Open syscod3 opened 2 years ago
Hi! tfsec complains (rightly so) about the following:
```
Result #3 HIGH Launch template does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
  .terraform/modules/nat_instance/main.tf Lines 67-115
───────┬────────────────────────────────────────────────────────────────────────
    67 │ resource "aws_launch_template" "this" {
    68 │   name_prefix = var.name
    69 │   image_id    = var.image_id != "" ? var.image_id : data.aws_ami.this.id
    70 │   key_name    = var.key_name
    71 │
    72 │   iam_instance_profile {
    73 │     arn = aws_iam_instance_profile.this.arn
    74 │   }
    75 │
    76 │   network_interfaces {
    77 │     associate_public_ip_address = true
    78 │     security_groups             = [aws_security_group.this.id]
    79 │     delete_on_termination       = true
    80 │   }
    81 │
    82 │   tag_specifications {
    83 │     resource_type = "instance"
    84 │     tags          = local.common_tags
    85 │   }
    86 │
    87 │   user_data = base64encode(join("\n", [
    88 │     "#cloud-config",
    89 │     yamlencode({
    90 │       # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
    91 │       write_files : concat([
    92 │         {
    93 │           path : "/opt/nat/runonce.sh",
    94 │           content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
    95 │           permissions : "0755",
    96 │         },
    97 │         {
    98 │           path : "/opt/nat/snat.sh",
    99 │           content : file("${path.module}/snat.sh"),
   100 │           permissions : "0755",
   101 │         },
   102 │         {
   103 │           path : "/etc/systemd/system/snat.service",
   104 │           content : file("${path.module}/snat.service"),
   105 │         },
   106 │       ], var.user_data_write_files),
   107 │       runcmd : concat([
   108 │         ["/opt/nat/runonce.sh"],
   109 │       ], var.user_data_runcmd),
   110 │     })
   111 │   ]))
   112 │
   113 │   description = "Launch template for NAT instance ${var.name}"
   114 │   tags        = local.common_tags
   115 │ }
───────┴────────────────────────────────────────────────────────────────────────
          ID aws-autoscaling-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/autoscaling/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
```
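The resolution tfsec points at is a `metadata_options` block on the launch template. The following is an added example of what that change looks like in the module's `aws_launch_template` resource; it is not code from the module or from this issue, and it keeps the module's own field names (`var.name`, `var.image_id`, `aws_iam_instance_profile.this`, `local.common_tags`) exactly as they appear in the tfsec output. The `user_data` block is unchanged and elided here for brevity.

```hcl
resource "aws_launch_template" "this" {
  name_prefix = var.name
  image_id    = var.image_id != "" ? var.image_id : data.aws_ami.this.id
  key_name    = var.key_name

  # Added block (not in the module as reported): require IMDSv2 session tokens.
  # With http_tokens = "required", a plain GET to 169.254.169.254 without a
  # token is rejected, so any process on the instance (or anything that can make
  # it issue an HTTP request) can no longer read the instance profile
  # credentials with a single unauthenticated request.
  #
  # http_put_response_hop_limit = 1 sets the IP TTL of the token response to 1.
  # On a NAT instance that matters: hosts in the private subnets route through
  # this box, and a TTL of 1 means a token response is dropped rather than
  # forwarded on to them.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  iam_instance_profile {
    arn = aws_iam_instance_profile.this.arn
  }

  network_interfaces {
    associate_public_ip_address = true
    security_groups             = [aws_security_group.this.id]
    delete_on_termination       = true
  }

  tag_specifications {
    resource_type = "instance"
    tags          = local.common_tags
  }

  # user_data = base64encode(...)  -- unchanged from the module, omitted here

  description = "Launch template for NAT instance ${var.name}"
  tags        = local.common_tags
}
```

Two things to check before applying this. First, the resource lives under `.terraform/modules/nat_instance/`, so the block has to land in the module itself (upstream or in a fork); unless the module exposes a variable for it, nothing in the calling root module can add it. Second, if `runonce.sh` or any script passed in via `var.user_data_write_files` queries IMDS (for example to look up its own instance ID before attaching the ENI; this issue does not say whether it does, so treat that as an assumption to verify), it must switch to the token flow: a `PUT` to `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, then the returned token in `X-aws-ec2-metadata-token` on each metadata request. Re-running `tfsec` after the change should clear `aws-autoscaling-enforce-http-token-imds` for this resource.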