From 1a07408275d8c4836e20672b0298e96fe13a8e2b Mon Sep 17 00:00:00 2001
From: Rich Green
Date: Mon, 14 Oct 2024 14:16:43 +0100
Subject: [PATCH 1/2] trivy ignore AVD-AWS-0102 for subnet NACLs

---
 terraform/modules/vpc-nacls/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/modules/vpc-nacls/main.tf b/terraform/modules/vpc-nacls/main.tf
index d872ff8b7..64ccf6918 100644
--- a/terraform/modules/vpc-nacls/main.tf
+++ b/terraform/modules/vpc-nacls/main.tf
@@ -35,7 +35,7 @@ resource "aws_network_acl" "protected" {
 )
 }
 
-#tfsec:ignore:aws-vpc-no-excessive-port-access tfsec:ignore:aws-ec2-no-public-ingress-acl
+#trivy:ignore:AVD-AWS-0102
 resource "aws_network_acl_rule" "data_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
@@ -50,7 +50,7 @@ resource "aws_network_acl_rule" "data_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#tfsec:ignore:aws-vpc-no-excessive-port-access tfsec:ignore:aws-ec2-no-public-ingress-acl
+#trivy:ignore:AVD-AWS-0102
 resource "aws_network_acl_rule" "private_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
@@ -65,7 +65,7 @@ resource "aws_network_acl_rule" "private_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#tfsec:ignore:aws-vpc-no-excessive-port-access tfsec:ignore:aws-ec2-no-public-ingress-acl
+#trivy:ignore:AVD-AWS-0102
 resource "aws_network_acl_rule" "public_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
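Review bot: The new `#trivy:ignore:AVD-AWS-0102` line suppresses only the "ingress NACL rule allows all ports" finding, whereas the removed tfsec line also suppressed `aws-ec2-no-public-ingress-acl`, which trivy reports under a separate ID (AVD-AWS-0105, if memory serves) — so the 0.0.0.0/0 ingress that the untouched `#checkov:skip=CKV_AWS_231` comment below this line describes will either now fail the trivy scan or is being tolerated without anyone having decided to. If that finding is genuinely accepted, give it its own justified suppression next to this one, e.g. `#trivy:ignore:AVD-AWS-0105`, rather than letting the tool migration drop it; if trivy no longer raises it on these rules, a one-line comment saying so would save the next reader from re-deriving that. Note also that one ignore on a `for_each` resource silences the finding for every rule in the set, not only the wide-open ones. The resource body continues outside the hunk.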
@@ -80,7 +80,7 @@ resource "aws_network_acl_rule" "public_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#tfsec:ignore:aws-vpc-no-excessive-port-access tfsec:ignore:aws-ec2-no-public-ingress-acl
+#trivy:ignore:AVD-AWS-0102
 resource "aws_network_acl_rule" "public_subnet_internet_access_rules" {
 #checkov:skip=CKV_AWS_231:Verified - these rules are reasonable
 for_each = local.public_access_acl_rules

From c80a71dbe751d126efc750ea6512c282cd96524e Mon Sep 17 00:00:00 2001
From: Rich Green
Date: Wed, 16 Oct 2024 12:01:52 +0100
Subject: [PATCH 2/2] add justification for trivy ignores

---
 terraform/modules/vpc-nacls/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/modules/vpc-nacls/main.tf b/terraform/modules/vpc-nacls/main.tf
index 64ccf6918..da94b2eb9 100644
--- a/terraform/modules/vpc-nacls/main.tf
+++ b/terraform/modules/vpc-nacls/main.tf
@@ -35,7 +35,7 @@ resource "aws_network_acl" "protected" {
 )
 }
 
-#trivy:ignore:AVD-AWS-0102
+# trivy:ignore:AVD-AWS-0102:NACL rule allows all ports by design
 resource "aws_network_acl_rule" "data_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
@@ -50,7 +50,7 @@ resource "aws_network_acl_rule" "data_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#trivy:ignore:AVD-AWS-0102
+# trivy:ignore:AVD-AWS-0102:NACL rule allows all ports by design
 resource "aws_network_acl_rule" "private_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
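Review bot: The justification appended after the rule ID in `# trivy:ignore:AVD-AWS-0102:NACL rule allows all ports by design` relies on trivy's ignore parser tolerating free text in the colon-separated position it otherwise reserves for qualifiers such as `exp:`/`ws:`, and the space inserted after `#` changes the prefix that older parsers matched on; I would confirm in CI that the finding is still suppressed after this commit rather than assume it. The form that keeps the directive machine-readable puts the rationale on its own comment line above the directive and leaves the directive as `#trivy:ignore:AVD-AWS-0102` exactly as patch 1 had it. "By design" also states what the rule does rather than why it is acceptable: the identical sentence is applied to the data, private and public tiers, and for the data-subnet set in particular the comment should name which rule needs the full port range and for what traffic (stateless NACLs needing an ephemeral return range is the usual reason, but that is an inference — the locals are not visible here). The resource body continues outside the hunk.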
@@ -65,7 +65,7 @@ resource "aws_network_acl_rule" "private_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#trivy:ignore:AVD-AWS-0102
+# trivy:ignore:AVD-AWS-0102:NACL rule allows all ports by design
 resource "aws_network_acl_rule" "public_subnet_static_rules" {
 #checkov:skip=CKV_AWS_352:Verified - these rules are reasonable
 #checkov:skip=CKV_AWS_231:Allow ingress from 0.0.0.0:0 to port 3389 required
@@ -80,7 +80,7 @@ resource "aws_network_acl_rule" "public_subnet_static_rules" {
 to_port = each.value.to_port != null ? each.value.to_port : null
 }
 
-#trivy:ignore:AVD-AWS-0102
+# trivy:ignore:AVD-AWS-0102:NACL rule allows all ports by design
 resource "aws_network_acl_rule" "public_subnet_internet_access_rules" {
 #checkov:skip=CKV_AWS_231:Verified - these rules are reasonable
 for_each = local.public_access_acl_rules
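Review bot: The `for_each = local.public_access_acl_rules` context line shows that the single ignore above `public_subnet_internet_access_rules` covers every rule generated from that local, so any rule later added to it inherits the all-ports suppression without review; the justification should say the suppression is set-wide, or the rules that genuinely need all ports should be split into their own resource so only they carry the ignore. For an internet-facing rule set an open-ended suppression is also worth time-boxing — trivy accepts an expiry qualifier on ignore directives (`:exp:YYYY-MM-DD`), which forces the exception to be re-justified rather than forgotten. The resource body continues outside the hunk.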