diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 1918a59..809fc6c 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -20,4 +20,16 @@ jobs: - name: Terraform Validate id: validate - run: terraform validate -no-color \ No newline at end of file + run: terraform validate -no-color + + - name: Set up Python 3.8 for Checkov + uses: actions/setup-python@v4 + with: + python-version: 3.8 + + - name: Test with Checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + framework: terraform + skip_path: ./examples diff --git a/ec2.tf b/ec2.tf index 24c21cd..071c5af 100644 --- a/ec2.tf +++ b/ec2.tf @@ -32,6 +32,7 @@ data "aws_arn" "ssm_param" { } resource "aws_launch_template" "main" { + #checkov:skip=CKV_AWS_88:NAT instances must have a public IP. name = var.name image_id = local.ami_id instance_type = var.instance_type @@ -85,10 +86,17 @@ resource "aws_launch_template" "main" { TERRAFORM_CWAGENT_CFG_PARAM_NAME = local.cwagent_param_name != null ? local.cwagent_param_name : "" })) + # Enforce IMDSv2 + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = var.tags } resource "aws_instance" "main" { + #checkov:skip=CKV2_AWS_41:False positive, IAM role is attached via the launch template. count = var.ha_mode ? 0 : 1 launch_template { diff --git a/main.tf b/main.tf index 75b04d1..5e37621 100644 --- a/main.tf +++ b/main.tf @@ -64,7 +64,7 @@ resource "aws_ssm_parameter" "cloudwatch_agent_config" { name = "${var.name}-cloudwatch-agent-config" key_id = var.kms_key_id - type = "String" + type = "SecureString" value = templatefile("${path.module}/templates/cwagent.json", { METRICS_COLLECTION_INTERVAL = var.cloudwatch_agent_configuration.collection_interval, METRICS_NAMESPACE = var.cloudwatch_agent_configuration.namespace