META-INF.rewrite.aws.yml Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of rewrite-terraform Show documentation

Refactor Terraform. Automatically.

There is a newer version: 2.7.0

# # Copyright 2021 the original author or authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 #

# Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.AWSBestPractices displayName: Best practices for AWS description: Securely operate on Amazon Web Services. tags: - terraform - AWS recipeList: - org.openrewrite.terraform.aws.EncryptEBSVolumes - org.openrewrite.terraform.aws.EncryptEBSSnapshots - org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainEncryptionForDataAtRestIsEnabled - org.openrewrite.terraform.aws.EnsureAWSElasticsearchHasNodeToNodeEncryptionEnabled - org.openrewrite.terraform.aws.EnsureAWSCMKRotationIsEnabled - org.openrewrite.terraform.aws.EncryptEBSVolumeLaunchConfiguration - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyExpiresPasswordsWithin90DaysOrLess - org.openrewrite.terraform.aws.EnsureAWSIAMPasswordPolicyHasAMinimumOf14Characters - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneLowercaseLetter - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneNumber - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyPreventsPasswordReuse - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneSymbol - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneUppercaseLetter - org.openrewrite.terraform.aws.EncryptRDSClusters - org.openrewrite.terraform.aws.EnsureAWSRDSDatabaseInstanceIsNotPubliclyAccessible # - org.openrewrite.terraform.aws.EnsureTheS3BucketHasAccessLoggingEnabled # leaving out of default pool, unsure, todo - org.openrewrite.terraform.aws.EnsureDataStoredInAnS3BucketIsSecurelyEncryptedAtRest - org.openrewrite.terraform.aws.EnsureAWSS3ObjectVersioningIsEnabled - org.openrewrite.terraform.aws.EnableDynamoDbPITR - org.openrewrite.terraform.aws.EncryptElastiCacheRedisAtRest - org.openrewrite.terraform.aws.EncryptElastiCacheRedisInTransit - org.openrewrite.terraform.aws.EnableECRScanOnPush - org.openrewrite.terraform.aws.UseHttpsForCloudfrontDistribution - org.openrewrite.terraform.aws.EnsureCloudTrailLogFileValidationIsEnabled - org.openrewrite.terraform.aws.EnsureAmazonEKSControlPlaneLoggingEnabledForAllLogTypes - org.openrewrite.terraform.aws.EnsureAWSEKSClusterEndpointAccessIsPubliclyDisabled - org.openrewrite.terraform.aws.EnsureAWSEFSWithEncryptionForDataAtRestIsEnabled - org.openrewrite.terraform.aws.EnsureKinesisStreamIsSecurelyEncrypted - org.openrewrite.terraform.aws.EncryptNeptuneStorage - org.openrewrite.terraform.aws.EncryptDAXStorage - org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionsHaveTracingEnabled - org.openrewrite.terraform.aws.ImmutableECRTags - org.openrewrite.terraform.aws.EncryptRedshift - org.openrewrite.terraform.aws.EncryptDocumentDB - org.openrewrite.terraform.aws.DisableInstanceMetadataServiceV1 - org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainsHaveEnforceHTTPSEnabled - org.openrewrite.terraform.aws.EncryptAuroraClusters - org.openrewrite.terraform.aws.EncryptEFSVolumesInECSTaskDefinitionsInTransit - org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionIsConfiguredForFunctionLevelConcurrentExecutionLimit - org.openrewrite.terraform.aws.EnsureEnhancedMonitoringForAmazonRDSInstancesIsEnabled - org.openrewrite.terraform.aws.EnableApiGatewayCaching - org.openrewrite.terraform.aws.EnsureDetailedMonitoringForEC2InstancesIsEnabled - org.openrewrite.terraform.aws.EnsureRespectiveLogsOfAmazonRDSAreEnabled - org.openrewrite.terraform.aws.EnsureVPCSubnetsDoNotAssignPublicIPByDefault - org.openrewrite.terraform.aws.EnsureEC2IsEBSOptimized - org.openrewrite.terraform.aws.EnsureECRRepositoriesAreEncrypted - org.openrewrite.terraform.aws.EncryptCodeBuild - org.openrewrite.terraform.aws.EnsureRDSInstancesHaveMultiAZEnabled - org.openrewrite.terraform.aws.EnsureRDSDatabaseHasIAMAuthenticationEnabled --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptEBSVolumes displayName: Encrypt EBS volumes description: Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed. AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots. Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss. tags: - terraform - AWS - CKV_AWS_3 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ebs_volume content: encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptEBSSnapshots displayName: Encrypt EBS snapshots description: EBS snapshots should be encrypted, as they often include sensitive information, customer PII or CPNI. tags: - terraform - AWS - CKV_AWS_4 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ebs_snapshot content: encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainEncryptionForDataAtRestIsEnabled displayName: Ensure AWS Elasticsearch domain encryption for data at rest is enabled description: Ensure AWS Elasticsearch domain encryption for data at rest is enabled. tags: - terraform - AWS - CKV_AWS_5 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_elasticsearch_domain content: |- encrypt_at_rest { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSElasticsearchHasNodeToNodeEncryptionEnabled displayName: Ensure AWS Elasticsearch has node-to-node encryption enabled description: Ensure AWS Elasticsearch has node-to-node encryption enabled. tags: - terraform - AWS - CKV_AWS_6 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_elasticsearch_domain content: |- node_to_node_encryption { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSCMKRotationIsEnabled displayName: Ensure AWS CMK rotation is enabled description: Ensure AWS CMK rotation is enabled. tags: - terraform - AWS - CKV_AWS_7 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_kms_key content: enable_key_rotation = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptEBSVolumeLaunchConfiguration displayName: Encrypt EBS volume launch configurations description: EBS volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted. tags: - terraform - AWS - CKV_AWS_8 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_launch_configuration content: |- root_block_device { encrypted = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyExpiresPasswordsWithin90DaysOrLess displayName: Ensure IAM password policy expires passwords within 90 days or less description: Ensure IAM password policy expires passwords within 90 days or less. tags: - terraform - AWS - CKV_AWS_9 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: max_password_age = 90 --- type: specs.openrewrite.org/v1beta/recipe # note, as with other recipes here (basically anything that makes a statement about "X-days or less", etc.), # this needs to be able to check whether the current value is in compliance with the stated policy. # for the time being, we only care about whether a "minimum_password_length" is defined at all. todo name: org.openrewrite.terraform.aws.EnsureAWSIAMPasswordPolicyHasAMinimumOf14Characters displayName: Ensure AWS IAM password policy has a minimum of 14 characters description: Ensure AWS IAM password policy has a minimum of 14 characters. tags: - terraform - AWS - CKV_AWS_10 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: minimum_password_length = 14 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneLowercaseLetter displayName: Ensure IAM password policy requires at least one lowercase letter description: Ensure IAM password policy requires at least one lowercase letter. tags: - terraform - AWS - CKV_AWS_11 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: require_lowercase_characters = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneNumber displayName: Ensure IAM password policy requires at least one number description: Ensure IAM password policy requires at least one number. tags: - terraform - AWS - CKV_AWS_12 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: require_numbers = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyPreventsPasswordReuse displayName: Ensure IAM password policy prevents password reuse description: Ensure IAM password policy prevents password reuse. tags: - terraform - AWS - CKV_AWS_13 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: password_reuse_prevention = 24 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneSymbol displayName: Ensure IAM password policy requires at least one symbol description: Ensure IAM password policy requires at least one symbol. tags: - terraform - AWS - CKV_AWS_14 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: require_symbols = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneUppercaseLetter displayName: Ensure IAM password policy requires at least one uppercase letter description: Ensure IAM password policy requires at least one uppercase letter. tags: - terraform - AWS - CKV_AWS_15 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_iam_account_password_policy content: require_uppercase_characters = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptRDSClusters displayName: Encrypt RDS clusters description: Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption. tags: - terraform - AWS - CKV_AWS_16 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: storage_encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSRDSDatabaseInstanceIsNotPubliclyAccessible displayName: Ensure AWS RDS database instance is not publicly accessible description: Ensure AWS RDS database instance is not publicly accessible. tags: - terraform - AWS - CKV_AWS_17 # questionable, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: publicly_accessible = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureTheS3BucketHasAccessLoggingEnabled displayName: Ensure the S3 bucket has access logging enabled description: Ensure the S3 bucket has access logging enabled. tags: - terraform - AWS - CKV_AWS_18 # handling of variable names, for the moment leaving it as content to be filled-in by users, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_s3_bucket content: |- logging { target_bucket = var.target_bucket target_prefix = "log/${var.s3_bucket_name}" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureDataStoredInAnS3BucketIsSecurelyEncryptedAtRest displayName: Ensure data stored in an S3 bucket is securely encrypted at rest description: Ensure data stored in an S3 bucket is securely encrypted at rest. tags: - terraform - AWS - CKV_AWS_19 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_s3_bucket content: |- server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } } } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSS3ObjectVersioningIsEnabled displayName: Ensure AWS S3 object versioning is enabled description: Ensure AWS S3 object versioning is enabled. tags: - terraform - AWS - CKV_AWS_21 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_s3_bucket content: |- versioning { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnableDynamoDbPITR displayName: Enable point-in-time recovery for DynamoDB description: DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations. tags: - terraform - AWS - CKV_AWS_28 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_dynamodb_table content: |- point_in_time_recovery { enabled = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptElastiCacheRedisAtRest displayName: Encrypt ElastiCache