Skip to content

chore(security): harden RDS, EC2, security groups, OIDC, and deployment workflows#94

Open
alismx wants to merge 15 commits into
mainfrom
chore/update-checkov-security
Open

chore(security): harden RDS, EC2, security groups, OIDC, and deployment workflows#94
alismx wants to merge 15 commits into
mainfrom
chore/update-checkov-security

Conversation

@alismx

@alismx alismx commented Apr 22, 2026

Copy link
Copy Markdown
Collaborator

Summary

Hardens RDS, EC2, security groups, OIDC IAM policies, and deployment workflows with checkov skip descriptions, security group descriptions, IAM policy skip comments, EBS encryption, IMDSv2, and enhanced ECR scanning.

Changes

  • .github/workflows/*.yaml: Added checkov skip for CKV_GHA_7 on deployment workflows. Added permissions: read-all to tflint and trivy workflows.
  • terraform/implementation/ecs/main.tf: Enabled enhanced ECR registry scanning. Bumped ecs-viewer module ref to cfb946b.
  • terraform/modules/db/database_setup.tf: Added checkov skips and descriptions to ephemeral DB setup security groups and instances. Added IMDSv2, encryption, and monitoring.
  • terraform/modules/db/postgresql.tf: Added descriptions to security groups/ingress/egress. Enabled IAM DB auth, storage encryption, monitoring, performance insights, and auto minor version upgrade. Added checkov skips for secrets rotation and KMS.
  • terraform/modules/db/sqlserver.tf: Same hardening as postgresql.tf — descriptions, IAM DB auth, encryption, monitoring, performance insights.
  • terraform/modules/oidc/_data.tf: Added checkov skip descriptions for IAM deployment role OIDC assume role and wildcard policies. Added servicediscovery actions to scoped policies.
  • terraform/modules/tfstate/main.tf: Added checkov skip comments for S3 bucket best practices (access logging, lifecycle, replication, event notifications).

Why

This branch accumulates security hardening across all Terraform modules: inline checkov skip descriptions with rationale, explicit security group rule descriptions, IMDSv2/enhanced encryption on RDS and EC2, IAM DB authentication, and broader observability (monitoring intervals, performance insights).

Testing

  • Tests pass

alismx and others added 7 commits April 22, 2026 15:59
- Add permissions: read-all to tflint and trivy GitHub workflows
- Add descriptive comments to all AWS security group rules
- Update ECS module source to latest commit
- Include service discovery permission in OIDC policy
- Fix alignment in main.tf variable assignments
- Add CKV_GHA_7 skip comments to deployment workflows
- Explains ephemeral environment creation pattern
Move checkov skip comments inside resource blocks so they are recognized.
Previously placed above data source declarations — never registered as skipped.
@alismx alismx changed the title chore(security): add permissions and descriptions to security hardening chore(security): add checkov skips to suppress known infrastructure warnings Apr 24, 2026
@laura-puerto-skylight

Copy link
Copy Markdown
Contributor

Looks like there are some issues in the scan that still need to be addressed?

…s and IAM policies

- Add explicit descriptions to security group ingress/egress rules for VPC, PostgreSQL, SQLServer, and DB setup
- Add checkov skip comments with justification to IAM policy documents for deployment role
- Add missing servicediscovery actions to scoped IAM policies
- Add permissions: read-all to tflint and trivy workflows
@alismx alismx changed the title chore(security): add checkov skips to suppress known infrastructure warnings chore(security): add descriptions, checkov skips, and CI permissions May 1, 2026
@alismx alismx changed the title chore(security): add descriptions, checkov skips, and CI permissions chore(security): add descriptions, checkov skips, CI permissions, and skip positioning May 4, 2026
@alismx alismx changed the title chore(security): add descriptions, checkov skips, CI permissions, and skip positioning chore(security): add descriptions, checkov skips, CI permissions, EC2 hardening, and skip positioning May 4, 2026
@alismx alismx changed the title chore(security): add descriptions, checkov skips, CI permissions, EC2 hardening, and skip positioning chore(security): add descriptions, checkov skips, CI permissions, EC2/RDS hardening, and skip positioning May 4, 2026
@alismx alismx changed the title chore(security): add descriptions, checkov skips, CI permissions, EC2/RDS hardening, and skip positioning chore(security): add descriptions, checkov skips, CI/EC2/RDS hardening, IAM DB auth, and skip positioning May 4, 2026
…s to IAM policies

Add descriptive descriptions to RDS security groups and ingress/egress rules.
Add checkov skip comments to IAM policy documents for deployment roles.
@alismx alismx changed the title chore(security): add descriptions, checkov skips, CI/EC2/RDS hardening, IAM DB auth, and skip positioning chore(security): add descriptions and checkov skips to security groups and IAM policies May 4, 2026
Bump terraform-aws-dibbs-ecr-viewer module from 8e1ee72 to cfb946b.
Align root_block_device spacing in database_setup.tf.
@alismx alismx changed the title chore(security): add descriptions and checkov skips to security groups and IAM policies chore(deps): bump ecs-viewer module ref to cfb946b and fix formatting May 4, 2026
@alismx alismx changed the title chore(deps): bump ecs-viewer module ref to cfb946b and fix formatting chore(security): harden RDS, EC2, security groups, OIDC, and deployment workflows May 4, 2026

@laura-puerto-skylight laura-puerto-skylight left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems ok to me, do you have a task to address the remaining TODOs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants