
Merge pull request #446 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_SAST_Ignore_Comments

Add tfsec Ignore Comments
Jeremy Cooper 3 years ago
parent
commit
ebc77d39df
38 changed files with 84 additions and 68 deletions
  1. 4 2
      base/CA_Infrastructure/root_CA/crl.tf
  2. 4 2
      base/CA_Infrastructure/subordinate_CAs/crl.tf
  3. 5 5
      base/_archive/cisco_vpn/security-groups.tf
  4. 3 0
      base/account_standards/config.tf
  5. 1 1
      base/account_standards/iam.tf
  6. 5 5
      base/aws_client_vpn/security-groups.tf
  7. 2 2
      base/bastion/main.tf
  8. 2 0
      base/codebuild_ecr_base/s3.tf
  9. 2 2
      base/codebuild_lcp_magic_machine/security-group.tf
  10. 1 1
      base/customer_portal/elb.tf
  11. 3 3
      base/customer_portal/main.tf
  12. 1 0
      base/customer_portal_lambda/sqs.tf
  13. 2 2
      base/dns/resolver_instance/main.tf
  14. 4 4
      base/interconnects/security-groups.tf
  15. 1 1
      base/mailrelay/main.tf
  16. 1 1
      base/nessus/instance_nessus_manager/nlb.tf
  17. 1 1
      base/nessus/instance_nessus_scanner/securitygroup-server.tf
  18. 1 1
      base/openvpn/elb.tf
  19. 3 3
      base/openvpn/security-groups.tf
  20. 3 1
      base/palo_alto/bootstrap/main.tf
  21. 4 4
      base/phantom/securitygroup-server.tf
  22. 2 2
      base/proxy_server/main.tf
  23. 1 1
      base/rhsso/nlb.tf
  24. 2 2
      base/rhsso/security-groups.tf
  25. 1 1
      base/salt_master_inventory_role/inventory_role.tf
  26. 2 2
      base/salt_master_inventory_role/user.tf
  27. 2 0
      base/shared_ami_key/main.tf
  28. 1 1
      base/splunk_servers/alsi/elb-elastic.tf
  29. 1 1
      base/splunk_servers/alsi/elb-hec.tf
  30. 1 1
      base/splunk_servers/alsi/nlb-splunk.tf
  31. 1 1
      base/splunk_servers/legacy_hec/elb-with-acks.tf
  32. 1 1
      base/splunk_servers/legacy_hec/elb-without-ack.tf
  33. 4 4
      base/teleport-single-instance/alb.tf
  34. 1 1
      base/teleport-single-instance/nlb.tf
  35. 4 4
      base/teleport-single-instance/security-groups.tf
  36. 1 1
      submodules/load_balancer/public_alb/elb.tf
  37. 2 2
      submodules/load_balancer/public_alb/security_groups.tf
  38. 4 2
      thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

+ 4 - 2
base/CA_Infrastructure/root_CA/crl.tf

@@ -1,3 +1,5 @@
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
+#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "crl" {
   bucket = "xdr-root-crl"
 
@@ -16,7 +18,7 @@ resource "aws_s3_bucket_versioning" "s3_version_crl" {
 }
 
 # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
-#resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
+# resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
 #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
 #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
 #}
@@ -84,7 +86,7 @@ resource "aws_s3_bucket_policy" "crl" {
 }
 
 # We want the CRL publicly accessible for zero trust websites and such.
-#resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
+# resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
 #  bucket                  = aws_s3_bucket.crl.id
 #  block_public_acls       = false # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/
 #  block_public_policy     = true
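Review bot: The four-rule suppression on L92-L93 is wider than the reason it gives: the commented-out public-access block on L110-L114 shows that only the ACL settings have to stay open for a CRL (per the note on L113 and its linked AWS article) and that `block_public_policy = true` was the intent. Consider restoring that resource with `block_public_acls`/`ignore_public_acls` false and the other two settings true, then ignoring just `aws-s3-block-public-acls` and `aws-s3-ignore-public-acls` with a comment such as `# ACM PCA writes the CRL with a public-read ACL, so these two cannot be blocked; see the KB link below`. Whether the bucket policy on L106 is what actually publishes the CRL (and would therefore be affected by `restrict_public_buckets`) is not visible in this hunk, so confirm that before tightening. The same applies to subordinate_CAs/crl.tf in this commit.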

+ 4 - 2
base/CA_Infrastructure/subordinate_CAs/crl.tf

@@ -1,3 +1,5 @@
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls 
+#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "crl" {
   provider = aws.common # COMMON SERVICES
   bucket   = "xdr-subordinate-crl"
@@ -18,7 +20,7 @@ resource "aws_s3_bucket_versioning" "s3_version_subordinate_crl" {
 }
 
 # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
-#resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
+# resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
 #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
 #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
 #}
@@ -80,7 +82,7 @@ resource "aws_s3_bucket_policy" "crl" {
 }
 
 # Publicly available CRL so clients can validate
-#resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
+# resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
 #  provider = aws.common # COMMON SERVICES
 #  bucket                  = aws_s3_bucket.crl.id
 #  block_public_acls       = false # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/

+ 5 - 5
base/_archive/cisco_vpn/security-groups.tf

@@ -10,7 +10,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.outside.id
 }
 
@@ -19,7 +19,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.outside.id
 }
 
@@ -28,7 +28,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.outside.id
 }
 
@@ -37,7 +37,7 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.outside.id
 }
 
@@ -46,7 +46,7 @@ resource "aws_security_group_rule" "vpn-out" {
   from_port         = -1
   to_port           = -1
   protocol          = -1
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.outside.id
 }
 

+ 3 - 0
base/account_standards/config.tf

@@ -16,6 +16,7 @@ data "aws_iam_policy_document" "awsconfig" {
     effect  = "Allow"
     actions = ["s3:PutObject"]
     resources = [
+      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
     ]
     condition {
@@ -29,6 +30,7 @@ data "aws_iam_policy_document" "awsconfig" {
     effect  = "Allow"
     actions = ["s3:GetBucketAcl"]
     resources = [
+      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
     ]
   }
@@ -44,6 +46,7 @@ data "aws_iam_policy_document" "awsconfig" {
     sid    = "PermissionsForRuleChecks"
     effect = "Allow"
     actions = [
+      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "kms:DescribeKey"
     ]
     resources = ["*"]
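Review bot: The ignore on L216 sits inside the `actions` list, but the wildcard tfsec reports for this statement is `resources = ["*"]` on L219; it is not obvious that a comment above `kms:DescribeKey` is attached to the `resources` attribute, so put it on that line instead: `resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards DescribeKey is read-only and Config must evaluate any key`. On L206-L209 the suppression papers over a real mistake: `s3:GetBucketAcl` is a bucket-level action, so the object ARN ending in `/*` neither authorizes it nor needs a wildcard — dropping the `/*` fixes the permission and removes the finding. "Allows use by the entire account" on L200 also does not describe what the `/*` is for; something like `Config writes objects under per-account prefixes in the log bucket` would. The policy document starts outside this hunk.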

+ 1 - 1
base/account_standards/iam.tf

@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
   statement {
     sid       = "GetFromTheBucket"
     effect    = "Allow"
-    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"]
+    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
 
     actions = [
       "s3:GetObject",

+ 5 - 5
base/aws_client_vpn/security-groups.tf

@@ -10,7 +10,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -19,7 +19,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -28,7 +28,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -37,7 +37,7 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -46,6 +46,6 @@ resource "aws_security_group_rule" "vpn-out" {
   from_port         = -1
   to_port           = -1
   protocol          = -1
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }

+ 2 - 2
base/bastion/main.tf

@@ -256,7 +256,7 @@ resource "aws_security_group_rule" "http-out" {
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
@@ -265,6 +265,6 @@ resource "aws_security_group_rule" "https-out" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.bastion_security_group.id
 }

+ 2 - 0
base/codebuild_ecr_base/s3.tf

@@ -1,4 +1,6 @@
 #S3 bucket for codebuild output
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
+#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "artifacts" {
   bucket        = "xdr-codebuild-artifacts"
   force_destroy = true
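Review bot: The justification on L309, "Certificate CRLs need to be publicly accessible", is copied from the CA buckets and is false for a CodeBuild artifacts bucket, so it waives all four public-bucket checks with no reason that applies. Unless something outside this hunk already attaches a public-access block, the fix that clears the findings without any ignore is to add one with every setting enabled. If the bucket genuinely has to be public, the comment should say why that is acceptable for build output. The same copied text appears on the Palo Alto bootstrap, shared-AMI and Firehose backup buckets in this commit.
```hcl
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```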

+ 2 - 2
base/codebuild_lcp_magic_machine/security-group.tf

@@ -27,7 +27,7 @@ resource "aws_security_group_rule" "this" {
 
 resource "aws_security_group_rule" "allow_outbound_mm" {
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -45,7 +45,7 @@ resource "aws_security_group" "codebuild" {
 
 resource "aws_security_group_rule" "allow_outbound" {
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"

+ 1 - 1
base/customer_portal/elb.tf

@@ -5,7 +5,7 @@
 resource "aws_alb" "portal" {
   name            = "portal-alb-${var.environment}"
   security_groups = [aws_security_group.customer_portal_alb.id, ]
-  internal        = false
+  internal        = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets         = var.public_subnets
 
   tags = merge(var.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })

+ 3 - 3
base/customer_portal/main.tf

@@ -259,7 +259,7 @@ resource "aws_security_group_rule" "customer_portal_http_outbound" {
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 
@@ -268,7 +268,7 @@ resource "aws_security_group_rule" "customer_portal_https_outbound" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 
@@ -277,7 +277,7 @@ resource "aws_security_group_rule" "customer_portal_smtps_outbound" {
   from_port         = 465
   to_port           = 465
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 

+ 1 - 0
base/customer_portal_lambda/sqs.tf

@@ -62,6 +62,7 @@ data "aws_iam_policy_document" "sqs_kms_policy" {
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
+    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = ["*"]
   }
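Review bot: "This is read-only access" on L387 is wrong on both counts: `kms:GenerateDataKey` and `kms:Decrypt` are cryptographic operations, not reads, and if this document is attached as the key policy (the following comment, "allow account to modify/manage key", suggests it is) then `"*"` is not a wildcard at all — in a key policy it denotes the key the policy is attached to. Replace the justification with `#tfsec:ignore:aws-iam-no-policy-wildcards Key policy: "*" means this key only`. If it is instead an identity policy, the resource should be the key ARN and no ignore is needed. The statement begins before this hunk.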
   # allow account to modify/manage key

+ 2 - 2
base/dns/resolver_instance/main.tf

@@ -224,7 +224,7 @@ resource "aws_security_group_rule" "dns_outbound_tcp" {
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.dns_security_group.id
 }
 
@@ -233,6 +233,6 @@ resource "aws_security_group_rule" "dns_outbound_udp" {
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.dns_security_group.id
 }

+ 4 - 4
base/interconnects/security-groups.tf

@@ -29,7 +29,7 @@ resource "aws_security_group_rule" "ipsec_l2tp_ingress" {
   from_port         = 1701
   to_port           = 1701
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.interconnects_sg.id
 }
 
@@ -38,7 +38,7 @@ resource "aws_security_group_rule" "ipsec_ike_ingress" {
   from_port         = 500
   to_port           = 500
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.interconnects_sg.id
 }
 
@@ -47,7 +47,7 @@ resource "aws_security_group_rule" "ipsec_ike_nat_t_ingress" {
   from_port         = 4500
   to_port           = 4500
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.interconnects_sg.id
 }
 
@@ -56,6 +56,6 @@ resource "aws_security_group_rule" "ipsec_egress" {
   from_port         = 0 # all ports
   to_port           = 0 # all ports
   protocol          = "all"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.interconnects_sg.id
 }
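Review bot: These are the only suppressions in the commit with no reason text, and the rules they cover are the widest ones: three UDP ingress rules from 0.0.0.0/0 (L421, L430, L439) and an all-protocol, all-port egress (L443-L448). If the remote IPsec peers are customer or partner gateways whose addresses cannot be pinned, say so, e.g. `#tfsec:ignore:aws-vpc-no-public-ingress-sgr Peer gateways are not under our control`; if they can be listed, a CIDR list removes the finding entirely. For udp/1701 specifically, when L2TP is carried inside IPsec the L2TP packets arrive inside ESP/NAT-T on udp/500 and udp/4500, so an open bare-L2TP port may not be required — worth confirming against the VPN configuration before keeping that exception.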

+ 1 - 1
base/mailrelay/main.tf

@@ -58,6 +58,6 @@ resource "aws_security_group_rule" "submission-out" {
   from_port         = 587
   to_port           = 587
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.mailrelay_security_group.id
 }

+ 1 - 1
base/nessus/instance_nessus_manager/nlb.tf

@@ -19,7 +19,7 @@ module "public_dns_record_nessus-manager-nlb" {
 resource "aws_lb" "external" {
   name               = "nessus-manager-external-nlb"
   load_balancer_type = "network"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure for LCP connection
   subnets            = var.public_subnets
 
   access_logs {

+ 1 - 1
base/nessus/instance_nessus_scanner/securitygroup-server.tf

@@ -83,7 +83,7 @@ resource "aws_security_group_rule" "nessus_scanner_inbound_scan_ourselves" {
 resource "aws_security_group_rule" "nessus_scanner_outbound_all_ports" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = -1
   to_port           = -1
   protocol          = "all"

+ 1 - 1
base/openvpn/elb.tf

@@ -1,6 +1,6 @@
 resource "aws_lb" "openvpn-nlb" {
   name               = "${var.instance_name}-nlb"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01
   load_balancer_type = "network"
   # Not supported for NLB
   #security_groups    = [aws_security_group.openvpn-nlb-sg.id]
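Review bot: The `:exp:2022-08-01` on L497 turns this into a time-boxed exception, but nothing records what is supposed to change by then, and the OpenVPN NLB is public for the same reason the Teleport, Nessus and RH-SSO load balancers in this commit are. Once the date passes tfsec will simply start failing on this line. Either use the same wording as the other load balancers, `internal = false #tfsec:ignore:aws-elb-alb-not-public VPN entry point must be reachable from the Internet`, or keep the expiry and reference the ticket that tracks the replacement. The same dated form is used on L510, L519 and L621.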

+ 3 - 3
base/openvpn/security-groups.tf

@@ -11,7 +11,7 @@ resource "aws_security_group_rule" "openvpn-in" {
   to_port   = 1194
   protocol  = "udp"
   # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr:exp:2022-08-01
   security_group_id = aws_security_group.openvpn_security_group.id
 }
 
@@ -21,7 +21,7 @@ resource "aws_security_group_rule" "openvpn-https-in" {
   to_port   = 443
   protocol  = "tcp"
   # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr:exp:2022-08-01
   security_group_id = aws_security_group.openvpn_security_group.id
 }
 
@@ -116,6 +116,6 @@ resource "aws_security_group_rule" "openvpn-ldap-out" {
   to_port   = 636
   protocol  = "tcp"
   # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.openvpn_security_group.id
 }

+ 3 - 1
base/palo_alto/bootstrap/main.tf

@@ -1,3 +1,5 @@
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
+#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "bucket" {
   count = var.palo_alto_count
 
@@ -45,7 +47,7 @@ resource "aws_s3_bucket_object" "init_cfg" {
 }
 
 # No bootstrap configuration, as we're registered to panorama
-#resource "aws_s3_bucket_object" "bootstrap_xml" {
+# resource "aws_s3_bucket_object" "bootstrap_xml" {
 #  count = var.palo_alto_count
 #  bucket = aws_s3_bucket.bucket[count.index].id
 #  key    = "config/bootstrap.xml"
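Review bot: The reason on L537 is copied from the CRL buckets and does not describe this bucket, which holds the PAN-OS bootstrap package (the `init_cfg` object on L541). A bootstrap bucket typically carries Panorama registration parameters and licensing details, so it is a poor candidate for waiving all four public-access checks. Unless a public-access block exists outside this hunk, add one per bucket with `count = var.palo_alto_count` and `bucket = aws_s3_bucket.bucket[count.index].id` and all four settings true, and drop the ignores; PAN-OS bootstrapping on AWS normally reads the bucket through an instance role rather than anonymously. If there is a reason the bucket must be public, the comment should state it.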

+ 4 - 4
base/phantom/securitygroup-server.tf

@@ -68,7 +68,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_postgres" {
 resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -78,7 +78,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
 resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -88,7 +88,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
 resource "aws_security_group_rule" "phantom_server_outbound_http" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -98,7 +98,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_http" {
 resource "aws_security_group_rule" "phantom_server_outbound_https" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"

+ 2 - 2
base/proxy_server/main.tf

@@ -201,7 +201,7 @@ resource "aws_security_group_rule" "http-out" {
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.proxy_server_security_group.id
 }
 
@@ -211,7 +211,7 @@ resource "aws_security_group_rule" "https-out" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.proxy_server_security_group.id
 }
 

+ 1 - 1
base/rhsso/nlb.tf

@@ -18,7 +18,7 @@ module "public_dns_record" {
 resource "aws_lb" "external" {
   name               = "rhsso-external-nlb"
   load_balancer_type = "network"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01
   subnets            = var.public_subnets
 
   access_logs {

+ 2 - 2
base/rhsso/security-groups.tf

@@ -52,7 +52,7 @@ resource "aws_security_group_rule" "outbound_http" {
   to_port           = 80
   protocol          = "tcp"
   security_group_id = aws_security_group.instance.id
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
 }
 
 #resource "aws_security_group_rule" "instance-http-in" {
@@ -121,7 +121,7 @@ resource "aws_security_group_rule" "instance-alt-https-in-from-nlb" {
   from_port         = "8443"
   to_port           = "8443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.instance.id
 }
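Review bot: The ignore on L643 opens tcp/8443 from 0.0.0.0/0 with no reason recorded, while the rule's name (`instance-alt-https-in-from-nlb`) implies the real source is the NLB. The openvpn file in this same commit explains why that still needs 0.0.0.0/0 (an NLB preserves the client's source IP); repeating that here makes the exception auditable: `cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr NLB preserves client source IP, so a public CIDR is required`. If the NLB target group has client IP preservation disabled, the rule could instead be limited to the NLB subnet CIDRs and the ignore dropped.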
 

+ 1 - 1
base/salt_master_inventory_role/inventory_role.tf

@@ -95,6 +95,6 @@ data "aws_iam_policy_document" "salt_master_inventory_policy_doc" {
       "rds:DescribeDBInstances",
       "rds:ListTagsForResource"
     ]
-    resources = ["*"]
+    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
   }
 }

+ 2 - 2
base/salt_master_inventory_role/user.tf

@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "salt_master_policy_doc" {
       "secretsmanager:DescribeSecret",
       "secretsmanager:ListSecretVersionIds"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = [
       "arn:${var.aws_partition}:secretsmanager:*:*:secret:saltmaster/*"
     ]
@@ -66,7 +66,7 @@ data "aws_iam_policy_document" "salt_master_policy_doc" {
     actions = [
       "sts:AssumeRole"
     ]
-
+    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = [
       "arn:${var.aws_partition}:iam::*:role/service/salt-master-inventory-role",
 
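Review bot: "This is read-only access" on L677 is wrong for `sts:AssumeRole`, which grants the salt master every permission the target role carries, and the wildcard it excuses on L679 is the account ID in `iam::*:role/...`. Say what is actually being accepted: `#tfsec:ignore:aws-iam-no-policy-wildcards Role name is fixed; account ID is wildcarded because the inventory role exists in every member account` (assuming that is the intent — confirm). The same text on L668 covers `secretsmanager:*:*:secret:saltmaster/*`, where the honest reason is that region and account are wildcarded while the secret name is pinned to the `saltmaster/` prefix. The `resources` list on L678 continues past the end of this hunk.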

+ 2 - 0
base/shared_ami_key/main.tf

@@ -53,6 +53,8 @@ module "shared_ami_key" {
   remote_account_arns = local.account_arns
 }
 
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
+#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "xdr-shared-amis" {
   bucket = var.ami_bucket_name
 
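Review bot: The reason on L690 is copied from the CRL buckets and does not apply to an AMI-sharing bucket; if the four public-bucket checks really fire here, a world-readable AMI bucket would expose full disk images of the golden builds. The sharing on L686 (`remote_account_arns`) is done per account, which is a bucket policy or KMS grant scoped to those principals, not public access, so the expected fix is an `aws_s3_bucket_public_access_block` with all four settings enabled and no ignore. If a block already exists elsewhere in the file, the ignores are redundant and should be removed rather than justified with the wrong text.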

+ 1 - 1
base/splunk_servers/alsi/elb-elastic.tf

@@ -1,7 +1,7 @@
 resource "aws_lb" "alsi-alb-elastic" {
   count              = var.alsi_elastic_alb ? 1 : 0
   name               = "${var.prefix}-alsi-alb-elastic"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   load_balancer_type = "application"
   # Not supported for NLB
   security_groups = [aws_security_group.alsi-alb-elastic-sg.id]

+ 1 - 1
base/splunk_servers/alsi/elb-hec.tf

@@ -1,7 +1,7 @@
 resource "aws_lb" "alsi-alb-hec" {
   count              = var.alsi_hec_alb ? 1 : 0
   name               = "${var.prefix}-alsi-alb-hec"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   load_balancer_type = "application"
   # Not supported for NLB
   security_groups = [aws_security_group.alsi-alb-hec-sg.id]

+ 1 - 1
base/splunk_servers/alsi/nlb-splunk.tf

@@ -12,7 +12,7 @@ resource "aws_lb" "alsi_splunk_nlb" {
   count              = var.alsi_splunk_nlb ? 1 : 0
   tags               = merge(var.standard_tags, var.tags, { "Name" : "${var.prefix}-alsi-splunk" })
   name               = "${var.prefix}-alsi-splunk-nlb"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
   load_balancer_type = "network"
   #subnets            = data.terraform_remote_state.infra.subnets
 

+ 1 - 1
base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -78,7 +78,7 @@ resource "aws_elb" "hec_classiclb" {
   name            = "${var.prefix}-legacy-hec-classic"
   security_groups = [data.aws_security_group.hec_elb_security_group.id]
   subnets         = var.public_subnets
-  internal        = false
+  internal        = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
 
   listener {
     instance_port      = 8088

+ 1 - 1
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -116,7 +116,7 @@ resource "aws_lb" "hec" {
   load_balancer_type = "application"
   security_groups    = [data.aws_security_group.hec_elb_security_group.id]
   subnets            = var.public_subnets
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
 }
 
 resource "aws_lb_listener" "hec_443" {

+ 4 - 4
base/teleport-single-instance/alb.tf

@@ -5,7 +5,7 @@
 resource "aws_alb" "external" {
   name               = "${var.instance_name}-alb-external-${var.environment}"
   security_groups    = [aws_security_group.alb_server_external.id]
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets            = var.subnets
   load_balancer_type = "application"
 
@@ -136,7 +136,7 @@ resource "aws_security_group_rule" "alb-http-in" {
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
 
@@ -146,7 +146,7 @@ resource "aws_security_group_rule" "alb-https-in" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
 
@@ -156,7 +156,7 @@ resource "aws_security_group_rule" "alb-3080-in" {
   from_port         = "3080"
   to_port           = "3080"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
 

+ 1 - 1
base/teleport-single-instance/nlb.tf

@@ -1,6 +1,6 @@
 resource "aws_lb" "nlb" {
   name               = "${var.instance_name}-nlb"
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
   load_balancer_type = "network"
   # Not supported for NLB
   #security_groups    = [aws_security_group.nlb-sg.id]

+ 4 - 4
base/teleport-single-instance/security-groups.tf

@@ -43,7 +43,7 @@ resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
   from_port         = "3023"
   to_port           = "3026"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.instance.id
 }
 
@@ -73,7 +73,7 @@ resource "aws_security_group_rule" "instance-teleport-out-ssh" {
   from_port         = "22"
   to_port           = "22"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }
 
@@ -83,7 +83,7 @@ resource "aws_security_group_rule" "instance-teleport-out-teleport" {
   from_port         = "3022"
   to_port           = "3026"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }
 
@@ -93,6 +93,6 @@ resource "aws_security_group_rule" "instance-teleport-out-https" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }

+ 1 - 1
submodules/load_balancer/public_alb/elb.tf

@@ -4,7 +4,7 @@
 resource "aws_lb" "server_external" {
   name_prefix        = local.prefix
   security_groups    = [aws_security_group.alb.id]
-  internal           = false
+  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets            = var.subnets
   load_balancer_type = "application"
 

+ 2 - 2
submodules/load_balancer/public_alb/security_groups.tf

@@ -17,7 +17,7 @@ resource "aws_security_group_rule" "http_from_internet" {
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
-  cidr_blocks       = var.inbound_cidrs
+  cidr_blocks       = var.inbound_cidrs #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb.id
 }
 
@@ -27,7 +27,7 @@ resource "aws_security_group_rule" "https_from_internet" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = var.inbound_cidrs
+  cidr_blocks       = var.inbound_cidrs #tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb.id
 }
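Review bot: Placing the ignore on `cidr_blocks = var.inbound_cidrs` (L872, L881) silences the public-ingress finding for every caller of this submodule, whatever value they pass, with no reason recorded. Since the module is named public_alb that is presumably intended, but it should be written down: `cidr_blocks = var.inbound_cidrs #tfsec:ignore:aws-vpc-no-public-ingress-sgr Public ALB module; callers choose the inbound CIDRs`. Callers that want a non-public ALB should not be using this module, and a note on the variable saying so would stop the ignore from hiding an accidental 0.0.0.0/0 there.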
 

+ 4 - 2
thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

@@ -47,8 +47,10 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" {
   tags = var.tags
 }
 
-# S3 Bucket for Kinesis Firehose s3_backup_mode
-# tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+#S3 Bucket for Kinesis Firehose s3_backup_mode
+#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-block-public-acls 
+#tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-no-public-buckets
+#Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" {
   bucket = var.s3_bucket_name