| Repository | Azure / terraform-azurerm-compute |
|---|---|
| Description | Terraform Azure RM Compute Module |
| Stars | 164 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:54:26,399 [MainThread ] [WARNI] Failed to download module Azure/vnet/azurerm:4.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 100, Failed checks: 36, Skipped checks: 0
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.debian2
File: /examples/complete/main.tf:134-166
134 | resource "azurerm_storage_account" "debian2" {
135 | account_replication_type = "LRS"
136 | account_tier = "Standard"
137 | location = var.location_alt
138 | name = "bootdiag${random_string.storage_account.result}"
139 | resource_group_name = azurerm_resource_group.test.name
140 | account_kind = "StorageV2"
141 | min_tls_version = "TLS1_2"
142 | public_network_access_enabled = false
143 |
144 | customer_managed_key {
145 | key_vault_key_id = azurerm_key_vault_key.des_key.id
146 | user_assigned_identity_id = azurerm_user_assigned_identity.storage_account.id
147 | }
148 | identity {
149 | type = "UserAssigned"
150 | identity_ids = [azurerm_user_assigned_identity.storage_account.id]
151 | }
152 | network_rules {
153 | default_action = "Deny"
154 | }
155 | queue_properties {
156 | logging {
157 | delete = true
158 | read = true
159 | version = "1.0"
160 | write = true
161 | retention_policy_days = 1
162 | }
163 | }
164 |
165 | depends_on = [azurerm_key_vault_access_policy.storage_account]
166 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.debian2
File: /examples/complete/main.tf:134-166
134 | resource "azurerm_storage_account" "debian2" {
135 | account_replication_type = "LRS"
136 | account_tier = "Standard"
137 | location = var.location_alt
138 | name = "bootdiag${random_string.storage_account.result}"
139 | resource_group_name = azurerm_resource_group.test.name
140 | account_kind = "StorageV2"
141 | min_tls_version = "TLS1_2"
142 | public_network_access_enabled = false
143 |
144 | customer_managed_key {
145 | key_vault_key_id = azurerm_key_vault_key.des_key.id
146 | user_assigned_identity_id = azurerm_user_assigned_identity.storage_account.id
147 | }
148 | identity {
149 | type = "UserAssigned"
150 | identity_ids = [azurerm_user_assigned_identity.storage_account.id]
151 | }
152 | network_rules {
153 | default_action = "Deny"
154 | }
155 | queue_properties {
156 | logging {
157 | delete = true
158 | read = true
159 | version = "1.0"
160 | write = true
161 | retention_policy_days = 1
162 | }
163 | }
164 |
165 | depends_on = [azurerm_key_vault_access_policy.storage_account]
166 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.debian2
File: /examples/complete/main.tf:134-166
134 | resource "azurerm_storage_account" "debian2" {
135 | account_replication_type = "LRS"
136 | account_tier = "Standard"
137 | location = var.location_alt
138 | name = "bootdiag${random_string.storage_account.result}"
139 | resource_group_name = azurerm_resource_group.test.name
140 | account_kind = "StorageV2"
141 | min_tls_version = "TLS1_2"
142 | public_network_access_enabled = false
143 |
144 | customer_managed_key {
145 | key_vault_key_id = azurerm_key_vault_key.des_key.id
146 | user_assigned_identity_id = azurerm_user_assigned_identity.storage_account.id
147 | }
148 | identity {
149 | type = "UserAssigned"
150 | identity_ids = [azurerm_user_assigned_identity.storage_account.id]
151 | }
152 | network_rules {
153 | default_action = "Deny"
154 | }
155 | queue_properties {
156 | logging {
157 | delete = true
158 | read = true
159 | version = "1.0"
160 | write = true
161 | retention_policy_days = 1
162 | }
163 | }
164 |
165 | depends_on = [azurerm_key_vault_access_policy.storage_account]
166 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.debianservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.debianservers2.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.ubuntuservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.windowsservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.debianservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.debianservers.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.debianservers2.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.debianservers2.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.ubuntuservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.ubuntuservers.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.windowsservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.windowsservers.azurerm_virtual_machine.vm_windows
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.debian2
File: /examples/complete/main.tf:134-166
134 | resource "azurerm_storage_account" "debian2" {
135 | account_replication_type = "LRS"
136 | account_tier = "Standard"
137 | location = var.location_alt
138 | name = "bootdiag${random_string.storage_account.result}"
139 | resource_group_name = azurerm_resource_group.test.name
140 | account_kind = "StorageV2"
141 | min_tls_version = "TLS1_2"
142 | public_network_access_enabled = false
143 |
144 | customer_managed_key {
145 | key_vault_key_id = azurerm_key_vault_key.des_key.id
146 | user_assigned_identity_id = azurerm_user_assigned_identity.storage_account.id
147 | }
148 | identity {
149 | type = "UserAssigned"
150 | identity_ids = [azurerm_user_assigned_identity.storage_account.id]
151 | }
152 | network_rules {
153 | default_action = "Deny"
154 | }
