diff --git a/examples/ec2/sg.tf b/examples/ec2/sg.tf
index cade265..c427b34 100644
--- a/examples/ec2/sg.tf
+++ b/examples/ec2/sg.tf
@@ -1,5 +1,6 @@
resource "aws_security_group" "ecs_sg" {
#checkov:skip=CKV2_AWS_5:Security group is attached to another resource
+ #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
name = "ecs-sg-${var.name}"
description = "Allow inbound traffic"
vpc_id = data.aws_vpc.default.id
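Review bot: The added `#checkov:skip=CKV_AWS_382:` line fills the justification slot with the check's own title rather than a reason, so the suppression records nothing about why this security group needs unrestricted egress. Replace the quoted title with the actual reason, e.g. `#checkov:skip=CKV_AWS_382:<reason the ECS tasks need egress to 0.0.0.0/0 on all ports>`, so a later audit of suppressions can tell a deliberate exception from a silenced finding. The same title-as-reason pattern appears in the second hunk of this file (`lb_sg_allow_all`), in both hunks of examples/fargate/sg.tf, and in the CKV_AWS_333 skip added to modules/service/main.tf. The `ecs_sg` resource body continues outside the hunk, so the egress rule being suppressed is not visible here.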
@@ -38,6 +39,7 @@ resource "aws_security_group" "lb_public_sg" {
}
resource "aws_security_group_rule" "lb_sg_allow_all" {
+ #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
description = "Allow all outbound traffic"
type = "egress"
from_port = 0
diff --git a/examples/fargate/sg.tf b/examples/fargate/sg.tf
index cade265..c427b34 100644
--- a/examples/fargate/sg.tf
+++ b/examples/fargate/sg.tf
@@ -1,5 +1,6 @@
resource "aws_security_group" "ecs_sg" {
#checkov:skip=CKV2_AWS_5:Security group is attached to another resource
+ #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
name = "ecs-sg-${var.name}"
description = "Allow inbound traffic"
vpc_id = data.aws_vpc.default.id
@@ -38,6 +39,7 @@ resource "aws_security_group" "lb_public_sg" {
}
resource "aws_security_group_rule" "lb_sg_allow_all" {
+ #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
description = "Allow all outbound traffic"
type = "egress"
from_port = 0
diff --git a/modules/iam/README.md b/modules/iam/README.md
index e16ce3b..2262743 100644
--- a/modules/iam/README.md
+++ b/modules/iam/README.md
@@ -9,20 +9,22 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.38.0 |
+| [aws](#provider\_aws) | 5.83.1 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [iam\_assumable\_role](#module\_iam\_assumable\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 4.13.0 |
| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 4.13.0 |
## Resources
| Name | Type |
|------|------|
+| [aws_iam_instance_profile.iam_instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
diff --git a/modules/iam/data.tf b/modules/iam/data.tf
new file mode 100644
index 0000000..4426b19
--- /dev/null
+++ b/modules/iam/data.tf
@@ -0,0 +1,15 @@
+data "aws_iam_policy_document" "assume_role_policy" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = var.trusted_role_arns
+ }
+
+ principals {
+ type = "Service"
+ identifiers = var.trusted_role_services
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
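Review bot: Both `principals` blocks are unconditional, so if either `var.trusted_role_arns` or `var.trusted_role_services` is empty the statement is rendered with an empty identifier list for that principal type, which I believe fails either at plan time or when IAM validates the trust policy — confirm against the provider version in use (5.83.1 per the README change). The removed `iam-assumable-role` module wrapper presumably emitted only the principal types that were populated, so callers that set just one of the two variables would regress with this replacement. Gating each block with `dynamic "principals"` on `length(...) > 0` keeps the trust policy valid for either input on its own; adding a `sid` would also make the statement recognisable in the console and in CloudTrail-based reviews.
```hcl
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    sid     = "AssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Only emit a principal type when its identifier list is non-empty.
    dynamic "principals" {
      for_each = length(var.trusted_role_arns) > 0 ? [1] : []
      content {
        type        = "AWS"
        identifiers = var.trusted_role_arns
      }
    }

    dynamic "principals" {
      for_each = length(var.trusted_role_services) > 0 ? [1] : []
      content {
        type        = "Service"
        identifiers = var.trusted_role_services
      }
    }
  }
}
```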
diff --git a/modules/iam/main.tf b/modules/iam/main.tf
index 37e7136..2113069 100644
--- a/modules/iam/main.tf
+++ b/modules/iam/main.tf
@@ -1,18 +1,21 @@
-module "iam_assumable_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "~> 4.13.0"
+resource "aws_iam_role" "iam_role" {
+ name = var.role_name
- trusted_role_arns = var.trusted_role_arns
- trusted_role_services = var.trusted_role_services
- custom_role_policy_arns = var.custom_role_policy_arns
+ force_detach_policies = true
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+ managed_policy_arns = var.custom_role_policy_arns
- create_role = true
- create_instance_profile = var.create_instance_profile
- role_requires_mfa = false
+ tags = merge(var.tags, { "Name" = var.role_name })
+}
- role_name = var.role_name
+resource "aws_iam_instance_profile" "iam_instance_role" {
+ count = var.create_instance_profile ? 1 : 0
- tags = merge(var.tags, { "Name" = var.role_name })
+ name = var.role_name
+ path = "/"
+ role = aws_iam_role.iam_role.name
+
+ tags = var.tags
}
module "iam_policy" {
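Review bot: `managed_policy_arns = var.custom_role_policy_arns` makes `aws_iam_role.iam_role` the exclusive owner of the role's managed-policy attachments, which the provider documents as conflicting with standalone `aws_iam_role_role_policy_attachment` resources; the `attach` resource in this file's second hunk attaches `module.iam_policy.arn` outside that list, so each subsequent plan would detach it and the attachment resource re-add it. The argument is also deprecated in recent 5.x provider releases (the README bumps to 5.83.1) in favour of `aws_iam_role_policy_attachments_exclusive`. Attaching the custom ARNs through a `for_each` `aws_iam_role_policy_attachment` instead avoids both problems; this assumes `var.custom_role_policy_arns` is a list of strings, and if the removed module tracked those attachments as its own resources a `moved` block for them may be wanted too. Minor: the instance profile uses `tags = var.tags` without the `Name` key the role merges in.
```hcl
resource "aws_iam_role" "iam_role" {
  name                  = var.role_name
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.assume_role_policy.json
  # managed_policy_arns dropped: it takes exclusive control of attachments
  # (breaking aws_iam_role_policy_attachment.attach) and is deprecated.
  tags = merge(var.tags, { "Name" = var.role_name })
}

resource "aws_iam_role_policy_attachment" "custom" {
  for_each   = toset(var.custom_role_policy_arns)
  role       = aws_iam_role.iam_role.name
  policy_arn = each.value
}

# … unchanged: aws_iam_instance_profile.iam_instance_role …
```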
@@ -30,6 +33,6 @@ module "iam_policy" {
resource "aws_iam_role_policy_attachment" "attach" {
count = length(var.policy) > 0 ? 1 : 0
- role = module.iam_assumable_role.iam_role_name
+ role = aws_iam_role.iam_role.name
policy_arn = module.iam_policy.arn
}
diff --git a/modules/iam/moved.tf b/modules/iam/moved.tf
new file mode 100644
index 0000000..c1d5b45
--- /dev/null
+++ b/modules/iam/moved.tf
@@ -0,0 +1,9 @@
+moved {
+ from = module.iam_assumable_role.aws_iam_role.this
+ to = aws_iam_role.iam_role
+}
+
+moved {
+ from = module.iam_assumable_role.aws_iam_instance_profile.this
+ to = aws_iam_instance_profile.iam_instance_role
+}
diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf
index 0437bb0..ffd9e26 100644
--- a/modules/iam/outputs.tf
+++ b/modules/iam/outputs.tf
@@ -1,21 +1,21 @@
output "iam_role_arn" {
description = "ARN of IAM role"
- value = try(module.iam_assumable_role.iam_role_arn, "")
+ value = try(aws_iam_role.iam_role.arn, "")
}
output "iam_role_name" {
description = "Name of IAM role"
- value = try(module.iam_assumable_role.iam_role_name, "")
+ value = try(aws_iam_role.iam_role.name, "")
}
output "iam_instance_profile_arn" {
description = "ARN of IAM instance profile"
- value = try(module.iam_assumable_role.iam_instance_profile_arn, "")
+ value = try(aws_iam_instance_profile.iam_instance_role[0].arn, "")
}
output "iam_instance_profile_name" {
description = "Name of IAM instance profile"
- value = try(module.iam_assumable_role.iam_instance_profile_name, "")
+ value = try(aws_iam_instance_profile.iam_instance_role[0].name, "")
}
output "iam_policy_id" {
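Review bot: The `try(aws_iam_role.iam_role.arn, "")` and `try(aws_iam_role.iam_role.name, "")` wrappers on `iam_role_arn` and `iam_role_name` no longer guard anything, because the new `aws_iam_role.iam_role` has no `count` and always exists; all they do now is turn a genuine reference error into a silent empty string. `value = aws_iam_role.iam_role.arn` and `value = aws_iam_role.iam_role.name` are clearer. The `[0]`-indexed `try` on the two instance-profile outputs is still warranted, since that resource remains conditional.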
diff --git a/modules/service/README.md b/modules/service/README.md
index 8a7b32d..8dc7306 100644
--- a/modules/service/README.md
+++ b/modules/service/README.md
@@ -10,7 +10,7 @@
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.38.0 |
+| [aws](#provider\_aws) | 5.83.1 |
## Modules
diff --git a/modules/service/main.tf b/modules/service/main.tf
index bfb5332..e244f3d 100644
--- a/modules/service/main.tf
+++ b/modules/service/main.tf
@@ -73,6 +73,7 @@ data "aws_ecs_task_definition" "this" {
resource "aws_ecs_service" "this" {
#checkov:skip=CKV_AWS_332: Already defaulting to latest FARGATE platform version
+ #checkov:skip=CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
name = var.name
cluster = var.cluster_id