| Repository | Azure-Samples / private-aks-cluster-terraform-devops |
|---|---|
| Description | This sample shows how to create a private AKS cluster using Terraform and Azure DevOps. |
| Stars | 128 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 52, Failed checks: 54, Skipped checks: 0
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Calling File: /agent/main.tf:35-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: module.virtual_machine.azurerm_network_security_group.nsg
File: /agent/modules/virtual_machine/main.tf:27-50
Calling File: /agent/main.tf:56-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
27 | resource "azurerm_network_security_group" "nsg" {
28 | name = "${var.name}Nsg"
29 | location = var.location
30 | resource_group_name = var.resource_group_name
31 | tags = var.tags
32 |
33 | security_rule {
34 | name = "SSH"
35 | priority = 1001
36 | direction = "Inbound"
37 | access = "Allow"
38 | protocol = "Tcp"
39 | source_port_range = "*"
40 | destination_port_range = "22"
41 | source_address_prefix = "*"
42 | destination_address_prefix = "*"
43 | }
44 |
45 | lifecycle {
46 | ignore_changes = [
47 | tags
48 | ]
49 | }
50 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.virtual_machine.azurerm_linux_virtual_machine.virtual_machine
File: /agent/modules/virtual_machine/main.tf:78-120
Calling File: /agent/main.tf:56-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
78 | resource "azurerm_linux_virtual_machine" "virtual_machine" {
79 | name = var.name
80 | location = var.location
81 | resource_group_name = var.resource_group_name
82 | network_interface_ids = [azurerm_network_interface.nic.id]
83 | size = var.size
84 | computer_name = var.name
85 | admin_username = var.vm_user
86 | tags = var.tags
87 |
88 | os_disk {
89 | name = "${var.name}OsDisk"
90 | caching = "ReadWrite"
91 | storage_account_type = var.os_disk_storage_account_type
92 | }
93 |
94 | admin_ssh_key {
95 | username = var.vm_user
96 | public_key = var.admin_ssh_public_key
97 | }
98 |
99 | source_image_reference {
100 | offer = lookup(var.os_disk_image, "offer", null)
101 | publisher = lookup(var.os_disk_image, "publisher", null)
102 | sku = lookup(var.os_disk_image, "sku", null)
103 | version = lookup(var.os_disk_image, "version", null)
104 | }
105 |
106 | boot_diagnostics {
107 | storage_account_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account
108 | }
109 |
110 | lifecycle {
111 | ignore_changes = [
112 | tags
113 | ]
114 | }
115 |
116 | depends_on = [
117 | azurerm_network_interface.nic,
118 | azurerm_network_security_group.nsg
119 | ]
120 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_117: "Ensure that AKS uses disk encryption set"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-uses-disk-encryption-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_7: "Ensure AKS cluster has Network Policy configured"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-4.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_170: "Ensure that AKS use the Paid Sku for its SLA"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_141: "Ensure AKS local admin account is disabled"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-kubernetes-service-aks-local-admin-account-is-disabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
FAILED for resource: module.aks_cluster.azurerm_kubernetes_cluster.aks_cluster
File: /terraform/modules/aks/main.tf:25-112
Calling File: /terraform/main.tf:165-212
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.container_registry.azurerm_container_registry.acr
File: /terraform/modules/container_registry/main.tf:11-40
Calling File: /terraform/main.tf:153-163
11 | resource "azurerm_container_registry" "acr" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 | location = var.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = var.tags
18 |
19 | identity {
20 | type = "UserAssigned"
21 | identity_ids = [
22 | azurerm_user_assigned_identity.acr_identity.id
23 | ]
24 | }
25 |
26 | dynamic "georeplications" {
27 | for_each = var.georeplication_locations
28 |
29 | content {
30 | location = georeplications.value
31 | tags = var.tags
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [
37 | tags
38 | ]
39 | }
40 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.container_registry.azurerm_container_registry.acr
File: /terraform/modules/container_registry/main.tf:11-40
Calling File: /terraform/main.tf:153-163
11 | resource "azurerm_container_registry" "acr" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 | location = var.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = var.tags
18 |
19 | identity {
20 | type = "UserAssigned"
21 | identity_ids = [
22 | azurerm_user_assigned_identity.acr_identity.id
23 | ]
24 | }
25 |
26 | dynamic "georeplications" {
27 | for_each = var.georeplication_locations
28 |
29 | content {
30 | location = georeplications.value
31 | tags = var.tags
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [
37 | tags
38 | ]
39 | }
40 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.container_registry.azurerm_container_registry.acr
File: /terraform/modules/container_registry/main.tf:11-40
Calling File: /terraform/main.tf:153-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
11 | resource "azurerm_container_registry" "acr" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 | location = var.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = var.tags
18 |
19 | identity {
20 | type = "UserAssigned"
21 | identity_ids = [
22 | azurerm_user_assigned_identity.acr_identity.id
23 | ]
24 | }
25 |
26 | dynamic "georeplications" {
27 | for_each = var.georeplication_locations
28 |
29 | content {
30 | location = georeplications.value
31 | tags = var.tags
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [
37 | tags
38 | ]
39 | }
40 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.container_registry.azurerm_container_registry.acr
File: /terraform/modules/container_registry/main.tf:11-40
Calling File: /terraform/main.tf:153-163
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
11 | resource "azurerm_container_registry" "acr" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 | location = var.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = var.tags
18 |
19 | identity {
20 | type = "UserAssigned"
21 | identity_ids = [
22 | azurerm_user_assigned_identity.acr_identity.id
23 | ]
24 | }
25 |
26 | dynamic "georeplications" {
27 | for_each = var.georeplication_locations
28 |
29 | content {
30 | location = georeplications.value
31 | tags = var.tags
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [
37 | tags
38 | ]
39 | }
40 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.container_registry.azurerm_container_registry.acr
File: /terraform/modules/container_registry/main.tf:11-40
Calling File: /terraform/main.tf:153-163
11 | resource "azurerm_container_registry" "acr" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 | location = var.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = var.tags
18 |
19 | identity {
20 | type = "UserAssigned"
21 | identity_ids = [
22 | azurerm_user_assigned_identity.acr_identity.id
23 | ]
24 | }
25 |
26 | dynamic "georeplications" {
27 | for_each = var.georeplication_locations
28 |
29 | content {
30 | location = georeplications.value
31 | tags = var.tags
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [
37 | tags
38 | ]
39 | }
40 | }
Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
FAILED for resource: module.firewall.azurerm_firewall.firewall
File: /terraform/modules/firewall/main.tf:27-51
Calling File: /terraform/main.tf:117-130
27 | resource "azurerm_firewall" "firewall" {
28 | name = var.name
29 | resource_group_name = var.resource_group_name
30 | location = var.location
31 | zones = var.zones
32 | threat_intel_mode = var.threat_intel_mode
33 | sku_name = var.sku_name
34 | sku_tier = var.sku_tier
35 | firewall_policy_id = azurerm_firewall_policy.policy.id
36 | tags = var.tags
37 |
38 |
39 | ip_configuration {
40 | name = "fw_ip_config"
41 | subnet_id = var.subnet_id
42 | public_ip_address_id = azurerm_public_ip.pip.id
43 | }
44 |
45 | lifecycle {
46 | ignore_changes = [
47 | tags,
48 |
49 | ]
50 | }
51 | }
Check: CKV_AZURE_220: "Ensure Firewall policy has IDPS mode as deny"
FAILED for resource: module.firewall.azurerm_firewall_policy.policy
File: /terraform/modules/firewall/main.tf:53-63
Calling File: /terraform/main.tf:117-130
53 | resource "azurerm_firewall_policy" "policy" {
54 | name = "${var.name}Policy"
55 | resource_group_name = var.resource_group_name
56 | location = var.location
57 |
58 | lifecycle {
59 | ignore_changes = [
60 | tags
61 | ]
62 | }
63 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
File: /terraform/modules/key_vault/main.tf:11-41
Calling File: /terraform/main.tf:307-325
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
11 | resource "azurerm_key_vault" "key_vault" {
12 | name = var.name
13 | location = var.location
14 | resource_group_name = var.resource_group_name
15 | tenant_id = var.tenant_id
16 | sku_name = var.sku_name
17 | tags = var.tags
18 | enabled_for_deployment = var.enabled_for_deployment
19 | enabled_for_disk_encryption = var.enabled_for_disk_encryption
20 | enabled_for_template_deployment = var.enabled_for_template_deployment
21 | enable_rbac_authorization = var.enable_rbac_authorization
22 | purge_protection_enabled = var.purge_protection_enabled
23 | soft_delete_retention_days = var.soft_delete_retention_days
24 |
25 | timeouts {
26 | delete = "60m"
27 | }
28 |
29 | network_acls {
30 | bypass = var.bypass
31 | default_action = var.default_action
32 | ip_rules = var.ip_rules
33 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
34 | }
35 |
36 | lifecycle {
37 | ignore_changes = [
38 | tags
39 | ]
40 | }
41 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
File: /terraform/modules/key_vault/main.tf:11-41
Calling File: /terraform/main.tf:307-325
11 | resource "azurerm_key_vault" "key_vault" {
12 | name = var.name
13 | location = var.location
14 | resource_group_name = var.resource_group_name
15 | tenant_id = var.tenant_id
16 | sku_name = var.sku_name
17 | tags = var.tags
18 | enabled_for_deployment = var.enabled_for_deployment
19 | enabled_for_disk_encryption = var.enabled_for_disk_encryption
20 | enabled_for_template_deployment = var.enabled_for_template_deployment
21 | enable_rbac_authorization = var.enable_rbac_authorization
22 | purge_protection_enabled = var.purge_protection_enabled
23 | soft_delete_retention_days = var.soft_delete_retention_days
24 |
25 | timeouts {
26 | delete = "60m"
27 | }
28 |
29 | network_acls {
30 | bypass = var.bypass
31 | default_action = var.default_action
32 | ip_rules = var.ip_rules
33 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
34 | }
35 |
36 | lifecycle {
37 | ignore_changes = [
38 | tags
39 | ]
40 | }
41 | }
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
FAILED for resource: module.node_pool.azurerm_kubernetes_cluster_node_pool.node_pool
File: /terraform/modules/node_pool/main.tf:11-41
Calling File: /terraform/main.tf:281-305
11 | resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
12 | kubernetes_cluster_id = var.kubernetes_cluster_id
13 | name = var.name
14 | vm_size = var.vm_size
15 | mode = var.mode
16 | node_labels = var.node_labels
17 | node_taints = var.node_taints
18 | zones = var.availability_zones
19 | vnet_subnet_id = var.vnet_subnet_id
20 | pod_subnet_id = var.pod_subnet_id
21 | enable_auto_scaling = var.enable_auto_scaling
22 | enable_host_encryption = var.enable_host_encryption
23 | enable_node_public_ip = var.enable_node_public_ip
24 | proximity_placement_group_id = var.proximity_placement_group_id
25 | orchestrator_version = var.orchestrator_version
26 | max_pods = var.max_pods
27 | max_count = var.max_count
28 | min_count = var.min_count
29 | node_count = var.node_count
30 | os_disk_size_gb = var.os_disk_size_gb
31 | os_disk_type = var.os_disk_type
32 | os_type = var.os_type
33 | priority = var.priority
34 | tags = var.tags
35 |
36 | lifecycle {
37 | ignore_changes = [
38 | tags
39 | ]
40 | }
41 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Calling File: /terraform/main.tf:237-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: module.virtual_machine.azurerm_network_security_group.nsg
File: /terraform/modules/virtual_machine/main.tf:27-50
Calling File: /terraform/main.tf:257-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
27 | resource "azurerm_network_security_group" "nsg" {
28 | name = "${var.name}Nsg"
29 | location = var.location
30 | resource_group_name = var.resource_group_name
31 | tags = var.tags
32 |
33 | security_rule {
34 | name = "SSH"
35 | priority = 1001
36 | direction = "Inbound"
37 | access = "Allow"
38 | protocol = "Tcp"
39 | source_port_range = "*"
40 | destination_port_range = "22"
41 | source_address_prefix = "*"
42 | destination_address_prefix = "*"
43 | }
44 |
45 | lifecycle {
46 | ignore_changes = [
47 | tags
48 | ]
49 | }
50 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.virtual_machine.azurerm_linux_virtual_machine.virtual_machine
File: /terraform/modules/virtual_machine/main.tf:78-120
Calling File: /terraform/main.tf:257-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
78 | resource "azurerm_linux_virtual_machine" "virtual_machine" {
79 | name = var.name
80 | location = var.location
81 | resource_group_name = var.resource_group_name
82 | network_interface_ids = [azurerm_network_interface.nic.id]
83 | size = var.size
84 | computer_name = var.name
85 | admin_username = var.vm_user
