Added compliance scanning, updated README (#9)

nullstone-modules · Aug 8, 2023 · 0536386 · 0536386
1 parent 1735229
commit 0536386
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 2 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
     tags:
       - 'v*'
 
+permissions: read-all
+
 env:
   NULLSTONE_ORG: nullstone
   NULLSTONE_API_KEY: ${{ secrets.NULLSTONE_API_KEY }}
@@ -20,6 +22,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: Run Bridgecrew
+        id: Bridgecrew
+        uses: bridgecrewio/bridgecrew-action@master
+        with:
+          api-key: ${{ secrets.BC_API_KEY }}
+
       - name: Set up Nullstone
         uses: nullstone-io/setup-nullstone-action@v0
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# 0.6.0 (Aug 08, 2023)
+* Added compliance scanning.
+* Update `README.md` with application management info.
+* Configured root file system as read-only.
+* Configured requested resources.
+* Dropped additional capabilities from the container.
+* Configure liveness probe.
+
 # 0.5.9 (Jun 23, 2023)
 * Added optional `var.command` for overriding image CMD.
 

diff --git a/README.md b/README.md
@@ -1,3 +1,51 @@
-# gcp-gke-service
+# Google Kubernetes Engine Service
 
-Nullstone module to launch a GKE container on GCP.
+This app module is used to create a long-running service such as an API, Web App, or Background Worker.
+
+## When to use
+
+GKE Service is a great choice for APIs, Web Apps, or Background Workers and you do not want to manage a Kubernetes cluster.
+
+## Security & Compliance
+
+Security scanning is graciously provided by [Bridgecrew](https://bridgecrew.io/).
+Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
+
+![Infrastructure Security](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/general)
+![CIS AWS V1.3](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/cis_aws_13)
+![PCI-DSS V3.2](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/pci)
+![NIST-800-53](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/nist)
+![ISO27001](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/iso)
+![SOC2](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/soc2)
+![HIPAA](https://www.bridgecrew.cloud/badges/github/nullstone-modules/gcp-gke-service/hipaa)
+
+## Platform
+
+This module uses [GCP GKE](https://cloud.google.com/kubernetes-engine), which is a technology that allows you to run Kubernetes container applications without managing servers. 
+
+## Network Access
+
+When the service is provisioned, it is placed into private subnets on the connected network.
+As a result, the Fargate Service can route to services on the private network *and* is accessible on the private network.
+
+## Public Access
+
+To enable public access to the service, add an `Ingress` capability.
+
+In most cases, a `Load Balancer` capability is the best choice for exposing as it enables rollout deployments with no downtime.
+Additionally, a `Load Balancer` allows you to split traffic between more than 1 task based on load.
+
+## Logs
+
+Logs are automatically emitted to AWS Cloudwatch Log Group: `/<task-name>`.
+To access through the Nullstone CLI, use `nullstone logs` CLI command. (See [`logs`](https://docs.nullstone.io/getting-started/cli/docs.html#logs) for more information)
+
+## Secrets
+
+Nullstone automatically injects secrets into your GKE Service through environment variables.
+(They are stored in GCP Secrets Manager and injected by Kubernetes during launch.)
+
+## File system
+
+The root file system is configured to be read-only to prevent an attacker from making permanent local changes and prevents binaries from being written to the local filesystem.
+To create a persistent file system, add a `Datastore` to attach volumes or object storage.
diff --git a/deployment.tf b/deployment.tf
@@ -4,6 +4,8 @@ locals {
 }
 
 resource "kubernetes_deployment_v1" "this" {
+  #bridgecrew:skip=CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables". Secrets are provided as env vars for easier integration.
+  #bridgecrew:skip=CKV_K8S_43: "Image should use digest". Image digest is not available yet.
   wait_for_rollout = false
 
   metadata {
@@ -34,13 +36,40 @@ resource "kubernetes_deployment_v1" "this" {
           image = "${local.service_image}:${local.app_version}"
           args  = local.command
 
+          security_context {
+            read_only_root_filesystem = true
+
+            capabilities {
+              drop = ["ALL"]
+            }
+          }
+
           resources {
+            requests = {
+              cpu    = var.cpu
+              memory = var.memory
+            }
+
             limits = {
               cpu    = var.cpu
               memory = var.memory
             }
           }
 
+          liveness_probe {
+            failure_threshold     = 3
+            success_threshold     = 1
+            initial_delay_seconds = 0
+            period_seconds        = 10
+            timeout_seconds       = 1
+
+            http_get {
+              scheme = "HTTP"
+              path   = "/"
+              port   = var.port
+            }
+          }
+
           readiness_probe {
             failure_threshold     = 3
             success_threshold     = 1