157 changes: 130 additions & 27 deletions main.tf
@@ -1,45 +1,148 @@
resource "aws_s3_bucket" "bad_bucket" {
bucket = "prisma-cloud-test-bucket"
acl = "private"
locals {
eks_name = {
value = "${local.resource_prefix.value}-eks"
}
}

data aws_iam_policy_document "iam_policy_eks" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["eks.amazonaws.com"]
}
}
}

resource aws_iam_role "iam_for_eks" {
name = "${local.resource_prefix.value}-iam-for-eks"
assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json
tags = {
Name = "PrismaCloudTestBucket"
Environment = "Test"
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "de052596-21a0-43de-8153-469add277b18"
}
}

resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.iam_for_eks.name
}

resource "aws_s3_bucket" "bad_bucket_log_bucket" {
bucket = "bad_bucket-log-bucket"
resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.iam_for_eks.name
}

resource "aws_s3_bucket_logging" "bad_bucket" {
bucket = aws_s3_bucket.bad_bucket.id
target_bucket = aws_s3_bucket.bad_bucket_log_bucket.id
target_prefix = "log/"
resource aws_vpc "eks_vpc" {


LOW  AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.eks_vpc | Checkov ID: CKV2_AWS_12

How to Fix

resource "aws_vpc" "issue_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.issue_vpc.id

-  ingress {
-    protocol  = "-1"
-    self      = true
-    from_port = 0
-    to_port   = 0
-  }

-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group.
If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group.
Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.
We recommend that your default security group restricts all inbound and outbound traffic.
The default VPC in every region should have its default security group updated to comply with this recommendation.
Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups.
This in turn reduces the exposure of those resources.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly. VPC flow logging can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering, discovering the minimum ports required by systems in the environment.
Even if the VPC flow logging recommendation described is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

cidr_block = "10.10.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = merge({
Name = "${local.resource_prefix.value}-eks-vpc"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "1600ca6c-72f6-45c0-a71d-88e117e51d6b"
})
}

resource aws_subnet "eks_subnet1" {


LOW  AWS VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.eks_subnet1 | Checkov ID: CKV_AWS_130

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic.
Automatically assigning a public IP to instances in the subnet (on launch) can accidentally expose those instances to the internet, and the setting should be changed to 'No' after the subnet is created.

vpc_id = aws_vpc.eks_vpc.id
cidr_block = "10.10.10.0/24"
availability_zone = "${var.region}a"
map_public_ip_on_launch = true
tags = merge({
Name = "${local.resource_prefix.value}-eks-subnet"
"kubernetes.io/cluster/${local.eks_name.value}" = "shared"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
yor_trace = "1fb4fa23-a5d6-4d6a-b7dc-88749383f48d"
}, {
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
}, {
"kubernetes.io/cluster/$$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
})
}

resource "aws_security_group" "bad_security_group" {
name = "prisma-cloud-test-sg"
description = "Allow all inbound traffic"
resource aws_subnet "eks_subnet2" {


LOW  AWS VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.eks_subnet2 | Checkov ID: CKV_AWS_130

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic.
Automatically assigning a public IP to instances in the subnet (on launch) can accidentally expose those instances to the internet, and the setting should be changed to 'No' after the subnet is created.

vpc_id = aws_vpc.eks_vpc.id
cidr_block = "10.10.11.0/24"
availability_zone = "${var.region}b"
map_public_ip_on_launch = true
tags = merge({
Name = "${local.resource_prefix.value}-eks-subnet2"
"kubernetes.io/cluster/${local.eks_name.value}" = "shared"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
yor_trace = "9ce04af2-5321-4e6c-a262-e4d7c1f69525"
}, {
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
}, {
"kubernetes.io/cluster/$$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
})
}

ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"] # This is a misconfiguration (open to the world)
}
resource aws_eks_cluster "eks_cluster" {


MEDIUM  AWS EKS cluster does not have secrets encryption enabled
    Resource: aws_eks_cluster.eks_cluster | Checkov ID: CKV_AWS_58

How to Fix

resource "aws_eks_cluster" "example" {
  ...
  encryption_config {
+    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.example.arn
    }
  }
  ...
}

Description

This policy identifies AWS EKS clusters that do not have secrets encryption enabled. AWS EKS cluster secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with direct access to etcd or with API access can retrieve or modify the secrets. Using secrets encryption for your Amazon EKS cluster allows you to protect sensitive information such as passwords and API keys using Kubernetes-native APIs. It is recommended to enable secrets encryption to ensure its security and reduce the risk of unauthorized access or data breaches.


LOW  AWS EKS cluster endpoint access publicly enabled
    Resource: aws_eks_cluster.eks_cluster | Checkov ID: CKV_AWS_39

How to Fix

resource "aws_eks_cluster" "disabled" {
  name     = "example"
  role_arn = "aws_iam_role.arn"

  vpc_config {
    subnet_ids = ["subnet-12345"]

    endpoint_public_access = False
  }
}

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster.
This API server endpoint is public to the internet by default.
Access to it should be regulated using AWS IAM and native Kubernetes RBAC.
We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC.
If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.


LOW  AWS EKS cluster security group overly permissive to all traffic
    Resource: aws_eks_cluster.eks_cluster | Checkov ID: CKV_AWS_38

How to Fix

##Option 1
resource "aws_eks_cluster" "disabled" {
  name     = "example"
  role_arn = "aws_iam_role.arn"

  vpc_config {
    subnet_ids = ["subnet-12345"]

    endpoint_public_access = False
  }

##Option 2:
resource "aws_eks_cluster" "restricted" {
  name     = "example"
  role_arn = "aws_iam_role.arn"

  vpc_config {
    subnet_ids = ["subnet-12345"]

    public_access_cidrs = ["10.0.0.0/16"]
  }
}
}

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster.
By default, this API server endpoint is public to the internet.
Access to it should be regulated using AWS IAM and native Kubernetes RBAC.
We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC.
If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.
Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.

name = local.eks_name.value
role_arn = "${aws_iam_role.iam_for_eks.arn}"

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
vpc_config {
endpoint_private_access = true
subnet_ids = ["${aws_subnet.eks_subnet1.id}", "${aws_subnet.eks_subnet2.id}"]
}

depends_on = [
"aws_iam_role_policy_attachment.policy_attachment-AmazonEKSClusterPolicy",
"aws_iam_role_policy_attachment.policy_attachment-AmazonEKSServicePolicy",
]
tags = {
Name = "PrismaCloudTestSG"
Environment = "Test"
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "7fa14261-c18d-4fa2-aec4-746f6e64d2d3"
}
}

output "endpoint" {
value = "${aws_eks_cluster.eks_cluster.endpoint}"
}

output "kubeconfig-certificate-authority-data" {
value = "${aws_eks_cluster.eks_cluster.certificate_authority.0.data}"
}
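Review bot: The extra `"kubernetes.io/cluster/$${local.eks_name.value}"` keys (with two, three and four leading `$`) in the `merge()` calls of `eks_subnet1` and `eks_subnet2` appear to be literal, un-interpolated tag keys — in HCL `$${` is the escape for a literal `${` — so each subnet would carry several junk tags next to the intended `"kubernetes.io/cluster/${local.eks_name.value}"` key already present in the first map, and the later maps can be trimmed to just the `git_*` and `yor_trace` entries. Separately, `aws_eks_cluster.eks_cluster` sets `endpoint_private_access = true` but never enables control-plane logging, so API and audit events for the cluster are not shipped to CloudWatch; adding `enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]` inside that resource gives defenders the authentication and audit trail they need to investigate access to the cluster. The `depends_on` list on the same resource uses quoted resource addresses, which Terraform 0.12+ deprecates in favour of bare references such as `aws_iam_role_policy_attachment.policy_attachment-AmazonEKSClusterPolicy`, and the `"${...}"`-only interpolations on `role_arn`, `subnet_ids` and the two outputs can likewise be written as bare expressions.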