Create aks2.tf #2
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / defsec
Ensure AKS cluster has Network Policy configured
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / defsec
Ensure AKS has an API Server Authorized IP Ranges enabled
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check warning
Code scanning / defsec
Ensure AKS logging to Azure Monitoring is Configured
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / defsec
Ensure RBAC is enabled on AKS clusters
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure ephemeral disks are used for OS disks
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure AKS logging to Azure Monitoring is Configured
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure AKS has an API Server Authorized IP Ranges enabled
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure that AKS use the Paid Sku for its SLA
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure AKS cluster has Network Policy configured
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure that only critical system pods run on system nodes
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure that AKS uses disk encryption set
Comment on lines
+1
to
+25
| resource azurerm_kubernetes_cluster "k8s_cluster" { | ||
| dns_prefix = "terragoat-${var.environment}" | ||
| location = var.location | ||
| name = "terragoat-aks-${var.environment}" | ||
| resource_group_name = azurerm_resource_group.example.name | ||
| identity { | ||
| type = "SystemAssigned" | ||
| } | ||
| default_node_pool { | ||
| name = "default" | ||
| vm_size = "Standard_D2_v2" | ||
| node_count = 2 | ||
| } | ||
| addon_profile { | ||
| oms_agent { | ||
| enabled = false | ||
| } | ||
| kube_dashboard { | ||
| enabled = true | ||
| } | ||
| } | ||
| role_based_access_control { | ||
| enabled = false | ||
| } | ||
| } |
Check failure
Code scanning / bridgecrew
Ensure AKS cluster has Azure CNI networking enabled
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.