chore: resolve trivy alerts (#47)

oqtopus-team · Oct 23, 2024 · 2a63629 · 2a63629
1 parent 75a7f15
commit 2a63629
Show file tree

Hide file tree

Showing 18 changed files with 183 additions and 67 deletions.
diff --git a/docs/terraform_modules/api-server/README.md b/docs/terraform_modules/api-server/README.md
@@ -60,6 +60,7 @@ module "user_api" {
 | [aws_iam_role_policy_attachment.lambda_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc_access_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.api_gateway_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.api_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

diff --git a/docs/terraform_modules/db/README.md b/docs/terraform_modules/db/README.md
@@ -47,6 +47,7 @@ module "db" {
 | [aws_iam_policy.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.db_performance_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.db_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_iam_policy_document.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.db_proxy_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -56,6 +57,7 @@ module "db" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_db_name"></a> [db\_name](#input\_db\_name) | The name of the database | `string` | n/a | yes |
+| <a name="input_db_performance_insights_enabled"></a> [db\_performance\_insights\_enabled](#input\_db\_performance\_insights\_enabled) | DB performance insights enabled | `bool` | n/a | yes |
 | <a name="input_db_proxy_security_group_ids"></a> [db\_proxy\_security\_group\_ids](#input\_db\_proxy\_security\_group\_ids) | The security group IDs for the RDS proxy | `list(string)` | n/a | yes |
 | <a name="input_db_security_group_ids"></a> [db\_security\_group\_ids](#input\_db\_security\_group\_ids) | The security group IDs for the RDS instance | `list(string)` | n/a | yes |
 | <a name="input_env"></a> [env](#input\_env) | environment name | `string` | n/a | yes |

diff --git a/docs/terraform_modules/management/README.md b/docs/terraform_modules/management/README.md
@@ -42,9 +42,7 @@ module "management" {
 | [aws_iam_instance_profile.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_instance.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
-| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_iam_policy_document.ec2_bastion_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.s3_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.amzn2_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs

diff --git a/docs/terraform_modules/network/README.md b/docs/terraform_modules/network/README.md
@@ -46,10 +46,19 @@ module "network" {
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.vpc_flow_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_iam_policy.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.vpc_flow_log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vpc_flow_logs_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

diff --git a/docs/terraform_modules/security-group/README.md b/docs/terraform_modules/security-group/README.md
@@ -28,7 +28,7 @@ module "security_group" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.57.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.57.0 |
 
 ## Resources
 
@@ -41,7 +41,6 @@ module "security_group" {
 | [aws_security_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_egress_rule.db_proxy_to_db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
-| [aws_vpc_security_group_egress_rule.ec2_bastion_to_anywhere](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_egress_rule.ec2_bastion_to_db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_egress_rule.ec2_bastion_to_secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_egress_rule.eic_to_ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |

diff --git a/terraform/infrastructure/example-dev/main.tf b/terraform/infrastructure/example-dev/main.tf
@@ -35,15 +35,16 @@ module "security_group" {
 module "db" {
   source = "../modules/db"
 
-  product                     = var.product
-  org                         = var.org
-  env                         = var.env
-  region                      = var.region
-  subnet_ids                  = module.network.private_subnet_ids
-  db_security_group_ids       = module.security_group.db_security_group_ids
-  db_name                     = "main"
-  user_name                   = var.db_user_name
-  db_proxy_security_group_ids = module.security_group.db_proxy_security_group_ids
+  product                         = var.product
+  org                             = var.org
+  env                             = var.env
+  region                          = var.region
+  subnet_ids                      = module.network.private_subnet_ids
+  db_security_group_ids           = module.security_group.db_security_group_ids
+  db_name                         = "main"
+  user_name                       = var.db_user_name
+  db_proxy_security_group_ids     = module.security_group.db_proxy_security_group_ids
+  db_performance_insights_enabled = var.db_performance_insights_enabled
 }
 
 module "management" {

diff --git a/terraform/infrastructure/example-dev/variables.tf b/terraform/infrastructure/example-dev/variables.tf
@@ -23,6 +23,11 @@ variable "db_user_name" {
   type        = string
 }
 
+variable "db_performance_insights_enabled" {
+  description = "DB performance insights enabled"
+  type        = bool
+}
+
 variable "profile" {
   description = "aws profile"
   type        = string

diff --git a/terraform/infrastructure/modules/db/README.md b/terraform/infrastructure/modules/db/README.md
@@ -47,6 +47,7 @@ module "db" {
 | [aws_iam_policy.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.db_performance_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.db_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_iam_policy_document.db_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.db_proxy_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -56,6 +57,7 @@ module "db" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_db_name"></a> [db\_name](#input\_db\_name) | The name of the database | `string` | n/a | yes |
+| <a name="input_db_performance_insights_enabled"></a> [db\_performance\_insights\_enabled](#input\_db\_performance\_insights\_enabled) | DB performance insights enabled | `bool` | n/a | yes |
 | <a name="input_db_proxy_security_group_ids"></a> [db\_proxy\_security\_group\_ids](#input\_db\_proxy\_security\_group\_ids) | The security group IDs for the RDS proxy | `list(string)` | n/a | yes |
 | <a name="input_db_security_group_ids"></a> [db\_security\_group\_ids](#input\_db\_security\_group\_ids) | The security group IDs for the RDS instance | `list(string)` | n/a | yes |
 | <a name="input_env"></a> [env](#input\_env) | environment name | `string` | n/a | yes |

diff --git a/terraform/infrastructure/modules/db/main.tf b/terraform/infrastructure/modules/db/main.tf
@@ -23,14 +23,11 @@
 *
 */
 
-#trivy:ignore:AVD-AWS-0077 TODO: consider about backup_retention_period https://avd.aquasec.com/misconfig/avd-aws-0077
-#trivy:ignore:AVD-AWS-0133 TODO: consider about performance_insights https://avd.aquasec.com/misconfig/avd-aws-0133
-#trivy:ignore:AVD-AWS-0176 TODO: consider about IAM authentication https://avd.aquasec.com/misconfig/avd-aws-0176 related https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
 resource "aws_db_instance" "this" {
   identifier                            = "${var.product}-${var.org}-${var.env}"
   allocated_storage                     = "20"
   auto_minor_version_upgrade            = "true"
-  backup_retention_period               = "1"
+  backup_retention_period               = "5"
   backup_target                         = "region"
   backup_window                         = "18:33-19:03"
   ca_cert_identifier                    = "rds-ca-rsa2048-g1"
@@ -40,8 +37,8 @@ resource "aws_db_instance" "this" {
   deletion_protection                   = "true"
   engine                                = "mysql"
   engine_version                        = "8.0.35"
-  iam_database_authentication_enabled   = "false"
-  instance_class                        = "db.t3.micro"
+  iam_database_authentication_enabled   = "true"
+  instance_class                        = var.db_performance_insights_enabled == true ? "db.t3.medium" : "db.t3.micro"
   iops                                  = "0"
   kms_key_id                            = aws_kms_key.db_storage.arn
   manage_master_user_password           = true #追加 https://tech.dentsusoken.com/entry/terraform_manage_master_user_password
@@ -53,7 +50,9 @@ resource "aws_db_instance" "this" {
   network_type                          = "IPV4"
   option_group_name                     = "default:mysql-8-0"
   parameter_group_name                  = aws_db_parameter_group.this.name
-  performance_insights_retention_period = "0"
+  performance_insights_enabled          = var.db_performance_insights_enabled
+  performance_insights_kms_key_id       = var.db_performance_insights_enabled == true ? aws_kms_key.db_performance_insights[0].arn : null
+  performance_insights_retention_period = var.db_performance_insights_enabled == true ? 7 : null
   port                                  = "3306"
   storage_encrypted                     = "true"
   storage_throughput                    = "0"
@@ -73,6 +72,17 @@ resource "aws_kms_key" "db_storage" {
   }
 }
 
+resource "aws_kms_key" "db_performance_insights" {
+  count                   = var.db_performance_insights_enabled == true ? 1 : 0
+  description             = "key to encrypt performance insights"
+  key_usage               = "ENCRYPT_DECRYPT"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags = {
+    Name = "${var.product}-${var.org}-${var.env}"
+  }
+}
+
 resource "aws_db_subnet_group" "this" {
   name       = "${var.product}-${var.org}-${var.env}"
   subnet_ids = var.subnet_ids

diff --git a/terraform/infrastructure/modules/db/variables.tf b/terraform/infrastructure/modules/db/variables.tf
@@ -38,3 +38,8 @@ variable "db_proxy_security_group_ids" {
   description = "The security group IDs for the RDS proxy"
   type        = list(string)
 }
+
+variable "db_performance_insights_enabled" {
+  description = "DB performance insights enabled"
+  type        = bool
+}
diff --git a/terraform/infrastructure/modules/management/README.md b/terraform/infrastructure/modules/management/README.md
@@ -42,9 +42,7 @@ module "management" {
 | [aws_iam_instance_profile.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_instance.ec2_bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
-| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_iam_policy_document.ec2_bastion_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.s3_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.amzn2_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs

diff --git a/terraform/infrastructure/modules/management/main.tf b/terraform/infrastructure/modules/management/main.tf
@@ -85,30 +85,3 @@ resource "aws_iam_instance_profile" "ec2_bastion" {
   name = "${var.product}-${var.org}-${var.env}-ec2-bastion"
   role = aws_iam_role.ec2_bastion.name
 }
-
-
-resource "aws_vpc_endpoint" "s3" {
-  vpc_id            = var.vpc_id
-  service_name      = "com.amazonaws.ap-northeast-1.s3"
-  vpc_endpoint_type = "Gateway"
-  route_table_ids   = var.ec2_bastion_route_table_ids
-  policy            = data.aws_iam_policy_document.s3_vpc_endpoint.json
-  tags = {
-    Name = "${var.product}-${var.org}-${var.env}-s3-vpc-endpoint"
-  }
-}
-
-data "aws_iam_policy_document" "s3_vpc_endpoint" {
-  statement {
-    actions   = ["*"]
-    effect    = "Allow"
-    resources = ["*"]
-    principals {
-      type = "*"
-      identifiers = [
-        "*",
-      ]
-    }
-  }
-}
-
diff --git a/terraform/infrastructure/modules/network/README.md b/terraform/infrastructure/modules/network/README.md
@@ -46,10 +46,19 @@ module "network" {
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.vpc_flow_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_iam_policy.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.vpc_flow_log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vpc_flow_logs_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs