int128 / terraform-aws-nat-instance

Terraform module to provision a NAT Instance using an Auto Scaling Group and Spot Instance from $1/month
https://registry.terraform.io/modules/int128/nat-instance/aws/
Apache License 2.0
175 stars 90 forks

instance metadata with tokens #48

Open syscod3 opened 2 years ago

syscod3 commented 2 years ago

Hi! tfsec complains (rightly so) about the following:

Result #3 HIGH Launch template does not require IMDS access to require a token
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 .terraform/modules/nat_instance/main.tf Lines 67-115
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   67  │ resource "aws_launch_template" "this" {
   68  │   name_prefix = var.name
   69  │   image_id    = var.image_id != "" ? var.image_id : data.aws_ami.this.id
   70  │   key_name    = var.key_name
   71  │
   72  │   iam_instance_profile {
   73  │     arn = aws_iam_instance_profile.this.arn
   74  │   }
   75  │
   76  │   network_interfaces {
   77  │     associate_public_ip_address = true
   78  │     security_groups             = [aws_security_group.this.id]
   79  │     delete_on_termination       = true
   80  │   }
   81  │
   82  │   tag_specifications {
   83  │     resource_type = "instance"
   84  │     tags          = local.common_tags
   85  │   }
   86  │
   87  │   user_data = base64encode(join("\n", [
   88  │     "#cloud-config",
   89  │     yamlencode({
   90  │       # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
   91  │       write_files : concat([
   92  │         {
   93  │           path : "/opt/nat/runonce.sh",
   94  │           content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
   95  │           permissions : "0755",
   96  │         },
   97  │         {
   98  │           path : "/opt/nat/snat.sh",
   99  │           content : file("${path.module}/snat.sh"),
  100  │           permissions : "0755",
  101  │         },
  102  │         {
  103  │           path : "/etc/systemd/system/snat.service",
  104  │           content : file("${path.module}/snat.service"),
  105  │         },
  106  │       ], var.user_data_write_files),
  107  │       runcmd : concat([
  108  │         ["/opt/nat/runonce.sh"],
  109  │       ], var.user_data_runcmd),
  110  │     })
  111  │   ]))
  112  │
  113  │   description = "Launch template for NAT instance ${var.name}"
  114  │   tags        = local.common_tags
  115  │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-autoscaling-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/autoscaling/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
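For reference, this is what the launch template from the finding looks like once the token requirement is in place. It is an added example, not code from the module or from the issue author: it assumes the module's existing `var.*` inputs, `data.aws_ami.this`, `aws_iam_instance_profile.this`, `aws_security_group.this`, `local.common_tags` and the `runonce.sh` / `snat.sh` / `snat.service` files, and only the `metadata_options` block is new.

```hcl
# Added example, not the module's own main.tf. Everything except
# metadata_options is the launch template as shown in the tfsec output.
resource "aws_launch_template" "this" {
  name_prefix = var.name
  image_id    = var.image_id != "" ? var.image_id : data.aws_ami.this.id
  key_name    = var.key_name

  iam_instance_profile {
    arn = aws_iam_instance_profile.this.arn
  }

  network_interfaces {
    associate_public_ip_address = true
    security_groups             = [aws_security_group.this.id]
    delete_on_termination       = true
  }

  # This block is what aws-autoscaling-enforce-http-token-imds asks for.
  # http_tokens = "required" turns off IMDSv1: a plain GET to
  # http://169.254.169.254/ gets HTTP 401, so the instance profile
  # credentials can only be read by a client that first does the
  # PUT /latest/api/token handshake. The hop limit of 1 keeps the token
  # response from being relayed one network hop further (e.g. out of a
  # container bridge network).
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tag_specifications {
    resource_type = "instance"
    tags          = local.common_tags
  }

  user_data = base64encode(join("\n", [
    "#cloud-config",
    yamlencode({
      # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
      write_files : concat([
        {
          path : "/opt/nat/runonce.sh",
          content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
          permissions : "0755",
        },
        {
          path : "/opt/nat/snat.sh",
          content : file("${path.module}/snat.sh"),
          permissions : "0755",
        },
        {
          path : "/etc/systemd/system/snat.service",
          content : file("${path.module}/snat.service"),
        },
      ], var.user_data_write_files),
      runcmd : concat([
        ["/opt/nat/runonce.sh"],
      ], var.user_data_runcmd),
    })
  ]))

  description = "Launch template for NAT instance ${var.name}"
  tags        = local.common_tags
}
```

Two things to check before relying on this. First, once tokens are required, any script on the instance that reads metadata with a bare GET breaks: if `runonce.sh` or anything passed in through `var.user_data_runcmd` calls the metadata endpoint directly, it has to obtain a token first (`PUT /latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, then send it back as `X-aws-ec2-metadata-token`); current versions of the AWS CLI and SDKs do this on their own. Second, the change only creates a new launch template version, so instances already running in the Auto Scaling Group keep accepting IMDSv1 until they are replaced, for example by an instance refresh. Instances that route through the NAT are not affected either way, since 169.254.169.254 is link-local to each instance and never crosses the NAT.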