155 | queue_properties {
156 | logging {
157 | delete = true
158 | read = true
159 | version = "1.0"
160 | write = true
161 | retention_policy_days = 1
162 | }
163 | }
164 |
165 | depends_on = [azurerm_key_vault_access_policy.storage_account]
166 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.debianservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.debianservers2.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.ubuntuservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.windowsservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.debianservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.debianservers2.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.ubuntuservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.windowsservers.azurerm_virtual_machine.vm_linux
File: /main.tf:59-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.windowsservers.azurerm_virtual_machine.vm_windows
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.debianservers.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.debianservers2.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.ubuntuservers.azurerm_virtual_machine.vm_windows[0]
File: /main.tf:201-319
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.debianservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.debianservers2.azurerm_storage_account.vm_sa
File: /main.tf:34-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.ubuntuservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.windowsservers.azurerm_storage_account.vm_sa
File: /main.tf:34-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
34 | resource "azurerm_storage_account" "vm_sa" {
35 | count = var.boot_diagnostics && var.external_boot_diagnostics_storage == null ? 1 : 0
36 |
37 | account_replication_type = element(split("_", var.boot_diagnostics_sa_type), 1)
38 | account_tier = element(split("_", var.boot_diagnostics_sa_type), 0)
39 | location = local.location
40 | name = "bootdiag${lower(random_id.vm_sa.hex)}"
41 | resource_group_name = var.resource_group_name
42 | tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
43 | avm_git_commit = "634363ec15f9f4252ff016369744cb9539480a22"
44 | avm_git_file = "main.tf"
45 | avm_git_last_modified_at = "2022-11-28 08:50:01"
46 | avm_git_org = "Azure"
47 | avm_git_repo = "terraform-azurerm-compute"
48 | avm_yor_trace = "01158619-7824-4f16-8f7f-6ebecb92048a"
49 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */), (/**/ (var.tracing_tags_enabled ? { for k, v in /* */ {
50 | avm_yor_name = "vm_sa"
51 | } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /* */))
52 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.subnet[0]
File: /examples/complete/main.tf:21-29
21 | resource "azurerm_subnet" "subnet" {
22 | count = 3
23 |
24 | # tflint-ignore: terraform_count_index_usage
25 | address_prefixes = [cidrsubnet(local.vnet_address_space, 8, count.index)]
26 | name = "host${random_id.ip_dns.hex}-sn-${count.index + 1}"
27 | resource_group_name = azurerm_resource_group.test.name
28 | virtual_network_name = azurerm_virtual_network.vnet.name
29 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.subnet[1]
File: /examples/complete/main.tf:21-29
21 | resource "azurerm_subnet" "subnet" {
22 | count = 3
23 |
24 | # tflint-ignore: terraform_count_index_usage
25 | address_prefixes = [cidrsubnet(local.vnet_address_space, 8, count.index)]
26 | name = "host${random_id.ip_dns.hex}-sn-${count.index + 1}"
27 | resource_group_name = azurerm_resource_group.test.name
28 | virtual_network_name = azurerm_virtual_network.vnet.name
29 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.subnet[2]
File: /examples/complete/main.tf:21-29
21 | resource "azurerm_subnet" "subnet" {
22 | count = 3
23 |
24 | # tflint-ignore: terraform_count_index_usage
25 | address_prefixes = [cidrsubnet(local.vnet_address_space, 8, count.index)]
26 | name = "host${random_id.ip_dns.hex}-sn-${count.index + 1}"
27 | resource_group_name = azurerm_resource_group.test.name
28 | virtual_network_name = azurerm_virtual_network.vnet.name
29 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: azurerm_key_vault.test
File: /examples/complete/key_vault.tf:15-31
15 | resource "azurerm_key_vault" "test" {
16 | location = var.location_alt
17 | name = "test${random_id.ip_dns.hex}kv"
18 | resource_group_name = azurerm_resource_group.test.name
19 | sku_name = "premium"
20 | tenant_id = data.azurerm_client_config.current.tenant_id
21 | enabled_for_deployment = true
22 | enabled_for_disk_encryption = true
23 | purge_protection_enabled = true
24 | soft_delete_retention_days = 7
25 |
26 | network_acls {
27 | bypass = "AzureServices"
28 | default_action = "Deny"
29 | ip_rules = [local.public_ip]
30 | }
31 | }
github_actions scan results:
Passed checks: 75, Failed checks: 5, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Pre Pull Request Check)
File: /.github/workflows/pr-check.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Weekly E2E Test Check)
File: /.github/workflows/weekly-e2e.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(E2E Test)
File: /.github/workflows/acc-test.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Post Push)
File: /.github/workflows/post-push.yaml:10-11
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Comment on PR)
File: /.github/workflows/breaking-change-detect.yaml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools