| Repository | cloudposse / terraform-aws-eks-cluster |
|---|---|
| Description | Terraform module for provisioning an EKS cluster |
| Stars | 467 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
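Running the scanner is only half of the CI step; the job also has to decide which findings block a merge and which are reviewed exceptions. The gate below is an added example written for this page (it is not code from cloudposse/terraform-aws-eks-cluster or from checkov): it reads checkov's `-o json` report, accepts a finding only when a (check, resource) pair is listed in an allowlist with a written reason, and exits non-zero otherwise. The report shape used (a list of per-framework objects with `results.failed_checks` and `summary`) follows checkov's JSON output as I know it, and the embedded report is constructed to mirror the two findings in the scan on this page. Note the "Failed to download module" warnings in that scan: without `--download-external-modules true` the nested label, vpc, subnets and node-group modules are not fetched, so only this module's own files and the example were scanned; the command in the comment adds the flag.

```python
"""Gate a CI job on checkov's JSON report with a reviewed allowlist.

Added example for this page; not code from cloudposse/terraform-aws-eks-cluster
or from checkov. The report layout assumed here (check_type /
results.failed_checks / summary) follows checkov's ``-o json`` output.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample of what
#   checkov -d examples/complete --download-external-modules true -o json
# might report for this scan, trimmed to the fields the gate reads.
SAMPLE_REPORT = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {
                    "check_id": "CKV_AWS_356",
                    "check_result": {"result": "FAILED"},
                    "file_path": "/iam.tf",
                    "file_line_range": [48, 74],
                    "resource": "module.eks_cluster.aws_iam_policy_document.cluster_elb_service_role",
                },
                {
                    "check_id": "CKV_AWS_339",
                    "check_result": {"result": "FAILED"},
                    "file_path": "/main.tf",
                    "file_line_range": [53, 113],
                    "resource": "module.eks_cluster.aws_eks_cluster.default",
                },
            ],
            "skipped_checks": [],
        },
        "summary": {"passed": 78, "failed": 2, "skipped": 5, "parsing_errors": 0},
    },
    {
        "check_type": "github_actions",
        "results": {"passed_checks": [], "failed_checks": [], "skipped_checks": []},
        "summary": {"passed": 40, "failed": 0, "skipped": 0, "parsing_errors": 0},
    },
])


@dataclass(frozen=True)
class Finding:
    framework: str
    check_id: str
    resource: str
    location: str


def load_findings(report_text):
    """Flatten one or many per-framework checkov reports into Finding objects."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    findings = []
    for rep in reports:
        for chk in rep.get("results", {}).get("failed_checks", []):
            lo, hi = (chk.get("file_line_range") or [0, 0])[:2]
            findings.append(Finding(rep.get("check_type", "?"), chk["check_id"],
                                    chk["resource"], f"{chk['file_path']}:{lo}-{hi}"))
    return findings


# Reviewed exceptions, keyed on (check, resource) rather than file:line so a
# refactor that moves code neither drops nor silently widens the exception.
# The reason text for CKV_AWS_356 is the module's own comment in the listing.
ALLOWLIST = {
    ("CKV_AWS_356", "module.eks_cluster.aws_iam_policy_document.cluster_elb_service_role"):
        "There is no workable constraint to add to this policy",
}


def gate(findings, allowlist):
    """Split findings into blocking / accepted; also report allowlist keys no finding uses."""
    blocking, accepted = [], []
    for f in findings:
        (accepted if (f.check_id, f.resource) in allowlist else blocking).append(f)
    seen = {(f.check_id, f.resource) for f in findings}
    stale = sorted(k for k in allowlist if k not in seen)
    return blocking, accepted, stale


def exit_code(report_text, allowlist=ALLOWLIST):
    """0 when every failed check is an accepted exception, 1 otherwise."""
    blocking, accepted, stale = gate(load_findings(report_text), allowlist)
    for f in accepted:
        print(f"ACCEPTED {f.check_id} {f.resource} ({f.location}): "
              f"{allowlist[(f.check_id, f.resource)]}")
    for f in blocking:
        print(f"BLOCKING {f.check_id} {f.resource} ({f.location})")
    for key in stale:
        print(f"WARNING stale allowlist entry {key}: remove it")
    return 1 if blocking else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    raise SystemExit(exit_code(text))
```

On the sample report the gate exits 1: CKV_AWS_356 is accepted with the module's stated reason, but CKV_AWS_339 (supported Kubernetes version) has no exception and blocks. That check compares the cluster's `version` argument against the Kubernetes versions EKS still supports; since checkov omitted the resource body from the output, review the version set in `/main.tf:53-113` and the value the example passes before deciding whether to pin a newer version or add a reviewed exception. Stale allowlist entries are printed as warnings rather than failures so that a check that stops firing does not break the build, but they should be cleaned up in the same change.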
Checkov Output
2023-10-05 14:45:42,037 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:42,037 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:42,037 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:2.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:42,037 [MainThread ] [WARNI] Failed to download module cloudposse/eks-node-group/aws:2.4.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 78, Failed checks: 2, Skipped checks: 5
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.eks_cluster.aws_iam_policy_document.cluster_elb_service_role
File: /iam.tf:48-74
Calling File: /examples/complete/main.tf:58-101
48 | data "aws_iam_policy_document" "cluster_elb_service_role" {
49 | count = local.create_eks_service_role ? 1 : 0
50 |
51 | statement {
52 | sid = "AllowElasticLoadBalancer"
53 | effect = "Allow"
54 | #bridgecrew:skip=BC_AWS_IAM_57:There is no workable constraint to add to this policy
55 | actions = [
56 | "ec2:DescribeAccountAttributes",
57 | "ec2:DescribeAddresses",
58 | "ec2:DescribeInternetGateways",
59 | "elasticloadbalancing:SetIpAddressType",
60 | "elasticloadbalancing:SetSubnets"
61 | ]
62 | resources = ["*"]
63 | }
64 | # Adding a policy to cluster IAM role that deny permissions to logs:CreateLogGroup
65 | # it is not needed since we create the log group elsewhere in this module, and it is causing trouble during "destroy"
66 | statement {
67 | sid = "DenyCreateLogGroup"
68 | effect = "Deny"
69 | actions = [
70 | "logs:CreateLogGroup"
71 | ]
72 | resources = ["*"]
73 | }
74 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: module.eks_cluster.aws_eks_cluster.default
File: /main.tf:53-113
Calling File: /examples/complete/main.tf:58-101
Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
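The CKV_AWS_356 finding above is worth reading precisely: the check looks only at Allow statements whose Resource is "*" and only counts actions that accept resource-level permissions, so a Deny on "*" (the DenyCreateLogGroup statement) never trips it, and EC2 Describe* calls, which AWS accepts only with Resource "*", are excluded. Two other details follow from the listing: the inline `#bridgecrew:skip=BC_AWS_IAM_57` comment targets a different check, and checkov still reported CKV_AWS_356, so that suppression does not cover this finding; a suppression aimed at it would use `#checkov:skip=CKV_AWS_356:<reason>` inside the data block, with the reason recorded. The script below is an added example written for this page, neither checkov's implementation nor code from the module: it applies that rule to a constructed JSON rendering of the cluster_elb_service_role document. `NON_RESTRICTABLE` is an illustrative subset I chose (checkov's own list of such actions is longer); with that subset, the two `elasticloadbalancing:Set*` actions are what remain flagged.

```python
"""Flag Allow statements that grant restrictable actions on Resource "*",
the condition behind CKV_AWS_356.

Added example for this page: neither checkov's implementation nor code from
cloudposse/terraform-aws-eks-cluster. POLICY is a constructed JSON rendering
of the cluster_elb_service_role document in the scan output. NON_RESTRICTABLE
is an illustrative subset (assumption): AWS accepts only "*" for EC2 Describe*
calls, so those cannot be narrowed and are not counted.
"""
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowElasticLoadBalancer",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSubnets",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyCreateLogGroup",
            "Effect": "Deny",
            "Action": ["logs:CreateLogGroup"],
            "Resource": "*",
        },
    ],
}

# Actions with no resource-level permissions (illustrative subset; assumption).
NON_RESTRICTABLE = ("ec2:Describe*", "elasticloadbalancing:Describe*")


def _as_list(value):
    """IAM JSON allows a string or a list in Action / Resource."""
    return value if isinstance(value, list) else [value]


def is_restrictable(action):
    """True unless the action matches a known no-resource-level-permission pattern."""
    name = action.lower()
    return not any(fnmatch.fnmatchcase(name, p.lower()) for p in NON_RESTRICTABLE)


def star_resource_findings(policy):
    """Return (Sid, offending actions) for each Allow statement on Resource "*"."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # a Deny on "*" narrows access; not a finding
        if "*" not in _as_list(st.get("Resource", [])):
            continue  # NotResource statements are not modelled here
        offending = [a for a in _as_list(st.get("Action", [])) if is_restrictable(a)]
        if offending:
            findings.append((st.get("Sid"), offending))
    return findings


if __name__ == "__main__":
    for sid, actions in star_resource_findings(POLICY):
        print(f'{sid}: Resource "*" with restrictable actions {actions}')
```

The same function also flags the wider shapes a reviewer should expect (`"Action": "*"`, or a service wildcard such as `ec2:*`), because no non-restrictable pattern matches them, while an Allow that lists only Describe* actions on "*" is reported clean.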
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools