Merge pull request #85 from ranikamadurawe/main-alt

Update modules

.trivyignore

@@ -0,0 +1,3 @@
+# Ignore
+AVD-AWS-0052
+AVD-AWS-0053

modules/aws/Cloud-Watch-Log-Group/log_group.tf

@@ -9,6 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
+# Ignore: AVD-AWS-0017 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017)
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# trivy:ignore:AVD-AWS-0017
 resource "aws_cloudwatch_log_group" "log_group" {
   name              = var.log_group_name
   retention_in_days = var.retention_in_days

modules/aws/CloudTrail-Logs/cloudtrail_logs.tf

@@ -9,6 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
+# Ignore: AVD-AWS-0015 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0017)
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# trivy:ignore:AVD-AWS-0015
 # trivy:ignore:AVD-AWS-0162 # TODO: fix this
 resource "aws_cloudtrail" "cloudtrail_config" {
   name                          = join("-", [var.project, var.application, var.environment, var.region, "cloudtrail-log-config"])

modules/aws/ECR/ecr.tf

@@ -32,53 +32,59 @@ resource "aws_ecr_repository" "ecr_repository" {
   }
 }
 
-resource "aws_iam_policy" "ecr_admin_iam_policy" {
-  name = join("-", [local.name_prefix, "ecr-admin-iam-policy"])
+data "aws_iam_policy_document" "admin_policy" {
+  statement {
+    sid    = "External Admin policy"
+    effect = "Allow"
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Action = [
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:BatchGetImage",
-          "ecr:BatchCheckLayerAvailability",
-          "ecr:PutImage",
-          "ecr:InitiateLayerUpload",
-          "ecr:UploadLayerPart",
-          "ecr:CompleteLayerUpload"
-        ],
-        Effect   = "Allow",
-        Resource = aws_ecr_repository.ecr_repository.arn
-      }
+    principals {
+      type        = "AWS"
+      identifiers = var.external_admin_account_ids
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeRepositories",
+      "ecr:GetRepositoryPolicy",
+      "ecr:ListImages",
+      "ecr:DeleteRepository",
+      "ecr:BatchDeleteImage",
+      "ecr:SetRepositoryPolicy",
+      "ecr:DeleteRepositoryPolicy",
     ]
-  })
-  depends_on = [
-    aws_ecr_repository.ecr_repository
-  ]
-  tags = var.tags
+  }
+}
+
+resource "aws_ecr_repository_policy" "admin_policy" {
+  repository = aws_ecr_repository.ecr_repository.name
+  policy     = data.aws_iam_policy_document.admin_policy.json
 }
 
-resource "aws_iam_policy" "ecr_pull_only_iam_policy" {
-  name = join("-", [local.name_prefix, "ecr-pull-only-iam-policy"])
+data "aws_iam_policy_document" "pull_only_policy" {
+  statement {
+    sid    = "External Pull only policy"
+    effect = "Allow"
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Action = [
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:BatchGetImage",
-          "ecr:BatchCheckLayerAvailability"
-        ],
-        Effect   = "Allow",
-        Resource = aws_ecr_repository.ecr_repository.arn
-      }
+    principals {
+      type        = "AWS"
+      identifiers = var.external_pull_only_account_ids
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability"
     ]
-  })
-  tags = var.tags
+  }
+}
 
-  depends_on = [
-    aws_ecr_repository.ecr_repository
-  ]
+resource "aws_ecr_repository_policy" "pull_only_policy" {
+  repository = aws_ecr_repository.ecr_repository.name
+  policy     = data.aws_iam_policy_document.pull_only_policy.json
 }

modules/aws/ECR/outputs.tf

@@ -9,14 +9,6 @@
 #
 # --------------------------------------------------------------------------------------
 
-output "ecr_admin_iam_policy_arn" {
-  value      = aws_iam_policy.ecr_admin_iam_policy.arn
-  depends_on = [aws_iam_policy.ecr_admin_iam_policy]
-}
-output "ecr_pull_only_iam_policy_arn" {
-  value      = aws_iam_policy.ecr_pull_only_iam_policy.arn
-  depends_on = [aws_iam_policy.ecr_pull_only_iam_policy]
-}
 output "ecr_id" {
   value      = aws_ecr_repository.ecr_repository.id
   depends_on = [aws_ecr_repository.ecr_repository]

modules/aws/ECR/variables.tf

@@ -60,3 +60,13 @@ variable "generate_name" {
   description = "Whether to generate name for the image repository"
   default     = false
 }
+variable "external_admin_account_ids" {
+  type        = list(string)
+  description = "List of external admin account IDs"
+  default     = []
+}
+variable "external_pull_only_account_ids" {
+  type        = list(string)
+  description = "List of external pull only account IDs"
+  default     = []
+}

