Update test-framework to current #142
Conversation
Bridgecrew has found infrastructure configuration errors in this PR ⬇️
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
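Review bot: the only change in this hunk is dropping the space between `!` and `local.is_regional_cluster` in the `count` expression of `aws_rds_cluster.secondary`, which is what `terraform fmt` produces and has no behavioural effect. The Bridgecrew findings attached to this line (backup plan, IAM authentication, deletion protection, storage encryption, query logging) are not introduced by this one-line formatting change and would be better tracked as separate hardening work than treated as blockers on this hunk.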
Ensure RDS clusters have an AWS Backup backup plan
Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_49
How to Fix
```hcl
resource "aws_rds_cluster" "rds_cluster_good" {
  cluster_identifier = "aurora-cluster-demo"
  engine             = "aurora-mysql"
  engine_version     = "5.7.mysql_aurora.2.03.2"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "bar"
}

resource "aws_backup_plan" "example" {
  name = "tf_example_backup_plan"

  rule {
    rule_name         = "tf_example_backup_rule"
    target_vault_name = "vault-name"
    schedule          = "cron(0 12 * * ? *)"
  }
}

resource "aws_backup_selection" "backup_good" {
  iam_role_arn = "arn:partition:service:region:account-id:resource-id"
  name         = "tf_example_backup_selection"
  plan_id      = aws_backup_plan.example.id

  resources = [
    aws_rds_cluster.rds_cluster_good.arn
  ]
}
```
Description
TBA
/test all
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBA. Identity and Access Management (IAM)
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66
How to Fix
```diff
resource "aws_rds_cluster" "enabled" {
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBD
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}
```
Description
TBA
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBA. Identity and Access Management (IAM)
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBA. Identity and Access Management (IAM)
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBA. Identity and Access Management (IAM)
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66
How to Fix
```diff
resource "aws_rds_cluster" "enabled" {
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBD
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66
How to Fix
```diff
resource "aws_rds_cluster" "enabled" {
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBD
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38
How to Fix
```diff
resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier = "aurora-cluster-demo"
+ storage_encrypted  = true
  ...
}
```
Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38
How to Fix
```diff
resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier = "aurora-cluster-demo"
+ storage_encrypted  = true
  ...
}
```
Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}
```
Description
TBA
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBA. Identity and Access Management (IAM)
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure Postgres RDS has Query Logging enabled
Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_96
How to Fix
```diff
resource "aws_rds_cluster_parameter_group" "examplea" {
  name        = "rds-cluster-pg"
  family      = "aurora5.7"
  description = "RDS default cluster parameter group"

+ parameter {
+   name  = "log_statement"
+   value = "all"
+ }
+ parameter {
+   name  = "log_min_duration_statement"
+   value = "1"
+ }
}
```
Description
This check ensures that you have enabled query logging for your PostgreSQL database cluster. A cluster needs to have a non-default parameter group and two parameters set, *log_statement* and *log_min_duration_statement*; these need to be set to *all* and *1* respectively to get sufficient logs.
Note
Setting query logging can expose secrets (including passwords) from your queries; restrict and encrypt to mitigate.
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38
How to Fix
```diff
resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier = "aurora-cluster-demo"
+ storage_encrypted  = true
  ...
}
```
Description
This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS clusters and instances have deletion protection enabled
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69
How to Fix
```diff
resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}
```
Description
TBA
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66
How to Fix
```diff
resource "aws_rds_cluster" "enabled" {
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBD
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure RDS cluster has IAM authentication enabled
Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66
How to Fix
```diff
resource "aws_rds_cluster" "enabled" {
  ...
+ iam_database_authentication_enabled = true
}
```
Description
TBD
@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" { | |||
|
|||
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier | |||
resource "aws_rds_cluster" "secondary" { | |||
count = local.enabled && ! local.is_regional_cluster ? 1 : 0 | |||
count = local.enabled && !local.is_regional_cluster ? 1 : 0 |
Ensure all data stored in Aurora is securely encrypted at rest
Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38
How to Fix
```diff
resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier = "aurora-cluster-demo"
+ storage_encrypted  = true
  ...
}
```
what
why