Redis at rest description: ElastiCache for Redis offers default encryption at rest as a service. tags: - terraform - AWS - CKV_AWS_29 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_elasticache_replication_group content: at_rest_encryption_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptElastiCacheRedisInTransit displayName: Encrypt ElastiCache Redis in transit description: ElastiCache for Redis offers optional encryption in transit. In-transit encryption provides an additional layer of data protection when transferring data over standard HTTPS protocol. tags: - terraform - AWS - CKV_AWS_30 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_elasticache_replication_group content: transit_encryption_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnableECRScanOnPush displayName: Scan images pushed to ECR description: ECR Image Scanning assesses and identifies operating system vulnerabilities. Using automated image scans you can ensure container image vulnerabilities are found before getting pushed to production. tags: - terraform - AWS - CKV_AWS_33 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ecr_repository content: |- image_scanning_configuration { scan_on_push = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.UseHttpsForCloudfrontDistribution displayName: Use HTTPS for Cloudfront distribution description: Secure communication by default. tags: - terraform - AWS - CKV_AWS_34 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_cloudfront_distribution content: viewer_protocol_policy = "https-only" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureCloudTrailLogFileValidationIsEnabled displayName: Ensure CloudTrail log file validation is enabled description: Ensure CloudTrail log file validation is enabled. tags: - terraform - AWS - CKV_AWS_36 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_cloudtrail content: enable_log_file_validation = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAmazonEKSControlPlaneLoggingEnabledForAllLogTypes displayName: Ensure Amazon EKS control plane logging enabled for all log types description: Ensure Amazon EKS control plane logging enabled for all log types. tags: - terraform - AWS - CKV_AWS_37 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_eks_cluster content: enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSEKSClusterEndpointAccessIsPubliclyDisabled displayName: Ensure AWS EKS cluster endpoint access is publicly disabled description: Ensure AWS EKS cluster endpoint access is publicly disabled. tags: - terraform - AWS - CKV_AWS_39 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_eks_cluster content: |- vpc_config { endpoint_public_access = false } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSEFSWithEncryptionForDataAtRestIsEnabled displayName: Ensure AWS EFS with encryption for data at rest is enabled description: Ensure AWS EFS with encryption for data at rest is enabled. tags: - terraform - AWS - CKV_AWS_42 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_efs_file_system content: encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureKinesisStreamIsSecurelyEncrypted displayName: Ensure Kinesis Stream is securely encrypted description: Ensure Kinesis Stream is securely encrypted. tags: - terraform - AWS - CKV_AWS_43 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_kinesis_stream content: encryption_type = "KMS" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptNeptuneStorage displayName: Encrypt Neptune storage description: Encryption of Neptune storage protects data and metadata against unauthorized access. tags: - terraform - AWS - CKV_AWS_44 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_neptune_cluster content: storage_encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptDAXStorage displayName: Encrypt DAX storage at rest description: DAX encryption at rest automatically integrates with AWS KMS for managing the single service default key used to encrypt clusters. tags: - terraform - AWS - CKV_AWS_47 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_dax_cluster content: server_side_encryption = enabled --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionsHaveTracingEnabled displayName: Ensure AWS Lambda functions have tracing enabled description: Ensure AWS Lambda functions have tracing enabled. tags: - terraform - AWS - CKV_AWS_50 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_lambda_function content: |- tracing_config { mode = "Active" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.ImmutableECRTags displayName: Make ECR tags immutable description: Amazon ECR supports immutable tags, preventing image tags from being overwritten. In the past, ECR tags could have been overwritten, this could be overcome by requiring users to uniquely identify an image using a naming convention. tags: - terraform - AWS - CKV_AWS_51 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ecr_repository content: image_tag_mutability = "IMMUTABLE" --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptRedshift displayName: Encrypt Redshift storage at rest description: Redshift clusters should be securely encrypted at rest. tags: - terraform - AWS - CKV_AWS_64 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_redshift_cluster content: encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptDocumentDB displayName: Encrypt DocumentDB storage description: The encryption feature available for Amazon DocumentDB clusters provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage. tags: - terraform - AWS - CKV_AWS_74 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_docdb_cluster content: storage_encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.DisableInstanceMetadataServiceV1 displayName: Disable Instance Metadata Service version 1 description: As a request/response method IMDSv1 is prone to local misconfigurations. tags: - terraform - AWS - CKV_AWS_79 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_instance content: |- metadata_options { http_endpoint = "enabled" http_tokens = "required" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainsHaveEnforceHTTPSEnabled displayName: Ensure AWS Elasticsearch domains have `EnforceHTTPS` enabled description: Ensure AWS Elasticsearch domains have `EnforceHTTPS` enabled. tags: - terraform - AWS - CKV_AWS_83 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_elasticsearch_domain content: |- domain_endpoint_options { enforce_https = true } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptAuroraClusters displayName: Encrypt Aurora clusters description: Native Aurora encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption. tags: - terraform - AWS - CKV_AWS_96 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_rds_cluster content: storage_encrypted = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptEFSVolumesInECSTaskDefinitionsInTransit displayName: Encrypt EFS Volumes in ECS Task Definitions in transit description: Enable attached EFS definitions in ECS tasks to use encryption in transit. tags: - terraform - AWS - CKV_AWS_97 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ecs_task_definition content: |- volume { transit_encryption = "ENABLED" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionIsConfiguredForFunctionLevelConcurrentExecutionLimit displayName: Ensure AWS Lambda function is configured for function-level concurrent execution limit description: Ensure AWS Lambda function is configured for function-level concurrent execution limit. tags: - terraform - AWS - CKV_AWS_115 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_lambda_function content: reserved_concurrent_executions = 0 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureEnhancedMonitoringForAmazonRDSInstancesIsEnabled displayName: Ensure enhanced monitoring for Amazon RDS instances is enabled description: Ensure enhanced monitoring for Amazon RDS instances is enabled. tags: - terraform - AWS - CKV_AWS_118 # questionable, todo recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: monitoring_interval = 5 --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnableApiGatewayCaching displayName: Enable API gateway caching description: Enable caching for all methods of API Gateway. tags: - terraform - AWS - CKV_AWS_120 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_api_gateway_rest_api content: cache_cluster_enabled = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureDetailedMonitoringForEC2InstancesIsEnabled displayName: Ensure detailed monitoring for EC2 instances is enabled description: Ensure detailed monitoring for EC2 instances is enabled. tags: - terraform - AWS - CKV_AWS_126 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_instance content: monitoring = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureRespectiveLogsOfAmazonRDSAreEnabled displayName: Ensure respective logs of Amazon RDS are enabled description: Ensure respective logs of Amazon RDS are enabled. tags: - terraform - AWS - CKV_AWS_129 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"] --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureVPCSubnetsDoNotAssignPublicIPByDefault displayName: Ensure VPC subnets do not assign public IP by default description: Ensure VPC subnets do not assign public IP by default. tags: - terraform - AWS - CKV_AWS_130 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_subnet content: map_public_ip_on_launch = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureEC2IsEBSOptimized displayName: Ensure EC2 is EBS optimized description: Ensure EC2 is EBS optimized. tags: - terraform - AWS - CKV_AWS_135 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_instance content: ebs_optimized = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureECRRepositoriesAreEncrypted displayName: Ensure ECR repositories are encrypted description: Ensure ECR repositories are encrypted. tags: - terraform - AWS - CKV_AWS_136 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_ecr_repository content: |- encryption_configuration { encryption_type = "KMS" } --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EncryptCodeBuild displayName: Encrypt CodeBuild projects description: Build artifacts, such as a cache, logs, exported raw test report data files, and build results, are encrypted by default using CMKs for Amazon S3 that are managed by the AWS Key Management Service. tags: - terraform - AWS - CKV_AWS_147 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_codebuild_project content: encryption_disabled = false --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureRDSInstancesHaveMultiAZEnabled displayName: Ensure RDS instances have Multi-AZ enabled description: Ensure RDS instances have Multi-AZ enabled. tags: - terraform - AWS - CKV_AWS_157 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: multi_az = true --- type: specs.openrewrite.org/v1beta/recipe name: org.openrewrite.terraform.aws.EnsureRDSDatabaseHasIAMAuthenticationEnabled displayName: Ensure RDS database has IAM authentication enabled description: Ensure RDS database has IAM authentication enabled. tags: - terraform - AWS - CKV_AWS_161 recipeList: - org.openrewrite.terraform.AddConfiguration: resourceName: aws_db_instance content: iam_database_authentication_enabled = true