modules/aws/EKS-Cluster/iam_role.tf

@@ -175,7 +175,8 @@ resource "aws_iam_policy" "cluster_loadbalancer_policy" {
           "elasticloadbalancing:DescribeTargetGroups",
           "elasticloadbalancing:DescribeTargetGroupAttributes",
           "elasticloadbalancing:DescribeTargetHealth",
-          "elasticloadbalancing:DescribeTags"
+          "elasticloadbalancing:DescribeTags",
+          "elasticloadbalancing:DescribeListenerAttributes"
         ],
         Resource : "*"
       },

modules/aws/EKS-Node-Group/iam_role.tf

@@ -59,6 +59,16 @@ resource "aws_iam_role_policy_attachment" "amazon_ec2_container_registry_read_on
   ]
 }
 
+resource "aws_iam_role_policy_attachment" "amazon_ssm_managed_instance_core" {
+  count      = var.enable_ssm_access == false ? 0 : 1
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  role       = aws_iam_role.iam_role.name
+
+  depends_on = [
+    aws_iam_role.iam_role
+  ]
+}
+
 /* TODO:: Review and remove if not required
 resource "aws_iam_role_policy_attachment" "amazon_cloud_watch_agent_policy" {
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"

modules/aws/EKS-Node-Group/variables.tf

@@ -98,3 +98,8 @@ variable "custom_ami_id" {
   description = "Custom AMI ID to be used for the node group"
   default     = null
 }
+variable "enable_ssm_access" {
+  type        = bool
+  description = "Flag to enable SSM access"
+  default     = false
+}

modules/aws/RDS-Aurora/rds.tf

@@ -10,8 +10,14 @@
 # --------------------------------------------------------------------------------------
 
 # Ignore: AVD-AWS-0343 (https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0343/)
+# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0079)
+# Ignore: AVD-AWS-0059 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0077)
 # Reason: Delete protection has been configured as an optional parameter as this will depend on the usage of the RDS
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# Reason: Variable backup_retention_period is defined and can be used for explicitlty setting backup retention
 # trivy:ignore:AVD-AWS-0343
+# trivy:ignore:AVD-AWS-0079
+# trivy:ignore:AVD-AWS-0077
 resource "aws_rds_cluster" "rds_cluster" {
 
   allow_major_version_upgrade = var.allow_major_version_upgrade

modules/aws/S3-Account/s3_account.tf

@@ -18,11 +18,6 @@ resource "aws_s3_bucket" "s3_bucket" {
   tags = var.tags
 }
 
-resource "aws_s3_bucket_acl" "bucket_acl" {
-  bucket = aws_s3_bucket.s3_bucket.id
-  acl    = var.acl
-}
-
 # Ignore: AVD-AWS-0090 (https://avd.aquasec.com/misconfig/avd-aws-0090)
 # Reason: Versioning has been enabled as a parameter with default value true
 # trivy:ignore:AVD-AWS-0090
@@ -47,6 +42,9 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
   restrict_public_buckets = var.restrict_public_buckets
 }
 
+# Ignore: AVD-AWS-0132 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-00132)
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_server_side_encryption_configuration" {
   bucket = aws_s3_bucket.s3_bucket.id
 

modules/aws/S3-Account/variables.tf

@@ -30,10 +30,6 @@ variable "tags" {
   description = "Tags for the resources"
   default     = {}
 }
-variable "acl" {
-  type        = string
-  description = "ACL to be applied to the bucket"
-}
 variable "block_public_acls" {
   type        = bool
   description = "Block public access to the bucket"

modules/aws/SNS-Topic/sns_topic.tf

@@ -9,6 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
+# Ignore: AVD-AWS-0095 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0095)
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# trivy:ignore:AVD-AWS-0095
 resource "aws_sns_topic" "sns_topic" {
   name              = join("-", [var.project, var.application, var.environment, var.region, var.topic_name])
   kms_master_key_id = var.kms_master_key_id

modules/aws/Secret-Manager-Secret/secret_manager_secret.tf

@@ -9,6 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
+# Ignore: AVD-AWS-0098 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0098)
+# Reason: Variable KMS_KEY_ID is defined and can be used for explicit key encryption
+# trivy:ignore:AVD-AWS-0098
 resource "aws_secretsmanager_secret" "secretsmanager_secret" {
   name                    = var.secret_name
   recovery_window_in_days = var.recovery_window_in_days

modules/aws/Security-Group/security_group.tf

@@ -9,6 +9,9 @@
 #
 # --------------------------------------------------------------------------------------
 
+# Ignore: AVD-AWS-0099 (https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0099)
+# Reason: Description is a required variable for the security group
+# trivy:ignore:AVD-AWS-0099
 resource "aws_security_group" "security_group" {
   name        = join("-", [var.project, var.application, var.environment, var.region, "sg"])
   description = var.description