Skip to content

Instantly share code, notes, and snippets.

View schosterbarak's full-sized avatar
🦌

Barak Schoster Goihman schosterbarak

🦌
101 followers · 21 following
View GitHub Profile
@schosterbarak
schosterbarak / github access
Created May 8, 2022 08:08
name: AWS example workflow
on:
push
env:
BUCKET_NAME : "<example-bucket-name>"
AWS_REGION : "<example-aws-region>"
# permission can be added at job level or workflow level
permissions:
id-token: write
contents: read # This is required for actions/checkout
@schosterbarak
schosterbarak / main.tf
Last active March 9, 2022 17:33
module "old_s3_bucket_module_version" {
source = "cloudposse/s3-bucket/aws"
version = "0.2.1"
acl = "private"
enabled = true
user_enabled = true
versioning_enabled = false
allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
name = "app"
stage = "test"
@schosterbarak
schosterbarak / s3_module_version.py
Created March 1, 2022 19:10
from packaging import version as v
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
class S3ModuleVersionCheck(BaseModuleCheck):
def __init__(self):
name = "Ensure S3 module is from version 0.47.0"
id = "CKV_TF_MODULE_1"
@schosterbarak
schosterbarak / immutable_module.py
Created March 1, 2022 19:08
import re
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
MODULE_GIT_VERSION_PATTERN = re.compile(r"git::https?:\/\/[^\/]+\/.+.git\?ref=(\b[0-9a-f]{5,40}\b)")
class ModuleSourceHashCheck(BaseModuleCheck):
def __init__(self):
@schosterbarak
schosterbarak / main.tf
Last active March 1, 2022 19:02
module "not_immutable_s3_bucket" {
source = "example/s3-bucket/aws"
version = "0.3.4"
acl = "private"
enabled = true
user_enabled = true
versioning_enabled = false
allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
name = "app"
stage = "test"
@schosterbarak
schosterbarak / main.tf
Created March 1, 2022 18:39
resource "aws_ssm_parameter" "param" {
name = var.parameter_name
type = "SecureString"
value = random_password.password.result
}
resource "random_password" "password" {
length = 16
special = true
override_special = "_%@"
@schosterbarak
schosterbarak / HTTPNotSendingPasswords.yaml
Created March 1, 2022 18:35
metadata:
id: "CKV2_AWS_36"
name: "Ensure terraform is not sending SSM secrets to untrusted domains over HTTP"
category: "SUPPLY_CHAIN"
# inspired by: https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
definition:
or:
- and:
- cond_type: connection
operator: exists
@schosterbarak
schosterbarak / ExternalData.py
Created March 1, 2022 18:28
from typing import Dict, List, Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.data.base_check import BaseDataCheck
class ExternalData(BaseDataCheck):
def __init__(self) -> None:
name = 'Ensure terraform external data blocks runs vetted code'
id = "CKV_TF_DATA_EXTERNAL_1"
@schosterbarak
schosterbarak / emr.tf
Last active April 22, 2022 13:21
resource "aws_emr_cluster" "production_data_engineering" {
name = "emr-test-arn"
release_label = "emr-4.6.0"
applications = ["Spark"]
ec2_attributes {
emr_managed_master_security_group = aws_security_group.dev.id
emr_managed_slave_security_group = aws_security_group.dev.id
instance_profile = "connected_to_aws_iam_instance_profile"
}
@schosterbarak
schosterbarak / cfn_iam_policy.tf
Created November 22, 2021 16:22
AWSTemplateFormatVersion: 2010-09-09
Description: IAM policy
Resources:
ExamplePolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement: