SPHTech-Platform · smoneyan · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
@@ -1,5 +1,6 @@
 resource "aws_security_group" "ecs_sg" {
   #checkov:skip=CKV2_AWS_5:Security group is attached to another resource
+  #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
   name        = "ecs-sg-${var.name}"
   description = "Allow inbound traffic"
   vpc_id      = data.aws_vpc.default.id
@@ -38,6 +39,7 @@ resource "aws_security_group" "lb_public_sg" {
 }
 
 resource "aws_security_group_rule" "lb_sg_allow_all" {
+  #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
   description       = "Allow all outbound traffic"
   type              = "egress"
   from_port         = 0

@@ -1,5 +1,6 @@
 resource "aws_security_group" "ecs_sg" {
   #checkov:skip=CKV2_AWS_5:Security group is attached to another resource
+  #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
   name        = "ecs-sg-${var.name}"
   description = "Allow inbound traffic"
   vpc_id      = data.aws_vpc.default.id
@@ -38,6 +39,7 @@ resource "aws_security_group" "lb_public_sg" {
 }
 
 resource "aws_security_group_rule" "lb_sg_allow_all" {
+  #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
   description       = "Allow all outbound traffic"
   type              = "egress"
   from_port         = 0

@@ -9,20 +9,22 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.38.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.83.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_iam_assumable_role"></a> [iam\_assumable\_role](#module\_iam\_assumable\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 4.13.0 |
 | <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 4.13.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_iam_instance_profile.iam_instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

@@ -0,0 +1,15 @@
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_role_arns
+    }
+
+    principals {
+      type        = "Service"
+      identifiers = var.trusted_role_services
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
@@ -1,18 +1,21 @@
-module "iam_assumable_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "~> 4.13.0"
+resource "aws_iam_role" "iam_role" {
+  name = var.role_name
 
-  trusted_role_arns       = var.trusted_role_arns
-  trusted_role_services   = var.trusted_role_services
-  custom_role_policy_arns = var.custom_role_policy_arns
+  force_detach_policies = true
+  assume_role_policy    = data.aws_iam_policy_document.assume_role_policy.json
+  managed_policy_arns   = var.custom_role_policy_arns
 
-  create_role             = true
-  create_instance_profile = var.create_instance_profile
-  role_requires_mfa       = false
+  tags = merge(var.tags, { "Name" = var.role_name })
+}
 
-  role_name = var.role_name
+resource "aws_iam_instance_profile" "iam_instance_role" {
+  count = var.create_instance_profile ? 1 : 0
 
-  tags = merge(var.tags, { "Name" = var.role_name })
+  name = var.role_name
+  path = "/"
+  role = aws_iam_role.iam_role.name
+
+  tags = var.tags
 }
 
 module "iam_policy" {
@@ -30,6 +33,6 @@ module "iam_policy" {
 resource "aws_iam_role_policy_attachment" "attach" {
   count = length(var.policy) > 0 ? 1 : 0
 
-  role       = module.iam_assumable_role.iam_role_name
+  role       = aws_iam_role.iam_role.name
   policy_arn = module.iam_policy.arn
 }
@@ -0,0 +1,9 @@
+moved {
+  from = module.iam_assumable_role.aws_iam_role.this
+  to   = aws_iam_role.iam_role
+}
+
+moved {
+  from = module.iam_assumable_role.aws_iam_instance_profile.this
+  to   = aws_iam_instance_profile.iam_instance_role
+}
@@ -1,21 +1,21 @@
 output "iam_role_arn" {
   description = "ARN of IAM role"
-  value       = try(module.iam_assumable_role.iam_role_arn, "")
+  value       = try(aws_iam_role.iam_role.arn, "")
 }
 
 output "iam_role_name" {
   description = "Name of IAM role"
-  value       = try(module.iam_assumable_role.iam_role_name, "")
+  value       = try(aws_iam_role.iam_role.name, "")
 }
 
 output "iam_instance_profile_arn" {
   description = "ARN of IAM instance profile"
-  value       = try(module.iam_assumable_role.iam_instance_profile_arn, "")
+  value       = try(aws_iam_instance_profile.iam_instance_role[0].arn, "")
 }
 
 output "iam_instance_profile_name" {
   description = "Name of IAM instance profile"
-  value       = try(module.iam_assumable_role.iam_instance_profile_name, "")
+  value       = try(aws_iam_instance_profile.iam_instance_role[0].name, "")
 }
 
 output "iam_policy_id" {

@@ -10,7 +10,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.38.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.83.1 |
 
 ## Modules
 

@@ -73,6 +73,7 @@ data "aws_ecs_task_definition" "this" {
 
 resource "aws_ecs_service" "this" {
   #checkov:skip=CKV_AWS_332: Already defaulting to latest FARGATE platform version
+  #checkov:skip=CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
 
   name    = var.name
   cluster = var.cluster_id