Skip to content

gruntwork-io/tflint-ruleset-aws-cis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits

.github/workflows

.github/workflows

 
 

docs

docs

 
 

rules

rules

 
 

.gitignore

.gitignore

 
 

.goreleaser.yml

.goreleaser.yml

 
 

LICENSE.txt

LICENSE.txt

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

TFLint Ruleset CIS AWS Foundations Benchmark

CIS AWS Foundations Benchmark Version https://gruntwork.io/?ref=repo_cis_compliance_aws"

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

⚠️ This repository is a WIP. It only contains one single rule so far, to validate Security Groups, that is hard to enforce in any other way (see Rules section). In the future, we may add other CIS AWS Foundations Benchmark rules.

Requirements

  • TFLint v0.40+
  • Go v1.19

Installation

You can install the plugin with tflint --init. Declare a config in .tflint.hcl as follows:

plugin "aws-cis" {
  enabled = true

  version = "<VERSION>"
  source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Rules

Name Description Severity Enabled CIS Recommendation
aws_security_group_rule_invalid_cidr_block Ensure that SG rules do not allow public access to remote administration ports ERROR 5.2 and 5.3

Terragrunt

An effective way to enforce these rules is to add them to your Terragrunt configuration using Before Hooks.

terraform {
  before_hook "before_hook" {
    commands     = ["apply", "plan"]
    execute      = ["tflint"]
  }
}

In the root of the Terragrunt project, add a .tflint.hcl file, replacing <VERSION> below with the latest version from the releases page:

plugin "aws" {
    enabled = true
    version = "<VERSION>"
    source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Running locally

Building the plugin

Clone the repository locally and run the following command:

$ make

You can easily install the built plugin with the following:

$ make install

You can run the built plugin like the following:

$ cat << EOS > .tflint.hcl
plugin "aws-cis" {
  enabled = true
}
EOS
$ tflint

Manual release

NOTE: This project doesn't have automated releases at the moment (due to limitations of our GitHub org with GitHub actions) and does not sign the binaries (as tflint doesn't currently check signatures for plugins). See this Slack thread for more info.

In order to release the binaries, this project uses goreleaser (install instructions).

Export the variable GITHUB_TOKEN so the binaries can be uploaded to GitHub. The release should run locally from the tag that will have the release.

git checkout <TAG FOR THE RELEASE, e.g. v0.40.0>

export GITHUB_TOKEN=<TOKEN>

goreleaser release

About

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

gruntwork.io/achieve-compliance/

Topics

aws devops cis terraform tflint

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

10 stars

Watchers

11 watching

Forks

4 forks
Report repository

Releases 2

v0.0.2 Latest
Jan 6, 2023
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages