Updated security groups to fix trivy low issue

RussellGilmore · RussellGilmore · commit 6a73ce8ff7d2 · 2025-06-11T20:07:01.000-04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,6 +11,9 @@ repos:
     hooks:
       - id: terraform_fmt
         name: Terraform Formatter
+      - id: terraform_trivy
+        name: Terraform Trivy Security Scan
+        files: ^red-instance/.*\.tf$
   - repo: https://github.com/terraform-docs/terraform-docs
     rev: v0.20.0
     hooks:
diff --git a/README.md b/README.md
@@ -83,7 +83,7 @@ No modules.
 | <a name="input_dns_name"></a> [dns\_name](#input\_dns\_name) | The DNS name to use for the public DNS record | `string` | `""` | no |
 | <a name="input_enable_public_dns"></a> [enable\_public\_dns](#input\_enable\_public\_dns) | Controls whether a public DNS record should be created | `bool` | `false` | no |
 | <a name="input_enable_s3_bucket_policy"></a> [enable\_s3\_bucket\_policy](#input\_enable\_s3\_bucket\_policy) | Controls whether an S3 bucket policy should be attached to the instance role | `bool` | `false` | no |
-| <a name="input_ingress_rules"></a> [ingress\_rules](#input\_ingress\_rules) | List of ingress rules | <pre>list(object({<br/>    from_port   = number<br/>    to_port     = number<br/>    protocol    = string<br/>    cidr_blocks = list(string)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "cidr_blocks": [<br/>      "0.0.0.0/0"<br/>    ],<br/>    "from_port": 22,<br/>    "protocol": "tcp",<br/>    "to_port": 22<br/>  }<br/>]</pre> | no |
+| <a name="input_ingress_rules"></a> [ingress\_rules](#input\_ingress\_rules) | List of ingress rules | <pre>list(object({<br/>    description = string<br/>    from_port   = number<br/>    to_port     = number<br/>    protocol    = string<br/>    cidr_blocks = list(string)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "cidr_blocks": [<br/>      "0.0.0.0/0"<br/>    ],<br/>    "description": "Allow SSH access",<br/>    "from_port": 22,<br/>    "protocol": "tcp",<br/>    "to_port": 22<br/>  }<br/>]</pre> | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the instance | `string` | n/a | yes |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The instance type to use for the instance | `string` | `"t4g.small"` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Set the project name. | `string` | n/a | yes |
diff --git a/red-instance/main.tf b/red-instance/main.tf
@@ -39,6 +39,7 @@ resource "aws_security_group" "allow_ssh" {
   dynamic "ingress" {
     for_each = var.ingress_rules
     content {
+      description = ingress.value.description
       from_port   = ingress.value.from_port
       to_port     = ingress.value.to_port
       protocol    = ingress.value.protocol
diff --git a/red-instance/variables.tf b/red-instance/variables.tf
@@ -68,13 +68,15 @@ variable "volume_size" {
 variable "ingress_rules" {
   description = "List of ingress rules"
   type = list(object({
+    description = string
     from_port   = number
     to_port     = number
     protocol    = string
     cidr_blocks = list(string)
   }))
   default = [
     {
+      description = "Allow SSH access"
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
diff --git a/tests/dns-only/main.tf b/tests/dns-only/main.tf
@@ -42,6 +42,7 @@ module "red-instance" {
   # Only allow SSH access
   ingress_rules = [
     {
+      description = "Allow SSH access from anywhere"
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
diff --git a/tests/full-force/main.tf b/tests/full-force/main.tf
@@ -42,24 +42,28 @@ module "red-instance" {
   # Comprehensive security group rules
   ingress_rules = [
     {
+      description = "Allow SSH access from the VPC"
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
       cidr_blocks = ["10.0.0.0/16"]
     },
     {
+      description = "Allow HTTP access from anywhere"
       from_port   = 80
       to_port     = 80
       protocol    = "tcp"
       cidr_blocks = ["0.0.0.0/0"]
     },
     {
+      description = "Allow HTTPS access from anywhere"
       from_port   = 443
       to_port     = 443
       protocol    = "tcp"
       cidr_blocks = ["0.0.0.0/0"]
     },
     {
+      description = "Allow custom application traffic"
       from_port   = 8000
       to_port     = 9000
       protocol    = "tcp"
diff --git a/tests/manual/disabled/main.tf b/tests/manual/disabled/main.tf
@@ -7,12 +7,14 @@ module "red-instance" {
   region       = "us-east-1"
   ingress_rules = [
     {
+      description = "Allow SSH access from anywhere"
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
       cidr_blocks = ["0.0.0.0/0"]
     },
     {
+      description = "Allow HTTP access from anywhere"
       from_port   = 80
       to_port     = 80
       protocol    = "tcp"
diff --git a/tests/manual/enabled/main.tf b/tests/manual/enabled/main.tf
@@ -5,12 +5,14 @@ module "red-instance" {
   region       = "us-east-1"
   ingress_rules = [
     {
+      description = "Allow SSH access from anywhere"
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
       cidr_blocks = ["0.0.0.0/0"]
     },
     {
+      description = "Allow HTTP access from anywhere"
       from_port   = 80
       to_port     = 80
       protocol    = "tcp"

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ module "red-instance" {`
`42`	`42`	`# Only allow SSH access`
`43`	`43`	`ingress_rules = [`
`44`	`44`	`{`
	`45`	`+ description = "Allow SSH access from anywhere"`
`45`	`46`	`from_port = 22`
`46`	`47`	`to_port = 22`
`47`	`48`	`protocol = "tcp"`