
Update test-framework to current #142

Merged
merged 1 commit into from
Jun 14, 2022

Conversation

@Nuru Nuru commented Jun 13, 2022

what

  • Update test-framework to current

why

  • Enable parallel testing
  • Bug fixes

@Nuru Nuru added the no-release Do not create a new release (wait for additional code changes) label Jun 13, 2022
@Nuru Nuru requested review from a team as code owners June 13, 2022 21:27
@bridgecrew bridgecrew bot left a comment

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0
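Review bot: the only change in this hunk is whitespace (`! local.is_regional_cluster` becomes `!local.is_regional_cluster`), so the Bridgecrew findings attached to this line (encryption at rest, deletion protection, IAM authentication, query logging and backup plan on `aws_rds_cluster.secondary`) concern attributes of the secondary cluster that this hunk does not touch; they are pre-existing rather than introduced here, and merging a "test-framework only" change past them should be stated in the PR description or tracked in a follow-up so the findings are not taken as resolved.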

LOW   Ensure RDS clusters have an AWS Backup backup plan
    Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_49

How to Fix

resource "aws_rds_cluster" "rds_cluster_good" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
}


resource "aws_backup_plan" "example" {
  name = "tf_example_backup_plan"

  rule {
    rule_name         = "tf_example_backup_rule"
    target_vault_name = "vault-name"
    schedule          = "cron(0 12 * * ? *)"
  }
}

resource "aws_backup_selection" "backup_good" {
  iam_role_arn = "arn:partition:service:region:account-id:resource-id"
  name         = "tf_example_backup_selection"
  plan_id      = aws_backup_plan.example.id

  resources = [
    aws_rds_cluster.rds_cluster_good.arn
  ]
}

Description

TBA

Nuru commented Jun 13, 2022

/test all

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
	...
+  iam_database_authentication_enabled = true
}

Description

TBA. Identity and Access Management (IAM)

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure RDS cluster has IAM authentication enabled
    Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" {
	...
+ iam_database_authentication_enabled = true
}

Description

TBD

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure RDS clusters and instances have deletion protection enabled
    Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}

Description

TBA

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
	...
+  iam_database_authentication_enabled = true
}

Description

TBA. Identity and Access Management (IAM)

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
	...
+  iam_database_authentication_enabled = true
}

Description

TBA. Identity and Access Management (IAM)

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
	...
+  iam_database_authentication_enabled = true
}

Description

TBA. Identity and Access Management (IAM)

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure RDS cluster has IAM authentication enabled
    Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" {
	...
+ iam_database_authentication_enabled = true
}

Description

TBD

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure RDS cluster has IAM authentication enabled
    Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" {
	...
+ iam_database_authentication_enabled = true
}

Description

TBD

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

HIGH   Ensure all data stored in Aurora is securely encrypted at rest
    Resource: module.rds_cluster.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

HIGH   Ensure all data stored in Aurora is securely encrypted at rest
    Resource: module.rds_cluster_aurora_serverlessv2_postgres_13.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure RDS clusters and instances have deletion protection enabled
    Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}

Description

TBA

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_59

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
	...
+  iam_database_authentication_enabled = true
}

Description

TBA. Identity and Access Management (IAM)

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure Postgres RDS has Query Logging enabled
    Resource: aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_96

How to Fix

resource "aws_rds_cluster_parameter_group" "examplea" {
  name = "rds-cluster-pg"
  family      = "aurora5.7"
  description = "RDS default cluster parameter group"

+  parameter {
+    name="log_statement"
+    value="all"
+  }

+  parameter {
+    name="log_min_duration_statement"
+    value="1"
+  }
}

Description

This check ensures that you have query logging set up for your PostgreSQL database cluster. A cluster needs a non-default parameter group with two parameters set, *log_statement* and *log_min_duration_statement*; these need to be set to *all* and *1* respectively to get sufficient logs.

Note
Setting up query logging can expose secrets (including passwords) from your queries; restrict and encrypt to mitigate.

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

HIGH   Ensure all data stored in Aurora is securely encrypted at rest
    Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

LOW   Ensure RDS clusters and instances have deletion protection enabled
    Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_69

How to Fix

resource "aws_rds_cluster" "default" {
  ...
+ deletion_protection = true
}

Description

TBA

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure RDS cluster has IAM authentication enabled
    Resource: module.rds_cluster_aurora_mysql_serverless.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" {
	...
+ iam_database_authentication_enabled = true
}

Description

TBD

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

MEDIUM   Ensure RDS cluster has IAM authentication enabled
    Resource: module.rds_cluster_aurora_postgres.aws_rds_cluster.secondary | ID: BC_AWS_IAM_66

How to Fix

resource "aws_rds_cluster" "enabled" {
	...
+ iam_database_authentication_enabled = true
}

Description

TBD

@@ -148,7 +148,7 @@ resource "aws_rds_cluster" "primary" {

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
resource "aws_rds_cluster" "secondary" {
count = local.enabled && ! local.is_regional_cluster ? 1 : 0
count = local.enabled && !local.is_regional_cluster ? 1 : 0

HIGH   Ensure all data stored in Aurora is securely encrypted at rest
    Resource: module.rds_cluster_aurora_mysql.aws_rds_cluster.secondary | ID: BC_AWS_GENERAL_38

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.
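The Bridgecrew comments above each show one attribute in isolation. The following is an added example, not code from this PR or from the cloudposse module, that puts all five finding types (BC_AWS_GENERAL_38, BC_AWS_GENERAL_69, BC_AWS_IAM_59/66, BC_AWS_GENERAL_96, BC_AWS_GENERAL_49) into one `aws_rds_cluster` definition so the settings can be reviewed together. Resource names, the KMS key, the backup vault, the variables and the engine version are assumptions chosen for the example.

```hcl
# Added example: one Aurora PostgreSQL cluster with every Bridgecrew finding
# from the thread addressed. All names and the IAM role ARN are placeholders.

variable "master_username" { type = string }

variable "master_password" {
  type      = string
  sensitive = true # keep the password out of plan/apply output
}

variable "backup_role_arn" {
  type        = string
  description = "Role assumed by AWS Backup; needs the AWSBackupServiceRolePolicyForBackup managed policy"
}

resource "aws_kms_key" "rds" {
  description         = "CMK for Aurora storage encryption (placeholder)"
  enable_key_rotation = true
}

resource "aws_backup_vault" "rds" {
  name        = "rds-vault"
  kms_key_arn = aws_kms_key.rds.arn
}

# BC_AWS_GENERAL_96: non-default parameter group with both logging parameters set
resource "aws_rds_cluster_parameter_group" "hardened" {
  name        = "aurora-postgres-hardened"
  family      = "aurora-postgresql13"
  description = "Query logging enabled"

  parameter {
    name  = "log_statement"
    value = "all"
  }

  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}

resource "aws_rds_cluster" "hardened" {
  cluster_identifier = "aurora-cluster-hardened"
  engine             = "aurora-postgresql"
  engine_version     = "13.6"
  database_name      = "mydb"
  master_username    = var.master_username
  master_password    = var.master_password

  # BC_AWS_GENERAL_38: encrypt at rest with a customer-managed key so key use is auditable
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # BC_AWS_GENERAL_69: terraform destroy / DeleteDBCluster fail until this is flipped off
  deletion_protection = true

  # BC_AWS_IAM_59 / BC_AWS_IAM_66: short-lived IAM tokens instead of long-lived passwords
  iam_database_authentication_enabled = true

  # BC_AWS_GENERAL_96: attach the logging parameter group and export the log to CloudWatch
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.hardened.name
  enabled_cloudwatch_logs_exports = ["postgresql"]

  backup_retention_period = 7
}

# BC_AWS_GENERAL_49: AWS Backup plan that selects the cluster by ARN
resource "aws_backup_plan" "rds" {
  name = "rds-daily"

  rule {
    rule_name         = "rds-daily"
    target_vault_name = aws_backup_vault.rds.name
    schedule          = "cron(0 12 * * ? *)"
  }
}

resource "aws_backup_selection" "rds" {
  name         = "rds-hardened"
  plan_id      = aws_backup_plan.rds.id
  iam_role_arn = var.backup_role_arn
  resources    = [aws_rds_cluster.hardened.arn]
}
```

Two design points worth checking in review: `log_statement = "all"` together with `log_min_duration_statement = "1"` records every statement, so the bot's own caveat applies and the exported CloudWatch log group should be KMS-encrypted with read access restricted; and `deletion_protection` has to be set to `false` in a separate apply before the cluster can be destroyed, which is the intended friction.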

@Nuru Nuru merged commit c4f3df3 into master Jun 14, 2022
@Nuru Nuru deleted the test-framework branch June 14, 2022 03:04