): no task_role_arn is set, so code running inside the container
  # has no IAM identity of its own — confirm the application needs none.
  execution_role_arn    = aws_iam_role.km_ecs_task_execution_role.arn
  container_definitions = data.template_file.km_ecs_template.rendered

  tags = merge(var.default_tags, {
    Name = "km_ecs_task_${var.environment}"
  })
}
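# ECS service that keeps one copy of km_ecs_task running behind the load balancer.
# This is the resource the issue's KICS result points at: desired_count is 1, so
# the "without running tasks" finding is a false positive. deployment_minimum_healthy_percent
# and deployment_maximum_percent are deliberately left at their defaults, because
# the absence of those strings is what the current query keys on.
resource "aws_ecs_service" "km_ecs_service" {
  name            = "km_ecs_service_${var.environment}"
  cluster         = aws_ecs_cluster.km_ecs_cluster.id
  task_definition = aws_ecs_task_definition.km_ecs_task.arn
  launch_type     = "FARGATE"
  desired_count   = 1

  network_configuration {
    subnets = var.private_subnet
    # NOTE(review): a public IP is requested on subnets the variable calls
    # "private"; without an internet-gateway route the address is unreachable
    # anyway, and tasks fronted by a load balancer rarely need one. Confirm, and
    # prefer false with NAT or VPC endpoints for image pulls.
    assign_public_ip = true
    # NOTE(review): the tasks reuse the load balancer's security group, so every
    # ingress rule written for the ELB also applies directly to the task ENIs. A
    # dedicated task SG allowing only the ELB's SG as source would be tighter.
    security_groups = [var.elb_sg]
  }

  load_balancer {
    target_group_arn = var.elb_target_group_arn
    container_name   = "km-frontend"
    container_port   = 80
  }

  # Fix: every other resource in this file carries a Name tag; the service's
  # merge() was empty, so it had none.
  tags = merge(var.default_tags, {
    Name = "km_ecs_service_${var.environment}"
  })
}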
# Log destination handed to the task-definition template via the LOG_GROUP variable.
resource "aws_cloudwatch_log_group" "km_log_group" {
  name = "km_log_group_${var.environment}"

  # NOTE(review): logs are discarded after one day, which leaves very little to
  # investigate an incident with. No kms_key_id is set either, so the group uses
  # CloudWatch's default encryption rather than a customer-managed key.
  retention_in_days = 1

  tags = merge(var.default_tags, {
    Name = "km_log_group_${var.environment}"
  })
}
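# Standalone EC2 host in the first public subnet (its purpose is not stated in the sample).
resource "aws_instance" "km_vm" {
  ami           = data.aws_ami.ubuntu_ami.id # data source declared outside this sample
  instance_type = "t2.micro"
  subnet_id     = var.public_subnet[0]

  # NOTE(review): shares the load balancer's security group, so the ELB's ingress
  # rules apply to this host as well; a host-specific SG is preferable.
  vpc_security_group_ids = [var.elb_sg]

  # Fix: require IMDSv2. No iam_instance_profile is attached here, but making the
  # session token mandatory is the baseline so that attaching a role later does
  # not expose its credentials to plain, unauthenticated metadata requests.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = merge(var.default_tags, {
    Name = "km_vm_${var.environment}"
  })
}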