terraform-aws-eks VS checkov

cloudposse module was popular but most have moved to https://github.com/terraform-aws-modules/terraform-aws-eks also eks blueprints will be moving to this module. use eks blueprints v5

That's a very simplistic view. Let's do a small thought exercise. Is this module not infrastructure?

I think there is an issue with the module eks : https://github.com/terraform-aws-modules/terraform-aws-eks

module "eks" { source = "terraform-aws-modules/eks/aws" cluster_name = var.cluster_name cluster_version = var.kubernetes_version cluster_endpoint_private_access = true cluster_endpoint_public_access = true cluster_addons = { coredns = { most_recent = true timeouts = { create = "2m" # default 20m. Times out on first launch while being effectively created } } kube-proxy = { most_recent = true } vpc-cni = { most_recent = true } aws-ebs-csi-driver = { most_recent = true } } vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets # Self managed node groups will not automatically create the aws-auth configmap so we need to create_aws_auth_configmap = true manage_aws_auth_configmap = true aws_auth_users = var.aws_auth_users enable_irsa = true node_security_group_additional_rules = { ingress_self_all = { description = "Node to node all ports/protocols" protocol = "-1" from_port = 0 to_port = 0 type = "ingress" self = true } egress_all = { # by default, only https urls can be reached from inside the cluster description = "Node all egress" protocol = "-1" from_port = 0 to_port = 0 type = "egress" cidr_blocks = ["0.0.0.0/0"] ipv6_cidr_blocks = ["::/0"] } } self_managed_node_group_defaults = { # enable discovery of autoscaling groups by cluster-autoscaler autoscaling_group_tags = { "k8s.io/cluster-autoscaler/enabled" : true, "k8s.io/cluster-autoscaler/${var.cluster_name}" : "owned", } # from https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2207#issuecomment-1220679414 # to avoid "waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator" iam_role_additional_policies = { AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } } # possible values : https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/node_groups.tf self_managed_node_groups = { default_node_group = { create = false } # fulltime-az-a = { # name = "fulltime-az-a" # subnets = [module.vpc.private_subnets[0]] # instance_type = "t3.medium" # desired_size = 1 # bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=normal'" # } spot-az-a = { name = "spot-az-a" subnet_ids = [module.vpc.private_subnets[0]] # only one subnet to simplify PV usage # availability_zones = ["${var.region}a"] # conflict with previous option. TODO try subnet_ids=null at creation (because at modification it fails) desired_size = 2 min_size = 1 max_size = 10 bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'" use_mixed_instances_policy = true mixed_instances_policy = { instances_distribution = { on_demand_base_capacity = 0 on_demand_percentage_above_base_capacity = 0 spot_allocation_strategy = "lowest-price" # "capacity-optimized" described here : https://aws.amazon.com/blogs/compute/introducing-the-capacity-optimized-allocation-strategy-for-amazon-ec2-spot-instances/ } override = [ { instance_type = "t3.xlarge" weighted_capacity = "1" }, { instance_type = "t3a.xlarge" weighted_capacity = "1" }, ] } } } tags = local.tags }

If you want somewhat viable setup - I'd go for terraform-aws-modules (Anton did an awesome job), and aws-ia blueprints, especially those multi-tenant ones.

‏https://github.com/terraform-aws-modules/terraform-aws-eks

I tried using explicit depends_on between my modules but this practise is not recommended since it cause issues during planning.

If you use https://github.com/terraform-aws-modules/terraform-aws-eks it is designed to upgrade the components in the correct order when the cluster version is changed

1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.

Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

‍Checkov is another great tool that examines your Terraform files (.tf), parsing the configurations and evaluating them against a comprehensive set of predefined policies. It scans Terraform-managed infrastructure and detects misconfigurations that could lead to security issues or non-compliance with best practices and regulations.

Bridgecrew — Infrastructure as code (IaC) security powered by the open source tool - Checkov. The core Bridgecrew platform is free for up to 50 IaC resources.

Kustomize: It provides a solution to customize the Kubernetes resource base configuration and differential configuration without template and DSL. It does not solve the constraint problem itself, but needs to cooperate with a large number of additional tools to check constraints, such as Kube-linter, Checkov and kubescape.

Checkov is a versatile static code analysis tool designed for infrastructure as code (IaC) and software composition analysis (SCA). It supports a wide range of technologies, including Terraform, CloudFormation, Kubernetes, Docker, and others, to detect security and compliance issues through graph-based scanning. Checkov also performs SCA scans, identifying vulnerabilities in open source packages and images by checking for Common Vulnerabilities and Exposures (CVEs). Additionally, it is integrated into Prisma Cloud Application Security, a platform that helps developers secure cloud resources and infrastructure-as-code files, enabling the identification, rectification, and prevention of misconfigurations throughout the development lifecycle.

For your Dockerfiles, you can also scan them. There are lots of tools that can check your Dockerfiles. They will validate if Dockerfile is compliant with Docker best practices such as not using root user, making sure a health check exists, and not exposing the SSH port. You can use Snyk and Checkov.

You could try https://www.checkov.io/

We use https://www.checkov.io/ for this, it's very simple to get started with and works really well as PR quality gate

Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)