Create main.tf #3
base: prod
| @@ -0,0 +1,79 @@ | ||
| terraform { | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "3.26.0" | ||
| } | ||
| random = { | ||
| source = "hashicorp/random" | ||
| version = "3.0.1" | ||
| } | ||
| } | ||
| required_version = ">= 1.1.0" | ||
|
|
||
| cloud { | ||
| organization = "REPLACE_ME" | ||
|
|
||
| workspaces { | ||
| name = "gh-actions-demo" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws" { | ||
| region = "us-west-2" | ||
| } | ||
|
|
||
| resource "random_pet" "sg" {} | ||
|
|
||
| data "aws_ami" "ubuntu" { | ||
| most_recent = true | ||
|
|
||
| filter { | ||
| name = "name" | ||
| values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] | ||
| } | ||
|
|
||
| filter { | ||
| name = "virtualization-type" | ||
| values = ["hvm"] | ||
| } | ||
|
|
||
| owners = ["099720109477"] # Canonical | ||
| } | ||
|
|
||
| resource "aws_instance" "web" { | ||
| ami = data.aws_ami.ubuntu.id | ||
| instance_type = "t2.micro" | ||
| vpc_security_group_ids = [aws_security_group.web-sg.id] | ||
|
|
||
| user_data = <<-EOF | ||
| #!/bin/bash | ||
| apt-get update | ||
| apt-get install -y apache2 | ||
| sed -i -e 's/80/8080/' /etc/apache2/ports.conf | ||
| echo "Hello World" > /var/www/html/index.html | ||
| systemctl restart apache2 | ||
| EOF | ||
| } | ||
|
Comment on lines
+45
to
+58
Check failureCode scanning / defsec aws_instance should activate session tokens for Instance Metadata Service.
Instance does not require IMDS access to require a token
|
||
|
|
||
| resource "aws_security_group" "web-sg" { | ||
| name = "${random_pet.sg.id}-sg" | ||
| ingress { | ||
| from_port = 8080 | ||
| to_port = 8080 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
| // connectivity to ubuntu mirrors is required to run `apt-get update` and `apt-get install apache2` | ||
| egress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
| } | ||
|
Comment on lines
+60
to
+75
Check failureCode scanning / defsec An egress security group rule allows traffic to /0.
Security group rule allows egress to multiple public internet addresses.
Comment on lines
+60
to
+75
Check failureCode scanning / defsec An ingress security group rule allows traffic from /0.
Security group rule allows ingress from public internet.
Comment on lines
+60
to
+75
Check noticeCode scanning / defsec Missing description for security group.
Security group explicitly uses the default description.
Comment on lines
+60
to
+75
Check noticeCode scanning / defsec Missing description for security group rule.
Security group rule does not have a description.
Comment on lines
+60
to
+75
Check noticeCode scanning / defsec Missing description for security group rule.
Security group rule does not have a description.
|
||
|
|
||
| output "web-address" { | ||
| value = "${aws_instance.web.public_dns}:8080" | ||
| } | ||
Check failure
Code scanning / defsec
Instance with unencrypted block device.
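Review bot: The `cloud` block still carries the placeholder `organization = "REPLACE_ME"`, so `terraform init` cannot resolve the Terraform Cloud workspace and this PR targeting `prod` would fail before any plan runs; it should be set to the real organization name before merge. Separately, the user_data line `sed -i -e 's/80/8080/' /etc/apache2/ports.conf` is unanchored and rewrites the first `80` on whichever lines of ports.conf contain one; anchoring it as `sed -i -e 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf` confines the edit to the single Listen directive that the 8080 ingress rule and the `web-address` output depend on. Both are one-line changes inside main.tf.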