
auto changelog action and changelog.md and dependabot.yml file added #2

Merged
merged 4 commits into from
May 16, 2023

Conversation

vibhutigoyal
Contributor

what
• auto changelog action, changelog.md and dependabot.yml file added.
why
• need the auto changelog action to automatically update the changelog.md file
• need the dependabot.yml file to check weekly and automatically create a pull request with the latest tag of the modules used in the module

@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 HIGH Cluster pod security policy is not enforced. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enforce-pod-security-policy
      Impact Pods could be operating with more permissions than required to be effective
  Resolution Use security policies for pods to restrict permissions to those needed to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enforce-pod-security-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#pod_security_policy_config
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Cluster does not have master authorized networks enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-master-networks
      Impact Unrestricted network access to the master
  Resolution Enable master authorized networks

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-master-networks/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Node pool exposes node metadata. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:43-50
────────────────────────────────────────────────────────────────────────────────
   23    resource "google_container_node_pool" "node_pool" {
   ..
   43  ┌   node_config {
   44  │     image_type      = var.image_type
   45  │     machine_type    = var.machine_type
   46  │     service_account = var.service_account
   47  │     disk_size_gb    = var.disk_size_gb
   48  │     disk_type       = var.disk_type
   49  └     preemptible     = var.preemptible
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-node-metadata-security
      Impact Metadata that isn't concealed potentially risks leakage of sensitive data
  Resolution Set node metadata to SECURE or GKE_METADATA_SERVER

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/node-metadata-security/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_metadata
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Cluster does not have a network policy enabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-network-policy
      Impact Unrestricted inter-cluster communication
  Resolution Enable network policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-network-policy/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Cluster does not have private nodes. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-private-cluster
      Impact Nodes may be exposed to the public internet
  Resolution Enable private cluster

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-private-cluster/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes
────────────────────────────────────────────────────────────────────────────────


Result #6 MEDIUM Node pool does not override the default service account. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:46
────────────────────────────────────────────────────────────────────────────────
   23    resource "google_container_node_pool" "node_pool" {
   ..  
   46  [     service_account = var.service_account ("")
   ..  
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-service-account
      Impact Service accounts with wide permissions can increase the risk of compromise
  Resolution Use limited permissions for service accounts to be effective

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-service-account/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#service_account
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Cluster has IP aliasing disabled. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-enable-ip-aliasing
      Impact Nodes need a NAT gateway to access local services
  Resolution Enable IP aliasing

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/enable-ip-aliasing/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#ip_allocation_policy
────────────────────────────────────────────────────────────────────────────────


Result #8 LOW Cluster does not use GCE resource labels. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:10-21
────────────────────────────────────────────────────────────────────────────────
   10  ┌ resource "google_container_cluster" "primary" {
   11  │   count = var.google_container_cluster_enabled && var.module_enabled ? 1 : 0
   12  │
   13  │   name     = module.labels.id
   14  │   location = var.location
   15  │
   16  │   network                  = var.network
   17  │   subnetwork               = var.subnetwork
   18  └   remove_default_node_pool = var.remove_default_node_pool
   ..
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-use-cluster-labels
      Impact Asset management can be limited/more difficult
  Resolution Set cluster resource labels

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/use-cluster-labels/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
────────────────────────────────────────────────────────────────────────────────


Result #9 LOW Node pool is not using the COS containerd image type. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:44
────────────────────────────────────────────────────────────────────────────────
   23    resource "google_container_node_pool" "node_pool" {
   ..  
   44  [     image_type      = var.image_type ("")
   ..  
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID google-gke-node-pool-uses-cos
      Impact COS is the recommended OS image to use on cluster nodes
  Resolution Use the COS image type

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/google/gke/node-pool-uses-cos/
  - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#image_type
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             47.101µs
  parsing              83.592969ms
  adaptation           182.704µs
  checks               23.686101ms
  total                107.508875ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           3

  results
  ──────────────────────────────────────────
  passed               12
  ignored              0
  critical             0
  high                 3
  medium               3
  low                  3

  12 passed, 9 potential problem(s) detected.
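For reference, here are the cluster and node pool settings that findings #2 through #9 above ask for, as an added example rather than code from the clouddrove module or from this PR. Every name, CIDR, secondary range name and the project id are constructed placeholders. Finding #1 (pod_security_policy_config) is deliberately left out: that argument exists only in the google-beta provider, and PodSecurityPolicy has since been removed from GKE, so Pod Security Admission at the Kubernetes layer is the current replacement.

```hcl
# Added example, not the module's own code. Placeholders: example-gke,
# us-central1, example-vpc, example-subnet, the secondary range names,
# the CIDR blocks and example-project.

resource "google_service_account" "gke_nodes" {
  # google-gke-use-service-account: a dedicated, minimally privileged
  # node identity instead of the Compute Engine default service account.
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

resource "google_container_cluster" "primary" {
  name       = "example-gke"
  location   = "us-central1"
  network    = "example-vpc"
  subnetwork = "example-subnet"

  remove_default_node_pool = true
  initial_node_count       = 1

  # google-gke-use-cluster-labels
  resource_labels = {
    environment = "example"
    managed-by  = "terraform"
  }

  # google-gke-enable-ip-aliasing: VPC-native cluster with alias IP ranges
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # google-gke-enable-private-cluster: nodes get no public IP addresses;
  # the control plane endpoint stays reachable only from authorized networks.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # google-gke-enable-master-networks: allow-list for the API server
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/24"
      display_name = "admin-network"
    }
  }

  # google-gke-enable-network-policy: the addon must be enabled and the
  # cluster-level policy switched on for NetworkPolicy objects to be enforced.
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # Required for workload_metadata_config mode GKE_METADATA below.
  workload_identity_config {
    workload_pool = "example-project.svc.id.goog"
  }
}

resource "google_container_node_pool" "node_pool" {
  name       = "example-pool"
  location   = google_container_cluster.primary.location
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    # google-gke-node-pool-uses-cos
    image_type   = "COS_CONTAINERD"
    machine_type = "e2-medium"

    # google-gke-use-service-account: override the default service account
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    # google-gke-node-metadata-security: serve pod metadata through the GKE
    # metadata server (Workload Identity) and disable the legacy endpoints.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
```

Because the module exposes most of these as variables (image_type, service_account and so on), the same effect in the module itself comes from defaults such as `image_type = "COS_CONTAINERD"` rather than empty strings, which is what the `("")` annotations in findings #6 and #9 point at: tfsec evaluates the variable's default, so an empty default fails the check even if callers pass a value.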

@anmolnagpal anmolnagpal merged commit b937419 into master May 16, 2023
@delete-merged-branch delete-merged-branch bot deleted the issue-362 branch May 16, 2023 09:57