86 | tags = var.tags
87 |
88 | os_disk {
89 | name = "${var.name}OsDisk"
90 | caching = "ReadWrite"
91 | storage_account_type = var.os_disk_storage_account_type
92 | }
93 |
94 | admin_ssh_key {
95 | username = var.vm_user
96 | public_key = var.admin_ssh_public_key
97 | }
98 |
99 | source_image_reference {
100 | offer = lookup(var.os_disk_image, "offer", null)
101 | publisher = lookup(var.os_disk_image, "publisher", null)
102 | sku = lookup(var.os_disk_image, "sku", null)
103 | version = lookup(var.os_disk_image, "version", null)
104 | }
105 |
106 | boot_diagnostics {
107 | storage_account_uri = var.boot_diagnostics_storage_account == "" ? null : var.boot_diagnostics_storage_account
108 | }
109 |
110 | lifecycle {
111 | ignore_changes = [
112 | tags
113 | ]
114 | }
115 |
116 | depends_on = [
117 | azurerm_network_interface.nic,
118 | azurerm_network_security_group.nsg
119 | ]
120 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.core-container
File: /storage-account/az-remote-backend-main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
43 | resource "azurerm_storage_container" "core-container" {
44 | depends_on = [azurerm_storage_account.state-sta]
45 | name = "core-tfstate"
46 | storage_account_name = azurerm_storage_account.state-sta.name
47 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.virtual_machine.azurerm_network_interface.nic
File: /agent/modules/virtual_machine/main.tf:52-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
52 | resource "azurerm_network_interface" "nic" {
53 | name = "${var.name}Nic"
54 | location = var.location
55 | resource_group_name = var.resource_group_name
56 | tags = var.tags
57 |
58 | ip_configuration {
59 | name = "Configuration"
60 | subnet_id = var.subnet_id
61 | private_ip_address_allocation = "Dynamic"
62 | public_ip_address_id = try(azurerm_public_ip.public_ip[0].id, "")
63 | }
64 |
65 | lifecycle {
66 | ignore_changes = [
67 | tags
68 | ]
69 | }
70 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.virtual_machine.azurerm_network_interface.nic
File: /terraform/modules/virtual_machine/main.tf:52-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
52 | resource "azurerm_network_interface" "nic" {
53 | name = "${var.name}Nic"
54 | location = var.location
55 | resource_group_name = var.resource_group_name
56 | tags = var.tags
57 |
58 | ip_configuration {
59 | name = "Configuration"
60 | subnet_id = var.subnet_id
61 | private_ip_address_allocation = "Dynamic"
62 | public_ip_address_id = try(azurerm_public_ip.public_ip[0].id, null)
63 | }
64 |
65 | lifecycle {
66 | ignore_changes = [
67 | tags
68 | ]
69 | }
70 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /agent/modules/storage_account/main.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.state-sta
File: /storage-account/az-remote-backend-main.tf:24-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
24 | resource "azurerm_storage_account" "state-sta" {
25 | depends_on = [azurerm_resource_group.state-rg]
26 | name = "${lower(var.company)}tf${random_string.tf-name.result}"
27 | resource_group_name = azurerm_resource_group.state-rg.name
28 | location = azurerm_resource_group.state-rg.location
29 | account_kind = "StorageV2"
30 | account_tier = "Standard"
31 | access_tier = "Hot"
32 | account_replication_type = "ZRS"
33 | enable_https_traffic_only = true
34 |
35 | lifecycle {
36 | prevent_destroy = true
37 | }
38 | tags = {
39 | environment = var.environment
40 | }
41 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.storage_account.azurerm_storage_account.storage_account
File: /terraform/modules/storage_account/main.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
11 | resource "azurerm_storage_account" "storage_account" {
12 | name = var.name
13 | resource_group_name = var.resource_group_name
14 |
15 | location = var.location
16 | account_kind = var.account_kind
17 | account_tier = var.account_tier
18 | account_replication_type = var.replication_type
19 | is_hns_enabled = var.is_hns_enabled
20 | tags = var.tags
21 |
22 | network_rules {
23 | default_action = (length(var.ip_rules) + length(var.virtual_network_subnet_ids)) > 0 ? "Deny" : var.default_action
24 | ip_rules = var.ip_rules
25 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
26 | }
27 |
28 | identity {
29 | type = "SystemAssigned"
30 | }
31 |
32 | lifecycle {
33 | ignore_changes = [
34 | tags
35 | ]
36 | }
37 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.hub_network.azurerm_subnet.subnet["AzureFirewallSubnet"]
File: /terraform/modules/virtual_network/main.tf:25-34
25 | resource "azurerm_subnet" "subnet" {
26 | for_each = { for subnet in var.subnets : subnet.name => subnet }
27 |
28 | name = each.key
29 | resource_group_name = var.resource_group_name
30 | virtual_network_name = azurerm_virtual_network.vnet.name
31 | address_prefixes = each.value.address_prefixes
32 | enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
33 | enforce_private_link_service_network_policies = each.value.enforce_private_link_service_network_policies
34 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.aks_network.azurerm_subnet.subnet
File: /terraform/modules/virtual_network/main.tf:25-34
25 | resource "azurerm_subnet" "subnet" {
26 | for_each = { for subnet in var.subnets : subnet.name => subnet }
27 |
28 | name = each.key
29 | resource_group_name = var.resource_group_name
30 | virtual_network_name = azurerm_virtual_network.vnet.name
31 | address_prefixes = each.value.address_prefixes
32 | enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
33 | enforce_private_link_service_network_policies = each.value.enforce_private_link_service_network_policies
34 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.hub_network.azurerm_subnet.subnet["AzureBastionSubnet"]
File: /terraform/modules/virtual_network/main.tf:25-34
25 | resource "azurerm_subnet" "subnet" {
26 | for_each = { for subnet in var.subnets : subnet.name => subnet }
27 |
28 | name = each.key
29 | resource_group_name = var.resource_group_name
30 | virtual_network_name = azurerm_virtual_network.vnet.name
31 | address_prefixes = each.value.address_prefixes
32 | enforce_private_link_endpoint_network_policies = each.value.enforce_private_link_endpoint_network_policies
33 | enforce_private_link_service_network_policies = each.value.enforce_private_link_service_network_policies
34 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.key_vault.azurerm_key_vault.key_vault
File: /terraform/modules/key_vault/main.tf:11-41
11 | resource "azurerm_key_vault" "key_vault" {
12 | name = var.name
13 | location = var.location
14 | resource_group_name = var.resource_group_name
15 | tenant_id = var.tenant_id
16 | sku_name = var.sku_name
17 | tags = var.tags
18 | enabled_for_deployment = var.enabled_for_deployment
19 | enabled_for_disk_encryption = var.enabled_for_disk_encryption
20 | enabled_for_template_deployment = var.enabled_for_template_deployment
21 | enable_rbac_authorization = var.enable_rbac_authorization
22 | purge_protection_enabled = var.purge_protection_enabled
23 | soft_delete_retention_days = var.soft_delete_retention_days
24 |
25 | timeouts {
26 | delete = "60m"
27 | }
28 |
29 | network_acls {
30 | bypass = var.bypass
31 | default_action = var.default_action
32 | ip_rules = var.ip_rules
33 | virtual_network_subnet_ids = var.virtual_network_subnet_ids
34 | }
35 |
36 | lifecycle {
37 | ignore_changes = [
38 | tags
39 | ]
40 | }
41 | }
dockerfile scan results:
Passed checks: 57, Failed checks: 2, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /source/Dockerfile.
File: /source/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
2 |
3 | FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
4 | WORKDIR /app
5 | EXPOSE 80
6 | EXPOSE 443
7 |
8 | FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
9 | WORKDIR /src
10 | COPY ["SyntheticApi.csproj", ""]
11 | RUN dotnet restore "./SyntheticApi.csproj"
12 | COPY . .
13 | WORKDIR "/src/."
14 | RUN dotnet build "SyntheticApi.csproj" -c Release -o /app/build
15 |
16 | FROM build AS publish
17 | RUN dotnet publish "SyntheticApi.csproj" -c Release -o /app/publish
18 |
19 | FROM base AS final
20 | WORKDIR /app
21 | COPY --from=publish /app/publish .
22 | ENTRYPOINT ["dotnet", "SyntheticApi.dll"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /source/Dockerfile.
File: /source/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
2 |
3 | FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
4 | WORKDIR /app
5 | EXPOSE 80
6 | EXPOSE 443
7 |
8 | FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
9 | WORKDIR /src
10 | COPY ["SyntheticApi.csproj", ""]
11 | RUN dotnet restore "./SyntheticApi.csproj"
12 | COPY . .
13 | WORKDIR "/src/."
14 | RUN dotnet build "SyntheticApi.csproj" -c Release -o /app/build
15 |
16 | FROM build AS publish
17 | RUN dotnet publish "SyntheticApi.csproj" -c Release -o /app/publish
18 |
19 | FROM base AS final
20 | WORKDIR /app
21 | COPY --from=publish /app/publish .
22 | ENTRYPOINT ["dotnet", "SyntheticApi.dll"]
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools