Experience Builder


Terraform

Repository
Azure-Samples / private-aks-cluster-terraform-devops
Description

This sample shows how to create a private AKS cluster using Terraform and Azure DevOps.

Stars

 128

Failed Checks
  • Security Scanning
  • Linting

Scan Date
    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.

    There is an opportunity to:

    Checkov Output

    terraform scan results:

    Passed checks: 52, Failed checks: 54, Skipped checks: 0
    
    Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Calling File: /agent/main.tf:35-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
    	FAILED for resource: module.virtual_machine.azurerm_network_security_group.nsg
    	File: /agent/modules/virtual_machine/main.tf:27-50
    	Calling File: /agent/main.tf:56-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
    
    		27 | resource "azurerm_network_security_group" "nsg" {
    		28 |   name                = "${var.name}Nsg"
    		29 |   location            = var.location
    		30 |   resource_group_name = var.resource_group_name
    		31 |   tags                = var.tags
    		32 | 
    		33 |   security_rule {
    		34 |     name                       = "SSH"
    		35 |     priority                   = 1001
    		36 |     direction                  = "Inbound"
    		37 |     access                     = "Allow"
    		38 |     protocol                   = "Tcp"
    		39 |     source_port_range          = "*"
    		40 |     destination_port_range     = "22"
    		41 |     source_address_prefix      = "*"
    		42 |     destination_address_prefix = "*"
    		43 |   }
    		44 | 
    		45 |   lifecycle {
    		46 |     ignore_changes = [
    		47 |         tags
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: module.virtual_machine.azurerm_linux_virtual_machine.virtual_machine
    	File: /agent/modules/virtual_machine/main.tf:78-120
    	Calling File: /agent/main.tf:56-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		78  | resource "azurerm_linux_virtual_machine" "virtual_machine" {
    		79  |   name                          = var.name
    		80  |   location                      = var.location
    		81  |   resource_group_name           = var.resource_group_name
    		82  |   network_interface_ids         = [azurerm_network_interface.nic.id]
    		83  |   size                          = var.size
    		84  |   computer_name                 = var.name
    		85  |   admin_username                = var.vm_user
    		86  |   tags                          = var.tags
    		87  | 
    		88  |   os_disk {
    		89  |     name                 = "${var.name}OsDisk"
    		90  |     caching              = "ReadWrite"
    		91  |     storage_account_type = var.os_disk_storage_account_type
    		92  |   }
    		93  | 
    		94  |   admin_ssh_key {
    		95  |     username   = var.vm_user
    		96  |     public_key = var.admin_ssh_public_key
    		97  |   }
    		98  | 
    		99  |   source_image_reference {
    		100 |     offer     = lookup(var.os_disk_image, "offer", null)
    		101 |     publisher = lookup(var.os_disk_image, "publisher", null)
    		102 |     sku       = lookup(var.os_disk_image, "sku", null)
    		103 |     version   = lookup(var.os_disk_image, "version", null)
    		104 |   }
    		105 | 
    		106 |   boot_diagnostics {
    		107 |     storage_account_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account
    		108 |   }
    		109 | 
    		110 |   lifecycle {
    		111 |     ignore_changes = [
    		112 |         tags
    		113 |     ]
    		114 |   }
    		115 | 
    		116 |   depends_on = [
    		117 |     azurerm_network_interface.nic,
    		118 |     azurerm_network_security_group.nsg
    		119 |   ]
    		120 | }
    
    Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_117: "Ensure that AKS uses disk encryption set"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-uses-disk-encryption-set.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_7: "Ensure AKS cluster has Network Policy configured"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_170: "Ensure that AKS use the Paid Sku for its SLA"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_141: "Ensure AKS local admin account is disabled"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-kubernetes-service-aks-local-admin-account-is-disabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
    	FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
    	File: /terraform/modules/aks/main.tf:25-112
    	Calling File: /terraform/main.tf:165-212
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
    	FAILED for resource: module.container_registry.azurerm_container_registry.acr
    	File: /terraform/modules/container_registry/main.tf:11-40
    	Calling File: /terraform/main.tf:153-163
    
    		11 | resource "azurerm_container_registry" "acr" {
    		12 |   name                     = var.name
    		13 |   resource_group_name      = var.resource_group_name
    		14 |   location                 = var.location
    		15 |   sku                      = var.sku  
    		16 |   admin_enabled            = var.admin_enabled
    		17 |   tags                     = var.tags
    		18 | 
    		19 |   identity {
    		20 |     type = "UserAssigned"
    		21 |     identity_ids = [
    		22 |       azurerm_user_assigned_identity.acr_identity.id
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   dynamic "georeplications" {
    		27 |     for_each = var.georeplication_locations
    		28 | 
    		29 |     content {
    		30 |       location = georeplications.value
    		31 |       tags     = var.tags
    		32 |     }
    		33 |   }
    		34 | 
    		35 |   lifecycle {
    		36 |       ignore_changes = [
    		37 |           tags
    		38 |       ]
    		39 |   }
    		40 | }
    
    Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
    	FAILED for resource: module.container_registry.azurerm_container_registry.acr
    	File: /terraform/modules/container_registry/main.tf:11-40
    	Calling File: /terraform/main.tf:153-163
    
    		11 | resource "azurerm_container_registry" "acr" {
    		12 |   name                     = var.name
    		13 |   resource_group_name      = var.resource_group_name
    		14 |   location                 = var.location
    		15 |   sku                      = var.sku  
    		16 |   admin_enabled            = var.admin_enabled
    		17 |   tags                     = var.tags
    		18 | 
    		19 |   identity {
    		20 |     type = "UserAssigned"
    		21 |     identity_ids = [
    		22 |       azurerm_user_assigned_identity.acr_identity.id
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   dynamic "georeplications" {
    		27 |     for_each = var.georeplication_locations
    		28 | 
    		29 |     content {
    		30 |       location = georeplications.value
    		31 |       tags     = var.tags
    		32 |     }
    		33 |   }
    		34 | 
    		35 |   lifecycle {
    		36 |       ignore_changes = [
    		37 |           tags
    		38 |       ]
    		39 |   }
    		40 | }
    
    Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
    	FAILED for resource: module.container_registry.azurerm_container_registry.acr
    	File: /terraform/modules/container_registry/main.tf:11-40
    	Calling File: /terraform/main.tf:153-163
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
    
    		11 | resource "azurerm_container_registry" "acr" {
    		12 |   name                     = var.name
    		13 |   resource_group_name      = var.resource_group_name
    		14 |   location                 = var.location
    		15 |   sku                      = var.sku  
    		16 |   admin_enabled            = var.admin_enabled
    		17 |   tags                     = var.tags
    		18 | 
    		19 |   identity {
    		20 |     type = "UserAssigned"
    		21 |     identity_ids = [
    		22 |       azurerm_user_assigned_identity.acr_identity.id
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   dynamic "georeplications" {
    		27 |     for_each = var.georeplication_locations
    		28 | 
    		29 |     content {
    		30 |       location = georeplications.value
    		31 |       tags     = var.tags
    		32 |     }
    		33 |   }
    		34 | 
    		35 |   lifecycle {
    		36 |       ignore_changes = [
    		37 |           tags
    		38 |       ]
    		39 |   }
    		40 | }
    
    Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
    	FAILED for resource: module.container_registry.azurerm_container_registry.acr
    	File: /terraform/modules/container_registry/main.tf:11-40
    	Calling File: /terraform/main.tf:153-163
    	Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
    
    		11 | resource "azurerm_container_registry" "acr" {
    		12 |   name                     = var.name
    		13 |   resource_group_name      = var.resource_group_name
    		14 |   location                 = var.location
    		15 |   sku                      = var.sku  
    		16 |   admin_enabled            = var.admin_enabled
    		17 |   tags                     = var.tags
    		18 | 
    		19 |   identity {
    		20 |     type = "UserAssigned"
    		21 |     identity_ids = [
    		22 |       azurerm_user_assigned_identity.acr_identity.id
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   dynamic "georeplications" {
    		27 |     for_each = var.georeplication_locations
    		28 | 
    		29 |     content {
    		30 |       location = georeplications.value
    		31 |       tags     = var.tags
    		32 |     }
    		33 |   }
    		34 | 
    		35 |   lifecycle {
    		36 |       ignore_changes = [
    		37 |           tags
    		38 |       ]
    		39 |   }
    		40 | }
    
    Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
    	FAILED for resource: module.container_registry.azurerm_container_registry.acr
    	File: /terraform/modules/container_registry/main.tf:11-40
    	Calling File: /terraform/main.tf:153-163
    
    		11 | resource "azurerm_container_registry" "acr" {
    		12 |   name                     = var.name
    		13 |   resource_group_name      = var.resource_group_name
    		14 |   location                 = var.location
    		15 |   sku                      = var.sku  
    		16 |   admin_enabled            = var.admin_enabled
    		17 |   tags                     = var.tags
    		18 | 
    		19 |   identity {
    		20 |     type = "UserAssigned"
    		21 |     identity_ids = [
    		22 |       azurerm_user_assigned_identity.acr_identity.id
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   dynamic "georeplications" {
    		27 |     for_each = var.georeplication_locations
    		28 | 
    		29 |     content {
    		30 |       location = georeplications.value
    		31 |       tags     = var.tags
    		32 |     }
    		33 |   }
    		34 | 
    		35 |   lifecycle {
    		36 |       ignore_changes = [
    		37 |           tags
    		38 |       ]
    		39 |   }
    		40 | }
    
    Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
    	FAILED for resource: module.firewall.azurerm_firewall.firewall
    	File: /terraform/modules/firewall/main.tf:27-51
    	Calling File: /terraform/main.tf:117-130
    
    		27 | resource "azurerm_firewall" "firewall" {
    		28 |   name                = var.name
    		29 |   resource_group_name = var.resource_group_name
    		30 |   location            = var.location
    		31 |   zones               = var.zones
    		32 |   threat_intel_mode   = var.threat_intel_mode
    		33 |   sku_name            = var.sku_name
    		34 |   sku_tier            = var.sku_tier
    		35 |   firewall_policy_id  = azurerm_firewall_policy.policy.id
    		36 |   tags                = var.tags
    		37 | 
    		38 | 
    		39 |   ip_configuration {
    		40 |     name                 = "fw_ip_config"
    		41 |     subnet_id            = var.subnet_id
    		42 |     public_ip_address_id = azurerm_public_ip.pip.id
    		43 |   }
    		44 | 
    		45 |   lifecycle {
    		46 |     ignore_changes = [
    		47 |       tags,
    		48 |       
    		49 |     ]
    		50 |   }
    		51 | }
    
    Check: CKV_AZURE_220: "Ensure Firewall policy has IDPS mode as deny"
    	FAILED for resource: module.firewall.azurerm_firewall_policy.policy
    	File: /terraform/modules/firewall/main.tf:53-63
    	Calling File: /terraform/main.tf:117-130
    
    		53 | resource "azurerm_firewall_policy" "policy" {
    		54 |   name                = "${var.name}Policy"
    		55 |   resource_group_name = var.resource_group_name
    		56 |   location            = var.location
    		57 | 
    		58 |   lifecycle {
    		59 |     ignore_changes = [
    		60 |       tags
    		61 |     ]
    		62 |   }
    		63 | }
    
    Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
    	FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
    	File: /terraform/modules/key_vault/main.tf:11-41
    	Calling File: /terraform/main.tf:307-325
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
    
    		11 | resource "azurerm_key_vault" "key_vault" {
    		12 |   name                            = var.name
    		13 |   location                        = var.location
    		14 |   resource_group_name             = var.resource_group_name
    		15 |   tenant_id                       = var.tenant_id
    		16 |   sku_name                        = var.sku_name
    		17 |   tags                            = var.tags
    		18 |   enabled_for_deployment          = var.enabled_for_deployment
    		19 |   enabled_for_disk_encryption     = var.enabled_for_disk_encryption
    		20 |   enabled_for_template_deployment = var.enabled_for_template_deployment
    		21 |   enable_rbac_authorization       = var.enable_rbac_authorization
    		22 |   purge_protection_enabled        = var.purge_protection_enabled
    		23 |   soft_delete_retention_days      = var.soft_delete_retention_days
    		24 |   
    		25 |   timeouts {
    		26 |     delete = "60m"
    		27 |   }
    		28 | 
    		29 |   network_acls {
    		30 |     bypass                     = var.bypass
    		31 |     default_action             = var.default_action
    		32 |     ip_rules                   = var.ip_rules
    		33 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		34 |   }
    		35 | 
    		36 |   lifecycle {
    		37 |       ignore_changes = [
    		38 |           tags
    		39 |       ]
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
    	FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
    	File: /terraform/modules/key_vault/main.tf:11-41
    	Calling File: /terraform/main.tf:307-325
    
    		11 | resource "azurerm_key_vault" "key_vault" {
    		12 |   name                            = var.name
    		13 |   location                        = var.location
    		14 |   resource_group_name             = var.resource_group_name
    		15 |   tenant_id                       = var.tenant_id
    		16 |   sku_name                        = var.sku_name
    		17 |   tags                            = var.tags
    		18 |   enabled_for_deployment          = var.enabled_for_deployment
    		19 |   enabled_for_disk_encryption     = var.enabled_for_disk_encryption
    		20 |   enabled_for_template_deployment = var.enabled_for_template_deployment
    		21 |   enable_rbac_authorization       = var.enable_rbac_authorization
    		22 |   purge_protection_enabled        = var.purge_protection_enabled
    		23 |   soft_delete_retention_days      = var.soft_delete_retention_days
    		24 |   
    		25 |   timeouts {
    		26 |     delete = "60m"
    		27 |   }
    		28 | 
    		29 |   network_acls {
    		30 |     bypass                     = var.bypass
    		31 |     default_action             = var.default_action
    		32 |     ip_rules                   = var.ip_rules
    		33 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		34 |   }
    		35 | 
    		36 |   lifecycle {
    		37 |       ignore_changes = [
    		38 |           tags
    		39 |       ]
    		40 |   }
    		41 | }
    
    Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
    	FAILED for resource: module.node_pool.azurerm_kubernetes_cluster_node_pool.node_pool
    	File: /terraform/modules/node_pool/main.tf:11-41
    	Calling File: /terraform/main.tf:281-305
    
    		11 | resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
    		12 |   kubernetes_cluster_id        = var.kubernetes_cluster_id
    		13 |   name                         = var.name
    		14 |   vm_size                      = var.vm_size
    		15 |   mode                         = var.mode
    		16 |   node_labels                  = var.node_labels
    		17 |   node_taints                  = var.node_taints
    		18 |   zones                        = var.availability_zones
    		19 |   vnet_subnet_id               = var.vnet_subnet_id
    		20 |   pod_subnet_id                = var.pod_subnet_id
    		21 |   enable_auto_scaling          = var.enable_auto_scaling
    		22 |   enable_host_encryption       = var.enable_host_encryption
    		23 |   enable_node_public_ip        = var.enable_node_public_ip
    		24 |   proximity_placement_group_id = var.proximity_placement_group_id
    		25 |   orchestrator_version         = var.orchestrator_version
    		26 |   max_pods                     = var.max_pods
    		27 |   max_count                    = var.max_count
    		28 |   min_count                    = var.min_count
    		29 |   node_count                   = var.node_count
    		30 |   os_disk_size_gb              = var.os_disk_size_gb
    		31 |   os_disk_type                 = var.os_disk_type
    		32 |   os_type                      = var.os_type
    		33 |   priority                     = var.priority
    		34 |   tags                         = var.tags
    		35 | 
    		36 |   lifecycle {
    		37 |     ignore_changes = [
    		38 |         tags
    		39 |     ]
    		40 |   }
    		41 | }
    Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Calling File: /terraform/main.tf:237-245
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
    	FAILED for resource: module.virtual_machine.azurerm_network_security_group.nsg
    	File: /terraform/modules/virtual_machine/main.tf:27-50
    	Calling File: /terraform/main.tf:257-279
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
    
    		27 | resource "azurerm_network_security_group" "nsg" {
    		28 |   name                = "${var.name}Nsg"
    		29 |   location            = var.location
    		30 |   resource_group_name = var.resource_group_name
    		31 |   tags                = var.tags
    		32 | 
    		33 |   security_rule {
    		34 |     name                       = "SSH"
    		35 |     priority                   = 1001
    		36 |     direction                  = "Inbound"
    		37 |     access                     = "Allow"
    		38 |     protocol                   = "Tcp"
    		39 |     source_port_range          = "*"
    		40 |     destination_port_range     = "22"
    		41 |     source_address_prefix      = "*"
    		42 |     destination_address_prefix = "*"
    		43 |   }
    		44 | 
    		45 |   lifecycle {
    		46 |     ignore_changes = [
    		47 |         tags
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: module.virtual_machine.azurerm_linux_virtual_machine.virtual_machine
    	File: /terraform/modules/virtual_machine/main.tf:78-120
    	Calling File: /terraform/main.tf:257-279
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		78  | resource "azurerm_linux_virtual_machine" "virtual_machine" {
    		79  |   name                          = var.name
    		80  |   location                      = var.location
    		81  |   resource_group_name           = var.resource_group_name
    		82  |   network_interface_ids         = [azurerm_network_interface.nic.id]
    		83  |   size                          = var.size
    		84  |   computer_name                 = var.name
    		85  |   admin_username                = var.vm_user
    		86  |   tags                          = var.tags
    		87  | 
    		88  |   os_disk {
    		89  |     name                 = "${var.name}OsDisk"
    		90  |     caching              = "ReadWrite"
    		91  |     storage_account_type = var.os_disk_storage_account_type
    		92  |   }
    		93  | 
    		94  |   admin_ssh_key {
    		95  |     username   = var.vm_user
    		96  |     public_key = var.admin_ssh_public_key
    		97  |   }
    		98  | 
    		99  |   source_image_reference {
    		100 |     offer     = lookup(var.os_disk_image, "offer", null)
    		101 |     publisher = lookup(var.os_disk_image, "publisher", null)
    		102 |     sku       = lookup(var.os_disk_image, "sku", null)
    		103 |     version   = lookup(var.os_disk_image, "version", null)
    		104 |   }
    		105 | 
    		106 |   boot_diagnostics {
    		107 |     storage_account_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account
    		108 |   }
    		109 | 
    		110 |   lifecycle {
    		111 |     ignore_changes = [
    		112 |         tags
    		113 |     ]
    		114 |   }
    		115 | 
    		116 |   depends_on = [
    		117 |     azurerm_network_interface.nic,
    		118 |     azurerm_network_security_group.nsg
    		119 |   ]
    		120 | }
    
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: azurerm_storage_container.core-container
    	File: /storage-account/az-remote-backend-main.tf:43-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		43 | resource "azurerm_storage_container" "core-container" {
    		44 |   depends_on = [azurerm_storage_account.state-sta]
    		45 |   name = "core-tfstate"
    		46 |   storage_account_name = azurerm_storage_account.state-sta.name
    		47 | }
    Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
    	FAILED for resource: module.virtual_machine.azurerm_network_interface.nic
    	File: /agent/modules/virtual_machine/main.tf:52-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
    
    		52 | resource "azurerm_network_interface" "nic" {
    		53 |   name                = "${var.name}Nic"
    		54 |   location            = var.location
    		55 |   resource_group_name = var.resource_group_name
    		56 |   tags                = var.tags
    		57 | 
    		58 |   ip_configuration {
    		59 |     name                          = "Configuration"
    		60 |     subnet_id                     = var.subnet_id
    		61 |     private_ip_address_allocation = "Dynamic"
    		62 |     public_ip_address_id          = try(azurerm_public_ip.public_ip[0].id, "")
    		63 |   }
    		64 | 
    		65 |   lifecycle {
    		66 |     ignore_changes = [
    		67 |       tags
    		68 |     ]
    		69 |   }
    		70 | }
    
    Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
    	FAILED for resource: module.virtual_machine.azurerm_network_interface.nic
    	File: /terraform/modules/virtual_machine/main.tf:52-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
    
    		52 | resource "azurerm_network_interface" "nic" {
    		53 |   name                = "${var.name}Nic"
    		54 |   location            = var.location
    		55 |   resource_group_name = var.resource_group_name
    		56 |   tags                = var.tags
    		57 | 
    		58 |   ip_configuration {
    		59 |     name                          = "Configuration"
    		60 |     subnet_id                     = var.subnet_id
    		61 |     private_ip_address_allocation = "Dynamic"
    		62 |     public_ip_address_id          = try(azurerm_public_ip.public_ip[0].id, null)
    		63 |   }
    		64 | 
    		65 |   lifecycle {
    		66 |     ignore_changes = [
    		67 |       tags
    		68 |     ]
    		69 |   }
    		70 | }
    
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /agent/modules/storage_account/main.tf:11-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
    	FAILED for resource: azurerm_storage_account.state-sta
    	File: /storage-account/az-remote-backend-main.tf:24-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
    
    		24 | resource "azurerm_storage_account" "state-sta" {
    		25 |   depends_on = [azurerm_resource_group.state-rg]
    		26 |   name = "${lower(var.company)}tf${random_string.tf-name.result}"
    		27 |   resource_group_name = azurerm_resource_group.state-rg.name
    		28 |   location = azurerm_resource_group.state-rg.location
    		29 |   account_kind = "StorageV2"
    		30 |   account_tier = "Standard"
    		31 |   access_tier = "Hot"
    		32 |   account_replication_type = "ZRS"
    		33 |   enable_https_traffic_only = true
    		34 |    
    		35 |   lifecycle {
    		36 |     prevent_destroy = true
    		37 |   }
    		38 |   tags = {
    		39 |     environment = var.environment
    		40 |   }
    		41 | }
    
    Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
    	File: /terraform/modules/storage_account/main.tf:11-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
    
    		11 | resource "azurerm_storage_account" "storage_account" {
    		12 |   name                = var.name
    		13 |   resource_group_name = var.resource_group_name
    		14 | 
    		15 |   location                 = var.location
    		16 |   account_kind             = var.account_kind
    		17 |   account_tier             = var.account_tier
    		18 |   account_replication_type = var.replication_type
    		19 |   is_hns_enabled           = var.is_hns_enabled
    		20 |   tags                     = var.tags
    		21 | 
    		22 |   network_rules {
    		23 |     default_action             = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
    		24 |     ip_rules                   = var.ip_rules
    		25 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		26 |   }
    		27 | 
    		28 |   identity {
    		29 |     type = "SystemAssigned"
    		30 |   }
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |         tags
    		35 |     ]
    		36 |   }
    		37 | }
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.hub_network.azurerm_subnet.subnet["AzureFirewallSubnet"]
    	File: /terraform/modules/virtual_network/main.tf:25-34
    
    		25 | resource "azurerm_subnet" "subnet" {
    		26 |   for_each = { for subnet in var.subnets : subnet.name => subnet }
    		27 | 
    		28 |   name                                           = each.key
    		29 |   resource_group_name                            = var.resource_group_name
    		30 |   virtual_network_name                           = azurerm_virtual_network.vnet.name
    		31 |   address_prefixes                               = each.value.address_prefixes
    		32 |   enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
    		33 |   enforce_private_link_service_network_policies  = each.value.enforce_private_link_service_network_policies
    		34 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.aks_network.azurerm_subnet.subnet
    	File: /terraform/modules/virtual_network/main.tf:25-34
    
    		25 | resource "azurerm_subnet" "subnet" {
    		26 |   for_each = { for subnet in var.subnets : subnet.name => subnet }
    		27 | 
    		28 |   name                                           = each.key
    		29 |   resource_group_name                            = var.resource_group_name
    		30 |   virtual_network_name                           = azurerm_virtual_network.vnet.name
    		31 |   address_prefixes                               = each.value.address_prefixes
    		32 |   enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
    		33 |   enforce_private_link_service_network_policies  = each.value.enforce_private_link_service_network_policies
    		34 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.hub_network.azurerm_subnet.subnet["AzureBastionSubnet"]
    	File: /terraform/modules/virtual_network/main.tf:25-34
    
    		25 | resource "azurerm_subnet" "subnet" {
    		26 |   for_each = { for subnet in var.subnets : subnet.name => subnet }
    		27 | 
    		28 |   name                                           = each.key
    		29 |   resource_group_name                            = var.resource_group_name
    		30 |   virtual_network_name                           = azurerm_virtual_network.vnet.name
    		31 |   address_prefixes                               = each.value.address_prefixes
    		32 |   enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
    		33 |   enforce_private_link_service_network_policies  = each.value.enforce_private_link_service_network_policies
    		34 | }
    
    Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
    	FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
    	File: /terraform/modules/key_vault/main.tf:11-41
    
    		11 | resource "azurerm_key_vault" "key_vault" {
    		12 |   name                            = var.name
    		13 |   location                        = var.location
    		14 |   resource_group_name             = var.resource_group_name
    		15 |   tenant_id                       = var.tenant_id
    		16 |   sku_name                        = var.sku_name
    		17 |   tags                            = var.tags
    		18 |   enabled_for_deployment          = var.enabled_for_deployment
    		19 |   enabled_for_disk_encryption     = var.enabled_for_disk_encryption
    		20 |   enabled_for_template_deployment = var.enabled_for_template_deployment
    		21 |   enable_rbac_authorization       = var.enable_rbac_authorization
    		22 |   purge_protection_enabled        = var.purge_protection_enabled
    		23 |   soft_delete_retention_days      = var.soft_delete_retention_days
    		24 |   
    		25 |   timeouts {
    		26 |     delete = "60m"
    		27 |   }
    		28 | 
    		29 |   network_acls {
    		30 |     bypass                     = var.bypass
    		31 |     default_action             = var.default_action
    		32 |     ip_rules                   = var.ip_rules
    		33 |     virtual_network_subnet_ids = var.virtual_network_subnet_ids
    		34 |   }
    		35 | 
    		36 |   lifecycle {
    		37 |       ignore_changes = [
    		38 |           tags
    		39 |       ]
    		40 |   }
    		41 | }
    
    dockerfile scan results:
    
    Passed checks: 57, Failed checks: 2, Skipped checks: 0
    
    Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    	FAILED for resource: /source/Dockerfile.
    	File: /source/Dockerfile:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
    
    		1  | #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
    		2  | 
    		3  | FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
    		4  | WORKDIR /app
    		5  | EXPOSE 80
    		6  | EXPOSE 443
    		7  | 
    		8  | FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
    		9  | WORKDIR /src
    		10 | COPY ["SyntheticApi.csproj", ""]
    		11 | RUN dotnet restore "./SyntheticApi.csproj"
    		12 | COPY . .
    		13 | WORKDIR "/src/."
    		14 | RUN dotnet build "SyntheticApi.csproj" -c Release -o /app/build
    		15 | 
    		16 | FROM build AS publish
    		17 | RUN dotnet publish "SyntheticApi.csproj" -c Release -o /app/publish
    		18 | 
    		19 | FROM base AS final
    		20 | WORKDIR /app
    		21 | COPY --from=publish /app/publish .
    		22 | ENTRYPOINT ["dotnet", "SyntheticApi.dll"]

    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /source/Dockerfile.
    	File: /source/Dockerfile:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1  | #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
    		2  | 
    		3  | FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
    		4  | WORKDIR /app
    		5  | EXPOSE 80
    		6  | EXPOSE 443
    		7  | 
    		8  | FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
    		9  | WORKDIR /src
    		10 | COPY ["SyntheticApi.csproj", ""]
    		11 | RUN dotnet restore "./SyntheticApi.csproj"
    		12 | COPY . .
    		13 | WORKDIR "/src/."
    		14 | RUN dotnet build "SyntheticApi.csproj" -c Release -o /app/build
    		15 | 
    		16 | FROM build AS publish
    		17 | RUN dotnet publish "SyntheticApi.csproj" -c Release -o /app/publish
    		18 | 
    		19 | FROM base AS final
    		20 | WORKDIR /app
    		21 | COPY --from=publish /app/publish .
    		22 | ENTRYPOINT ["dotnet", "SyntheticApi.dll"]
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: