chore(security): harden RDS, EC2, security groups, OIDC, and deployment workflows#94
Open
alismx wants to merge 15 commits into
Open
chore(security): harden RDS, EC2, security groups, OIDC, and deployment workflows#94alismx wants to merge 15 commits into
alismx wants to merge 15 commits into
Conversation
- Add permissions: read-all to tflint and trivy GitHub workflows - Add descriptive comments to all AWS security group rules - Update ECS module source to latest commit - Include service discovery permission in OIDC policy - Fix alignment in main.tf variable assignments
- Add CKV_GHA_7 skip comments to deployment workflows - Explains ephemeral environment creation pattern
Move checkov skip comments inside resource blocks so they are recognized. Previously placed above data source declarations — never registered as skipped.
Contributor
|
Looks like there are some issues in the scan that still need to be addressed? |
…s and IAM policies - Add explicit descriptions to security group ingress/egress rules for VPC, PostgreSQL, SQLServer, and DB setup - Add checkov skip comments with justification to IAM policy documents for deployment role - Add missing servicediscovery actions to scoped IAM policies - Add permissions: read-all to tflint and trivy workflows
… IMDSv2, and encrypted root
…s to IAM policies Add descriptive descriptions to RDS security groups and ingress/egress rules. Add checkov skip comments to IAM policy documents for deployment roles.
Bump terraform-aws-dibbs-ecr-viewer module from 8e1ee72 to cfb946b. Align root_block_device spacing in database_setup.tf.
laura-puerto-skylight
approved these changes
May 5, 2026
laura-puerto-skylight
left a comment
Contributor
There was a problem hiding this comment.
Seems ok to me, do you have a task to address the remaining TODOs?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens RDS, EC2, security groups, OIDC IAM policies, and deployment workflows with checkov skip descriptions, security group descriptions, IAM policy skip comments, EBS encryption, IMDSv2, and enhanced ECR scanning.
Changes
.github/workflows/*.yaml: Added checkov skip forCKV_GHA_7on deployment workflows. Addedpermissions: read-allto tflint and trivy workflows.terraform/implementation/ecs/main.tf: Enabled enhanced ECR registry scanning. Bumped ecs-viewer module ref tocfb946b.terraform/modules/db/database_setup.tf: Added checkov skips and descriptions to ephemeral DB setup security groups and instances. Added IMDSv2, encryption, and monitoring.terraform/modules/db/postgresql.tf: Added descriptions to security groups/ingress/egress. Enabled IAM DB auth, storage encryption, monitoring, performance insights, and auto minor version upgrade. Added checkov skips for secrets rotation and KMS.terraform/modules/db/sqlserver.tf: Same hardening as postgresql.tf — descriptions, IAM DB auth, encryption, monitoring, performance insights.terraform/modules/oidc/_data.tf: Added checkov skip descriptions for IAM deployment role OIDC assume role and wildcard policies. Addedservicediscoveryactions to scoped policies.terraform/modules/tfstate/main.tf: Added checkov skip comments for S3 bucket best practices (access logging, lifecycle, replication, event notifications).Why
This branch accumulates security hardening across all Terraform modules: inline checkov skip descriptions with rationale, explicit security group rule descriptions, IMDSv2/enhanced encryption on RDS and EC2, IAM DB authentication, and broader observability (monitoring intervals, performance insights).
Testing