resolve issues reported by Trivy

RADAR-base · Jan 6, 2025 · 97e4f4a · 97e4f4a
1 parent 476e83d
commit 97e4f4a
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 34 deletions.
diff --git a/config/README.md b/config/README.md
@@ -29,6 +29,7 @@
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.msk_broker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_db_instance.radar_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |
 | [aws_db_subnet_group.rds_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_eip.cluster_loadbalancer_eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
@@ -96,6 +97,7 @@
 | <a name="input_enable_karpenter"></a> [enable\_karpenter](#input\_enable\_karpenter) | Do you need Karpenter? [true, false] | `bool` | n/a | yes |
 | <a name="input_enable_metrics"></a> [enable\_metrics](#input\_enable\_metrics) | Do you need Metrics Server? [true, false] | `bool` | n/a | yes |
 | <a name="input_enable_msk"></a> [enable\_msk](#input\_enable\_msk) | Do you need MSK? [true, false] | `bool` | n/a | yes |
+| <a name="input_enable_msk_logging"></a> [enable\_msk\_logging](#input\_enable\_msk\_logging) | Do you need logging on MSK brokers? [true, false] | `bool` | n/a | yes |
 | <a name="input_enable_rds"></a> [enable\_rds](#input\_enable\_rds) | Do you need RDS? [true, false] | `bool` | n/a | yes |
 | <a name="input_enable_route53"></a> [enable\_route53](#input\_enable\_route53) | Do you need Route53? [true, false] | `bool` | n/a | yes |
 | <a name="input_enable_s3"></a> [enable\_s3](#input\_enable\_s3) | Do you need S3? [true, false] | `bool` | n/a | yes |

diff --git a/config/msk.tf b/config/msk.tf
@@ -74,8 +74,13 @@ zookeeper.session.timeout.ms=18000
 PROPERTIES
 }
 
-#trivy:ignore:AVD-AWS-0074 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0179 Temporarly skip these checks
+resource "aws_cloudwatch_log_group" "msk_broker" {
+  count = var.enable_msk_logging ? 1 : 0
+  name  = "${var.eks_cluster_name}-msk-broker-logs"
+}
+
+#trivy:ignore:AVD-AWS-0074 Logging on MSK brokers can be enabled by setting var.enable_msk_logging to true
+#trivy:ignore:AVD-AWS-0179 By default an AWS-managed KMS key is used to encrypt MSK data at rest
 resource "aws_msk_cluster" "msk_cluster" {
   count = var.enable_msk ? 1 : 0
 
@@ -99,6 +104,7 @@ resource "aws_msk_cluster" "msk_cluster" {
   encryption_info {
     encryption_in_transit {
       client_broker = "TLS"
+      in_cluster    = true
     }
   }
 
@@ -125,6 +131,18 @@ resource "aws_msk_cluster" "msk_cluster" {
     arn      = aws_msk_configuration.msk_configuration[0].arn
     revision = 1
   }
+
+  dynamic "logging_info" {
+    for_each = var.enable_msk_logging ? [1] : []
+    content {
+      broker_logs {
+        cloudwatch_logs {
+          enabled   = var.enable_msk_logging
+          log_group = aws_cloudwatch_log_group.msk_broker.name
+        }
+      }
+    }
+  }
 }
 
 output "radar_base_msk_bootstrap_brokers" {

diff --git a/config/rds.tf b/config/rds.tf
@@ -36,29 +36,29 @@ resource "aws_security_group" "rds_access" {
 
 }
 
-#trivy:ignore:AVD-AWS-0077 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0177 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0176 Temporarly skip these checks
 resource "aws_db_instance" "radar_postgres" {
   count = var.enable_rds ? 1 : 0
 
-  identifier                   = "${var.eks_cluster_name}-postgres"
-  db_name                      = "radarbase"
-  engine                       = "postgres"
-  engine_version               = var.postgres_version
-  instance_class               = "db.t4g.micro"
-  username                     = "postgres"
-  password                     = var.radar_postgres_password
-  allocated_storage            = 5
-  storage_type                 = "standard"
-  storage_encrypted            = true
-  skip_final_snapshot          = true
-  publicly_accessible          = false
-  multi_az                     = false
-  db_subnet_group_name         = aws_db_subnet_group.rds_subnet[0].name
-  vpc_security_group_ids       = [aws_security_group.rds_access[0].id]
-  performance_insights_enabled = true
-  copy_tags_to_snapshot        = true
+  identifier                          = "${var.eks_cluster_name}-postgres"
+  db_name                             = "radarbase"
+  engine                              = "postgres"
+  engine_version                      = var.postgres_version
+  instance_class                      = "db.t4g.micro"
+  username                            = "postgres"
+  password                            = var.radar_postgres_password
+  allocated_storage                   = 5
+  storage_type                        = "standard"
+  storage_encrypted                   = true
+  skip_final_snapshot                 = true
+  publicly_accessible                 = false
+  multi_az                            = false
+  db_subnet_group_name                = aws_db_subnet_group.rds_subnet[0].name
+  vpc_security_group_ids              = [aws_security_group.rds_access[0].id]
+  performance_insights_enabled        = true
+  copy_tags_to_snapshot               = true
+  backup_retention_period             = 7
+  iam_database_authentication_enabled = true
+  deletion_protection                 = true # This needs to be set to false before you really want to delete the database with "terraform destroy"
 
   tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-postgres" }), var.common_tags)
 

diff --git a/config/terraform.tfvars b/config/terraform.tfvars
@@ -1,12 +1,13 @@
-AWS_REGION       = "eu-west-2"
-environment      = "dev"
-domain_name      = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
-with_dmz_pods    = false
-enable_metrics   = false
-enable_karpenter = false
-enable_msk       = false
-enable_rds       = false
-enable_route53   = false
-enable_ses       = false
-enable_s3        = false
-enable_eip       = false
+AWS_REGION         = "eu-west-2"
+environment        = "dev"
+domain_name        = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
+with_dmz_pods      = false
+enable_metrics     = false
+enable_karpenter   = false
+enable_msk         = false
+enable_msk_logging = false
+enable_rds         = false
+enable_route53     = false
+enable_ses         = false
+enable_s3          = false
+enable_eip         = false
diff --git a/config/variables.tf b/config/variables.tf
@@ -131,6 +131,11 @@ variable "enable_msk" {
   description = "Do you need MSK? [true, false]"
 }
 
+variable "enable_msk_logging" {
+  type        = bool
+  description = "Do you need logging on MSK brokers? [true, false]"
+}
+
 variable "enable_rds" {
   type        = bool
   description = "Do you need RDS? [true, false]"