Investigate and resolve if possible Terraform related SAST vulnerabilities in Deployment
Currently in the Deployment project there are several SAST vulnerabilities.
We need to go through this list and do one of the following actions for each vulnerability:
- Fix the vulnerability by deploying a patch.
- If more work is required we can create a new issue for it.
- If it is a false positive then resolve the vulnerability.
Implementation Plan
- Add auto_upgrade to the google_container_node_pool. This is enabled by default, but our SAST analyser doesn't know it. It's good practice to set it explicitly so the configuration is more readable.
- Create a new issue for https://gitlab.com/gitlab-org/security-products/license-db/deployment/-/security/vulnerabilities/97903969
- Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute network_policy.enabled must be true and the attribute addons_config.network_policy_config.disabled must be false.
- Enable CS logging on both public buckets and the internal bucket.
- Enable CS versioning on both public buckets and the internal bucket.
- Enable DNSSEC in Cloud DNS.
- Set auto_repair to true in the google_container_node_pool. This is already true by default; setting it explicitly improves readability.
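The following Terraform is an added example showing what the items in the plan above look like when written out explicitly; it is not the Deployment project's own configuration. Every resource name, location, bucket name and DNS zone is a placeholder, and the three bucket names stand in for "both public buckets and the internal bucket". The one extra piece beyond the plan is the IAM binding on the log bucket, which Cloud Storage access logging needs in order to write log objects.

```hcl
# Added example (not the Deployment project's Terraform). All names, locations
# and bucket names are placeholders.

# --- GKE cluster: the SAST rule checks network policy in two places, so both
# network_policy.enabled and addons_config.network_policy_config are set.
resource "google_container_cluster" "example" {
  name     = "example-cluster" # placeholder
  location = "europe-west1"    # placeholder

  # Node pools are managed by the separate resource below.
  remove_default_node_pool = true
  initial_node_count       = 1

  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  addons_config {
    network_policy_config {
      disabled = false
    }
  }
}

# --- Node pool: auto_repair and auto_upgrade default to true in the provider,
# but stating them explicitly satisfies the analyser and documents the intent.
resource "google_container_node_pool" "example" {
  name       = "example-pool" # placeholder
  location   = google_container_cluster.example.location
  cluster    = google_container_cluster.example.name
  node_count = 1

  management {
    auto_repair  = true
    auto_upgrade = true
  }
}

# --- Cloud Storage: a dedicated log bucket, itself versioned so access logs
# cannot be silently overwritten.
resource "google_storage_bucket" "access_logs" {
  name     = "example-access-logs" # placeholder, must be globally unique
  location = "EU"                  # placeholder

  versioning {
    enabled = true
  }
}

# Access logs are written by Cloud Storage's own service group, which needs
# object-create permission on the log bucket; without this binding the
# logging block below is accepted but no log objects ever appear.
resource "google_storage_bucket_iam_member" "access_logs_writer" {
  bucket = google_storage_bucket.access_logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

locals {
  # Constructed stand-ins for the two public buckets and the internal bucket.
  logged_buckets = ["example-public-a", "example-public-b", "example-internal"]
}

resource "google_storage_bucket" "logged" {
  for_each = toset(local.logged_buckets)

  name     = each.key
  location = "EU" # placeholder

  versioning {
    enabled = true
  }

  logging {
    log_bucket        = google_storage_bucket.access_logs.name
    log_object_prefix = each.key
  }
}

# --- Cloud DNS: DNSSEC switched on for the managed zone.
resource "google_dns_managed_zone" "example" {
  name     = "example-zone"     # placeholder
  dns_name = "example.invalid." # placeholder

  dnssec_config {
    state = "on"
  }
}
```

`terraform validate` confirms the blocks are well-formed, but only a `terraform plan` against the real project shows what changes; for the node pool the management block should plan as a no-op because the values match the provider defaults, which is the point made in the plan above. Note that `network_policy.provider` and the DNSSEC `state` are the two settings here that are not pure readability changes: enabling them on an existing cluster or zone triggers an actual change rather than a cosmetic one.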
Edited by Nick Ilieskou