Proposal: Address AWS security & cost findings and automate IaC scanning #200

@igor-soldev

Hi MOSIP team! 👋

First off, huge respect for the work you're doing. Building a robust, modular identity platform for national-scale deployment is an incredible technical achievement, and your declarative approach to infrastructure is highly appreciated.

My team at SolDevelo recently open-sourced InfraScan – an infrastructure auditor that scans Terraform and Docker configurations to catch security misconfigurations and cloud cost anti-patterns before they are deployed. We ran a baseline scan against the mosip/infra repository to test our tool against complex, multi-cloud setups and wanted to share the findings with you.

Overall, the infrastructure scored a 74% (C grade). While the foundation is strong, the scanner identified 83 potential issues (10 High, 70 Medium) in your Terraform configurations.

🔒 Security & Compliance Risks (Critical for Identity Platforms)

  • Unencrypted EBS Volumes (High): The scanner flagged 4 locations in modules/aws/aws-resource-creation/variables.tf where encrypted = false is explicitly set. For a platform handling PII, enforcing EBS encryption at rest is highly recommended.
  • Public IPs on EC2 Instances (Medium)
  • Permissive IAM Policies (Medium)
  • Missing VPC Flow Logs (Medium): The main AWS VPC does not have flow logging enabled, which is often a requirement for compliance and security auditing.

💰 Cost Optimization Opportunities

  • Missing AWS Budgets (High): None of the 5 AWS provider blocks configure budget alerts. Adding this is a quick win to protect deployments (especially dev/test environments) from unexpected cost overruns.
  • Expensive NAT Gateways (High): A managed NAT Gateway is provisioned in the base infrastructure. Depending on the traffic patterns, using VPC endpoints for AWS services could reduce data processing fees.
  • Missing Spot Instances (Medium): Dev/test clusters (k8s_instance_type) default to on-demand pricing. Leveraging Spot instances for non-production node pools could save 50-90% on compute costs.

You can view the full, detailed breakdown of the affected files and lines of code here:
👉 https://infrascan.soldevelo.com/?scan_id=6bf4a14c-ed6b-45f0-8e23-a381845bfaab

🤖 Automating this in CI/CD

To help your contributors catch these types of misconfigurations automatically before they are merged into develop or release branches, you can integrate our open-source scanner directly into your GitHub Actions. It runs locally in the pipeline without needing any AWS credentials.

Here is a quick snippet you can adapt for your .github/workflows/:

name: InfraScan IaC Audit
on: [push, pull_request]

# Least privilege: the job only needs to read the repository; it never needs AWS credentials.
permissions:
  contents: read

jobs:
  infrascan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The scanner reads the checked-out tree mounted at /scan and writes the report back there.
      # For supply-chain integrity, pin the image to a digest (soldevelo/infrascan@sha256:<digest>)
      # instead of the mutable :latest tag once a release has been verified.
      - name: Run InfraScan
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/scan \
            soldevelo/infrascan:latest \
            --scanner comprehensive \
            --format html \
            --out /scan/infrascan-report.html \
            --fail-on high_critical

      # if: always() keeps the report as an artifact even when --fail-on marks the job as failed.
      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: infrascan-report
          path: infrascan-report.html

You can find the tool's source code and documentation here: https://github.com/SolDevelo/InfraScan.

We are sharing this entirely pro bono to support the MOSIP ecosystem. If your DevOps team has any questions about these findings or would like assistance implementing some of these Terraform improvements, feel free to reach out. Keep up the great work! 🚀
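As an added example, not part of this issue and not InfraScan's or MOSIP's code: a minimal Python policy checker that implements the AWS checks listed in the findings above (unencrypted EBS, public IPs on EC2, wildcard IAM actions, VPCs without flow logs, AWS providers without a budget) over Terraform text, runs them against a constructed weak configuration and its hardened counterpart, and applies a fail-on severity gate of the kind the workflow snippet uses. The check names, severities, sample HCL and the regex-based parsing are assumptions of the example; the sample HCL is constructed and is not taken from mosip/infra.

```python
"""Added example (not the issue's, InfraScan's or MOSIP's code): a minimal Terraform policy
checker for the AWS findings above, plus a severity gate like the workflow's --fail-on.
Regex over HCL text is enough for a demo; a real scanner should use an HCL parser."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    address: str  # Terraform address, e.g. aws_instance.k8s_node or provider.aws


# Header of a top-level provider/resource block; its body is cut out by brace counting.
BLOCK_RE = re.compile(r'^(resource|provider)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)


def split_blocks(hcl):
    """Yield (kind, type, name, body) per top-level block (no string/heredoc awareness)."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), hcl[m.end():i - 1]


def scan(hcl):
    """Return one Finding per misconfiguration of the kinds listed in the issue."""
    blocks = list(split_blocks(hcl))
    vpcs = {name for _, typ, name, _ in blocks if typ == "aws_vpc"}
    logged = set()  # VPC names that some aws_flow_log references
    has_budget = any(typ == "aws_budgets_budget" for _, typ, _, _ in blocks)
    findings = []
    for kind, typ, name, body in blocks:
        addr = f"{typ}.{name}" if name else f"{kind}.{typ}"
        if kind == "provider" and typ == "aws" and not has_budget:
            findings.append(Finding("no-budget-alert", "high", addr))
        if typ in ("aws_ebs_volume", "aws_instance", "aws_launch_template") \
                and re.search(r"\bencrypted\s*=\s*false\b", body):
            findings.append(Finding("ebs-unencrypted", "high", addr))
        if typ == "aws_instance" and re.search(r"associate_public_ip_address\s*=\s*true", body):
            findings.append(Finding("ec2-public-ip", "medium", addr))
        # Full-admin Action wildcard, in jsonencode() HCL (Action = "*") or raw JSON ("Action": "*")
        if typ == "aws_iam_policy" and re.search(r'"?Action"?\s*[:=]\s*"\*"', body):
            findings.append(Finding("iam-action-wildcard", "medium", addr))
        if typ == "aws_flow_log":
            ref = re.search(r"vpc_id\s*=\s*aws_vpc\.(\w+)\.id", body)
            if ref:
                logged.add(ref.group(1))
    for v in sorted(vpcs - logged):
        findings.append(Finding("vpc-no-flow-log", "medium", f"aws_vpc.{v}"))
    return findings


def should_fail(findings, fail_on="high"):
    """Gate like --fail-on: True if any finding is at or above the threshold severity."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings)


# Constructed samples (not from mosip/infra): the weak pattern and its hardened counterpart.
WEAK_HCL = """
provider "aws" {}
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_instance" "k8s_node" {
  instance_type               = var.k8s_instance_type
  associate_public_ip_address = true
  root_block_device { encrypted = false }
}
resource "aws_iam_policy" "ops" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
"""
HARDENED_HCL = """
provider "aws" {}
resource "aws_budgets_budget" "monthly" {
  budget_type  = "COST"
  limit_amount = "500"
  limit_unit   = "USD"
  time_unit    = "MONTHLY"
}
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}
resource "aws_instance" "k8s_node" {
  instance_type               = var.k8s_instance_type
  associate_public_ip_address = false
  root_block_device { encrypted = true }
}
resource "aws_iam_policy" "ops" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = ["ec2:DescribeInstances"], Resource = "*" }] })
}
"""
```

Running `scan(WEAK_HCL)` yields five findings (two High, three Medium) and `should_fail` returns True at the default "high" threshold, while the hardened sample yields none. The hardened block also shows the remediation shape for each finding: `encrypted = true` on the block device, `associate_public_ip_address = false`, a scoped action list instead of `Action = "*"`, an `aws_flow_log` bound to the VPC, and an `aws_budgets_budget`. As a backstop for the EBS finding, the AWS provider's `aws_ebs_encryption_by_default` resource can enforce encryption account-wide so that a stray `encrypted = false` no longer produces a plaintext volume.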
