Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gruntwork-io/tflint-ruleset-aws-cis
Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.
https://github.com/gruntwork-io/tflint-ruleset-aws-cis
aws cis devops terraform tflint
Last synced: about 12 hours ago
JSON representation
Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.
- Host: GitHub
- URL: https://github.com/gruntwork-io/tflint-ruleset-aws-cis
- Owner: gruntwork-io
- License: apache-2.0
- Created: 2023-01-05T16:37:20.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-02-18T03:33:38.000Z (over 1 year ago)
- Last Synced: 2024-09-23T04:32:57.233Z (4 days ago)
- Topics: aws, cis, devops, terraform, tflint
- Language: Go
- Homepage: https://gruntwork.io/achieve-compliance/
- Size: 55.7 KB
- Stars: 11
- Watchers: 13
- Forks: 5
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
README
# TFLint Ruleset CIS AWS Foundations Benchmark
Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from [Gruntwork's CIS Service Catalog](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog).
> :warning: **This repository is a WIP. It only contains one single rule so far, to validate Security Groups, that is hard to enforce in any other way ([see Rules section](#rules)). In the future, we may add other CIS AWS Foundations Benchmark rules.**
## Requirements
- TFLint v0.40+
- Go v1.19
## Installation
You can install the plugin with `tflint --init`. Declare a config in `.tflint.hcl` as follows:
```hcl
plugin "aws-cis" {
enabled = true
version = ""
source = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}
```
## Rules
| Name | Description |Severity|Enabled| CIS Recommendation |
|--------------------------------------------|------------------------------------------------------------------------------------| --- | --- |--------------------|
| aws_security_group_rule_invalid_cidr_block | Ensure that SG rules do not allow public access to remote administration ports |ERROR|✔| 5.2 and 5.3 |
## Terragrunt
An effective way to enforce these rules is to add them to your Terragrunt configuration using [Before Hooks](https://terragrunt.gruntwork.io/docs/features/hooks/#tflint-hook).
```hcl
terraform {
before_hook "before_hook" {
commands = ["apply", "plan"]
execute = ["tflint"]
}
}
```
In the root of the Terragrunt project, add a `.tflint.hcl` file, replacing `` below with the latest version from the [releases page](https://github.com/gruntwork-io/tflint-ruleset-aws-cis/releases):
```hcl
plugin "aws" {
enabled = true
version = ""
source = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}
```
## Running locally
### Building the plugin
Clone the repository locally and run the following command:
```
$ make
```
You can easily install the built plugin with the following:
```
$ make install
```
You can run the built plugin like the following:
```bash
$ cat << EOS > .tflint.hcl
plugin "aws-cis" {
enabled = true
}
EOS
$ tflint
```
### Manual release
**NOTE:** This project doesn't have automated releases at the moment (due to limitations of our GitHub org with GitHub actions) and does not sign the binaries (as `tflint` doesn't currently check signatures for plugins). [See this Slack thread for more info](https://gruntwork-io.slack.com/archives/C046S2PDWP8/p1672915001156189).
In order to release the binaries, this project uses [goreleaser](https://goreleaser.com/) ([install instructions](https://goreleaser.com/install/)).
Export the variable `GITHUB_TOKEN` so the binaries can be uploaded to GitHub. The release should run locally from the tag that will have the release.
```
git checkout
export GITHUB_TOKEN=
goreleaser release
```