Updates tfsec & checkov ignores + syntax updates

No actual changes here - just ignores and syntax clean up on aisle 6 ;)
Ignore comments for AWS X-Ray tracing / IAM Wildcards / . We do not enable X-Ray Tracing for Lambda

Lambda functions should have X-Ray tracing enabled. Function does not have tracing enabled.

ID         - aws-lambda-enable-tracing ; aws-iam-no-policy-wildcards
Severity   - Low
Impact     - Without full tracing enabled it is difficult to trace the flow of logs
Resolution - Enable tracing

tfsec       - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/lambda/enable-tracing/
checkov     - https://docs.bridgecrew.io/docs/bc_aws_serverless_4
tf registry - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#tracing_config

To be tagged as v5.2.3

base/CA_Infrastructure/root_CA/iam_splunk_sh.tf

@@ -20,6 +20,7 @@ resource "aws_iam_role" "run_audit_report_role" {
   tags = merge(local.standard_tags, var.tags)
 }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {
   statement {
     sid       = ""

base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf

@@ -21,6 +21,7 @@ resource "aws_iam_role" "run_audit_report_role" {
   tags = merge(local.standard_tags, var.tags)
 }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {
   statement {
     sid       = ""

base/account_standards/config.tf

@@ -46,9 +46,9 @@ data "aws_iam_policy_document" "awsconfig" {
     sid    = "PermissionsForRuleChecks"
     effect = "Allow"
     actions = [
-      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "kms:DescribeKey"
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
   }
 }

base/account_standards/flowlogs.tf

@@ -45,6 +45,7 @@ resource "aws_iam_role_policy" "flowlogs" {
         "logs:DescribeLogStreams"
       ],
       "Effect": "Allow",
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "Resource": "*"
     }
   ]

base/account_standards/iam.tf

@@ -119,12 +119,13 @@ resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_at
 ##########################
 # cloudwatch events
 data "aws_iam_policy_document" "cloudwatch_events" {
+	# checkov:skip=CKV_AWS_111: see tfsec ignore - we use wildcards
   statement {
     sid = "1"
     actions = [
       "events:PutRule"
     ]
-
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
   }
 }
@@ -261,12 +262,13 @@ resource "aws_iam_role" "splunk_addon_for_aws" {
   assume_role_policy = data.aws_iam_policy_document.splunk_addon_for_aws_assume_role.json
 }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "policy" {
   statement {
     sid       = ""
     effect    = "Allow"
+    
     resources = ["*"]
-
     actions = [
       "sqs:GetQueueAttributes",
       "sqs:ListQueues",

base/account_standards_c2/iam.moose-hf.tf

@@ -59,6 +59,7 @@ resource "aws_iam_policy" "moose-hf" {
           "logs:DescribeLogStreams",
           "logs:GetLogEvents"
       ],
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "Resource": "*"
     }
   ]

base/aws_client_vpn/lambda.tf

@@ -32,6 +32,7 @@ data "aws_iam_policy_document" "lambda_connection_authorization_policy_doc" {
   statement {
     sid       = ""
     effect    = "Allow"
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
 
     actions = [
@@ -55,7 +56,9 @@ resource "aws_iam_role_policy_attachment" "lambda_connection_authorization_polic
   policy_arn = aws_iam_policy.lambda_connection_authorization_policy.arn
 }
 
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "lambda_connection_authorization" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   function_name = "AWSClientVPN-ConnectionHandler${var.suffix}"
   description   = "Only allows one concurrent connection"
   runtime       = "python3.9"

base/aws_client_vpn/security-groups.tf

@@ -1,12 +1,20 @@
+#----------------------------------------------------------------------------
+# VPN Access Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "vpn_access" {
+	# checkov:skip=CKV2_AWS_5: This SG is not an Orphan
   name_prefix = "${var.dns_name}${var.suffix}_vpn_access"
   description = "Security Group for the AWS VPN"
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vpn-in-443-tcp" {
   type              = "ingress"
+  description       = "443 - TCP - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -16,6 +24,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
 
 resource "aws_security_group_rule" "vpn-in-443-udp" {
   type              = "ingress"
+  description       = "443 - UDP - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
@@ -25,6 +34,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
 
 resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   type              = "ingress"
+  description       = "1194 - TCP - Inbound"
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
@@ -34,6 +44,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
 
 resource "aws_security_group_rule" "vpn-in-1194-udp" {
   type              = "ingress"
+  description       = "1194 - UDP - Inbound"
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
@@ -41,8 +52,12 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   security_group_id = aws_security_group.vpn_access.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vpn-out" {
   type              = "egress"
+  description       = "VPN - Outbound"
   from_port         = -1
   to_port           = -1
   protocol          = -1

base/codebuild_lcp_magic_machine/security-group.tf

@@ -8,57 +8,73 @@ data "aws_subnet" "this" {
   id = var.public_subnets[0]
 }
 
+#----------------------------------------------------------------------------
+# LCP Magic Machine Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "this" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Magic Machine 
   name        = "${var.name}_magic_machine_security_group"
   description = "Security Group for magic machine ${var.name}"
   tags        = merge(local.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "this" {
   type              = "ingress"
+  description       = "Allows Codebuild to access Magic Machine and for troubleshooting"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  description       = "Allows codebuild to access Magic Machine and for troubleshooting"
   security_group_id = aws_security_group.this.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "allow_outbound_mm" {
   type              = "egress"
+  description       = "HTTPS - Outbound - Allow Magic Machine"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Allow Magic Machine to communicate via HTTPS outbound"
   security_group_id = aws_security_group.this.id
 }
 
-
+#----------------------------------------------------------------------------
+# Codebuild Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "codebuild" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Codebuild
   name        = "${var.name}_codebuild_security_group"
   description = "Security Group for codebuild ${var.name}"
   tags        = merge(local.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "allow_outbound" {
   type              = "egress"
+  description       = "HTTPS - Outbound - Allow Codebuild"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Allow codebuild to communicate via HTTPS outbound"
   security_group_id = aws_security_group.codebuild.id
 }
 
 resource "aws_security_group_rule" "allow_ssh_outbound" {
   type              = "egress"
+  description       = "SSH - Outbound - Allow Codebuild"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  description       = "Allow codebuild to communicate via SSH outbound"
   security_group_id = aws_security_group.codebuild.id
 }

base/customer_portal/elb.tf

@@ -3,6 +3,8 @@
 # LOAD BALANCER FOR PORTAL
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_alb" "portal" {
+	# checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
+	# checkov:skip=CKV2_AWS_28: Portal is protected by WAF
   name                       = "portal-alb-${var.environment}"
   security_groups            = [aws_security_group.customer_portal_alb.id, ]
   internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure

base/customer_portal_lambda/main.tf

@@ -13,11 +13,9 @@ locals {
   }
 }
 
-####
-#
-#Security Group
-#
-####
+#----------------------------------------------------------------------------
+# Portal Lambda Security Group
+#----------------------------------------------------------------------------
 data "aws_security_group" "typical-host" {
   name   = "typical-host"
   vpc_id = var.vpc_id
@@ -29,38 +27,42 @@ resource "aws_security_group" "portal_lambda_splunk_sg" {
   description = "Allow Lambda network access"
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "portal_lambda_splunk_out" {
   type              = "egress"
+  description       = "All Splunk SH"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
   cidr_blocks       = ["10.0.0.0/8"]
-  description       = "All Splunk SH"
   security_group_id = aws_security_group.portal_lambda_splunk_sg.id
 }
 
 resource "aws_security_group_rule" "portal_lambda_phantom_out" {
   type              = "egress"
+  description       = "Allow Lambda to connect to all server APIs in private-services"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
   cidr_blocks       = local.cidr_map["vpc-private-services"]
-  description       = "Allow Lambda to connect to all server APIs in private-services"
   security_group_id = aws_security_group.portal_lambda_splunk_sg.id
 }
 
 resource "aws_security_group_rule" "portal_lambda_splunk_in" {
   type              = "ingress"
+  description       = "Moose SH"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
-  description       = "Moose SH"
   security_group_id = aws_security_group.portal_lambda_splunk_sg.id
   self              = "true"
 }
 
-
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "portal_scheduler" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   description      = "Used to schedule Portal sync jobs"
   filename         = "code.zip"
   source_code_hash = filebase64sha256("code.zip")
@@ -95,7 +97,9 @@ resource "aws_lambda_function_event_invoke_config" "portal_scheduler" {
   maximum_retry_attempts = 0
 }
 
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "portal_customer_sync" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   description      = "Sync data between Splunk and Portal"
   filename         = "code.zip"
   source_code_hash = filebase64sha256("code.zip")

base/dns/inbound_dns_resolver/main.tf

@@ -15,13 +15,20 @@ resource "aws_route53_resolver_endpoint" "private_resolver" {
   tags = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# DNS Resolver Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "resolver_security_group" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to DNS Resolver
   name        = "route53_resolver_inbound"
   description = "Allow DNS inbound traffic"
   vpc_id      = var.primary_vpc
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
   ingress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -29,15 +36,18 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   ingress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"
     cidr_blocks = ["10.0.0.0/8"]
   }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
   egress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -45,7 +55,7 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   egress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"

base/dns/outbound_dns_resolver/main.tf

@@ -15,13 +15,20 @@ resource "aws_route53_resolver_endpoint" "private_resolver" {
   tags = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# DNS Resolver Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "resolver_security_group" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Private Resolver
   name        = "route53_resolver_outbound"
   description = "Allow DNS inbound traffic"
   vpc_id      = var.primary_vpc
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
   ingress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -29,15 +36,18 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   ingress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"
     cidr_blocks = ["10.0.0.0/8"]
   }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
   egress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -45,7 +55,7 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   egress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"

base/dns/private_dns/main.tf

@@ -97,13 +97,19 @@ resource "aws_route53_resolver_endpoint" "private_resolver" {
   tags = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# Inbound DNS Resolver Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "resolver_security_group" {
   name        = "route53_resolver"
   description = "Allow DNS inbound traffic"
   vpc_id      = local.first_vpc
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
   ingress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -111,15 +117,18 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   ingress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Inbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"
     cidr_blocks = ["10.0.0.0/8"]
   }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
   egress {
-    description = "DNS_UDP"
+    description = "DNS_UDP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "udp"
@@ -127,7 +136,7 @@ resource "aws_security_group" "resolver_security_group" {
   }
 
   egress {
-    description = "DNS_TCP"
+    description = "DNS_TCP - Outbound"
     from_port   = 53
     to_port     = 53
     protocol    = "tcp"

base/generic_s3_bucket_with_role/iam.tf

@@ -92,6 +92,7 @@ data "aws_iam_policy_document" "policy_doc" {
       "s3:GetBucketLocation",
       "s3:GetObjectVersion",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = [
       aws_s3_bucket.bucket.arn,
       "${aws_s3_bucket.bucket.arn}/*",
@@ -110,6 +111,7 @@ data "aws_iam_policy_document" "policy_doc" {
       "s3:GetBucketLocation",
       "s3:GetObjectVersion",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = [
       aws_s3_bucket.bucket.arn,
       "${aws_s3_bucket.bucket.arn}/*",

base/github/instance_profile.tf

@@ -72,6 +72,7 @@ data "aws_iam_policy_document" "github_instance_policy_doc" {
       "kms:ReEncryptTo",
       "kms:Sign",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
   }
 }

base/github/securitygroup-backupserver.tf

@@ -9,6 +9,9 @@ resource "aws_security_group" "ghe_backup_server" {
   description = "github backup server"
 }
 
+#----------------------------------------------------------------------------
+# GHE Backup Security Group to GH
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_backup_server_122_to_github" {
   security_group_id        = aws_security_group.ghe_backup_server.id
   type                     = "egress"
@@ -19,6 +22,9 @@ resource "aws_security_group_rule" "ghe_backup_server_122_to_github" {
   description              = "Outbound ssh to GH mgmt"
 }
 
+#----------------------------------------------------------------------------
+# GHE Backup Security Group to Legacy
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_backup_server_122_to_legacy" {
   security_group_id        = aws_security_group.ghe_backup_server.id
   type                     = "egress"
@@ -29,6 +35,9 @@ resource "aws_security_group_rule" "ghe_backup_server_122_to_legacy" {
   description              = "Outbound ssh to GH mgmt"
 }
 
+#----------------------------------------------------------------------------
+# GHE Backup Security Group to NFS - EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_backup_server_egress_nfs" {
   security_group_id        = aws_security_group.ghe_backup_server.id
   type                     = "egress"
@@ -39,6 +48,9 @@ resource "aws_security_group_rule" "ghe_backup_server_egress_nfs" {
   description              = "Outbound NFS"
 }
 
+#----------------------------------------------------------------------------
+# GHE Backup Security Group to NFS - INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_backup_server_ingress_nfs" {
   security_group_id        = aws_security_group.ghe_backup_server.id
   type                     = "ingress"

base/github/securitygroup-server.tf

@@ -7,6 +7,7 @@
 #   8444 - From Load Balancers
 #   
 resource "aws_security_group" "ghe_server" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to GitHub
   name_prefix = "ghe_server"
   tags        = merge(local.standard_tags, var.tags, { Name = "github-enterprise-server" })
   vpc_id      = var.vpc_id
@@ -14,15 +15,16 @@ resource "aws_security_group" "ghe_server" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# INGRESS
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_server_inbound_22" {
+	# checkov:skip=CKV_AWS_24: Intentionally Open
   security_group_id = aws_security_group.ghe_server.id
   type              = "ingress"
+  description       = "Inbound tcp/22 (ssh) from external IPs (through NLB)"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  description       = "Inbound tcp/22 (ssh) from external IPs (through NLB)"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
 }
 
@@ -30,120 +32,121 @@ resource "aws_security_group_rule" "ghe_server_inbound_external_elb_80" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = module.elb.security_group_id
   type                     = "ingress"
+  description              = "HTTP - Inbound from external ELBs for LetsEncrypt"
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
-  description              = "Inbound HTTP from external ELBs for LetsEncrypt"
+  
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_cidr" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "ingress"
+  description       = "Inbound SSH (for mgmt)"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 122
   to_port           = 122
   protocol          = "tcp"
-  description       = "Inbound ssh (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_sgs" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_server.id
   type                     = "ingress"
+  description              = "Inbound SSH (for mgmt)"
   from_port                = 122
   to_port                  = 122
   protocol                 = "tcp"
-  description              = "Inbound ssh (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_ssh_backup_sgs" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_backup_server.id
   type                     = "ingress"
+  description              = "Inbound SSH (for mgmt)"
   from_port                = 122
   to_port                  = 122
   protocol                 = "tcp"
-  description              = "Inbound ssh (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_https_cidr" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 443
   to_port           = 444
   protocol          = "tcp"
-  description       = "Inbound https"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = module.elb.security_group_id
   type                     = "ingress"
+  description              = "HTTPS - Inbound from external ELBs"
   from_port                = 443
   to_port                  = 444
   protocol                 = "tcp"
-  description              = "Inbound https from external ELBs"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_elb_internal.id
   type                     = "ingress"
+  description              = "HTTPS - Inbound from internal ELBs"
   from_port                = 443
   to_port                  = 444
   protocol                 = "tcp"
-  description              = "Inbound https from internal ELBs"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_cidr" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "ingress"
+  description       = "HTTPS - Inbound (for mgmt)"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 8443
   to_port           = 8444
   protocol          = "tcp"
-  description       = "Inbound https (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_sgs" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_server.id
   type                     = "ingress"
+  description              = "HTTPS - Inbound (for mgmt)"
   from_port                = 8443
   to_port                  = 8444
   protocol                 = "tcp"
-  description              = "Inbound https (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_mgmt_https_backup_sgs" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_backup_server.id
   type                     = "ingress"
+  description              = "HTTPS - Inbound (for mgmt)"
   from_port                = 8443
   to_port                  = 8444
   protocol                 = "tcp"
-  description              = "Inbound https (for mgmt)"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_https_internal_elb_8444" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = aws_security_group.ghe_elb_internal.id
   type                     = "ingress"
+  description              = "HTTPS - Inbound/8444 from internal ELBs"
   from_port                = 8443
   to_port                  = 8444
   protocol                 = "tcp"
-  description              = "Inbound https/8444 from internal ELBs"
 }
 
 resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444" {
   security_group_id        = aws_security_group.ghe_server.id
   source_security_group_id = module.elb.security_group_id
   type                     = "ingress"
+  description              = "HTTPS - Inbound/8444 from external ELBs"
   from_port                = 8443
   to_port                  = 8444
   protocol                 = "tcp"
-  description              = "Inbound https/8444 from external ELBs"
 }
 
 #-----------------------------------------------------------------
@@ -152,31 +155,31 @@ resource "aws_security_group_rule" "ghe_server_inbound_https_external_elb_8444"
 resource "aws_security_group_rule" "ghe_server_outbound_http" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "egress"
+  description       = "Outbound http for LetsEncrypt"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  description       = "Outbound http for letsencrypt"
 }
 
 resource "aws_security_group_rule" "ghe_server_outbound_https" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "egress"
+  description       = "Outbound https for LetsEncrypt"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr Purposefully accessible
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Outbound https for letsencrypt"
 }
 
 resource "aws_security_group_rule" "ghe_server_outbound_syslog" {
   security_group_id = aws_security_group.ghe_server.id
   type              = "egress"
+  description       = "Outbound syslog - TCP"
   cidr_blocks       = local.cidr_map["vpc-splunk"]
   from_port         = 1514
   to_port           = 1514
   protocol          = "tcp"
-  description       = "Outbound syslog"
 }
 
 

base/github/securitygroups-load-balancers.tf

@@ -33,71 +33,78 @@ locals {
 }
 
 #----------------------------------------------------------------
-# SG for the internal ELB
+# SG for the Internal ELB
 #----------------------------------------------------------------
 resource "aws_security_group" "ghe_elb_internal" {
+	# checkov:skip=CKV2_AWS_5: attached to GHE Internal ELB
   name_prefix = "ghe_elb_internal"
   tags        = merge(local.standard_tags, var.tags, { Name = "github-internal-lb" })
   vpc_id      = var.vpc_id
   description = "Internal ELB for GitHub Enterprise Server"
 }
 
+#-----------------------------------------------------------------
+# INGRESS
+#-----------------------------------------------------------------
 resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
   security_group_id = aws_security_group.ghe_elb_internal.id
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Inbound https"
 }
 
 resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
   security_group_id = aws_security_group.ghe_elb_internal.id
   type              = "ingress"
+  description       = "HTTPS 8443 - Inbound"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 8443
   to_port           = 8443
   protocol          = "tcp"
-  description       = "Inbound https"
 }
 resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
   security_group_id = aws_security_group.ghe_elb_internal.id
   type              = "ingress"
+  description       = "Inbound git"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  description       = "Inbound git"
 }
 
+#-----------------------------------------------------------------
+# INGRESS
+#-----------------------------------------------------------------
 # Let the ELB talk to the github server(s)
 resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
   security_group_id        = aws_security_group.ghe_elb_internal.id
   type                     = "egress"
+  description              = "HTTPS - Outbound from ELB to GH Servers"
   source_security_group_id = aws_security_group.ghe_server.id
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
-  description              = "Outbound https from ELB to GH Servers"
 }
 
 # Let the ELB talk to the github server(s)
 resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
   security_group_id        = aws_security_group.ghe_elb_internal.id
   type                     = "egress"
+  description              = "HTTPS 8443 - Outbound from ELB to GH Servers"
   source_security_group_id = aws_security_group.ghe_server.id
   from_port                = 8443
   to_port                  = 8444
   protocol                 = "tcp"
-  description              = "Outbound https from ELB to GH Servers"
 }
 resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
   security_group_id        = aws_security_group.ghe_elb_internal.id
   type                     = "egress"
+  description              = "HTTPS 23 - Outbound from ELB to GH Servers"
   source_security_group_id = aws_security_group.ghe_server.id
   from_port                = 23
   to_port                  = 23
   protocol                 = "tcp"
-  description              = "Outbound https from ELB to GH Servers"
 }

base/jira/instance_jira/securitygroup-server.tf

@@ -16,27 +16,27 @@ resource "aws_security_group" "jira_server" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Ingress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "jira_server_inbound_8080" {
   security_group_id = aws_security_group.jira_server.id
   type              = "ingress"
+  description       = "Inbound 8080 (from access, for testing)"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 8080
   to_port           = 8080
   protocol          = "tcp"
-  description       = "Inbound 8080 (from access, for testing)"
 }
 
 #-----------------------------------------------------------------
-# Outbound access
+# Egress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "jira_server_outbound_postgres" {
   security_group_id        = aws_security_group.jira_server.id
   type                     = "egress"
+  description              = "Outbound postgres to RDS"
   source_security_group_id = var.rds_sg
   from_port                = 5432
   to_port                  = 5432
   protocol                 = "tcp"
-  description              = "Outbound postgres to RDS"
 }

base/jira/rds_jira/security-groups.tf

@@ -1,13 +1,20 @@
+#----------------------------------------------------------------------------
+# Jira RDS Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "jira_rds_sg" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Jira RDS
   name        = "${var.identifier}_rds_sg"
   description = "Security Group for Jira RDS"
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#-----------------------------------------------------------------
+# Ingress
+#-----------------------------------------------------------------
 resource "aws_security_group_rule" "jira_rds_in" {
-  description       = "Inbound Postgres"
   type              = "ingress"
+  description       = "Inbound Postgres"
   from_port         = 5432
   to_port           = 5432
   protocol          = "tcp"
@@ -16,8 +23,8 @@ resource "aws_security_group_rule" "jira_rds_in" {
 }
 
 resource "aws_security_group_rule" "jira_security_in" {
-  description       = "Inbound From Scanners"
   type              = "ingress"
+  description       = "Inbound From Scanners"
   from_port         = 0
   to_port           = 65535
   protocol          = "-1"

base/mailrelay/main.tf

@@ -15,6 +15,9 @@ data "aws_kms_key" "ebs-key" {
   key_id = "alias/ebs_root_encrypt_decrypt"
 }
 
+#----------------------------------------------------------------------------
+# Mailrelay Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "mailrelay_security_group" {
   name        = "mailrelay_security_group"
   description = "Security Group for the Mail Relay Server(s)"
@@ -22,9 +25,12 @@ resource "aws_security_group" "mailrelay_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#-----------------------------------------------------------------
+# Ingress
+#-----------------------------------------------------------------
 resource "aws_security_group_rule" "smtp-in" {
-  description       = "inbound smtp requests"
   type              = "ingress"
+  description       = "SMTP - Inbound requests"
   from_port         = 25
   to_port           = 25
   protocol          = "tcp"
@@ -33,7 +39,7 @@ resource "aws_security_group_rule" "smtp-in" {
 }
 
 resource "aws_security_group_rule" "submission-in" {
-  description       = "inbound submission (smtp-s) requests"
+  description       = "Submission SMTP-S - Inbound requests"
   type              = "ingress"
   from_port         = 587
   to_port           = 587
@@ -52,8 +58,11 @@ resource "aws_security_group_rule" "submission-in" {
 #  security_group_id = aws_security_group.mailrelay_security_group.id
 #}
 
+#-----------------------------------------------------------------
+# Egress
+#-----------------------------------------------------------------
 resource "aws_security_group_rule" "submission-out" {
-  description       = "outbound submission (smtp-s) requests"
+  description       = "Submission SMTP-S - Outbound requests"
   type              = "egress"
   from_port         = 587
   to_port           = 587

base/mailrelay/ses.tf

@@ -139,6 +139,7 @@ resource "aws_iam_user_policy" "ses_user" {
         "ses:SendRawEmail"
       ],
       "Effect": "Allow",
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "Resource": "*"
     }
   ]

base/nessus/instance_nessus_manager/securitygroup-server.tf

@@ -15,16 +15,16 @@ resource "aws_security_group" "nessus_manager" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Ingress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "nessus_manager_inbound_nessus" {
   security_group_id = aws_security_group.nessus_manager.id
   type              = "ingress"
+  description       = "Inbound Nessus"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 8834
   to_port           = 8834 # no 8835 according to https://docs.tenable.com/nessusagent/Content/RequirementsDataflow.htm
   protocol          = "tcp"
-  description       = "Inbound Nessus"
 }
 
 resource "aws_security_group_rule" "http-in-external-c2-users" {
@@ -56,7 +56,7 @@ resource "aws_security_group_rule" "http-in-external-c2-users" {
 }
 
 #-----------------------------------------------------------------
-# Outbound access
+# Egress
 #-----------------------------------------------------------------
 #resource "aws_security_group_rule" "nessus_manager_outbound_all_ports" {
 #  security_group_id        = aws_security_group.nessus_manager.id

base/nessus/instance_nessus_scanner/securitygroup-server.tf

@@ -15,56 +15,56 @@ resource "aws_security_group" "nessus_scanner" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Ingress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "nessus_scanner_inbound_icmp" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "ingress"
+  description       = "Inbound pings"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = -1
   to_port           = -1
   protocol          = "ICMP"
-  description       = "Inbound pings"
 }
 
 resource "aws_security_group_rule" "nessus_scanner_inbound_22" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "ingress"
+  description       = "SSH - Inbound (from access)"
   cidr_blocks       = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"]))
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  description       = "Inbound ssh (from access)"
 }
 
 resource "aws_security_group_rule" "nessus_scanner_inbound_3022" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "ingress"
+  description       = "Inbound teleport (from access)"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 3022
   to_port           = 3022
   protocol          = "tcp"
-  description       = "Inbound teleport (from access)"
 }
 
 resource "aws_security_group_rule" "nessus_scanner_inbound_443" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "ingress"
+  description       = "443 - Inbound (from access)"
   cidr_blocks       = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"]))
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Inbound 443 (from access)"
 }
 
 resource "aws_security_group_rule" "nessus_scanner_inbound_nessus" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "ingress"
+  description       = "Inbound Nessus"
   cidr_blocks       = toset(concat(local.cidr_map["vpc-access"], local.cidr_map["vpc-private-services"]))
   from_port         = 8834
   to_port           = 8835
   protocol          = "tcp"
-  description       = "Inbound Nessus"
 }
 
 resource "aws_security_group_rule" "nessus_scanner_inbound_scan_ourselves" {
@@ -78,14 +78,14 @@ resource "aws_security_group_rule" "nessus_scanner_inbound_scan_ourselves" {
 }
 
 #-----------------------------------------------------------------
-# Outbound access
+# Egress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "nessus_scanner_outbound_all_ports" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "egress"
+  description       = "Outbound to All Ports"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = -1
   to_port           = -1
   protocol          = "all"
-  description       = "Outbound to All Ports"
 }

base/nessus/instance_security_center/elb.tf

@@ -106,10 +106,10 @@ resource "aws_security_group" "security_center_alb_server_internal" {
 }
 
 #----------------------------------------------------------------------------
-# INGRESS
+# Ingress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http_from_access" {
-  description       = "HTTP inbound from Internet"
+  description       = "HTTP - Inbound from Internet"
   type              = "ingress"
   from_port         = "80"
   to_port           = "80"
@@ -129,7 +129,7 @@ resource "aws_security_group_rule" "https_from_access" {
 }
 
 #----------------------------------------------------------------------------
-# EGRESS
+# Egress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "security_center_alb_to_server" {
   description              = "Security Center ALB to the Server"

base/nessus/instance_security_center/securitygroup-server.tf

@@ -15,16 +15,17 @@ resource "aws_security_group" "security_center" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Ingress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "security_center_inbound_443" {
   security_group_id = aws_security_group.security_center.id
   type              = "ingress"
+  description       = "443 - Inbound (from access, for testing)"
   cidr_blocks       = local.cidr_map["vpc-access"]
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  description       = "Inbound 443 (from access, for testing)"
+  
 }
 
 resource "aws_security_group_rule" "security_center_inbound_443_from_alb" {
@@ -38,7 +39,7 @@ resource "aws_security_group_rule" "security_center_inbound_443_from_alb" {
 }
 
 #-----------------------------------------------------------------
-# Outbound access
+# Egress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "security_center_outbound_nessus" {
   security_group_id = aws_security_group.security_center.id

base/phantom/alb.tf

@@ -107,10 +107,10 @@ resource "aws_security_group" "phantom_alb_internal" {
 }
 
 #----------------------------------------------------------------------------
-# INGRESS
+# Ingress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http_from_local" {
-  description       = "HTTP inbound from Internet"
+  description       = "HTTP - Inbound from Internet"
   type              = "ingress"
   from_port         = "80"
   to_port           = "80"
@@ -120,7 +120,7 @@ resource "aws_security_group_rule" "http_from_local" {
 }
 
 resource "aws_security_group_rule" "https_from_local" {
-  description       = "HTTPS inbound from Internet"
+  description       = "HTTPS - Inbound from Internet"
   type              = "ingress"
   from_port         = "443"
   to_port           = "443"
@@ -130,7 +130,7 @@ resource "aws_security_group_rule" "https_from_local" {
 }
 
 #----------------------------------------------------------------------------
-# EGRESS
+# Egress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "phantom_alb_to_server" {
   description              = "HTTPS to the Server"

base/phantom/securitygroup-server.tf

@@ -20,7 +20,7 @@ resource "aws_security_group" "phantom_server" {
 }
 
 #-----------------------------------------------------------------
-# Inbound access
+# Ingress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "phantom_server_inbound_8888" {
   security_group_id = aws_security_group.phantom_server.id
@@ -53,46 +53,46 @@ resource "aws_security_group_rule" "phantom_server_inbound_alb_443_from_vpn" {
 }
 
 #-----------------------------------------------------------------
-# Outbound access
+# Egress
 #-----------------------------------------------------------------
 resource "aws_security_group_rule" "phantom_server_outbound_postgres" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
+  description       = "Outbound to splunk everywhere"
   cidr_blocks       = ["10.0.0.0/8"]
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
-  description       = "Outbound to splunk everywhere"
 }
 
 resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
+  description       = "DNS TCP - Outbound anywhere"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
-  description       = "Outbound tcp dns anywhere"
 }
 
 resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
+  description       = "DNS UDP - Outbound anywhere"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
-  description       = "Outbound udp dns anywhere"
 }
 
 resource "aws_security_group_rule" "phantom_server_outbound_http" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
+  description       = "HTTP - Outbound anywhere (required for saleforce and others)"
   cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  description       = "Outbound http anywhere (required for saleforce and others)"
 }
 
 resource "aws_security_group_rule" "phantom_server_outbound_https" {

base/phantom_s3_bucket/iam_phantom_s3_role.tf

@@ -65,6 +65,7 @@ data "aws_iam_policy_document" "phantom_s3_policy_doc" {
       "s3:GetBucketLocation",
       "s3:GetObjectVersion",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = [
       aws_s3_bucket.bucket.arn,
       "${aws_s3_bucket.bucket.arn}/*",
@@ -83,6 +84,7 @@ data "aws_iam_policy_document" "phantom_s3_policy_doc" {
       "s3:GetBucketLocation",
       "s3:GetObjectVersion",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = [
       aws_s3_bucket.bucket.arn,
       "${aws_s3_bucket.bucket.arn}/*",

base/proxy_server/main.tf

@@ -207,7 +207,7 @@ resource "aws_security_group" "proxy_server_security_group" {
 }
 
 #----------------------------------------------------------------------------
-# EGRESS
+# Egress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http-out" {
   description       = "Proxy allowed HTTP anywhere"
@@ -220,8 +220,8 @@ resource "aws_security_group_rule" "http-out" {
 }
 
 resource "aws_security_group_rule" "https-out" {
-  description       = "For endpoints and troubleshooting - HTTPS"
   type              = "egress"
+  description       = "HTTPS - Outbound - For endpoints and troubleshooting"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -230,11 +230,11 @@ resource "aws_security_group_rule" "https-out" {
 }
 
 #----------------------------------------------------------------------------
-# INGRESS
+# Ingress
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "proxy-in" {
-  description       = "Proxy Inbound HTTP"
   type              = "ingress"
+  description       = "Proxy Inbound HTTP"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -243,8 +243,8 @@ resource "aws_security_group_rule" "proxy-in" {
 }
 
 resource "aws_security_group_rule" "proxy-in-https" {
-  description       = "Proxy Inbound HTTPS"
   type              = "ingress"
+  description       = "Proxy Inbound HTTPS"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"

base/repo_server/lb_internal.tf

@@ -109,8 +109,8 @@ resource "aws_security_group" "alb_internal" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http_from_local" {
-  description       = "HTTP inbound from Private Servers"
   type              = "ingress"
+  description       = "HTTP - Inbound from Private Servers"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -119,8 +119,8 @@ resource "aws_security_group_rule" "http_from_local" {
 }
 
 resource "aws_security_group_rule" "https_from_local" {
-  description       = "HTTPS inbound from private servers"
   type              = "ingress"
+  description       = "HTTPS - Inbound from private servers"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -132,8 +132,8 @@ resource "aws_security_group_rule" "https_from_local" {
 # EGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb_to_server" {
-  description              = "HTTP to the Server"
   type                     = "egress"
+  description              = "HTTP to the Server"
   from_port                = "80"
   to_port                  = "80"
   protocol                 = "tcp"

base/repo_server/main.tf

@@ -187,6 +187,9 @@ data "template_cloudinit_config" "cloud_init_config" {
   }
 }
 
+#----------------------------------------------------------------------------
+# Repo Server Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "repo_server_security_group" {
   name        = "repo_server_security_group"
   description = "Security Group for the Repository Server(s) port 80"
@@ -194,9 +197,12 @@ resource "aws_security_group" "repo_server_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# Ingress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http-in" {
-  description              = "inbound repository requests"
   type                     = "ingress"
+  description              = "HTTP - Inbound repository requests"
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -205,8 +211,8 @@ resource "aws_security_group_rule" "http-in" {
 }
 
 resource "aws_security_group_rule" "http-in-external" {
-  description              = "inbound repository requests from the alb"
   type                     = "ingress"
+  description              = "HTTP - Inbound repository requests from the alb"
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"

base/rhsso/security-groups-rds.tf

@@ -1,3 +1,6 @@
+#----------------------------------------------------------------------------
+# RHSSO RDS Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "rhsso_rds_sg" {
   name        = "${var.identifier}_rds_sg"
   description = "Security Group for KeyCloak RDS"
@@ -5,9 +8,12 @@ resource "aws_security_group" "rhsso_rds_sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# Ingress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "rhsso_rds_in" {
-  description       = "Inbound Postgres"
   type              = "ingress"
+  description       = "Inbound Postgres"
   from_port         = 5432
   to_port           = 5432
   protocol          = "tcp"
@@ -16,8 +22,8 @@ resource "aws_security_group_rule" "rhsso_rds_in" {
 }
 
 resource "aws_security_group_rule" "rhsso_security_in" {
-  description       = "Inbound From Scanners"
   type              = "ingress"
+  description       = "Inbound From Scanners"
   from_port         = 0
   to_port           = 65535
   protocol          = "-1"

base/rhsso/security-groups.tf

@@ -17,17 +17,20 @@ data "aws_security_group" "aws_endpoints" {
 #   mgmt-https: 9993
 #   txn-recovery-environment: 4712
 #   txn-status-manager: 4713
-
 resource "aws_security_group" "instance" {
   name        = "RHSSO"
   description = "RHSSO Instances"
+	# checkov:skip=CKV2_AWS_5: this SG is attached to RHSSO
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# Ingress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "cluster-connectivity-ingress" {
-  description              = "Receive any from other cluster members"
   type                     = "ingress"
+  description              = "Receive any from other cluster members"
   from_port                = -1
   to_port                  = -1
   protocol                 = -1
@@ -35,9 +38,12 @@ resource "aws_security_group_rule" "cluster-connectivity-ingress" {
   source_security_group_id = aws_security_group.instance.id
 }
 
+#----------------------------------------------------------------------------
+# Egress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "cluster-connectivity-egress" {
-  description              = "send any to other cluster members"
   type                     = "egress"
+  description              = "send any to other cluster members"
   from_port                = -1
   to_port                  = -1
   protocol                 = -1
@@ -46,8 +52,8 @@ resource "aws_security_group_rule" "cluster-connectivity-egress" {
 }
 
 resource "aws_security_group_rule" "outbound_http" {
-  description       = "CRL Lookups go direct"
   type              = "egress"
+  description       = "HTTP - Outbound - CRL Lookups go direct"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -85,9 +91,12 @@ resource "aws_security_group_rule" "outbound_http" {
 #  security_group_id = aws_security_group.instance.id
 #}
 
+#----------------------------------------------------------------------------
+# Ingress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "instance-alt-http-in-from-access" {
-  description       = "Alt HTTP from access"
   type              = "ingress"
+  description       = "HTTP 8080 - Inbound - from access"
   from_port         = "8080"
   to_port           = "8080"
   protocol          = "tcp"
@@ -106,8 +115,8 @@ resource "aws_security_group_rule" "instance-alt-http-in-from-access" {
 #}
 
 resource "aws_security_group_rule" "instance-alt-https-in-from-access" {
-  description       = "Alt HTTPS from Access"
   type              = "ingress"
+  description       = "HTTPS 8443 - Inbound - from access"
   from_port         = "8443"
   to_port           = "8443"
   protocol          = "tcp"
@@ -116,8 +125,8 @@ resource "aws_security_group_rule" "instance-alt-https-in-from-access" {
 }
 
 resource "aws_security_group_rule" "instance-alt-https-in-from-nlb" {
-  description       = "Alt HTTPS from Internet"
   type              = "ingress"
+  description       = "HTTPS 8443 - Inbound - from Internet"
   from_port         = "8443"
   to_port           = "8443"
   protocol          = "tcp"
@@ -126,8 +135,8 @@ resource "aws_security_group_rule" "instance-alt-https-in-from-nlb" {
 }
 
 resource "aws_security_group_rule" "instance-mgmt-in-from-access" {
-  description       = "Management HTTPS from Access"
   type              = "ingress"
+  description       = "HTTPS - Inbound - Management from Access"
   from_port         = "9990"
   to_port           = "9990"
   protocol          = "tcp"
@@ -135,9 +144,12 @@ resource "aws_security_group_rule" "instance-mgmt-in-from-access" {
   security_group_id = aws_security_group.instance.id
 }
 
+#----------------------------------------------------------------------------
+# Egress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "instance-db-outbound" {
-  description              = "Postgres Outbound"
   type                     = "egress"
+  description              = "Postgres - Outbound"
   from_port                = "5432"
   to_port                  = "5432"
   protocol                 = "tcp"

base/salt_master/main.tf

@@ -207,6 +207,9 @@ data "template_cloudinit_config" "salt_master_cloud_init_config" {
   }
 }
 
+#----------------------------------------------------------------------------
+# Salt Master Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "salt_master_security_group" {
   name        = "salt_master_security_group"
   description = "Security Group for Salt Master(s)"
@@ -214,9 +217,12 @@ resource "aws_security_group" "salt_master_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# Egress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http-out" {
-  description       = "For endpoints and troubleshooting"
   type              = "egress"
+  description       = "HTTP - Outbound - For endpoints and troubleshooting"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -225,8 +231,8 @@ resource "aws_security_group_rule" "http-out" {
 }
 
 resource "aws_security_group_rule" "https-out" {
-  description       = "For endpoints and troubleshooting"
   type              = "egress"
+  description       = "HTTPS - Outbound - For endpoints and troubleshooting"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -234,9 +240,12 @@ resource "aws_security_group_rule" "https-out" {
   security_group_id = aws_security_group.salt_master_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# Ingress
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "saltstack" {
-  description       = "SaltStack"
   type              = "ingress"
+  description       = "SaltStack"
   from_port         = "4505"
   to_port           = "4506"
   protocol          = "tcp"
@@ -270,11 +279,14 @@ resource "aws_security_group_rule" "saltstack-external-ips" {
   security_group_id = aws_security_group.salt_master_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# Egress
+#----------------------------------------------------------------------------
 #TODO: make this better
 #for now, just allow 22 outbound anywhere
 resource "aws_security_group_rule" "saltstack-github" {
-  description       = "SaltStack - Github Access"
   type              = "egress"
+  description       = "SaltStack - Github Access"
   from_port         = "22"
   to_port           = "22"
   protocol          = "tcp"

base/sensu/main.tf

@@ -187,7 +187,7 @@ module "private_dns_record" {
 }
 
 #----------------------------------------------------------------------------
-# Server SG
+# Sensu Security Group
 #----------------------------------------------------------------------------
 
 resource "aws_security_group" "instance_security_group" {
@@ -203,50 +203,50 @@ resource "aws_security_group" "instance_security_group" {
 
 resource "aws_security_group_rule" "sensu_ui" {
   type                     = "ingress"
+  description              = "Sensu UI"
   from_port                = 8000
   to_port                  = 8000
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.sensu_alb_server_internal.id
-  description              = "Sensu UI"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
 resource "aws_security_group_rule" "sensu_agent_internal" {
   type                     = "ingress"
+  description              = "Internal Sensu Agents"
   from_port                = 8081
   to_port                  = 8081
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.sensu_alb_server_internal.id
-  description              = "Internal Sensu Agents"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
 resource "aws_security_group_rule" "sensu_api" {
   type                     = "ingress"
+  description              = "Sensu API"
   from_port                = 8080
   to_port                  = 8080
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.sensu_alb_server_internal.id
-  description              = "Sensu API"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
 resource "aws_security_group_rule" "sensu_agent_external" {
   type                     = "ingress"
+  description              = "External Sensu Agents"
   from_port                = 8081
   to_port                  = 8081
   protocol                 = "tcp"
   source_security_group_id = module.elb.security_group_id
-  description              = "External Sensu Agents"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
 resource "aws_security_group_rule" "sensu_api_external" {
   type                     = "ingress"
+  description              = "External Sensu API"
   from_port                = 8080
   to_port                  = 8080
   protocol                 = "tcp"
   source_security_group_id = module.elb.security_group_id
-  description              = "External Sensu API"
   security_group_id        = aws_security_group.instance_security_group.id
 }

base/sensu/private_elb.tf

@@ -85,7 +85,7 @@ resource "aws_route53_record" "sensu_internal" {
 }
 
 #----------------------------------------------------------------------------
-# ALB Security Group
+# Sensu ALB Security Group
 #----------------------------------------------------------------------------
 
 resource "aws_security_group" "sensu_alb_server_internal" {
@@ -98,16 +98,14 @@ resource "aws_security_group" "sensu_alb_server_internal" {
 #----------------------------------------------------------------------------
 # INGRESS
 #----------------------------------------------------------------------------
-
-
 resource "aws_security_group_rule" "sensu_from_vpc" {
   for_each          = local.alb_listener_ports
   type              = "ingress"
+  description       = "Sensu ${each.key}"
   from_port         = each.value
   to_port           = each.value
   protocol          = "tcp"
   cidr_blocks       = ["10.0.0.0/8"]
-  description       = "Sensu ${each.key}"
   security_group_id = aws_security_group.sensu_alb_server_internal.id
 }
 
@@ -118,10 +116,10 @@ resource "aws_security_group_rule" "sensu_from_vpc" {
 resource "aws_security_group_rule" "sensu_from_alb" {
   for_each                 = local.alb_listener_ports
   type                     = "egress"
+  description              = "Sensu ${each.key}"
   from_port                = each.value
   to_port                  = each.value
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.instance_security_group.id
-  description              = "Sensu ${each.key}"
   security_group_id        = aws_security_group.sensu_alb_server_internal.id
 }

base/shared_ami_key/main.tf

@@ -110,6 +110,7 @@ EOF
 resource "aws_iam_role_policy" "vmimport" {
   name   = "vmimport"
   role   = aws_iam_role.vmimport.id
+  # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   policy = <<EOF
 {
   "Version":"2012-10-17",

base/splunk_servers/app_s3_bucket/iam_splunk_apps_s3_role.tf

@@ -88,8 +88,9 @@ data "aws_iam_policy_document" "splunk_apps_s3_policy_doc" {
   statement {
     sid    = "UseTheKey"
     effect = "Allow"
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = [
-      #aws_kms_key.bucketkey.arn
+      # aws_kms_key.bucketkey.arn
       "*" # Needs access to the not-yet-created key for codebuild
     ]
     actions = [

base/splunk_servers/cluster_master/main.tf

@@ -220,9 +220,12 @@ resource "aws_security_group" "cluster_master_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-web-in" {
-  description = "Web access from bastions and vpn"
   type        = "ingress"
+  description = "Web access from bastions and vpn"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -232,8 +235,8 @@ resource "aws_security_group_rule" "splunk-web-in" {
 }
 
 resource "aws_security_group_rule" "splunk-api-in" {
-  description       = "Splunk API + Indexer Discovery"
   type              = "ingress"
+  description       = "Splunk API + Indexer Discovery"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -243,8 +246,8 @@ resource "aws_security_group_rule" "splunk-api-in" {
 
 resource "aws_security_group_rule" "splunk-api-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
   type              = "ingress"
+  description       = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -252,10 +255,13 @@ resource "aws_security_group_rule" "splunk-api-in-moose" {
   security_group_id = aws_security_group.cluster_master_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ssh-out" {
   count             = length(local.splunk_legacy_cidr) > 0 ? 1 : 0
-  description       = "SSH to legacy splunk"
   type              = "egress"
+  description       = "SSH to legacy splunk"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -264,8 +270,8 @@ resource "aws_security_group_rule" "ssh-out" {
 }
 
 resource "aws_security_group_rule" "splunk-api-out" {
-  description       = "Splunk API Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk API Outbound to talk to indexers"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -274,8 +280,8 @@ resource "aws_security_group_rule" "splunk-api-out" {
 }
 
 resource "aws_security_group_rule" "splunk-data-out" {
-  description       = "Splunk Data Outbound to record to local indexers"
   type              = "egress"
+  description       = "Splunk Data Outbound to record to local indexers"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"

base/splunk_servers/customer_searchhead/elb.tf

@@ -30,8 +30,9 @@ resource "aws_lb" "searchhead-alb" {
   tags = merge(local.standard_tags, var.tags)
 }
 
-#########################
+#----------------------------------------------------------------------------
 # Listeners
+#----------------------------------------------------------------------------
 resource "aws_lb_listener" "searchhead-alb-listener-https" {
   load_balancer_arn = aws_lb.searchhead-alb.arn
   port              = "443"
@@ -93,8 +94,9 @@ resource "aws_lb_target_group_attachment" "searchhead-alb-target-8000-instance"
   port             = 8000
 }
 
-#########################
+#----------------------------------------------------------------------------
 # Security Group for ALB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "searchhead-alb-sg" {
   name        = "${local.alb_name}-customer-alb-sh"
   description = "Security Group for the Customer Searchhead ALB"
@@ -102,9 +104,12 @@ resource "aws_security_group" "searchhead-alb-sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "searchhead-alb-https-in" {
-  description       = "HTTPS in"
   type              = "ingress"
+  description       = "HTTPS - Inbound to SH ALB"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -113,9 +118,9 @@ resource "aws_security_group_rule" "searchhead-alb-https-in" {
 }
 
 resource "aws_security_group_rule" "searchhead-http-in" {
+  type              = "ingress"
   # Port 80 is open as a redirect to 443
   description       = "Allow redirect from 80 to 443"
-  type              = "ingress"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -123,9 +128,12 @@ resource "aws_security_group_rule" "searchhead-http-in" {
   security_group_id = aws_security_group.searchhead-alb-sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "searchhead-alb-8000-out" {
-  description = "Allow outbound to default splunk web"
   type        = "egress"
+  description = "Allow outbound to default splunk web"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -134,8 +142,9 @@ resource "aws_security_group_rule" "searchhead-alb-8000-out" {
   security_group_id = aws_security_group.searchhead-alb-sg.id
 }
 
-#########################
+#----------------------------------------------------------------------------
 # DNS Entry
+#----------------------------------------------------------------------------
 module "public_dns_record_cust-elb" {
   source = "../../../submodules/dns/public_ALIAS_record"
 

base/splunk_servers/customer_searchhead/main.tf

@@ -221,10 +221,12 @@ resource "aws_security_group" "searchhead_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
-# Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-web-in" {
-  description = "Web access"
   type        = "ingress"
+  description = "Splunk Web - Inbound access"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -236,8 +238,8 @@ resource "aws_security_group_rule" "splunk-web-in" {
 }
 
 resource "aws_security_group_rule" "splunk-auth-in" {
-  description = "Web access"
   type        = "ingress"
+  description = "Splunk Auth - Inbound Web access"
   from_port   = 10000
   to_port     = 10000
   protocol    = "tcp"
@@ -249,8 +251,8 @@ resource "aws_security_group_rule" "splunk-auth-in" {
 }
 
 resource "aws_security_group_rule" "splunk-api-in" {
-  description = "Splunk API"
   type        = "ingress"
+  description = "Splunk API - Inbound"
   from_port   = 8089
   to_port     = 8089
   protocol    = "tcp"
@@ -263,10 +265,12 @@ resource "aws_security_group_rule" "splunk-api-in" {
   security_group_id = aws_security_group.searchhead_security_group.id
 }
 
-# Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-api-out" {
-  description       = "Splunk API Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk API - Outbound to talk to indexers"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -275,8 +279,8 @@ resource "aws_security_group_rule" "splunk-api-out" {
 }
 
 resource "aws_security_group_rule" "splunk-data-out" {
-  description       = "Splunk Data Outbound to talk to own indexers"
   type              = "egress"
+  description       = "Splunk Data - Outbound to talk to own indexers"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"

base/splunk_servers/heavy_forwarder/main.tf

@@ -208,10 +208,12 @@ resource "aws_security_group" "heavy_forwarder_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
-# Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-web-in" {
-  description = "Web access"
   type        = "ingress"
+  description = "Splunk Web - Inbound access"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -222,8 +224,8 @@ resource "aws_security_group_rule" "splunk-web-in" {
 }
 
 resource "aws_security_group_rule" "splunk-api-in" {
-  description       = "Splunk API"
   type              = "ingress"
+  description       = "Splunk API - Inbound"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -232,8 +234,8 @@ resource "aws_security_group_rule" "splunk-api-in" {
 }
 
 resource "aws_security_group_rule" "syslog-in" {
-  description       = "Syslog-ng"
   type              = "ingress"
+  description       = "Syslog-ng TCP - Inbound"
   from_port         = 1514
   to_port           = 1514
   protocol          = "tcp"
@@ -241,11 +243,13 @@ resource "aws_security_group_rule" "syslog-in" {
   security_group_id = aws_security_group.heavy_forwarder_security_group.id
 }
 
-# Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ssh-out" {
   count             = length(local.splunk_legacy_cidr) > 0 ? 1 : 0
-  description       = "SSH to legacy splunk"
   type              = "egress"
+  description       = "SSH to legacy splunk"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -254,8 +258,8 @@ resource "aws_security_group_rule" "ssh-out" {
 }
 
 resource "aws_security_group_rule" "splunk-api-out" {
-  description       = "Splunk API Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk API - Outbound to talk to indexers"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -264,8 +268,8 @@ resource "aws_security_group_rule" "splunk-api-out" {
 }
 
 resource "aws_security_group_rule" "splunk-data-out" {
-  description       = "Splunk Data Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk Data - Outbound to talk to indexers"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"

base/splunk_servers/indexer_cluster/instance_profile_indexers.tf

@@ -67,6 +67,7 @@ data "aws_iam_policy_document" "instance_policy_doc_idx" {
       "kms:ReEncryptTo",
       "kms:Sign",
     ]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
   }
 

base/splunk_servers/indexer_cluster/security-group-elb-pvt.tf

@@ -1,4 +1,8 @@
+#----------------------------------------------------------------------------
+# Security Group for HEC ELB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "hec_pvt_elb_security_group" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to HEC
   count       = local.splunk_private_hec ? 1 : 0
   name        = "hec_pvt_elb_security_group"
   description = "Security Group for the private moose HEC ELBs"
@@ -6,11 +10,13 @@ resource "aws_security_group" "hec_pvt_elb_security_group" {
   tags        = merge(local.standard_tags, var.tags, { "Name" = "hec_pvt_elb_security_group" })
 }
 
-## Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "hec-pvt-https-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "HEC port - HTTPS for moose only"
   type              = "ingress"
+  description       = "HEC port - HTTPS - Inbound - Moose Only"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -20,8 +26,8 @@ resource "aws_security_group_rule" "hec-pvt-https-in-moose" {
 
 resource "aws_security_group_rule" "hec-pvt-https-in-customer" {
   count             = local.splunk_private_hec ? 1 : 0
-  description       = "HEC port - HTTPS for customer instances"
   type              = "ingress"
+  description       = "HEC port - HTTPS - Inbound - Customer Instances"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -31,8 +37,8 @@ resource "aws_security_group_rule" "hec-pvt-https-in-customer" {
 
 resource "aws_security_group_rule" "hec-pvt-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "HEC port in - Moose Only"
   type              = "ingress"
+  description       = "HEC port - Inbound - Moose Only"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"
@@ -42,8 +48,8 @@ resource "aws_security_group_rule" "hec-pvt-in-moose" {
 
 resource "aws_security_group_rule" "hec-pvt-in-customer" {
   count             = local.splunk_private_hec ? 1 : 0
-  description       = "HEC port in for Customer"
   type              = "ingress"
+  description       = "HEC port - Inbound - Customer Instances"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"
@@ -51,11 +57,13 @@ resource "aws_security_group_rule" "hec-pvt-in-customer" {
   security_group_id = aws_security_group.hec_pvt_elb_security_group[0].id
 }
 
-## Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "hec-pvt-out" {
   count             = local.splunk_private_hec ? 1 : 0
-  description       = "HEC to the indexers"
   type              = "egress"
+  description       = "HEC to the indexers"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"

base/splunk_servers/indexer_cluster/security-group-elbs.tf

@@ -20,11 +20,13 @@ resource "aws_security_group" "hec_elb_security_group" {
   tags        = merge(local.standard_tags, var.tags, { "Name" = "hec_elb_security_group" })
 }
 
-## Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "hec-https-in" {
   count             = anytrue([local.is_moose, var.hec_listen_443]) ? 1 : 0
-  description       = "HEC port - HTTPS for moose only"
   type              = "ingress"
+  description       = "HEC port - HTTPS - Moose only"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -33,8 +35,8 @@ resource "aws_security_group_rule" "hec-https-in" {
 }
 
 resource "aws_security_group_rule" "hec-in" {
-  description       = "HEC port in"
   type              = "ingress"
+  description       = "HEC port in"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"
@@ -42,10 +44,12 @@ resource "aws_security_group_rule" "hec-in" {
   security_group_id = aws_security_group.hec_elb_security_group.id
 }
 
-## Egress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "hec-out" {
-  description       = "HEC to the indexers"
   type              = "egress"
+  description       = "HEC to the indexers"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"

base/splunk_servers/indexer_cluster/security-group-indexers.tf

@@ -21,17 +21,20 @@ locals {
 }
 
 resource "aws_security_group" "indexer_security_group" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Indexers
   name        = "indexer_security_group"
   description = "Security Group for Splunk Indexers"
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags, { "Name" = "indexer_security_group" })
 }
 
-## Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 
 resource "aws_security_group_rule" "splunk-web-in" {
-  description       = "Web access from bastions and vpn"
   type              = "ingress"
+  description       = "Web access from Bastions and VPN"
   from_port         = 8000
   to_port           = 8000
   protocol          = "tcp"
@@ -40,8 +43,8 @@ resource "aws_security_group_rule" "splunk-web-in" {
 }
 
 resource "aws_security_group_rule" "splunk-hec-in" {
-  description       = "Splunk HEC access"
   type              = "ingress"
+  description       = "Splunk HEC access"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"
@@ -51,8 +54,8 @@ resource "aws_security_group_rule" "splunk-hec-in" {
 
 resource "aws_security_group_rule" "splunk-hec-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "Splunk HEC access"
   type              = "ingress"
+  description       = "Splunk HEC - Inbound to Moose access"
   from_port         = 8088
   to_port           = 8088
   protocol          = "tcp"
@@ -61,8 +64,8 @@ resource "aws_security_group_rule" "splunk-hec-in-moose" {
 }
 
 resource "aws_security_group_rule" "splunk-api-in-access" {
-  description = "Splunk API + Indexer Discovery"
   type        = "ingress"
+  description = "Splunk API + Indexer Discovery"
   from_port   = 8089
   to_port     = 8089
   protocol    = "tcp"
@@ -73,8 +76,8 @@ resource "aws_security_group_rule" "splunk-api-in-access" {
 
 resource "aws_security_group_rule" "splunk-api-in-moose" {
   count       = local.is_moose ? 1 : 0
-  description = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
   type        = "ingress"
+  description = "Splunk API + Indexer Discovery - 10/8 for MOOSE ONLY"
   from_port   = 8089
   to_port     = 8089
   protocol    = "tcp"
@@ -84,8 +87,8 @@ resource "aws_security_group_rule" "splunk-api-in-moose" {
 }
 
 resource "aws_security_group_rule" "splunk-idx-replication" {
-  description       = "Splunk Indexer Replication"
   type              = "ingress"
+  description       = "Splunk Indexer Replication"
   from_port         = 9887
   to_port           = 9887
   protocol          = "tcp"
@@ -94,8 +97,8 @@ resource "aws_security_group_rule" "splunk-idx-replication" {
 }
 
 resource "aws_security_group_rule" "splunk-data-in" {
-  description       = "Splunk Data In"
   type              = "ingress"
+  description       = "Splunk Data - Inbound"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"
@@ -105,8 +108,8 @@ resource "aws_security_group_rule" "splunk-data-in" {
 
 resource "aws_security_group_rule" "splunk-data-in-moose" {
   count             = local.is_moose ? 1 : 0
-  description       = "Splunk Data In for Moose"
   type              = "ingress"
+  description       = "Splunk Data - Inbound for Moose"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"
@@ -114,10 +117,12 @@ resource "aws_security_group_rule" "splunk-data-in-moose" {
   security_group_id = aws_security_group.indexer_security_group.id
 }
 
-## Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-idx-replication-out" {
-  description       = "Splunk Indexer Replication"
   type              = "egress"
+  description       = "Splunk Indexer Replication - Outbound"
   from_port         = 9887
   to_port           = 9887
   protocol          = "tcp"
@@ -126,8 +131,8 @@ resource "aws_security_group_rule" "splunk-idx-replication-out" {
 }
 
 resource "aws_security_group_rule" "splunk-api-out" {
-  description       = "Splunk API Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk API - Outbound to talk to indexers"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"

base/splunk_servers/searchhead/elb.tf

@@ -140,9 +140,9 @@ resource "aws_lb_target_group_attachment" "searchhead-alb-target-api-instance" {
   port             = 8089
 }
 
-
-#########################
-# Security Group for ALB
+#----------------------------------------------------------------------------
+# Security Group for SH ALB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "searchhead-alb-sg" {
   name        = var.alb_name != "" ? "${local.alb_name}-alb-sh" : "${var.prefix}-sh-alb-sg"
   description = "Security Group for the Searchhead ALB"
@@ -150,9 +150,12 @@ resource "aws_security_group" "searchhead-alb-sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "searchhead-alb-api-in" {
-  description       = "SH ALB API In"
   type              = "ingress"
+  description       = "SH ALB API - Inbound"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -161,8 +164,8 @@ resource "aws_security_group_rule" "searchhead-alb-api-in" {
 }
 
 resource "aws_security_group_rule" "searchhead-alb-https-in" {
-  description       = "SH HTTPS Inbound"
   type              = "ingress"
+  description       = "SH HTTPS - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -171,8 +174,8 @@ resource "aws_security_group_rule" "searchhead-alb-https-in" {
 }
 
 resource "aws_security_group_rule" "searchhead-alb-8000-in" {
-  description       = "SH web port inbound"
   type              = "ingress"
+  description       = "SH web port - Inbound"
   from_port         = 8000
   to_port           = 8000
   protocol          = "tcp"
@@ -181,9 +184,9 @@ resource "aws_security_group_rule" "searchhead-alb-8000-in" {
 }
 
 resource "aws_security_group_rule" "searchhead-http-in" {
-  # Port 80 is open as a redirect to 443
-  description       = "SH Redirect 80 to 443"
   type              = "ingress"
+  # Port 80 is open as a redirect to 443
+  description       = "SH Redirect 80 to 443 - Inbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -191,9 +194,12 @@ resource "aws_security_group_rule" "searchhead-http-in" {
   security_group_id = aws_security_group.searchhead-alb-sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "searchhead-alb-8000-out" {
-  description = "SH outbound on default http port"
   type        = "egress"
+  description = "SH - Outbound on default HTTP port"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -203,8 +209,8 @@ resource "aws_security_group_rule" "searchhead-alb-8000-out" {
 }
 
 resource "aws_security_group_rule" "searchhead-alb-api-out" {
-  description = "SH API outbound"
   type        = "egress"
+  description = "SH API - Outbound"
   from_port   = 8089
   to_port     = 8089
   protocol    = "tcp"
@@ -213,8 +219,9 @@ resource "aws_security_group_rule" "searchhead-alb-api-out" {
   security_group_id = aws_security_group.searchhead-alb-sg.id
 }
 
-#########################
-# DNS Entry
+#----------------------------------------------------------------------------
+# DNS ENTRY
+#----------------------------------------------------------------------------
 resource "aws_route53_record" "searchhead_internal" {
   zone_id  = var.dns_info["private"]["zone_id"]
   name     = local.alb_name

base/splunk_servers/searchhead/main.tf

@@ -218,10 +218,12 @@ resource "aws_security_group" "searchhead_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
-# Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "splunk-web-in" {
-  description = "Web access"
   type        = "ingress"
+  description = "Splunk Web - Inbound access"
   from_port   = 8000
   to_port     = 8000
   protocol    = "tcp"
@@ -235,8 +237,8 @@ resource "aws_security_group_rule" "splunk-web-in" {
 }
 
 resource "aws_security_group_rule" "splunk-api-in" {
-  description = "Splunk API"
   type        = "ingress"
+  description = "Splunk API - Inbound access"
   from_port   = 8089
   to_port     = 8089
   protocol    = "tcp"
@@ -250,11 +252,13 @@ resource "aws_security_group_rule" "splunk-api-in" {
   security_group_id = aws_security_group.searchhead_security_group.id
 }
 
-# Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ssh-out" {
   count             = length(local.splunk_legacy_cidr) > 0 ? 1 : 0
-  description       = "SSH to legacy splunk"
   type              = "egress"
+  description       = "SSH to Legacy Splunk"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -263,8 +267,8 @@ resource "aws_security_group_rule" "ssh-out" {
 }
 
 resource "aws_security_group_rule" "splunk-api-out" {
-  description       = "Splunk API Outbound to talk to indexers"
   type              = "egress"
+  description       = "Splunk API - Outbound to talk to indexers"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -274,8 +278,8 @@ resource "aws_security_group_rule" "splunk-api-out" {
 
 resource "aws_security_group_rule" "splunk-api-out-to-all" {
   count             = local.is_monitoring_console || local.is_fm_searchhead ? 1 : 0
-  description       = "Splunk API Outbound to talk to Other Segments"
   type              = "egress"
+  description       = "Splunk API - Outbound to talk to Other Segments"
   from_port         = 8089
   to_port           = 8089
   protocol          = "tcp"
@@ -284,8 +288,8 @@ resource "aws_security_group_rule" "splunk-api-out-to-all" {
 }
 
 resource "aws_security_group_rule" "splunk-data-out" {
-  description       = "Splunk Data Outbound to talk to own indexers"
   type              = "egress"
+  description       = "Splunk Data - Outbound to talk to own indexers"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"

base/standard_iam/codebuild.tf

@@ -78,9 +78,11 @@ data "aws_iam_policy_document" "codebuild_base_policy" {
     ]
   }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
     sid    = "StoreArtifactsInBucket"
     effect = "Allow"
+
     resources = [
       "arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*"
     ]
@@ -91,9 +93,11 @@ data "aws_iam_policy_document" "codebuild_base_policy" {
     ]
   }
 
+ # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
     sid    = "UpdateECRRepos"
     effect = "Allow"
+   
     resources = [
       "*"
     ]
@@ -108,6 +112,7 @@ data "aws_iam_policy_document" "codebuild_base_policy" {
     ]
   }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
     sid    = "LetEventBridgeTriggerABuild"
     effect = "Allow"
@@ -142,6 +147,7 @@ resource "aws_iam_policy" "codebuild_build_ec2_amis_policy" {
   policy      = data.aws_iam_policy_document.codebuild_build_ec2_amis.json
 }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
 	statement {
 		sid       = "BuildEC2AMIFromPackerDocs"
@@ -177,6 +183,8 @@ data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
 			"ec2:TerminateInstances"
 		]
 	}
+
+  # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 	statement {
 		sid       = "BuildEC2WithInstanceRole"
 		effect    = "Allow"
@@ -198,6 +206,7 @@ data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
 		]
 	}
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
 		sid       = "KMSAccessNeededForEBS"
 		effect    = "Allow"
@@ -224,6 +233,7 @@ data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
 		]
 	}
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
     sid       = "CreateGrantForEBS"
     effect    = "Allow"

base/teleport-single-instance/alb-internal.tf

@@ -131,8 +131,8 @@ resource "aws_security_group" "alb_server_internal" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb-internal-http-in" {
-  description       = "HTTPS In"
   type              = "ingress"
+  description       = "HTTP - Inbound"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -141,8 +141,8 @@ resource "aws_security_group_rule" "alb-internal-http-in" {
 }
 
 resource "aws_security_group_rule" "alb-internal-https-in" {
-  description       = "HTTPS In"
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -151,8 +151,8 @@ resource "aws_security_group_rule" "alb-internal-https-in" {
 }
 
 resource "aws_security_group_rule" "alb-internal-3080-in" {
-  description       = "3080 In"
   type              = "ingress"
+  description       = "3080 TCP - Inbound"
   from_port         = "3080"
   to_port           = "3080"
   protocol          = "tcp"
@@ -166,10 +166,10 @@ resource "aws_security_group_rule" "alb-internal-3080-in" {
 
 resource "aws_security_group_rule" "alb_internal-to_server" {
   type                     = "egress"
+  description              = "Allows the ALB to talk to the Sensu servers"
   from_port                = 3080
   to_port                  = 3080
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.instance.id
-  description              = "Allows the ALB to talk to the Sensu servers"
   security_group_id        = aws_security_group.alb_server_internal.id
 }

base/teleport-single-instance/alb.tf

@@ -97,8 +97,9 @@ resource "aws_lb_listener" "http_external" {
   }
 }
 
-# #########################
-# # DNS Entry
+#----------------------------------------------------------------------------
+# DNS Entry
+#----------------------------------------------------------------------------
 module "public_dns_record_for_alb" {
   source = "../../submodules/dns/public_ALIAS_record"
 
@@ -132,8 +133,8 @@ resource "aws_security_group" "alb_server_external" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb-http-in" {
-  description       = "HTTPS In"
   type              = "ingress"
+  description       = "HTTP - Inbound"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -142,8 +143,8 @@ resource "aws_security_group_rule" "alb-http-in" {
 }
 
 resource "aws_security_group_rule" "alb-https-in" {
-  description       = "HTTPS In"
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -152,8 +153,8 @@ resource "aws_security_group_rule" "alb-https-in" {
 }
 
 resource "aws_security_group_rule" "alb-3080-in" {
-  description       = "3080 In"
   type              = "ingress"
+  description       = "3080 TCP - Inbound"
   from_port         = "3080"
   to_port           = "3080"
   protocol          = "tcp"
@@ -167,10 +168,10 @@ resource "aws_security_group_rule" "alb-3080-in" {
 
 resource "aws_security_group_rule" "alb_to_server" {
   type                     = "egress"
+  description              = "Allows the ALB to talk to the Sensu servers"
   from_port                = 3080
   to_port                  = 3080
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.instance.id
-  description              = "Allows the ALB to talk to the Sensu servers"
   security_group_id        = aws_security_group.alb_server_external.id
 }

base/teleport-single-instance/iam.tf

@@ -86,6 +86,7 @@ data "aws_iam_policy_document" "policy_auth_dynamo" {
     sid       = "AllActionsOnTeleportDB"
     effect    = "Allow"
     resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport.name}"]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     actions   = ["dynamodb:*"]
   }
 
@@ -93,6 +94,7 @@ data "aws_iam_policy_document" "policy_auth_dynamo" {
     sid       = "AllActionsOnTeleportEventsDB"
     effect    = "Allow"
     resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport_events.name}"]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     actions   = ["dynamodb:*"]
   }
 
@@ -100,6 +102,7 @@ data "aws_iam_policy_document" "policy_auth_dynamo" {
     sid       = "AllActionsOnTeleportEventsIndexDB"
     effect    = "Allow"
     resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport_events.name}/index/*"]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     actions   = ["dynamodb:*"]
   }
 
@@ -107,6 +110,7 @@ data "aws_iam_policy_document" "policy_auth_dynamo" {
     sid       = "AllActionsOnTeleportStreamsDB"
     effect    = "Allow"
     resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport.name}/stream/*"]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     actions   = ["dynamodb:*"]
   }
 }
@@ -127,6 +131,7 @@ data "aws_iam_policy_document" "policy_auth_locks" {
     sid       = "AllActionsOnLocks"
     effect    = "Allow"
     resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.locks.name}"]
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     actions   = ["dynamodb:*"]
   }
 }
@@ -180,6 +185,7 @@ resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
 }
 
 // Allow use of the key
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "policy_kms" {
   statement {
     sid       = "AllowKMSUse"

base/teleport-single-instance/security-groups.tf

@@ -5,7 +5,11 @@ data "aws_security_group" "typical-host" {
   vpc_id = var.vpc_id
 }
 
+#----------------------------------------------------------------------------
+# Security Group for Teleport
+#----------------------------------------------------------------------------
 resource "aws_security_group" "instance" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to Teleport
   # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
   # otherwise, you get stuck in `destroying` during routine changes.
   name_prefix = "instance-${var.instance_name}"
@@ -17,9 +21,12 @@ resource "aws_security_group" "instance" {
   }
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "instance-http-in-external" {
-  description              = "Web Interface from External ALB"
   type                     = "ingress"
+  description              = "Web Interface from External ALB"
   from_port                = "3080"
   to_port                  = "3080"
   protocol                 = "tcp"
@@ -28,8 +35,8 @@ resource "aws_security_group_rule" "instance-http-in-external" {
 }
 
 resource "aws_security_group_rule" "instance-http-in-internal" {
-  description              = "Web Interface from Internal ALB"
   type                     = "ingress"
+  description              = "Web Interface from Internal ALB"
   from_port                = "3080"
   to_port                  = "3080"
   protocol                 = "tcp"
@@ -38,8 +45,8 @@ resource "aws_security_group_rule" "instance-http-in-internal" {
 }
 
 resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
-  description       = "Teleport Proprietary Ports via NLB"
   type              = "ingress"
+  description       = "Teleport Proprietary Ports via NLB"
   from_port         = "3023"
   to_port           = "3026"
   protocol          = "tcp"
@@ -67,9 +74,12 @@ resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
 #  security_group_id = aws_security_group.instance.id
 #}
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "instance-teleport-out-ssh" {
-  description       = "Outbound SSH"
   type              = "egress"
+  description       = "Outbound SSH"
   from_port         = "22"
   to_port           = "22"
   protocol          = "tcp"
@@ -78,8 +88,8 @@ resource "aws_security_group_rule" "instance-teleport-out-ssh" {
 }
 
 resource "aws_security_group_rule" "instance-teleport-out-teleport" {
-  description       = "Outbound teleport"
   type              = "egress"
+  description       = "Outbound Teleport"
   from_port         = "3022"
   to_port           = "3026"
   protocol          = "tcp"
@@ -88,8 +98,8 @@ resource "aws_security_group_rule" "instance-teleport-out-teleport" {
 }
 
 resource "aws_security_group_rule" "instance-teleport-out-https" {
-  description       = "Outbound HTTPS, required for dynamodb Streams (no vpc endpoint available)"
   type              = "egress"
+  description       = "HTTPS - Outbound, required for DynamoDB Streams (no vpc endpoint available)"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"

base/threatquotient/alb.tf

@@ -82,8 +82,9 @@ resource "aws_lb_listener" "listener_http" {
   }
 }
 
-# #########################
-# # DNS Entry
+#----------------------------------------------------------------------------
+# DNS Entry
+#----------------------------------------------------------------------------
 module "alb_private_dns_record" {
   source = "../../submodules/dns/private_CNAME_record"
 
@@ -110,8 +111,8 @@ resource "aws_security_group" "alb_internal" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "internal_http_from_local" {
-  description       = "HTTP inbound from internal VPCs"
   type              = "ingress"
+  description       = "HTTP - Inbound from internal VPCs"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -120,8 +121,8 @@ resource "aws_security_group_rule" "internal_http_from_local" {
 }
 
 resource "aws_security_group_rule" "internal_https_from_local" {
-  description       = "HTTPS inbound from internal_vpc"
   type              = "ingress"
+  description       = "HTTPS - Inbound from internal_vpc"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -133,8 +134,8 @@ resource "aws_security_group_rule" "internal_https_from_local" {
 # EGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "internal_alb_to_server" {
-  description              = "HTTPS to the Server"
   type                     = "egress"
+  description              = "HTTPS to the Server"
   from_port                = "443"
   to_port                  = "443"
   protocol                 = "tcp"

base/threatquotient/security-groups.tf

@@ -1,5 +1,8 @@
 # Rather than pass in the aws security group, we just look it up. This will
 # probably be useful other places, as well.
+#----------------------------------------------------------------------------
+# TQ Security Group
+#----------------------------------------------------------------------------
 data "aws_security_group" "typical-host" {
   name   = "typical-host"
   vpc_id = var.vpc_id
@@ -17,9 +20,12 @@ resource "aws_security_group" "instance" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "instance-https-in" {
-  description       = "Access TQ/TQ API from internal IPs"
   type              = "ingress"
+  description       = "Access TQ/TQ API from internal IPs"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"

base/vault/elb.tf

@@ -106,11 +106,11 @@ resource "aws_security_group" "vault_ALB_server" {
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vault_server_from_vpc" {
   type              = "ingress"
+  description       = "Allows the server to receive traffic from everywhere"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
   cidr_blocks       = ["10.0.0.0/8"]
-  description       = "Allows the server to receive traffic from everywhere"
   security_group_id = aws_security_group.vault_ALB_server.id
 }
 
@@ -119,10 +119,10 @@ resource "aws_security_group_rule" "vault_server_from_vpc" {
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb_to_vault_server" {
   type                     = "egress"
+  description              = "Allows the ALB to talk to the vault servers"
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.instance_security_group.id
-  description              = "Allows the ALB to talk to the vault servers"
   security_group_id        = aws_security_group.vault_ALB_server.id
 }

base/vault/instance_profile.tf

@@ -135,7 +135,7 @@ data "aws_iam_policy_document" "vault_approle" {
       "iam:GetInstanceProfile",
       "iam:GetRole"
     ]
-
+    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
     resources = ["*"]
   }
 }

base/vault/main.tf

@@ -195,7 +195,7 @@ data "template_cloudinit_config" "cloud_init_config" {
 }
 
 #----------------------------------------------------------------------------
-# Vault Server SG
+# Vault Server Security Group
 #----------------------------------------------------------------------------
 
 resource "aws_security_group" "instance_security_group" {
@@ -206,27 +206,25 @@ resource "aws_security_group" "instance_security_group" {
 }
 
 #----------------------------------------------------------------------------
-# Vault INGRESS
+# INGRESS
 #----------------------------------------------------------------------------
-
 resource "aws_security_group_rule" "vault_server_from_alb" {
   type                     = "ingress"
+  description              = "Allows the servers to receive traffic for troubleshooting"
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.vault_ALB_server.id
-  description              = "Allows the servers to receive traffic for troubleshooting"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
 
 #----------------------------------------------------------------------------
-# Vault EGRESS
+# EGRESS
 #----------------------------------------------------------------------------
-
 resource "aws_security_group_rule" "https-out" {
-  description       = "For endpoints and troubleshooting"
   type              = "egress"
+  description       = "For endpoints and troubleshooting"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -236,11 +234,11 @@ resource "aws_security_group_rule" "https-out" {
 
 resource "aws_security_group_rule" "vault_server_to_alb" {
   type                     = "egress"
+  description              = "Allow Vault to communicate via HTTPS w/ other members in cluster"
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
   source_security_group_id = aws_security_group.vault_ALB_server.id
-  description              = "Allow vault to communicate via HTTPS w/ other members in cluster"
   security_group_id        = aws_security_group.instance_security_group.id
 }
 
@@ -251,10 +249,10 @@ data "aws_prefix_list" "private_dynamodb" {
 
 resource "aws_security_group_rule" "vault_server_egress_dynamodb" {
   type              = "egress"
+  description       = "Vault HTTPS - Outbound to Dynamodb"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
   security_group_id = aws_security_group.instance_security_group.id
-  description       = "Outbound to Dynamodb"
   prefix_list_ids   = [data.aws_prefix_list.private_dynamodb.id]
 }

base/vmray_instances/alb.tf

@@ -96,7 +96,7 @@ module "private_dns_record" {
 }
 
 #----------------------------------------------------------------------------
-# ALB Security Group
+# VMRAY ALB Security Group
 #----------------------------------------------------------------------------
 resource "aws_security_group" "vmray_alb_internal" {
   vpc_id      = var.vpc_id
@@ -109,8 +109,8 @@ resource "aws_security_group" "vmray_alb_internal" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http_from_local" {
-  description       = "HTTP inbound from Internet"
   type              = "ingress"
+  description       = "HTTP - Inbound from Internet"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -119,8 +119,8 @@ resource "aws_security_group_rule" "http_from_local" {
 }
 
 resource "aws_security_group_rule" "https_from_local" {
-  description       = "HTTPS inbound from Internet"
   type              = "ingress"
+  description       = "HTTPS - Inbound from Internet"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -132,8 +132,8 @@ resource "aws_security_group_rule" "https_from_local" {
 # EGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vmray_alb_to_server" {
-  description              = "HTTPS to the Server"
   type                     = "egress"
+  description              = "HTTPS to the Server"
   from_port                = "443"
   to_port                  = "443"
   protocol                 = "tcp"

base/vmray_instances/iam.tf

@@ -19,6 +19,7 @@ data "aws_iam_policy_document" "policy_auth_s3" {
     ]
   }
 
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
   statement {
     sid       = ""
     effect    = "Allow"
@@ -43,6 +44,7 @@ resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
 }
 
 // Allow use of the key
+# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
 data "aws_iam_policy_document" "policy_kms" {
   statement {
     sid       = "AllowKMSUse"

base/vmray_instances/security-groups.tf

@@ -3,17 +3,23 @@
 # Server to workers on 5900-5999 (VNC)
 # Workers to server on 80 and 443
 
-# Server
+#----------------------------------------------------------------------------
+# VMRAY Server ALB Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "vmray_server_sg" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to VMRAY Server
   name        = "vmray_server_sg"
   description = "Security Rules Specific to VMRay"
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
-  description              = "Allow inbound port 80 for redirect from other vmray servers"
   type                     = "ingress"
+  description              = "HTTP - Inbound port 80 for redirect from other VMRAY Servers"
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -22,8 +28,8 @@ resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
 }
 
 resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
-  description              = "Allow inbound https for interserver communication from other vmray servers"
   type                     = "ingress"
+  description              = "HTTPS - Inbound for interserver communication from other VMRAY Servers"
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
@@ -32,8 +38,8 @@ resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
 }
 
 resource "aws_security_group_rule" "vmray_server_https_in" {
-  description = "Allow https ingress from the VPN"
   type        = "ingress"
+  description = "HTTPS - Inbound - from the VPN"
   from_port   = 443
   to_port     = 443
   protocol    = "tcp"
@@ -42,10 +48,13 @@ resource "aws_security_group_rule" "vmray_server_https_in" {
   security_group_id        = aws_security_group.vmray_server_sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 ## VMRay Does DNS Lookups to the Local Network
 resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
-  description       = "Allow DNS lookups to the local DNS server"
   type              = "egress"
+  description       = "DNS TCP - Outbound - lookups to the local DNS server"
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -54,8 +63,8 @@ resource "aws_security_group_rule" "vmray_server_tcpdns_out" {
 }
 
 resource "aws_security_group_rule" "vmray_server_udpdns_out" {
-  description       = "Allow DNS lookups to the local DNS server"
   type              = "egress"
+  description       = "DNS UDP - Outbound - lookups to the local DNS server"
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -63,31 +72,29 @@ resource "aws_security_group_rule" "vmray_server_udpdns_out" {
   security_group_id = aws_security_group.vmray_server_sg.id
 }
 
-# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
 resource "aws_security_group_rule" "vmray_server_http_out" {
-  description       = "VMRay requires direct HTTP outbound"
   type              = "egress"
+  description       = "HTTP - Outbound - VMRay requirement"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
   security_group_id = aws_security_group.vmray_server_sg.id
 }
 
-# tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
 resource "aws_security_group_rule" "vmray_server_https_out" {
-  description       = "VMRay requires direct HTTPS outbound"
   type              = "egress"
+  description       = "HTTPS - Outbound - VMRay requirement"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
   security_group_id = aws_security_group.vmray_server_sg.id
 }
 
 resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
-  description              = "VMRay uses VNC for client machine access."
   type                     = "egress"
+  description              = "VMRay uses VNC for client machine access."
   from_port                = 5900
   to_port                  = 5999
   protocol                 = "tcp"
@@ -95,14 +102,20 @@ resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
   security_group_id        = aws_security_group.vmray_server_sg.id
 }
 
-# Workers
+#----------------------------------------------------------------------------
+# VMRAY Worker ALB Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "vmray_worker_sg" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached to VMRAY worker
   name        = "vmray_worker_sg"
   description = "Security Rules for the VMRay Worker Nodes"
   vpc_id      = var.vpc_id
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
   description              = "VMRay uses VNC for client machine access."
   type                     = "ingress"
@@ -123,9 +136,12 @@ resource "aws_security_group_rule" "vmwary_worker_vnc_from_access" {
   security_group_id = aws_security_group.vmray_worker_sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
-  description       = "VMRay does DNS lookups to an instance in  the local vpc."
   type              = "egress"
+  description       = "VMRay DNS TCP - Outbound to instance in local vpc."
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -134,8 +150,8 @@ resource "aws_security_group_rule" "vmray_worker_tcpdns_out" {
 }
 
 resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
-  description       = "VMRay does DNS lookups to an instance in  the local vpc."
   type              = "egress"
+  description       = "VMRay DNS UDP - Outbound to instance in local vpc."
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -145,8 +161,8 @@ resource "aws_security_group_rule" "vmray_worker_udpdns_out" {
 
 # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
 resource "aws_security_group_rule" "vmray_worker_http_out" {
-  description       = "VMRay requires direct HTTP access."
   type              = "egress"
+  description       = "HTTP - Outbound - VMRay requires direct HTTP access."
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -156,8 +172,8 @@ resource "aws_security_group_rule" "vmray_worker_http_out" {
 
 # tfsec:ignore:aws-vpc-no-public-egress-sgr VMRay Requires Direct Internet Access
 resource "aws_security_group_rule" "vmray_worker_https_out" {
-  description       = "VMRay requires direct HTTPS access."
   type              = "egress"
+  description       = "HTTPS - Outbound - VMRay requires direct HTTPS access."
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -166,8 +182,8 @@ resource "aws_security_group_rule" "vmray_worker_https_out" {
 }
 
 resource "aws_security_group_rule" "vmray_worker_http_to_server" {
-  description              = "VMRay worker communicates with the server."
   type                     = "egress"
+  description              = "HTTP - VMRay worker communicates with the server."
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -176,8 +192,8 @@ resource "aws_security_group_rule" "vmray_worker_http_to_server" {
 }
 
 resource "aws_security_group_rule" "vmray_worker_https_to_server" {
-  description              = "VMRay worker communicates with the server."
   type                     = "egress"
+  description              = "HTTPS - VMRay worker communicates with the server."
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"

submodules/load_balancer/public_alb/security_groups.tf

@@ -1,5 +1,5 @@
 #----------------------------------------------------------------------------
-# ALB Security Group
+# Load Balancer ALB Security Group
 #----------------------------------------------------------------------------
 resource "aws_security_group" "alb" {
   vpc_id      = var.vpc_id
@@ -12,8 +12,8 @@ resource "aws_security_group" "alb" {
 # INGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http_from_internet" {
-  description       = "HTTP inbound from Internet"
   type              = "ingress"
+  description       = "HTTP - Inbound from Internet"
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
@@ -22,8 +22,8 @@ resource "aws_security_group_rule" "http_from_internet" {
 }
 
 resource "aws_security_group_rule" "https_from_internet" {
-  description       = "HTTPS inbound from Internet"
   type              = "ingress"
+  description       = "HTTPS - Inbound from Internet"
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
@@ -35,8 +35,8 @@ resource "aws_security_group_rule" "https_from_internet" {
 # EGRESS
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alb_to_server" {
-  description              = "${var.hostname} to the Server"
   type                     = "egress"
+  description              = "${var.hostname} to the Server"
   from_port                = var.server_port
   to_port                  = var.server_port
   protocol                 = "tcp"
@@ -48,8 +48,8 @@ resource "aws_security_group_rule" "alb_to_server" {
 # Server Security Group
 #----------------------------------------------------------------------------
 resource "aws_security_group_rule" "server_from_alb" {
-  description              = "ALB to ${var.hostname}"
   type                     = "ingress"
+  description              = "ALB to ${var.hostname}"
   from_port                = var.server_port
   to_port                  = var.server_port
   protocol                 = "tcp"

submodules/load_balancer/static_nlb_to_alb/security-groups.tf

@@ -64,6 +64,7 @@ resource "aws_security_group_rule" "alb_to_health" {
 # Extra ALB Security Groups
 #----------------------------------------------------------------------------
 resource "aws_security_group" "extra_security_groups" {
+	# checkov:skip=CKV2_AWS_5: this SG is redundancy
   count       = var.extra_security_groups
   vpc_id      = var.vpc_id
   name_prefix = "${var.name}-alb-sg-external-extra-${count.index}"

submodules/security_group/typical_host/main.tf

@@ -20,14 +20,20 @@ locals {
   vpc_name = lookup(data.aws_vpc.this.tags, "Name", data.aws_vpc.this.cidr_block)
 }
 
+#----------------------------------------------------------------------------
+# Typical-Host Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "security_group" {
+	# checkov:skip=CKV2_AWS_5: this SG is attached
   name        = "typical-host"
   description = "Required typical-host SG for VPC ${local.vpc_name} (${var.vpc_id})"
   vpc_id      = var.vpc_id
   tags        = merge(var.tags, { "Name" = "typical-host", "vpc_name" = local.vpc_name })
 }
 
-## Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "scanner_access" {
   security_group_id = aws_security_group.security_group.id
   type              = "ingress"
@@ -73,7 +79,9 @@ resource "aws_security_group_rule" "ping_inbound" {
   cidr_blocks       = ["10.0.0.0/8"]
 }
 
-## Outbound:
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ping_outbound" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
@@ -87,7 +95,7 @@ resource "aws_security_group_rule" "ping_outbound" {
 resource "aws_security_group_rule" "github_access_ssh" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound GitHub"
+  description       = "SSH - Outbound GitHub"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -98,7 +106,7 @@ resource "aws_security_group_rule" "github_access_ssh" {
 resource "aws_security_group_rule" "github_access_http" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound GitHub"
+  description       = "HTTP - Outbound GitHub"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -109,7 +117,7 @@ resource "aws_security_group_rule" "github_access_http" {
 resource "aws_security_group_rule" "github_access_https" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound GitHub"
+  description       = "HTTPS - Outbound GitHub"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -120,7 +128,7 @@ resource "aws_security_group_rule" "github_access_https" {
 resource "aws_security_group_rule" "dns_access_tcp" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound TCP DNS"
+  description       = "DNS TCP - Outbound"
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -131,7 +139,7 @@ resource "aws_security_group_rule" "dns_access_tcp" {
 resource "aws_security_group_rule" "dns_access_udp" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound UDP DNS"
+  description       = "DNS UDP - Outbound"
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -175,7 +183,7 @@ resource "aws_security_group_rule" "outbound_to_salt_masters" {
 resource "aws_security_group_rule" "outbound_to_web_servers_80" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Connect to Repo Servers"
+  description       = "HTTP - Outbound - Connect to Repo Servers"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -186,7 +194,7 @@ resource "aws_security_group_rule" "outbound_to_web_servers_80" {
 resource "aws_security_group_rule" "outbound_to_web_servers_443" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Connect to Repo Servers"
+  description       = "HTTPS - Outbound - Connect to Repo Servers"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -198,7 +206,7 @@ resource "aws_security_group_rule" "outbound_to_web_servers_443" {
 resource "aws_security_group_rule" "outbound_to_local_vpc_80" {
   security_group_id        = aws_security_group.security_group.id
   type                     = "egress"
-  description              = "Connect to VPC Endpoints"
+  description              = "HTTP - Connect to VPC Endpoints"
   from_port                = 80
   to_port                  = 80
   protocol                 = "tcp"
@@ -208,7 +216,7 @@ resource "aws_security_group_rule" "outbound_to_local_vpc_80" {
 resource "aws_security_group_rule" "outbound_to_local_vpc_443" {
   security_group_id        = aws_security_group.security_group.id
   type                     = "egress"
-  description              = "Connect to VPC Endpoints"
+  description              = "HTTPS - Connect to VPC Endpoints"
   from_port                = 443
   to_port                  = 443
   protocol                 = "tcp"
@@ -218,7 +226,7 @@ resource "aws_security_group_rule" "outbound_to_local_vpc_443" {
 resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound Email to mailrelay"
+  description       = "SMTP - Outbound Email to mailrelay"
   from_port         = 25
   to_port           = 25
   protocol          = "tcp"
@@ -229,7 +237,7 @@ resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
 resource "aws_security_group_rule" "outbound_to_mailrelay_587" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound Email to mailrelay"
+  description       = "Submission SMTP-S - Outbound Email to mailrelay"
   from_port         = 587
   to_port           = 587
   protocol          = "tcp"
@@ -251,7 +259,7 @@ resource "aws_security_group_rule" "outbound_to_ec2_s3_endpoint" {
 resource "aws_security_group_rule" "outbound_to_ec2_dynamodb_endpoint" {
   security_group_id = aws_security_group.security_group.id
   type              = "egress"
-  description       = "Outbound to dynamodb endpoint"
+  description       = "Outbound to DynamoDB endpoint"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"

thirdparty/terraform-aws-github-runner/modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -7,7 +7,9 @@ locals {
   }
 }
 
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "syncer" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   s3_bucket         = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
   s3_key            = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
   s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null

thirdparty/terraform-aws-github-runner/modules/runners/pool/main.tf

@@ -1,4 +1,6 @@
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "pool" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
 
   s3_bucket         = var.config.lambda.s3_bucket != null ? var.config.lambda.s3_bucket : null
   s3_key            = var.config.lambda.s3_key != null ? var.config.lambda.s3_key : null

thirdparty/terraform-aws-github-runner/modules/runners/scale-down.tf

@@ -5,7 +5,10 @@ locals {
     "linux"   = 5
   }
 }
+
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "scale_down" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   s3_bucket         = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
   s3_key            = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
   s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null

thirdparty/terraform-aws-github-runner/modules/runners/scale-up.tf

@@ -1,4 +1,6 @@
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "scale_up" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   s3_bucket                      = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
   s3_key                         = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
   s3_object_version              = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null

thirdparty/terraform-aws-github-runner/modules/webhook/webhook.tf

@@ -1,4 +1,6 @@
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "webhook" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   s3_bucket         = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
   s3_key            = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
   s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null

thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

@@ -250,7 +250,9 @@ resource "aws_iam_role_policy_attachment" "lambda_policy_role_attachment" {
 
 # Create the lambda function
 # The lambda function to transform data from compressed format in Cloudwatch to something Splunk can handle (uncompressed)
+# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
 resource "aws_lambda_function" "firehose_lambda_transform" {
+	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
   function_name    = var.lambda_function_name
   description      = "Transform data from CloudWatch format to Splunk compatible format"
   filename         = data.archive_file.lambda_function.output_path