
WIP: Fixing tfsec issues

Open gruberdev opened this issue 4 years ago • 0 comments

  • [ ] Check1

    [GCP003][WARNING] Resource 'module.google_cloud:module.gcp_firewall:google_compute_firewall.allow_web' defines a fully open inbound firewall rule. /home/gruber/projects/tf-free/modules/gcp/firewall/main.tf:11

     8 |     ports    = ["80", "443"]
     9 |   }
    10 | 
    11 |   source_ranges = ["0.0.0.0/0"]
    12 |   target_tags   = ["web"]
    13 | }
    14 | 
    

    Impact: The port is exposed for ingress from the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/google/GCP003/ for more information.

  • [ ] Check2

    [AWS012][ERROR] Resource 'module.aws:module.ec2:aws_instance.ec2' has a public IP address associated. /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:47

    44 | 
    45 |   subnet_id                   = var.public_subnet_id
    46 |   vpc_security_group_ids      = [aws_security_group.security_group.id]
    47 |   associate_public_ip_address = true
    48 |   user_data                   = var.seed_data
    49 |   metadata_options {
    50 |     http_tokens = var.imds-enable
    

    Impact: The instance or configuration is publicly accessible
    Resolution: Set the instance to not be publicly accessible

    See https://tfsec.dev/docs/aws/AWS012/ for more information.

  • [ ] Check3

    [GEN001][WARNING] Variable 'module.aws:module.rds:variable.db_password' includes a potentially sensitive default value. /home/gruber/projects/tf-free/modules/aws/rds/variables.tf:45

    42 | variable "db_password" {
    43 |   description = "Region for AWS resources"
    44 |   sensitive   = true
    45 |   default     = "forALEKkjkfeajme"
    46 |   type        = string
    47 | }
    48 | 
    

    Impact: Default values could be exposing sensitive data
    Resolution: Don't include sensitive data in variable defaults

    See https://tfsec.dev/docs/general/GEN001/ for more information.

  • [ ] Check4

    [AZU017][ERROR] Resource 'module.google_cloud:module.gcp_vpc:azurerm_network_security_group.ssh' has a . /home/gruber/projects/tf-free/modules/azure/vpc/main.tf:13-29

    10 |   }
    11 | }
    12 | 
    13 | resource "azurerm_network_security_group" "ssh" {
    14 |   name                = "ssh"
    15 |   resource_group_name = var.resource_group_name
    16 |   location            = var.location
    17 |   security_rule {
    18 |     name                       = "test123"
    19 |     priority                   = 100
    20 |     direction                  = "Inbound"
    21 |     access                     = "Allow"
    22 |     protocol                   = "Tcp"
    23 |     source_port_range          = "*"
    24 |     destination_port_range     = "22"
    25 |     source_address_prefix      = "*"
    26 |     destination_address_prefix = "*"
    27 |   }
    28 | 
    29 | }
    30 | 
    31 | resource "azurerm_route_table" "example" {
    32 |   name                = "MyRouteTable"
    

    Impact: It's dangerous to allow SSH access from the internet
    Resolution: Block port 22 access from the internet

    See https://tfsec.dev/docs/azure/AZU017/ for more information.

  • [ ] Check5

    [GCP003][WARNING] Resource 'module.google_cloud:module.gcp_firewall:google_compute_firewall.allow_ssh' defines a fully open inbound firewall rule. /home/gruber/projects/tf-free/modules/gcp/firewall/main.tf:24

    21 |     ports    = ["22"]
    22 |   }
    23 | 
    24 |   source_ranges = ["0.0.0.0/0"]
    25 |   target_tags   = ["ssh"]
    26 | }
    27 | 
    

    Impact: The port is exposed for ingress from the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/google/GCP003/ for more information.

  • [ ] Check6

    [AZU017][ERROR] Resource 'module.aws:module.vpc:azurerm_network_security_group.ssh' has a . /home/gruber/projects/tf-free/modules/azure/vpc/main.tf:13-29

    10 |   }
    11 | }
    12 | 
    13 | resource "azurerm_network_security_group" "ssh" {
    14 |   name                = "ssh"
    15 |   resource_group_name = var.resource_group_name
    16 |   location            = var.location
    17 |   security_rule {
    18 |     name                       = "test123"
    19 |     priority                   = 100
    20 |     direction                  = "Inbound"
    21 |     access                     = "Allow"
    22 |     protocol                   = "Tcp"
    23 |     source_port_range          = "*"
    24 |     destination_port_range     = "22"
    25 |     source_address_prefix      = "*"
    26 |     destination_address_prefix = "*"
    27 |   }
    28 | 
    29 | }
    30 | 
    31 | resource "azurerm_route_table" "example" {
    32 |   name                = "MyRouteTable"
    

    Impact: It's dangerous to allow SSH access from the internet
    Resolution: Block port 22 access from the internet

    See https://tfsec.dev/docs/azure/AZU017/ for more information.

  • [ ] Check7

    [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group. /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:11

     8 |     from_port   = 22
     9 |     to_port     = 22
    10 |     protocol    = "tcp"
    11 |     cidr_blocks = ["0.0.0.0/0"]
    12 |   }
    13 | 
    14 |   ingress {
    

    Impact: The port is exposed for ingress from the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/aws/AWS008/ for more information.

  • [ ] Check8

    [AWS009][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open egress security group. /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:32

    29 |     from_port   = 0
    30 |     to_port     = 0
    31 |     protocol    = "-1"
    32 |     cidr_blocks = ["0.0.0.0/0"]
    33 |   }
    34 | 
    35 |   tags = {
    

    Impact: The port is exposed for egressing data to the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/aws/AWS009/ for more information.

  • [ ] Check9

    [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group. /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:18

    15 |     from_port   = 80
    16 |     to_port     = 80
    17 |     protocol    = "tcp"
    18 |     cidr_blocks = ["0.0.0.0/0"]
    19 |   }
    20 | 
    21 |   ingress {
    

    Impact: The port is exposed for ingress from the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/aws/AWS008/ for more information.

  • [ ] Check10

    [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group. /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:25

    22 |     from_port   = 443
    23 |     to_port     = 443
    24 |     protocol    = "tcp"
    25 |     cidr_blocks = ["0.0.0.0/0"]
    26 |   }
    27 | 
    28 |   egress {
    

    Impact: The port is exposed for ingress from the internet
    Resolution: Set a more restrictive CIDR range

    See https://tfsec.dev/docs/aws/AWS008/ for more information.

  • [ ] Check11

    [GEN001][WARNING] Variable 'module.aws:variable.rds_password' includes a potentially sensitive default value. /home/gruber/projects/tf-free/modules/aws/variables.tf:49

    46 |   description = "Region for the RDS database"
    47 |   type        = string
    48 |   sensitive   = true
    49 |   default     = "testingdatabase89372934279"
    50 | }
    51 | 
    

    Impact: Default values could be exposing sensitive data
    Resolution: Don't include sensitive data in variable defaults

    See https://tfsec.dev/docs/general/GEN001/ for more information.

    times

    disk i/o           42.8751ms
    parsing HCL        301.9µs
    evaluating values  72.4109ms
    running checks     17.7196ms

    counts

    files loaded       63
    blocks             30
    evaluated blocks   602
    modules            18
    module blocks      572
    ignored checks     0

11 potential problems detected.

gruberdev · Aug 07 '21 19:08
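The hardened form of each resource tfsec flagged above, as an added example that is not tf-free's own code: SSH ingress is limited to administrator ranges (GCP003, AWS008, AZU017), egress is scoped (AWS009), the instance gets no public address and requires IMDSv2 (AWS012), and the database password variable carries no default (GEN001). Variable names such as `var.admin_cidrs`, `var.network`, `var.vpc_id`, `var.vpc_cidr`, `var.lb_security_group_id`, `var.private_subnet_id`, `var.ami` and `var.instance_type` are assumptions for the example, not names from the repository.

```hcl
# Added example, not tf-free code. var.admin_cidrs, var.network, var.vpc_id,
# var.vpc_cidr, var.lb_security_group_id, var.private_subnet_id, var.ami and
# var.instance_type are assumed inputs.

variable "admin_cidrs" {
  description = "CIDR ranges allowed to reach SSH (VPN or bastion egress ranges)"
  type        = list(string)
}

# GCP003: a specific list of source ranges instead of ["0.0.0.0/0"]
resource "google_compute_firewall" "allow_ssh" {
  name    = "allow-ssh"
  network = var.network

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = var.admin_cidrs
  target_tags   = ["ssh"]
}

# AWS008 / AWS009: every ingress and egress rule names a bounded source/destination
resource "aws_security_group" "security_group" {
  name   = "web"
  vpc_id = var.vpc_id

  ingress {
    description = "SSH from admin ranges only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  # Web traffic comes in through a load balancer, so the host only needs to
  # accept 443 from the load balancer's security group, not from the internet.
  ingress {
    description     = "HTTPS from the load balancer"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.lb_security_group_id]
  }

  # Egress stays inside the VPC (NAT/proxy or VPC endpoints handle the rest).
  egress {
    description = "Outbound to VPC only"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]
  }
}

# AWS012: private subnet, no public IP, IMDSv2 enforced; reach it via SSM or a bastion
resource "aws_instance" "ec2" {
  ami                         = var.ami
  instance_type               = var.instance_type
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.security_group.id]
  associate_public_ip_address = false
  user_data                   = var.seed_data

  metadata_options {
    http_tokens = "required"
  }
}

# AZU017: source_address_prefixes (a list) replaces source_address_prefix = "*"
resource "azurerm_network_security_group" "ssh" {
  name                = "ssh"
  resource_group_name = var.resource_group_name
  location            = var.location

  security_rule {
    name                       = "allow-ssh-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefixes    = var.admin_cidrs
    destination_address_prefix = "*"
  }
}

# GEN001: no default; the value arrives from TF_VAR_db_password or a tfvars
# file that is kept out of version control.
variable "db_password" {
  description = "Master password for the RDS instance"
  type        = string
  sensitive   = true
}
```

Where a world-open port is genuinely intended (a public web host answering on 80/443 with no load balancer in front), suppress the finding on that block with tfsec's inline `#tfsec:ignore:GCP003` or `#tfsec:ignore:AWS008` comment rather than loosening the rule elsewhere, so the exception is recorded next to the resource it applies to; Check4 and Check6 are the same Azure NSG reported under two module paths, so one fix in `modules/azure/vpc/main.tf` clears both.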