tflint-ruleset-aws-cis

command module
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 6, 2023 License: Apache-2.0 Imports: 3 Imported by: 0

README

TFLint Ruleset CIS AWS Foundations Benchmark

CIS AWS Foundations Benchmark Version

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

This repository is a WIP. It only contains one single rule so far, to validate Security Groups, that is hard to enforce in any other way (see Rules section). In the future, we may add other CIS AWS Foundations Benchmark rules.

Requirements

  • TFLint v0.40+
  • Go v1.19

Installation

You can install the plugin with tflint --init. Declare a config in .tflint.hcl as follows:

plugin "aws-cis" {
  enabled = true

  version = "<VERSION>"
  source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Rules

Name Description Severity Enabled CIS Recommendation
aws_security_group_rule_invalid_cidr_block Ensure that SG rules do not allow public access to remote administration ports ERROR 5.2 and 5.3

Terragrunt

An effective way to enforce these rules is to add them to your Terragrunt configuration using Before Hooks.

terraform {
  before_hook "before_hook" {
    commands     = ["apply", "plan"]
    execute      = ["tflint"]
  }
}

In the root of the Terragrunt project, add a .tflint.hcl file, replacing <VERSION> below with the latest version from the releases page:

plugin "aws" {
    enabled = true
    version = "<VERSION>"
    source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Running locally

Building the plugin

Clone the repository locally and run the following command:

$ make

You can easily install the built plugin with the following:

$ make install

You can run the built plugin like the following:

$ cat << EOS > .tflint.hcl
plugin "aws-cis" {
  enabled = true
}
EOS
$ tflint
Manual release

In order to release the binaries, this project uses goreleaser (install instructions).

Export the variable GPG_FINGERPRINT in order to sign the release, and GITHUB_TOKEN so the binaries can be uploaded to GitHub. The release should run locally from the tag that will have the release.

git checkout <TAG FOR THE RELEASE, e.g. v0.40.0>

export GPG_FINGERPRINT=<FINGERPRINT_ID>
export GITHUB_TOKEN=<TOKEN>

goreleaser release

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.