Handle tfsec issues

Signed-off-by: Jim Enright <[email protected]>
cloudera-labs · Sep 25, 2023 · ed1d5fc · ed1d5fc
1 parent 8f4c033
commit ed1d5fc
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 7 deletions.
diff --git a/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml b/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml
@@ -1,9 +1,17 @@
----
-#region TODO: Remove once https://github.com/aquasecurity/tfsec/issues/1799 is fixed
+# ---
 exclude:
+#region1 TODO: Remove once https://github.com/aquasecurity/tfsec/issues/1799 is fixed
   - aws-s3-block-public-acls
   - aws-s3-block-public-policy
   - aws-s3-ignore-public-acls
   - aws-s3-no-public-buckets
   - aws-s3-specify-public-access-block
-#endregion
+#endregion1
+#region2 TODO: Remove once have tested CDP deployment with bucket encryption
+  - aws-s3-enable-bucket-encryption
+  - aws-s3-encryption-customer-key
+#endregion2
+#region3 TODO: Explore how to expose these parameters
+  - aws-s3-enable-versioning 
+  - aws-s3-enable-bucket-logging
+#endregion3
diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf
@@ -69,7 +69,7 @@ resource "aws_security_group_rule" "cdp_default_sg_egress" {
   description       = "Egress rule for Default CDP Security Group"
   security_group_id = aws_security_group.cdp_default_sg.id
   type              = "egress"
-  cidr_blocks       = var.cdp_default_sg_egress_cidrs
+  cidr_blocks       = var.cdp_default_sg_egress_cidrs #tfsec:ignore:aws-ec2-no-public-egress-sgr #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 0
   to_port           = 0
   protocol          = "all"
@@ -113,7 +113,7 @@ resource "aws_security_group_rule" "cdp_knox_sg_egress" {
   description       = "Egress rule for Knox CDP Security Group"
   security_group_id = aws_security_group.cdp_knox_sg.id
   type              = "egress"
-  cidr_blocks       = var.cdp_knox_sg_egress_cidrs
+  cidr_blocks       = var.cdp_knox_sg_egress_cidrs #tfsec:ignore:aws-ec2-no-public-egress-sgr #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 0
   to_port           = 0
   protocol          = "all"
@@ -165,7 +165,7 @@ resource "aws_security_group_rule" "cdp_endpoint_sg_egress" {
   description       = "Egress rule for Endpoint CDP Security Group"
   security_group_id = aws_security_group.cdp_endpoint_sg[0].id
   type              = "egress"
-  cidr_blocks       = var.cdp_endpoint_sg_egress_cidrs
+  cidr_blocks       = var.cdp_endpoint_sg_egress_cidrs #tfsec:ignore:aws-ec2-no-public-egress-sgr #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 0
   to_port           = 0
   protocol          = "all"
@@ -254,6 +254,36 @@ resource "aws_s3_bucket_public_access_block" "cdp_storage_locations" {
 
 }
 
+resource "aws_kms_key" "cdp_kms_key" {
+
+  count = var.enable_kms_bucket_encryption ? 1 : 0
+
+  description         = "KMS key for Bucket Encryption of ${var.env_prefix} CDP environment"
+  enable_key_rotation = "true"
+}
+
+resource "aws_kms_alias" "cdp_kms_alias" {
+
+  count = var.enable_kms_bucket_encryption ? 1 : 0
+
+  name          = "alias/${var.env_prefix}"
+  target_key_id = aws_kms_key.cdp_kms_key[0].key_id
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "cdp_storage_location_kms" {
+
+  for_each = var.enable_kms_bucket_encryption ? aws_s3_bucket.cdp_storage_locations : {}
+
+  bucket = each.value.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.cdp_kms_key[0].arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
 # ------- AWS Buckets directory structures -------
 # # Data Storage Objects
 # NOTE: Removing creation of the data storage object because CDP overrides this
@@ -316,7 +346,7 @@ data "aws_iam_policy_document" "cdp_idbroker_policy_doc" {
     sid       = "VisualEditor0"
     actions   = ["sts:AssumeRole"]
     effect    = "Allow"
-    resources = ["*"]
+    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
   }
 }
 

diff --git a/modules/terraform-cdp-aws-pre-reqs/variables.tf b/modules/terraform-cdp-aws-pre-reqs/variables.tf
@@ -279,6 +279,16 @@ variable "backup_storage" {
   default = null
 }
 
+variable "enable_kms_bucket_encryption" {
+
+  type = bool
+
+  description = "Flag to create AWS KMS for encryption of S3 buckets. Currently disabled as further settings needed for successful CDP deployment."
+
+  default = false
+
+}
+
 # ------- Policies -------
 # Cross Account Policy (name and document)
 variable "xaccount_policy_name" {