
Terraform Module GKE #15

Merged
merged 54 commits into from
Aug 29, 2024

Kkhandale2024

what

  • Enhanced GKE module integration and configuration for improved cluster management.

Comment on lines +5 to +497
sandbox_type = sandbox_config.value
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
}
}
}

dynamic "resource_usage_export_config" {
for_each = var.resource_usage_export_dataset_id != "" ? [{
enable_network_egress_metering = var.enable_network_egress_export
enable_resource_consumption_metering = var.enable_resource_consumption_export
dataset_id = var.resource_usage_export_dataset_id
}] : []

content {
enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
bigquery_destination {
dataset_id = resource_usage_export_config.value.dataset_id
}
}
}

dynamic "private_cluster_config" {
for_each = var.enable_private_nodes ? [{
enable_private_nodes = var.enable_private_nodes,
enable_private_endpoint = var.enable_private_endpoint
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}] : []

content {
enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
enable_private_nodes = private_cluster_config.value.enable_private_nodes
master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
dynamic "master_global_access_config" {
for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
content {
enabled = master_global_access_config.value
}
}
}
}

remove_default_node_pool = var.remove_default_node_pool

dynamic "database_encryption" {
for_each = var.database_encryption

content {
key_name = database_encryption.value.key_name
state = database_encryption.value.state
}
}

dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

content {
workload_pool = workload_identity_config.value.workload_pool
}
}

dynamic "mesh_certificates" {
for_each = local.cluster_mesh_certificates_config

content {
enable_certificates = mesh_certificates.value.enable_certificates
}
}

dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}

notification_config {
pubsub {
enabled = var.notification_config_topic != "" ? true : false
topic = var.notification_config_topic
}
}

node_pool_defaults {
node_config_defaults {
gcfs_config {
enabled = var.enable_gcfs
}
}
}

depends_on = [google_project_iam_member.service_agent]
}
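Review bot: The default node pool settings at lines 37, 40 and 41 index `var.node_pools[0]` unconditionally, so a caller that passes an empty `node_pools` list hits an invalid-index error at plan time even though `remove_default_node_pool` (line 82) may discard that pool anyway; resolving the first pool once, e.g. `default_pool = try(var.node_pools[0], {})` in a local and using `lookup(local.default_pool, "enable_secure_boot", false)`, keeps the module usable without a pool list. The shielded-node defaults are also asymmetric: `enable_integrity_monitoring` falls back to `true` while `enable_secure_boot` falls back to `false`, so secure boot stays off unless every caller opts in; a module default of `true`, or a comment in the variable description stating why it must stay off, would be the safer baseline, and the same pair is repeated in the node-pool resource. A smaller style point: `enabled = var.notification_config_topic != "" ? true : false` can simply be `enabled = var.notification_config_topic != ""`. The `google_container_cluster.primary` resource starts at line 5, above this excerpt, and the same excerpt is quoted again for the four code-scanning comments that follow, where these remarks apply as well.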

Check failure

Code scanning / defsec

Master authorized networks should be configured on GKE clusters Error

Cluster does not have master authorized networks enabled.
Comment on lines +5 to +497
sandbox_type = sandbox_config.value
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
}
}
}

dynamic "resource_usage_export_config" {
for_each = var.resource_usage_export_dataset_id != "" ? [{
enable_network_egress_metering = var.enable_network_egress_export
enable_resource_consumption_metering = var.enable_resource_consumption_export
dataset_id = var.resource_usage_export_dataset_id
}] : []

content {
enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
bigquery_destination {
dataset_id = resource_usage_export_config.value.dataset_id
}
}
}

dynamic "private_cluster_config" {
for_each = var.enable_private_nodes ? [{
enable_private_nodes = var.enable_private_nodes,
enable_private_endpoint = var.enable_private_endpoint
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}] : []

content {
enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
enable_private_nodes = private_cluster_config.value.enable_private_nodes
master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
dynamic "master_global_access_config" {
for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
content {
enabled = master_global_access_config.value
}
}
}
}

remove_default_node_pool = var.remove_default_node_pool

dynamic "database_encryption" {
for_each = var.database_encryption

content {
key_name = database_encryption.value.key_name
state = database_encryption.value.state
}
}

dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

content {
workload_pool = workload_identity_config.value.workload_pool
}
}

dynamic "mesh_certificates" {
for_each = local.cluster_mesh_certificates_config

content {
enable_certificates = mesh_certificates.value.enable_certificates
}
}

dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}

notification_config {
pubsub {
enabled = var.notification_config_topic != "" ? true : false
topic = var.notification_config_topic
}
}

node_pool_defaults {
node_config_defaults {
gcfs_config {
enabled = var.enable_gcfs
}
}
}

depends_on = [google_project_iam_member.service_agent]
}

Check warning

Code scanning / defsec

Network Policy should be enabled on GKE clusters Warning

Cluster does not have a network policy enabled.
Comment on lines +5 to +497
sandbox_type = sandbox_config.value
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
}
}
}

dynamic "resource_usage_export_config" {
for_each = var.resource_usage_export_dataset_id != "" ? [{
enable_network_egress_metering = var.enable_network_egress_export
enable_resource_consumption_metering = var.enable_resource_consumption_export
dataset_id = var.resource_usage_export_dataset_id
}] : []

content {
enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
bigquery_destination {
dataset_id = resource_usage_export_config.value.dataset_id
}
}
}

dynamic "private_cluster_config" {
for_each = var.enable_private_nodes ? [{
enable_private_nodes = var.enable_private_nodes,
enable_private_endpoint = var.enable_private_endpoint
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}] : []

content {
enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
enable_private_nodes = private_cluster_config.value.enable_private_nodes
master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
dynamic "master_global_access_config" {
for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
content {
enabled = master_global_access_config.value
}
}
}
}

remove_default_node_pool = var.remove_default_node_pool

dynamic "database_encryption" {
for_each = var.database_encryption

content {
key_name = database_encryption.value.key_name
state = database_encryption.value.state
}
}

dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

content {
workload_pool = workload_identity_config.value.workload_pool
}
}

dynamic "mesh_certificates" {
for_each = local.cluster_mesh_certificates_config

content {
enable_certificates = mesh_certificates.value.enable_certificates
}
}

dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}

notification_config {
pubsub {
enabled = var.notification_config_topic != "" ? true : false
topic = var.notification_config_topic
}
}

node_pool_defaults {
node_config_defaults {
gcfs_config {
enabled = var.enable_gcfs
}
}
}

depends_on = [google_project_iam_member.service_agent]
}

Check warning

Code scanning / defsec

Clusters should be set to private Warning

Cluster does not have private nodes.
Comment on lines +5 to +497
sandbox_type = sandbox_config.value
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
}
}
}

dynamic "resource_usage_export_config" {
for_each = var.resource_usage_export_dataset_id != "" ? [{
enable_network_egress_metering = var.enable_network_egress_export
enable_resource_consumption_metering = var.enable_resource_consumption_export
dataset_id = var.resource_usage_export_dataset_id
}] : []

content {
enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
bigquery_destination {
dataset_id = resource_usage_export_config.value.dataset_id
}
}
}

dynamic "private_cluster_config" {
for_each = var.enable_private_nodes ? [{
enable_private_nodes = var.enable_private_nodes,
enable_private_endpoint = var.enable_private_endpoint
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}] : []

content {
enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
enable_private_nodes = private_cluster_config.value.enable_private_nodes
master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
dynamic "master_global_access_config" {
for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
content {
enabled = master_global_access_config.value
}
}
}
}

remove_default_node_pool = var.remove_default_node_pool

dynamic "database_encryption" {
for_each = var.database_encryption

content {
key_name = database_encryption.value.key_name
state = database_encryption.value.state
}
}

dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

content {
workload_pool = workload_identity_config.value.workload_pool
}
}

dynamic "mesh_certificates" {
for_each = local.cluster_mesh_certificates_config

content {
enable_certificates = mesh_certificates.value.enable_certificates
}
}

dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}

notification_config {
pubsub {
enabled = var.notification_config_topic != "" ? true : false
topic = var.notification_config_topic
}
}

node_pool_defaults {
node_config_defaults {
gcfs_config {
enabled = var.enable_gcfs
}
}
}

depends_on = [google_project_iam_member.service_agent]
}

Check failure

Code scanning / defsec

Pod security policy enforcement not defined. Error

Cluster pod security policy is not enforced.
Comment on lines +5 to +497
sandbox_type = sandbox_config.value
}
}

boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
}
}
}

dynamic "resource_usage_export_config" {
for_each = var.resource_usage_export_dataset_id != "" ? [{
enable_network_egress_metering = var.enable_network_egress_export
enable_resource_consumption_metering = var.enable_resource_consumption_export
dataset_id = var.resource_usage_export_dataset_id
}] : []

content {
enable_network_egress_metering = resource_usage_export_config.value.enable_network_egress_metering
enable_resource_consumption_metering = resource_usage_export_config.value.enable_resource_consumption_metering
bigquery_destination {
dataset_id = resource_usage_export_config.value.dataset_id
}
}
}

dynamic "private_cluster_config" {
for_each = var.enable_private_nodes ? [{
enable_private_nodes = var.enable_private_nodes,
enable_private_endpoint = var.enable_private_endpoint
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}] : []

content {
enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
enable_private_nodes = private_cluster_config.value.enable_private_nodes
master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
dynamic "master_global_access_config" {
for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
content {
enabled = master_global_access_config.value
}
}
}
}

remove_default_node_pool = var.remove_default_node_pool

dynamic "database_encryption" {
for_each = var.database_encryption

content {
key_name = database_encryption.value.key_name
state = database_encryption.value.state
}
}

dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

content {
workload_pool = workload_identity_config.value.workload_pool
}
}

dynamic "mesh_certificates" {
for_each = local.cluster_mesh_certificates_config

content {
enable_certificates = mesh_certificates.value.enable_certificates
}
}

dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}

notification_config {
pubsub {
enabled = var.notification_config_topic != "" ? true : false
topic = var.notification_config_topic
}
}

node_pool_defaults {
node_config_defaults {
gcfs_config {
enabled = var.enable_gcfs
}
}
}

depends_on = [google_project_iam_member.service_agent]
}

Check notice

Code scanning / defsec

Clusters should be configured with Labels Note

Cluster does not use GCE resource labels.
Comment on lines +501 to +741
}

dynamic "local_nvme_ssd_block_config" {
for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
content {
local_ssd_count = local_nvme_ssd_block_config.value
}
}

service_account = lookup(
each.value,
"service_account",
local.service_account,
)
preemptible = lookup(each.value, "preemptible", false)
spot = lookup(each.value, "spot", false)

oauth_scopes = concat(
local.node_pools_oauth_scopes["all"],
local.node_pools_oauth_scopes[each.value["name"]],
)

dynamic "guest_accelerator" {
for_each = lookup(each.value, "accelerator_count", 0) > 0 ? [1] : []
content {
type = lookup(each.value, "accelerator_type", "")
count = lookup(each.value, "accelerator_count", 0)
gpu_partition_size = lookup(each.value, "gpu_partition_size", null)

dynamic "gpu_driver_installation_config" {
for_each = lookup(each.value, "gpu_driver_version", "") != "" ? [1] : []
content {
gpu_driver_version = lookup(each.value, "gpu_driver_version", "")
}
}
}
}

dynamic "workload_metadata_config" {
for_each = local.cluster_node_metadata_config

content {
mode = lookup(each.value, "node_metadata", workload_metadata_config.value.mode)
}
}

dynamic "sandbox_config" {
for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []
content {
sandbox_type = sandbox_config.value
}
}

dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
}
}

dynamic "linux_node_config" {
for_each = length(merge(
local.node_pools_linux_node_configs_sysctls["all"],
local.node_pools_linux_node_configs_sysctls[each.value["name"]]
)) != 0 ? [1] : []

content {
sysctls = merge(
local.node_pools_linux_node_configs_sysctls["all"],
local.node_pools_linux_node_configs_sysctls[each.value["name"]]
)
}
}

boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")

shielded_instance_config {
enable_secure_boot = lookup(each.value, "enable_secure_boot", false)
enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true)
}
}

lifecycle {
ignore_changes = [initial_node_count]

}

timeouts {
create = lookup(var.timeouts, "create", "45m")
update = lookup(var.timeouts, "update", "45m")
delete = lookup(var.timeouts, "delete", "45m")
}

}
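Review bot: The `kubelet_config` block at lines 631–642 is emitted whenever any of `cpu_manager_policy`, `cpu_cfs_quota` or `cpu_cfs_quota_period` is present in the pool map, but `cpu_manager_policy` then defaults to `"static"`, so a pool that only sets a CFS quota also has its CPU manager policy changed as a side effect; either default it to `null` (if the provider version in use accepts that) or state in the variable description that setting any kubelet key implies the static policy. Style-wise, `for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : []` carries a redundant pair of parentheses, and the blank line inside `lifecycle { ... }` at line 668 can go. The `node_config` block and the enclosing `google_container_node_pool.pools` resource both begin above this excerpt (the scan output places them at lines 578 and 501), so the `metadata` settings the scanner refers to are not visible here.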

Check failure

Code scanning / defsec

Legacy metadata endpoints enabled. Error

Cluster has legacy metadata endpoints enabled.
@clouddrove-ci

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster has legacy metadata endpoints enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:578-728
────────────────────────────────────────────────────────────────────────────────
  501    resource "google_container_node_pool" "pools" {
  ...  
  578node_config {
  579image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
  580machine_type     = lookup(each.value, "machine_type", "e2-medium")
  581min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
  582dynamic "gcfs_config" {
  583for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
  584content {
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-metadata-endpoints-disabled
      Impact Legacy metadata endpoints don't require metadata headers
  Resolution Disable legacy metadata endpoints

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/metadata-endpoints-disabled/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:23
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   23  [       enabled  = network_policy.value.enabled (false)
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6  │   provider = google-beta
    78  │   name            = var.name
    9  │   description     = var.description
   10  │   project         = var.project_id
   11  │   resource_labels = var.cluster_resource_labels
   1213  └   location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:11
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   11  [   resource_labels = var.cluster_resource_labels
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             253.59µs
  parsing              35.797501ms
  adaptation           288.973µs
  checks               8.534971ms
  total                44.875035ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     188
  files read           11

  results
  ──────────────────────────────────────────
  passed               16
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  1

  16 passed, 6 potential problem(s) detected.

Comment on lines +67 to +187
istio = false
network_policy = true
ip_range_services = "services"
create_service_account = false
cluster_resource_labels = { env = "test" }
service_account = "example@example.gserviceaccount.com"
remove_default_node_pool = true
disable_legacy_metadata_endpoints = true
deletion_protection = false


node_pools = [
{
name = "critical"
master_version = "1.30.2-gke.1587003"
machine_type = "g1-small"
node_locations = "us-central1-c"
min_count = 1
max_count = 1
local_ssd_count = 0
spot = true
disk_size_gb = 10
disk_type = "pd-standard"
image_type = "cos_containerd"
enable_gcfs = false
enable_gvnic = false
logging_variant = "DEFAULT"
auto_repair = true
auto_upgrade = true
create_service_account = false
service_account = "example@example.gserviceaccount.com"
preemptible = false
initial_node_count = 1
enable_node_pool_autoscaling = false
enable_private_nodes = true

},
{
name = "application"
master_version = "1.30.2-gke.1587003"
machine_type = "g1-small"
node_locations = "us-central1-c"
min_count = 1
max_count = 2
local_ssd_count = 0
spot = true
disk_size_gb = 10
disk_type = "pd-standard"
image_type = "cos_containerd"
enable_gcfs = false
enable_gvnic = false
logging_variant = "DEFAULT"
auto_repair = true
auto_upgrade = true
create_service_account = false
service_account = "example@example.gserviceaccount.com"
preemptible = false
initial_node_count = 1
enable_node_pool_autoscaling = true
enable_private_nodes = true
},
]

node_pools_labels = {
all = {}

default-node-pool = {
default-node-pool = true
}
}

node_pools_metadata = {
all = {}

default-node-pool = {
node-pool-metadata-custom-value = "my-node-pool"
}
}

node_pools_taints = {
all = []

default-node-pool = [
{
key = "default-node-pool"
value = true
effect = "PREFER_NO_SCHEDULE"
},
]
}

node_pools_tags = {
all = []

default-node-pool = [
"default-node-pool",
]
}

}
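Review bot: The per-pool maps `node_pools_labels`, `node_pools_metadata`, `node_pools_taints` and `node_pools_tags` (lines 919–953) are keyed `default-node-pool`, while the pools declared in `node_pools` are named `critical` and `application`, and `remove_default_node_pool = true` on line 862 removes the only pool that could carry that name; if the module indexes these maps by pool name, as `local.node_pools_oauth_scopes[each.value["name"]]` in cluster.tf suggests, none of the example's labels, taints or tags reach any pool. Keying them `critical` / `application` (or dropping them from the example) would make the example demonstrate what it appears to. Each pool entry also sets `enable_private_nodes = true`, which is a separate input from the cluster-level `enable_private_nodes` variable that gates `private_cluster_config` in cluster.tf, so a one-line comment in the example saying which flag controls what would help readers, assuming the module does distinguish the two. The enclosing block begins at line 67, above this excerpt, and the same excerpt is quoted again for the second code-scanning comment below, where these remarks apply too.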

Check failure

Code scanning / defsec

Master authorized networks should be configured on GKE clusters Error

Cluster does not have master authorized networks enabled.
Comment on lines +67 to +187
istio = false
network_policy = true
ip_range_services = "services"
create_service_account = false
cluster_resource_labels = { env = "test" }
service_account = "example@example.gserviceaccount.com"
remove_default_node_pool = true
disable_legacy_metadata_endpoints = true
deletion_protection = false


node_pools = [
{
name = "critical"
master_version = "1.30.2-gke.1587003"
machine_type = "g1-small"
node_locations = "us-central1-c"
min_count = 1
max_count = 1
local_ssd_count = 0
spot = true
disk_size_gb = 10
disk_type = "pd-standard"
image_type = "cos_containerd"
enable_gcfs = false
enable_gvnic = false
logging_variant = "DEFAULT"
auto_repair = true
auto_upgrade = true
create_service_account = false
service_account = "example@example.gserviceaccount.com"
preemptible = false
initial_node_count = 1
enable_node_pool_autoscaling = false
enable_private_nodes = true

},
{
name = "application"
master_version = "1.30.2-gke.1587003"
machine_type = "g1-small"
node_locations = "us-central1-c"
min_count = 1
max_count = 2
local_ssd_count = 0
spot = true
disk_size_gb = 10
disk_type = "pd-standard"
image_type = "cos_containerd"
enable_gcfs = false
enable_gvnic = false
logging_variant = "DEFAULT"
auto_repair = true
auto_upgrade = true
create_service_account = false
service_account = "example@example.gserviceaccount.com"
preemptible = false
initial_node_count = 1
enable_node_pool_autoscaling = true
enable_private_nodes = true
},
]

node_pools_labels = {
all = {}

default-node-pool = {
default-node-pool = true
}
}

node_pools_metadata = {
all = {}

default-node-pool = {
node-pool-metadata-custom-value = "my-node-pool"
}
}

node_pools_taints = {
all = []

default-node-pool = [
{
key = "default-node-pool"
value = true
effect = "PREFER_NO_SCHEDULE"
},
]
}

node_pools_tags = {
all = []

default-node-pool = [
"default-node-pool",
]
}

}

Check failure

Code scanning / defsec

Pod security policy enforcement not defined. Error

Cluster pod security policy is not enforced.
@clouddrove-ci

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster has legacy metadata endpoints enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:578-728
────────────────────────────────────────────────────────────────────────────────
  501    resource "google_container_node_pool" "pools" {
  ...  
  578node_config {
  579image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
  580machine_type     = lookup(each.value, "machine_type", "e2-medium")
  581min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
  582dynamic "gcfs_config" {
  583for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
  584content {
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-metadata-endpoints-disabled
      Impact Legacy metadata endpoints don't require metadata headers
  Resolution Disable legacy metadata endpoints

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/metadata-endpoints-disabled/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:23
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   23  [       enabled  = network_policy.value.enabled (false)
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6  │   provider = google-beta
    78  │   name            = var.name
    9  │   description     = var.description
   10  │   project         = var.project_id
   11  │   resource_labels = var.cluster_resource_labels
   1213  └   location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:11
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   11  [   resource_labels = var.cluster_resource_labels
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             288.529µs
  parsing              42.965306ms
  adaptation           469.099µs
  checks               3.606076ms
  total                47.32901ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     188
  files read           11

  results
  ──────────────────────────────────────────
  passed               16
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  1

  16 passed, 6 potential problem(s) detected.

@clouddrove-ci

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6provider = google-beta
    78name            = var.name
    9description     = var.description
   10project         = var.project_id
   11resource_labels = var.cluster_resource_labels
   1213location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Cluster has legacy metadata endpoints enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:578-728
────────────────────────────────────────────────────────────────────────────────
  501    resource "google_container_node_pool" "pools" {
  ...  
  578node_config {
  579image_type       = lookup(each.value, "image_type", "COS_CONTAINERD")
  580machine_type     = lookup(each.value, "machine_type", "e2-medium")
  581min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
  582dynamic "gcfs_config" {
  583for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
  584content {
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-metadata-endpoints-disabled
      Impact Legacy metadata endpoints don't require metadata headers
  Resolution Disable legacy metadata endpoints

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/metadata-endpoints-disabled/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:23
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   23  [       enabled  = network_policy.value.enabled (false)
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:5-497
────────────────────────────────────────────────────────────────────────────────
    5resource "google_container_cluster" "primary" {
    6  │   provider = google-beta
    78  │   name            = var.name
    9  │   description     = var.description
   10  │   project         = var.project_id
   11  │   resource_labels = var.cluster_resource_labels
   1213  └   location            = local.location
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  cluster.tf:11
────────────────────────────────────────────────────────────────────────────────
    5    resource "google_container_cluster" "primary" {
    .  
   11  [   resource_labels = var.cluster_resource_labels
  ...  
  497    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             289.873µs
  parsing              45.675268ms
  adaptation           372.806µs
  checks               3.775632ms
  total                50.113579ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     188
  files read           11

  results
  ──────────────────────────────────────────
  passed               16
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  1

  16 passed, 6 potential problem(s) detected.


@AshutoshAM2002 AshutoshAM2002 left a comment


LGTM

@VishwajitNagulkar VishwajitNagulkar merged commit a12a648 into master Aug 29, 2024
6 of 7 checks passed
@VishwajitNagulkar VishwajitNagulkar deleted the feat/modified_module branch August 29, 2024 10:56