
Repository
BigDataBoutique / elasticsearch-cloud-deploy
Description

Deploy Elasticsearch on the cloud easily

Stars

 329

Failed Checks
  •  Security Scanning
     Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the repository's CI/CD configuration files.

    There is an opportunity to add a security scanning step to the repository's CI/CD configuration. The Checkov output below shows what such a scan currently reports for this repository.

    Checkov Output
                    
                      terraform scan results:
    
    Passed checks: 113, Failed checks: 68, Skipped checks: 0, Parsing errors: 4
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-es
    	File: /terraform-aws/alb.tf:8-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		8  | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-es" {
    		9  |   type        = "ingress"
    		10 |   protocol    = "tcp"
    		11 |   cidr_blocks = ["0.0.0.0/0"]
    		12 |   from_port   = 9200
    		13 |   to_port     = 9200
    		14 | 
    		15 |   security_group_id = aws_security_group.elasticsearch-alb-sg.id
    		16 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-egress-rule-all
    	File: /terraform-aws/alb.tf:19-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		19 | resource "aws_security_group_rule" "elasticsearch-alb-sg-egress-rule-all" {
    		20 |   type        = "egress"
    		21 |   protocol    = "-1"
    		22 |   cidr_blocks = ["0.0.0.0/0"]
    		23 |   from_port   = 0
    		24 |   to_port     = 0
    		25 | 
    		26 |   security_group_id = aws_security_group.elasticsearch-alb-sg.id
    		27 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-cerebro[0]
    	File: /terraform-aws/alb.tf:32-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		32 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-cerebro" {
    		33 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		34 |   type        = "ingress"
    		35 |   protocol    = "tcp"
    		36 |   cidr_blocks = ["0.0.0.0/0"]
    		37 |   from_port   = 9000
    		38 |   to_port     = 9000
    		39 | 
    		40 |   security_group_id = aws_security_group.elasticsearch-alb-sg.id
    		41 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-grafana[0]
    	File: /terraform-aws/alb.tf:44-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		44 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-grafana" {
    		45 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		46 |   type        = "ingress"
    		47 |   protocol    = "tcp"
    		48 |   cidr_blocks = ["0.0.0.0/0"]
    		49 |   from_port   = 3000
    		50 |   to_port     = 3000
    		51 | 
    		52 |   security_group_id = aws_security_group.elasticsearch-alb-sg.id
    		53 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-kibana[0]
    	File: /terraform-aws/alb.tf:56-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		56 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-kibana" {
    		57 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		58 |   type        = "ingress"
    		59 |   protocol    = "tcp"
    		60 |   cidr_blocks = ["0.0.0.0/0"]
    		61 |   from_port   = 5601
    		62 |   to_port     = 5601
    		63 | 
    		64 |   security_group_id = aws_security_group.elasticsearch-alb-sg.id
    		65 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.elasticsearch-alb
    	File: /terraform-aws/alb.tf:141-149
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		141 | resource "aws_lb" "elasticsearch-alb" {
    		142 |   name               = "${var.es_cluster}-alb"
    		143 |   internal           = ! var.public_facing
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
    		146 |   subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
    		147 | 
    		148 |   enable_deletion_protection = false
    		149 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.elasticsearch-alb
    	File: /terraform-aws/alb.tf:141-149
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		141 | resource "aws_lb" "elasticsearch-alb" {
    		142 |   name               = "${var.es_cluster}-alb"
    		143 |   internal           = ! var.public_facing
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
    		146 |   subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
    		147 | 
    		148 |   enable_deletion_protection = false
    		149 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.elasticsearch-alb
    	File: /terraform-aws/alb.tf:141-149
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		141 | resource "aws_lb" "elasticsearch-alb" {
    		142 |   name               = "${var.es_cluster}-alb"
    		143 |   internal           = ! var.public_facing
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
    		146 |   subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
    		147 | 
    		148 |   enable_deletion_protection = false
    		149 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.esearch
    	File: /terraform-aws/alb.tf:156-165
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		156 | resource "aws_lb_listener" "esearch" {
    		157 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		158 |   port              = "9200"
    		159 |   protocol          = "HTTP"
    		160 | 
    		161 |   default_action {
    		162 |     type             = "forward"
    		163 |     target_group_arn = aws_lb_target_group.esearch-p9200-tg.arn
    		164 |   }
    		165 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.kibana[0]
    	File: /terraform-aws/alb.tf:167-177
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		167 | resource "aws_lb_listener" "kibana" {
    		168 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		169 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		170 |   port              = "5601"
    		171 |   protocol          = "HTTP"
    		172 | 
    		173 |   default_action {
    		174 |     type             = "forward"
    		175 |     target_group_arn = aws_lb_target_group.kibana-p5601-tg[0].arn
    		176 |   }
    		177 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.grafana[0]
    	File: /terraform-aws/alb.tf:179-189
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		179 | resource "aws_lb_listener" "grafana" {
    		180 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		181 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		182 |   port              = "3000"
    		183 |   protocol          = "HTTP"
    		184 | 
    		185 |   default_action {
    		186 |     type             = "forward"
    		187 |     target_group_arn = aws_lb_target_group.grafana-p3000-tg[0].arn
    		188 |   }
    		189 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.cerebro[0]
    	File: /terraform-aws/alb.tf:191-201
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		191 | resource "aws_lb_listener" "cerebro" {
    		192 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		193 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		194 |   port              = "9000"
    		195 |   protocol          = "HTTP"
    		196 | 
    		197 |   default_action {
    		198 |     type             = "forward"
    		199 |     target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn
    		200 |   }
    		201 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.client
    	File: /terraform-aws/client.tf:9-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		9  | resource "aws_launch_template" "client" {
    		10 |   name_prefix   = "elasticsearch-${var.es_cluster}-client-nodes"
    		11 |   image_id      = data.aws_ami.kibana_client.id
    		12 |   instance_type = var.master_instance_type
    		13 |   user_data     = base64encode(data.template_file.client_userdata_script.rendered)
    		14 |   key_name      = var.key_name
    		15 | 
    		16 |   iam_instance_profile {
    		17 |     arn = aws_iam_instance_profile.elasticsearch.arn
    		18 |   }
    		19 | 
    		20 |   network_interfaces {
    		21 |     delete_on_termination       = true
    		22 |     associate_public_ip_address = false
    		23 |     security_groups = concat(
    		24 |       [aws_security_group.elasticsearch_security_group.id],
    		25 |       [aws_security_group.elasticsearch_clients_security_group.id],
    		26 |       var.additional_security_groups,
    		27 |     )
    		28 |   }
    		29 | 
    		30 |   lifecycle {
    		31 |     create_before_destroy = true
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.data
    	File: /terraform-aws/datas.tf:9-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		9  | resource "aws_launch_template" "data" {
    		10 |   name_prefix   = "elasticsearch-${var.es_cluster}-data-nodes"
    		11 |   image_id      = data.aws_ami.elasticsearch.id
    		12 |   instance_type = var.data_instance_type
    		13 |   user_data     = base64encode(data.template_file.data_userdata_script.rendered)
    		14 |   key_name      = var.key_name
    		15 | 
    		16 |   ebs_optimized = var.ebs_optimized
    		17 | 
    		18 |   iam_instance_profile {
    		19 |     arn = aws_iam_instance_profile.elasticsearch.arn
    		20 |   }
    		21 | 
    		22 |   network_interfaces {
    		23 |     delete_on_termination       = true
    		24 |     associate_public_ip_address = false
    		25 |     security_groups = concat(
    		26 |       [aws_security_group.elasticsearch_security_group.id],
    		27 |       var.additional_security_groups,
    		28 |     )
    		29 |   }
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_ebs_volume.master
    	File: /terraform-aws/disks.tf:15-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
    
    		15 | resource "aws_ebs_volume" "master" {
    		16 |   for_each = local.master_az_flattened
    		17 | 
    		18 |   availability_zone = jsondecode(each.value)["az"]
    		19 |   size              = 10
    		20 |   type              = "gp2"
    		21 |   encrypted         = var.volume_encryption
    		22 | 
    		23 |   tags = {
    		24 |     Name            = "elasticsearch-${var.es_cluster}-master-${jsondecode(each.value)["name"]}"
    		25 |     ClusterName     = var.es_cluster
    		26 |     VolumeIndex     = jsondecode(each.value)["index"]
    		27 |     AutoAttachGroup = "master"
    		28 |   }
    		29 | }
    
    Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_ebs_volume.data
    	File: /terraform-aws/disks.tf:31-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
    
    		31 | resource "aws_ebs_volume" "data" {
    		32 |   for_each = local.data_az_flattened
    		33 | 
    		34 |   availability_zone = jsondecode(each.value)["az"]
    		35 |   size              = var.elasticsearch_volume_size
    		36 |   type              = "gp2"
    		37 |   encrypted         = var.volume_encryption
    		38 | 
    		39 |   tags = {
    		40 |     Name            = "elasticsearch-${var.es_cluster}-data-${jsondecode(each.value)["name"]}"
    		41 |     ClusterName     = var.es_cluster
    		42 |     VolumeIndex     = jsondecode(each.value)["index"]
    		43 |     AutoAttachGroup = "data"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.elasticsearch_security_group
    	File: /terraform-aws/main.tf:73-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		73  | resource "aws_security_group" "elasticsearch_security_group" {
    		74  |   name        = "elasticsearch-${var.es_cluster}-security-group"
    		75  |   description = "Elasticsearch ports with ssh"
    		76  |   vpc_id      = var.vpc_id
    		77  | 
    		78  |   tags = {
    		79  |     Name    = "${var.es_cluster}-elasticsearch"
    		80  |     cluster = var.es_cluster
    		81  |   }
    		82  | 
    		83  |   # ssh access from everywhere
    		84  |   ingress {
    		85  |     from_port   = 22
    		86  |     to_port     = 22
    		87  |     protocol    = "tcp"
    		88  |     cidr_blocks = ["0.0.0.0/0"]
    		89  |   }
    		90  | 
    		91  |   # inter-cluster communication over ports 9200-9400
    		92  |   ingress {
    		93  |     from_port = 9200
    		94  |     to_port   = 9400
    		95  |     protocol  = "tcp"
    		96  |     self      = true
    		97  |   }
    		98  | 
    		99  |   # allow inter-cluster ping
    		100 |   ingress {
    		101 |     from_port = 8
    		102 |     to_port   = 0
    		103 |     protocol  = "icmp"
    		104 |     self      = true
    		105 |   }
    		106 | 
    		107 |   # allow alb sg access
    		108 |   ingress {
    		109 |     from_port       = 9200
    		110 |     to_port         = 9200
    		111 |     protocol        = "tcp"
    		112 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		113 |   }
    		114 | 
    		115 |   egress {
    		116 |     from_port   = 0
    		117 |     to_port     = 0
    		118 |     protocol    = "-1"
    		119 |     cidr_blocks = ["0.0.0.0/0"]
    		120 |   }
    		121 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.elasticsearch_security_group
    	File: /terraform-aws/main.tf:73-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		73  | resource "aws_security_group" "elasticsearch_security_group" {
    		74  |   name        = "elasticsearch-${var.es_cluster}-security-group"
    		75  |   description = "Elasticsearch ports with ssh"
    		76  |   vpc_id      = var.vpc_id
    		77  | 
    		78  |   tags = {
    		79  |     Name    = "${var.es_cluster}-elasticsearch"
    		80  |     cluster = var.es_cluster
    		81  |   }
    		82  | 
    		83  |   # ssh access from everywhere
    		84  |   ingress {
    		85  |     from_port   = 22
    		86  |     to_port     = 22
    		87  |     protocol    = "tcp"
    		88  |     cidr_blocks = ["0.0.0.0/0"]
    		89  |   }
    		90  | 
    		91  |   # inter-cluster communication over ports 9200-9400
    		92  |   ingress {
    		93  |     from_port = 9200
    		94  |     to_port   = 9400
    		95  |     protocol  = "tcp"
    		96  |     self      = true
    		97  |   }
    		98  | 
    		99  |   # allow inter-cluster ping
    		100 |   ingress {
    		101 |     from_port = 8
    		102 |     to_port   = 0
    		103 |     protocol  = "icmp"
    		104 |     self      = true
    		105 |   }
    		106 | 
    		107 |   # allow alb sg access
    		108 |   ingress {
    		109 |     from_port       = 9200
    		110 |     to_port         = 9200
    		111 |     protocol        = "tcp"
    		112 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		113 |   }
    		114 | 
    		115 |   egress {
    		116 |     from_port   = 0
    		117 |     to_port     = 0
    		118 |     protocol    = "-1"
    		119 |     cidr_blocks = ["0.0.0.0/0"]
    		120 |   }
    		121 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.elasticsearch_clients_security_group
    	File: /terraform-aws/main.tf:123-165
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		123 | resource "aws_security_group" "elasticsearch_clients_security_group" {
    		124 |   name        = "elasticsearch-${var.es_cluster}-clients-security-group"
    		125 |   description = "Kibana HTTP access from outside"
    		126 |   vpc_id      = var.vpc_id
    		127 | 
    		128 |   tags = {
    		129 |     Name    = "${var.es_cluster}-kibana"
    		130 |     cluster = var.es_cluster
    		131 |   }
    		132 | 
    		133 |   # allow alb sg access
    		134 |   ingress {
    		135 |     from_port       = 9200
    		136 |     to_port         = 9200
    		137 |     protocol        = "tcp"
    		138 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		139 |   }
    		140 |   ingress {
    		141 |     from_port       = 5601
    		142 |     to_port         = 5601
    		143 |     protocol        = "tcp"
    		144 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		145 |   }
    		146 |   ingress {
    		147 |     from_port       = 3000
    		148 |     to_port         = 3000
    		149 |     protocol        = "tcp"
    		150 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		151 |   }
    		152 |   ingress {
    		153 |     from_port       = 9000
    		154 |     to_port         = 9000
    		155 |     protocol        = "tcp"
    		156 |     security_groups = [aws_security_group.elasticsearch-alb-sg.id]
    		157 |   }
    		158 | 
    		159 |   egress {
    		160 |     from_port   = 0
    		161 |     to_port     = 0
    		162 |     protocol    = "-1"
    		163 |     cidr_blocks = ["0.0.0.0/0"]
    		164 |   }
    		165 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.master
    	File: /terraform-aws/masters.tf:21-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		21 | resource "aws_launch_template" "master" {
    		22 |   name_prefix   = "elasticsearch-${var.es_cluster}-master-nodes"
    		23 |   image_id      = data.aws_ami.elasticsearch.id
    		24 |   instance_type = var.master_instance_type
    		25 |   user_data     = base64encode(data.template_file.master_userdata_script.rendered)
    		26 |   key_name      = var.key_name
    		27 | 
    		28 |   iam_instance_profile {
    		29 |     arn = aws_iam_instance_profile.elasticsearch.arn
    		30 |   }
    		31 | 
    		32 |   network_interfaces {
    		33 |     delete_on_termination       = true
    		34 |     associate_public_ip_address = false
    		35 |     security_groups = concat(
    		36 |       [aws_security_group.elasticsearch_security_group.id],
    		37 |       var.additional_security_groups,
    		38 |     )
    		39 |   }
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.bootstrap_node
    	File: /terraform-aws/masters.tf:94-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		94  | resource "aws_instance" "bootstrap_node" {
    		95  |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		96  | 
    		97  |   ami                                  = data.aws_ami.elasticsearch.id
    		98  |   instance_type                        = var.master_instance_type
    		99  |   instance_initiated_shutdown_behavior = "terminate"
    		100 | 
    		101 |   vpc_security_group_ids = concat(
    		102 |     [aws_security_group.elasticsearch_security_group.id],
    		103 |     var.additional_security_groups,
    		104 |   )
    		105 |   iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
    		106 |   user_data            = data.template_file.bootstrap_userdata_script.rendered
    		107 |   key_name             = var.key_name
    		108 |   subnet_id            = local.bootstrap_node_subnet_id
    		109 | 
    		110 |   associate_public_ip_address = false
    		111 | 
    		112 |   tags = {
    		113 |     Name        = "${var.es_cluster}-bootstrap-node"
    		114 |     Environment = var.environment
    		115 |     Cluster     = "${var.environment}-${var.es_cluster}"
    		116 |     Role        = "bootstrap"
    		117 |   }
    		118 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.bootstrap_node
    	File: /terraform-aws/masters.tf:94-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		94  | resource "aws_instance" "bootstrap_node" {
    		95  |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		96  | 
    		97  |   ami                                  = data.aws_ami.elasticsearch.id
    		98  |   instance_type                        = var.master_instance_type
    		99  |   instance_initiated_shutdown_behavior = "terminate"
    		100 | 
    		101 |   vpc_security_group_ids = concat(
    		102 |     [aws_security_group.elasticsearch_security_group.id],
    		103 |     var.additional_security_groups,
    		104 |   )
    		105 |   iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
    		106 |   user_data            = data.template_file.bootstrap_userdata_script.rendered
    		107 |   key_name             = var.key_name
    		108 |   subnet_id            = local.bootstrap_node_subnet_id
    		109 | 
    		110 |   associate_public_ip_address = false
    		111 | 
    		112 |   tags = {
    		113 |     Name        = "${var.es_cluster}-bootstrap-node"
    		114 |     Environment = var.environment
    		115 |     Cluster     = "${var.environment}-${var.es_cluster}"
    		116 |     Role        = "bootstrap"
    		117 |   }
    		118 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.bootstrap_node
    	File: /terraform-aws/masters.tf:94-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		94  | resource "aws_instance" "bootstrap_node" {
    		95  |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		96  | 
    		97  |   ami                                  = data.aws_ami.elasticsearch.id
    		98  |   instance_type                        = var.master_instance_type
    		99  |   instance_initiated_shutdown_behavior = "terminate"
    		100 | 
    		101 |   vpc_security_group_ids = concat(
    		102 |     [aws_security_group.elasticsearch_security_group.id],
    		103 |     var.additional_security_groups,
    		104 |   )
    		105 |   iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
    		106 |   user_data            = data.template_file.bootstrap_userdata_script.rendered
    		107 |   key_name             = var.key_name
    		108 |   subnet_id            = local.bootstrap_node_subnet_id
    		109 | 
    		110 |   associate_public_ip_address = false
    		111 | 
    		112 |   tags = {
    		113 |     Name        = "${var.es_cluster}-bootstrap-node"
    		114 |     Environment = var.environment
    		115 |     Cluster     = "${var.environment}-${var.es_cluster}"
    		116 |     Role        = "bootstrap"
    		117 |   }
    		118 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.bootstrap_node
    	File: /terraform-aws/masters.tf:94-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		94  | resource "aws_instance" "bootstrap_node" {
    		95  |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		96  | 
    		97  |   ami                                  = data.aws_ami.elasticsearch.id
    		98  |   instance_type                        = var.master_instance_type
    		99  |   instance_initiated_shutdown_behavior = "terminate"
    		100 | 
    		101 |   vpc_security_group_ids = concat(
    		102 |     [aws_security_group.elasticsearch_security_group.id],
    		103 |     var.additional_security_groups,
    		104 |   )
    		105 |   iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
    		106 |   user_data            = data.template_file.bootstrap_userdata_script.rendered
    		107 |   key_name             = var.key_name
    		108 |   subnet_id            = local.bootstrap_node_subnet_id
    		109 | 
    		110 |   associate_public_ip_address = false
    		111 | 
    		112 |   tags = {
    		113 |     Name        = "${var.es_cluster}-bootstrap-node"
    		114 |     Environment = var.environment
    		115 |     Cluster     = "${var.environment}-${var.es_cluster}"
    		116 |     Role        = "bootstrap"
    		117 |   }
    		118 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.single_node
    	File: /terraform-aws/singlenode.tf:9-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		9  | resource "aws_launch_template" "single_node" {
    		10 |   name_prefix   = "elasticsearch-${var.es_cluster}-single-node"
    		11 |   image_id      = data.aws_ami.kibana_client.id
    		12 |   instance_type = var.data_instance_type
    		13 |   user_data     = base64encode(data.template_file.singlenode_userdata_script.rendered)
    		14 |   key_name      = var.key_name
    		15 | 
    		16 |   ebs_optimized = var.ebs_optimized
    		17 | 
    		18 |   iam_instance_profile {
    		19 |     arn = aws_iam_instance_profile.elasticsearch.arn
    		20 |   }
    		21 | 
    		22 |   network_interfaces {
    		23 |     delete_on_termination       = true
    		24 |     associate_public_ip_address = false
    		25 |     security_groups             = [aws_security_group.elasticsearch_security_group.id, aws_security_group.elasticsearch_clients_security_group.id]
    		26 |   }
    		27 | 
    		28 |   lifecycle {
    		29 |     create_before_destroy = true
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
    	FAILED for resource: aws_security_group.vpc-endpoint
    	File: /terraform-aws/vpc.tf:23-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports.html
    
    		23 | resource "aws_security_group" "vpc-endpoint" {
    		24 |   vpc_id = var.vpc_id
    		25 | 
    		26 |   ingress {
    		27 |     from_port   = 0
    		28 |     to_port     = 0
    		29 |     protocol    = "-1"
    		30 |     cidr_blocks = ["0.0.0.0/0"]
    		31 |   }
    		32 | 
    		33 |   egress {
    		34 |     from_port   = 0
    		35 |     to_port     = 0
    		36 |     protocol    = "-1"
    		37 |     cidr_blocks = ["0.0.0.0/0"]
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.vpc-endpoint
    	File: /terraform-aws/vpc.tf:23-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		23 | resource "aws_security_group" "vpc-endpoint" {
    		24 |   vpc_id = var.vpc_id
    		25 | 
    		26 |   ingress {
    		27 |     from_port   = 0
    		28 |     to_port     = 0
    		29 |     protocol    = "-1"
    		30 |     cidr_blocks = ["0.0.0.0/0"]
    		31 |   }
    		32 | 
    		33 |   egress {
    		34 |     from_port   = 0
    		35 |     to_port     = 0
    		36 |     protocol    = "-1"
    		37 |     cidr_blocks = ["0.0.0.0/0"]
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.vpc-endpoint
    	File: /terraform-aws/vpc.tf:23-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		23 | resource "aws_security_group" "vpc-endpoint" {
    		24 |   vpc_id = var.vpc_id
    		25 | 
    		26 |   ingress {
    		27 |     from_port   = 0
    		28 |     to_port     = 0
    		29 |     protocol    = "-1"
    		30 |     cidr_blocks = ["0.0.0.0/0"]
    		31 |   }
    		32 | 
    		33 |   egress {
    		34 |     from_port   = 0
    		35 |     to_port     = 0
    		36 |     protocol    = "-1"
    		37 |     cidr_blocks = ["0.0.0.0/0"]
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: aws_security_group.vpc-endpoint
    	File: /terraform-aws/vpc.tf:23-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
    
    		23 | resource "aws_security_group" "vpc-endpoint" {
    		24 |   vpc_id = var.vpc_id
    		25 | 
    		26 |   ingress {
    		27 |     from_port   = 0
    		28 |     to_port     = 0
    		29 |     protocol    = "-1"
    		30 |     cidr_blocks = ["0.0.0.0/0"]
    		31 |   }
    		32 | 
    		33 |   egress {
    		34 |     from_port   = 0
    		35 |     to_port     = 0
    		36 |     protocol    = "-1"
    		37 |     cidr_blocks = ["0.0.0.0/0"]
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.vpc-endpoint
    	File: /terraform-aws/vpc.tf:23-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		23 | resource "aws_security_group" "vpc-endpoint" {
    		24 |   vpc_id = var.vpc_id
    		25 | 
    		26 |   ingress {
    		27 |     from_port   = 0
    		28 |     to_port     = 0
    		29 |     protocol    = "-1"
    		30 |     cidr_blocks = ["0.0.0.0/0"]
    		31 |   }
    		32 | 
    		33 |   egress {
    		34 |     from_port   = 0
    		35 |     to_port     = 0
    		36 |     protocol    = "-1"
    		37 |     cidr_blocks = ["0.0.0.0/0"]
    		38 |   }
    		39 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance_template.client
    	File: /terraform-gcp/client.tf:57-95
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		57 | resource "google_compute_instance_template" "client" {
    		58 |   provider       = google-beta
    		59 |   name_prefix    = "${var.es_cluster}-instance-template-client"
    		60 |   project        = "${var.gcp_project_id}"
    		61 |   machine_type   = "${var.master_machine_type}"
    		62 |   can_ip_forward = true
    		63 | 
    		64 |   tags = [
    		65 |     "${var.es_cluster}",
    		66 |     "es-client-node",
    		67 |     "http-server",
    		68 |     "https-server"
    		69 |   ]
    		70 | 
    		71 |   metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
    		72 | 
    		73 |   labels = {
    		74 |     environment = var.environment
    		75 |     cluster     = "${var.environment}-${var.es_cluster}"
    		76 |     role        = "client"
    		77 |   }
    		78 | 
    		79 |   disk {
    		80 |     source_image = data.google_compute_image.kibana.self_link
    		81 |     boot         = true
    		82 |   }
    		83 | 
    		84 |   network_interface {
    		85 |     network = var.cluster_network
    		86 |   }
    		87 | 
    		88 |   service_account {
    		89 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     create_before_destroy = true
    		94 |   }
    		95 | }
    Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
    	FAILED for resource: google_compute_instance_template.client
    	File: /terraform-gcp/client.tf:57-95
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
    
    		57 | resource "google_compute_instance_template" "client" {
    		58 |   provider       = google-beta
    		59 |   name_prefix    = "${var.es_cluster}-instance-template-client"
    		60 |   project        = "${var.gcp_project_id}"
    		61 |   machine_type   = "${var.master_machine_type}"
    		62 |   can_ip_forward = true
    		63 | 
    		64 |   tags = [
    		65 |     "${var.es_cluster}",
    		66 |     "es-client-node",
    		67 |     "http-server",
    		68 |     "https-server"
    		69 |   ]
    		70 | 
    		71 |   metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
    		72 | 
    		73 |   labels = {
    		74 |     environment = var.environment
    		75 |     cluster     = "${var.environment}-${var.es_cluster}"
    		76 |     role        = "client"
    		77 |   }
    		78 | 
    		79 |   disk {
    		80 |     source_image = data.google_compute_image.kibana.self_link
    		81 |     boot         = true
    		82 |   }
    		83 | 
    		84 |   network_interface {
    		85 |     network = var.cluster_network
    		86 |   }
    		87 | 
    		88 |   service_account {
    		89 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     create_before_destroy = true
    		94 |   }
    		95 | }
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance_template.client
    	File: /terraform-gcp/client.tf:57-95
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		57 | resource "google_compute_instance_template" "client" {
    		58 |   provider       = google-beta
    		59 |   name_prefix    = "${var.es_cluster}-instance-template-client"
    		60 |   project        = "${var.gcp_project_id}"
    		61 |   machine_type   = "${var.master_machine_type}"
    		62 |   can_ip_forward = true
    		63 | 
    		64 |   tags = [
    		65 |     "${var.es_cluster}",
    		66 |     "es-client-node",
    		67 |     "http-server",
    		68 |     "https-server"
    		69 |   ]
    		70 | 
    		71 |   metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
    		72 | 
    		73 |   labels = {
    		74 |     environment = var.environment
    		75 |     cluster     = "${var.environment}-${var.es_cluster}"
    		76 |     role        = "client"
    		77 |   }
    		78 | 
    		79 |   disk {
    		80 |     source_image = data.google_compute_image.kibana.self_link
    		81 |     boot         = true
    		82 |   }
    		83 | 
    		84 |   network_interface {
    		85 |     network = var.cluster_network
    		86 |   }
    		87 | 
    		88 |   service_account {
    		89 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     create_before_destroy = true
    		94 |   }
    		95 | }
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance_template.client
    	File: /terraform-gcp/client.tf:57-95
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		57 | resource "google_compute_instance_template" "client" {
    		58 |   provider       = google-beta
    		59 |   name_prefix    = "${var.es_cluster}-instance-template-client"
    		60 |   project        = "${var.gcp_project_id}"
    		61 |   machine_type   = "${var.master_machine_type}"
    		62 |   can_ip_forward = true
    		63 | 
    		64 |   tags = [
    		65 |     "${var.es_cluster}",
    		66 |     "es-client-node",
    		67 |     "http-server",
    		68 |     "https-server"
    		69 |   ]
    		70 | 
    		71 |   metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
    		72 | 
    		73 |   labels = {
    		74 |     environment = var.environment
    		75 |     cluster     = "${var.environment}-${var.es_cluster}"
    		76 |     role        = "client"
    		77 |   }
    		78 | 
    		79 |   disk {
    		80 |     source_image = data.google_compute_image.kibana.self_link
    		81 |     boot         = true
    		82 |   }
    		83 | 
    		84 |   network_interface {
    		85 |     network = var.cluster_network
    		86 |   }
    		87 | 
    		88 |   service_account {
    		89 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		90 |   }
    		91 | 
    		92 |   lifecycle {
    		93 |     create_before_destroy = true
    		94 |   }
    		95 | }
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance_template.data-voters
    	File: /terraform-gcp/datas-voters.tf:47-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		47 | resource "google_compute_instance_template" "data-voters" {
    		48 |   provider       = google-beta
    		49 |   name_prefix    = "${var.es_cluster}-instance-template-data-voters"
    		50 |   project        = var.gcp_project_id
    		51 |   machine_type   = var.data_machine_type
    		52 |   can_ip_forward = false
    		53 | 
    		54 |   tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
    		55 | 
    		56 |   metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
    		57 | 
    		58 |   labels = {
    		59 |     environment = var.environment
    		60 |     cluster     = "${var.environment}-${var.es_cluster}"
    		61 |     role        = "data-voters"
    		62 |   }
    		63 | 
    		64 |   disk {
    		65 |     source_image = data.google_compute_image.elasticsearch.self_link
    		66 |     boot         = true
    		67 |   }
    		68 | 
    		69 |   network_interface {
    		70 |     network = var.cluster_network
    		71 |   }
    		72 | 
    		73 |   service_account {
    		74 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		75 |   }
    		76 | 
    		77 |   lifecycle {
    		78 |     create_before_destroy = true
    		79 |   }
    		80 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance_template.data-voters
    	File: /terraform-gcp/datas-voters.tf:47-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		47 | resource "google_compute_instance_template" "data-voters" {
    		48 |   provider       = google-beta
    		49 |   name_prefix    = "${var.es_cluster}-instance-template-data-voters"
    		50 |   project        = var.gcp_project_id
    		51 |   machine_type   = var.data_machine_type
    		52 |   can_ip_forward = false
    		53 | 
    		54 |   tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
    		55 | 
    		56 |   metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
    		57 | 
    		58 |   labels = {
    		59 |     environment = var.environment
    		60 |     cluster     = "${var.environment}-${var.es_cluster}"
    		61 |     role        = "data-voters"
    		62 |   }
    		63 | 
    		64 |   disk {
    		65 |     source_image = data.google_compute_image.elasticsearch.self_link
    		66 |     boot         = true
    		67 |   }
    		68 | 
    		69 |   network_interface {
    		70 |     network = var.cluster_network
    		71 |   }
    		72 | 
    		73 |   service_account {
    		74 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		75 |   }
    		76 | 
    		77 |   lifecycle {
    		78 |     create_before_destroy = true
    		79 |   }
    		80 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance_template.data-voters
    	File: /terraform-gcp/datas-voters.tf:47-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		47 | resource "google_compute_instance_template" "data-voters" {
    		48 |   provider       = google-beta
    		49 |   name_prefix    = "${var.es_cluster}-instance-template-data-voters"
    		50 |   project        = var.gcp_project_id
    		51 |   machine_type   = var.data_machine_type
    		52 |   can_ip_forward = false
    		53 | 
    		54 |   tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
    		55 | 
    		56 |   metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
    		57 | 
    		58 |   labels = {
    		59 |     environment = var.environment
    		60 |     cluster     = "${var.environment}-${var.es_cluster}"
    		61 |     role        = "data-voters"
    		62 |   }
    		63 | 
    		64 |   disk {
    		65 |     source_image = data.google_compute_image.elasticsearch.self_link
    		66 |     boot         = true
    		67 |   }
    		68 | 
    		69 |   network_interface {
    		70 |     network = var.cluster_network
    		71 |   }
    		72 | 
    		73 |   service_account {
    		74 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		75 |   }
    		76 | 
    		77 |   lifecycle {
    		78 |     create_before_destroy = true
    		79 |   }
    		80 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance_template.data
    	File: /terraform-gcp/datas.tf:46-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		46 | resource "google_compute_instance_template" "data" {
    		47 |   provider       = google-beta
    		48 |   name_prefix    = "${var.es_cluster}-instance-template-data"
    		49 |   project        = var.gcp_project_id
    		50 |   machine_type   = var.data_machine_type
    		51 |   can_ip_forward = false
    		52 | 
    		53 |   tags = ["${var.es_cluster}", "es-data-node"]
    		54 | 
    		55 |   metadata_startup_script = data.template_file.data_userdata_script.rendered
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "data"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.elasticsearch.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance_template.data
    	File: /terraform-gcp/datas.tf:46-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		46 | resource "google_compute_instance_template" "data" {
    		47 |   provider       = google-beta
    		48 |   name_prefix    = "${var.es_cluster}-instance-template-data"
    		49 |   project        = var.gcp_project_id
    		50 |   machine_type   = var.data_machine_type
    		51 |   can_ip_forward = false
    		52 | 
    		53 |   tags = ["${var.es_cluster}", "es-data-node"]
    		54 | 
    		55 |   metadata_startup_script = data.template_file.data_userdata_script.rendered
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "data"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.elasticsearch.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance_template.data
    	File: /terraform-gcp/datas.tf:46-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		46 | resource "google_compute_instance_template" "data" {
    		47 |   provider       = google-beta
    		48 |   name_prefix    = "${var.es_cluster}-instance-template-data"
    		49 |   project        = var.gcp_project_id
    		50 |   machine_type   = var.data_machine_type
    		51 |   can_ip_forward = false
    		52 | 
    		53 |   tags = ["${var.es_cluster}", "es-data-node"]
    		54 | 
    		55 |   metadata_startup_script = data.template_file.data_userdata_script.rendered
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "data"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.elasticsearch.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: google_storage_bucket.dev[0]
    	File: /terraform-gcp/dev.tf:1-6
    
    		1 | resource "google_storage_bucket" "dev" {
    		2 |   count         = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
    		3 |   name          = var.DEV_MODE_scripts_gcs_bucket
    		4 |   location      = var.gcp_region
    		5 |   force_destroy = true
    		6 | }
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: google_storage_bucket.dev[0]
    	File: /terraform-gcp/dev.tf:1-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		1 | resource "google_storage_bucket" "dev" {
    		2 |   count         = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
    		3 |   name          = var.DEV_MODE_scripts_gcs_bucket
    		4 |   location      = var.gcp_region
    		5 |   force_destroy = true
    		6 | }
    Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
    	FAILED for resource: google_storage_bucket.dev[0]
    	File: /terraform-gcp/dev.tf:1-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
    
    		1 | resource "google_storage_bucket" "dev" {
    		2 |   count         = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
    		3 |   name          = var.DEV_MODE_scripts_gcs_bucket
    		4 |   location      = var.gcp_region
    		5 |   force_destroy = true
    		6 | }
    Check: CKV_GCP_62: "Bucket should log access"
    	FAILED for resource: google_storage_bucket.dev[0]
    	File: /terraform-gcp/dev.tf:1-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
    
    		1 | resource "google_storage_bucket" "dev" {
    		2 |   count         = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
    		3 |   name          = var.DEV_MODE_scripts_gcs_bucket
    		4 |   location      = var.gcp_region
    		5 |   force_destroy = true
    		6 | }
    Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_disk.master
    	File: /terraform-gcp/disks.tf:33-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
    
    		33 | resource "google_compute_disk" "master" {
    		34 |   for_each = local.master_zone_flattened
    		35 | 
    		36 |   name = "elasticsearch-${var.es_cluster}-master-${jsondecode(each.value)["name"]}"
    		37 |   zone = jsondecode(each.value)["zone"]
    		38 |   size = 10
    		39 | 
    		40 |   labels = {
    		41 |     cluster-name = "${var.es_cluster}"
    		42 |     volume-index = jsondecode(each.value)["index"]
    		43 |     auto-attach-group = "master"
    		44 |   }
    		45 | }
    
    Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_disk.data
    	File: /terraform-gcp/disks.tf:47-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
    
    		47 | resource "google_compute_disk" "data" {
    		48 |   for_each = local.data_zone_flattened
    		49 | 
    		50 |   name = "elasticsearch-${var.es_cluster}-data-${jsondecode(each.value)["name"]}"
    		51 |   zone = jsondecode(each.value)["zone"]
    		52 |   size = var.elasticsearch_volume_size
    		53 | 
    		54 |   labels = {
    		55 |     cluster-name = "${var.es_cluster}"
    		56 |     volume-index = jsondecode(each.value)["index"]
    		57 |     auto-attach-group = "data"
    		58 |   }
    		59 | }
    
    Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_disk.data_voters
    	File: /terraform-gcp/disks.tf:61-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
    
    		61 | resource "google_compute_disk" "data_voters" {
    		62 |   for_each = local.data_voters_zone_flattened
    		63 | 
    		64 |   name = "elasticsearch-${var.es_cluster}-data-voters-${jsondecode(each.value)["name"]}"
    		65 |   zone = jsondecode(each.value)["zone"]
    		66 |   size = var.elasticsearch_volume_size
    		67 | 
    		68 |   labels = {
    		69 |     cluster-name = "${var.es_cluster}"
    		70 |     volume-index = jsondecode(each.value)["index"]
    		71 |     auto-attach-group = "data-voters"
    		72 |   }
    		73 | }
    
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: google_storage_bucket.snapshots[0]
    	File: /terraform-gcp/main.tf:66-70
    
    		66 | resource "google_storage_bucket" "snapshots" {
    		67 |   count = var.gcs_snapshots_bucket != "" ? 1 : 0
    		68 |   name  = var.gcs_snapshots_bucket
    		69 |   location = var.gcp_region
    		70 | }
    
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: google_storage_bucket.snapshots[0]
    	File: /terraform-gcp/main.tf:66-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		66 | resource "google_storage_bucket" "snapshots" {
    		67 |   count = var.gcs_snapshots_bucket != "" ? 1 : 0
    		68 |   name  = var.gcs_snapshots_bucket
    		69 |   location = var.gcp_region
    		70 | }
    
    Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
    	FAILED for resource: google_storage_bucket.snapshots[0]
    	File: /terraform-gcp/main.tf:66-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
    
    		66 | resource "google_storage_bucket" "snapshots" {
    		67 |   count = var.gcs_snapshots_bucket != "" ? 1 : 0
    		68 |   name  = var.gcs_snapshots_bucket
    		69 |   location = var.gcp_region
    		70 | }
    
    Check: CKV_GCP_62: "Bucket should log access"
    	FAILED for resource: google_storage_bucket.snapshots[0]
    	File: /terraform-gcp/main.tf:66-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
    
    		66 | resource "google_storage_bucket" "snapshots" {
    		67 |   count = var.gcs_snapshots_bucket != "" ? 1 : 0
    		68 |   name  = var.gcs_snapshots_bucket
    		69 |   location = var.gcp_region
    		70 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.bootstrap_node
    	File: /terraform-gcp/masters.tf:51-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		51 | resource "google_compute_instance" "bootstrap_node" {
    		52 |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		53 | 
    		54 |   name         = "${var.es_cluster}-bootstrap-node"
    		55 |   machine_type = "${var.master_machine_type}"
    		56 |   zone         = "${var.gcp_zone}"
    		57 | 
    		58 |   tags = ["${var.es_cluster}", "es-bootstrap-node"]
    		59 | 
    		60 |   boot_disk {
    		61 |     initialize_params {
    		62 |       image = data.google_compute_image.elasticsearch.self_link
    		63 |     }
    		64 |   }
    		65 | 
    		66 |   network_interface {
    		67 |     network = var.cluster_network
    		68 |   }
    		69 | 
    		70 |   metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.bootstrap_node
    	File: /terraform-gcp/masters.tf:51-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		51 | resource "google_compute_instance" "bootstrap_node" {
    		52 |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		53 | 
    		54 |   name         = "${var.es_cluster}-bootstrap-node"
    		55 |   machine_type = "${var.master_machine_type}"
    		56 |   zone         = "${var.gcp_zone}"
    		57 | 
    		58 |   tags = ["${var.es_cluster}", "es-bootstrap-node"]
    		59 | 
    		60 |   boot_disk {
    		61 |     initialize_params {
    		62 |       image = data.google_compute_image.elasticsearch.self_link
    		63 |     }
    		64 |   }
    		65 | 
    		66 |   network_interface {
    		67 |     network = var.cluster_network
    		68 |   }
    		69 | 
    		70 |   metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.bootstrap_node
    	File: /terraform-gcp/masters.tf:51-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		51 | resource "google_compute_instance" "bootstrap_node" {
    		52 |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		53 | 
    		54 |   name         = "${var.es_cluster}-bootstrap-node"
    		55 |   machine_type = "${var.master_machine_type}"
    		56 |   zone         = "${var.gcp_zone}"
    		57 | 
    		58 |   tags = ["${var.es_cluster}", "es-bootstrap-node"]
    		59 | 
    		60 |   boot_disk {
    		61 |     initialize_params {
    		62 |       image = data.google_compute_image.elasticsearch.self_link
    		63 |     }
    		64 |   }
    		65 | 
    		66 |   network_interface {
    		67 |     network = var.cluster_network
    		68 |   }
    		69 | 
    		70 |   metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance.bootstrap_node
    	File: /terraform-gcp/masters.tf:51-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		51 | resource "google_compute_instance" "bootstrap_node" {
    		52 |   count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
    		53 | 
    		54 |   name         = "${var.es_cluster}-bootstrap-node"
    		55 |   machine_type = "${var.master_machine_type}"
    		56 |   zone         = "${var.gcp_zone}"
    		57 | 
    		58 |   tags = ["${var.es_cluster}", "es-bootstrap-node"]
    		59 | 
    		60 |   boot_disk {
    		61 |     initialize_params {
    		62 |       image = data.google_compute_image.elasticsearch.self_link
    		63 |     }
    		64 |   }
    		65 | 
    		66 |   network_interface {
    		67 |     network = var.cluster_network
    		68 |   }
    		69 | 
    		70 |   metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance_template.master
    	File: /terraform-gcp/masters.tf:77-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		77  | resource "google_compute_instance_template" "master" {
    		78  |   provider       = google-beta
    		79  |   name_prefix    = "${var.es_cluster}-instance-template-master"
    		80  |   project        = "${var.gcp_project_id}"
    		81  |   machine_type   = "${var.master_machine_type}"
    		82  |   can_ip_forward = false
    		83  | 
    		84  |   tags = ["${var.es_cluster}", "es-master-node"]
    		85  | 
    		86  |   metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
    		87  | 
    		88  |   labels = {
    		89  |     environment = var.environment
    		90  |     cluster     = "${var.environment}-${var.es_cluster}"
    		91  |     role        = "master"
    		92  |   }
    		93  | 
    		94  |   disk {
    		95  |     source_image = data.google_compute_image.elasticsearch.self_link
    		96  |     boot         = true
    		97  |   }
    		98  | 
    		99  |   network_interface {
    		100 |     network = var.cluster_network
    		101 |   }
    		102 | 
    		103 |   service_account {
    		104 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		105 |   }
    		106 | 
    		107 |   lifecycle {
    		108 |     create_before_destroy = true
    		109 |   }
    		110 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance_template.master
    	File: /terraform-gcp/masters.tf:77-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		77  | resource "google_compute_instance_template" "master" {
    		78  |   provider       = google-beta
    		79  |   name_prefix    = "${var.es_cluster}-instance-template-master"
    		80  |   project        = "${var.gcp_project_id}"
    		81  |   machine_type   = "${var.master_machine_type}"
    		82  |   can_ip_forward = false
    		83  | 
    		84  |   tags = ["${var.es_cluster}", "es-master-node"]
    		85  | 
    		86  |   metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
    		87  | 
    		88  |   labels = {
    		89  |     environment = var.environment
    		90  |     cluster     = "${var.environment}-${var.es_cluster}"
    		91  |     role        = "master"
    		92  |   }
    		93  | 
    		94  |   disk {
    		95  |     source_image = data.google_compute_image.elasticsearch.self_link
    		96  |     boot         = true
    		97  |   }
    		98  | 
    		99  |   network_interface {
    		100 |     network = var.cluster_network
    		101 |   }
    		102 | 
    		103 |   service_account {
    		104 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		105 |   }
    		106 | 
    		107 |   lifecycle {
    		108 |     create_before_destroy = true
    		109 |   }
    		110 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance_template.master
    	File: /terraform-gcp/masters.tf:77-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		77  | resource "google_compute_instance_template" "master" {
    		78  |   provider       = google-beta
    		79  |   name_prefix    = "${var.es_cluster}-instance-template-master"
    		80  |   project        = "${var.gcp_project_id}"
    		81  |   machine_type   = "${var.master_machine_type}"
    		82  |   can_ip_forward = false
    		83  | 
    		84  |   tags = ["${var.es_cluster}", "es-master-node"]
    		85  | 
    		86  |   metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
    		87  | 
    		88  |   labels = {
    		89  |     environment = var.environment
    		90  |     cluster     = "${var.environment}-${var.es_cluster}"
    		91  |     role        = "master"
    		92  |   }
    		93  | 
    		94  |   disk {
    		95  |     source_image = data.google_compute_image.elasticsearch.self_link
    		96  |     boot         = true
    		97  |   }
    		98  | 
    		99  |   network_interface {
    		100 |     network = var.cluster_network
    		101 |   }
    		102 | 
    		103 |   service_account {
    		104 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		105 |   }
    		106 | 
    		107 |   lifecycle {
    		108 |     create_before_destroy = true
    		109 |   }
    		110 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance_template.singlenode
    	File: /terraform-gcp/singlenode.tf:43-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		43 | resource "google_compute_instance_template" "singlenode" {
    		44 |   provider = google-beta
    		45 |   name_prefix    = "${var.es_cluster}-instance-template-single"
    		46 | 
    		47 |   project      = "${var.gcp_project_id}"
    		48 |   machine_type = "${var.data_machine_type}"
    		49 | 
    		50 |   tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
    		51 | 
    		52 |   metadata = {
    		53 |     sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
    		54 |   }
    		55 |   metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "singlenode"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.kibana.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | 
    		80 | }
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance_template.singlenode
    	File: /terraform-gcp/singlenode.tf:43-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		43 | resource "google_compute_instance_template" "singlenode" {
    		44 |   provider = google-beta
    		45 |   name_prefix    = "${var.es_cluster}-instance-template-single"
    		46 | 
    		47 |   project      = "${var.gcp_project_id}"
    		48 |   machine_type = "${var.data_machine_type}"
    		49 | 
    		50 |   tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
    		51 | 
    		52 |   metadata = {
    		53 |     sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
    		54 |   }
    		55 |   metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "singlenode"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.kibana.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | 
    		80 | }
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance_template.singlenode
    	File: /terraform-gcp/singlenode.tf:43-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		43 | resource "google_compute_instance_template" "singlenode" {
    		44 |   provider = google-beta
    		45 |   name_prefix    = "${var.es_cluster}-instance-template-single"
    		46 | 
    		47 |   project      = "${var.gcp_project_id}"
    		48 |   machine_type = "${var.data_machine_type}"
    		49 | 
    		50 |   tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
    		51 | 
    		52 |   metadata = {
    		53 |     sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
    		54 |   }
    		55 |   metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
    		56 | 
    		57 |   labels = {
    		58 |     environment = var.environment
    		59 |     cluster     = "${var.environment}-${var.es_cluster}"
    		60 |     role        = "singlenode"
    		61 |   }
    		62 | 
    		63 |   disk {
    		64 |     source_image = data.google_compute_image.kibana.self_link
    		65 |     boot         = true
    		66 |   }
    		67 | 
    		68 |   network_interface {
    		69 |     network = var.cluster_network
    		70 |   }
    		71 | 
    		72 |   service_account {
    		73 |     scopes = ["userinfo-email", "compute-rw", "storage-ro"]
    		74 |   }
    		75 | 
    		76 |   lifecycle {
    		77 |     create_before_destroy = true
    		78 |   }
    		79 | 
    		80 | }
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.elasticsearch_subnet
    	File: /terraform-azure/main.tf:26-31
    
    		26 | resource "azurerm_subnet" "elasticsearch_subnet" {
    		27 |   name                 = "es-${var.es_cluster}-subnet"
    		28 |   resource_group_name  = "${azurerm_resource_group.elasticsearch.name}"
    		29 |   virtual_network_name = "${azurerm_virtual_network.elasticsearch_vnet.name}"
    		30 |   address_prefix       = "10.1.0.0/24"
    		31 | }
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.esearch
    	File: /terraform-aws/alb.tf:156-165
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		156 | resource "aws_lb_listener" "esearch" {
    		157 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		158 |   port              = "9200"
    		159 |   protocol          = "HTTP"
    		160 | 
    		161 |   default_action {
    		162 |     type             = "forward"
    		163 |     target_group_arn = aws_lb_target_group.esearch-p9200-tg.arn
    		164 |   }
    		165 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.kibana[0]
    	File: /terraform-aws/alb.tf:167-177
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		167 | resource "aws_lb_listener" "kibana" {
    		168 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		169 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		170 |   port              = "5601"
    		171 |   protocol          = "HTTP"
    		172 | 
    		173 |   default_action {
    		174 |     type             = "forward"
    		175 |     target_group_arn = aws_lb_target_group.kibana-p5601-tg[0].arn
    		176 |   }
    		177 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.grafana[0]
    	File: /terraform-aws/alb.tf:179-189
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		179 | resource "aws_lb_listener" "grafana" {
    		180 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		181 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		182 |   port              = "3000"
    		183 |   protocol          = "HTTP"
    		184 | 
    		185 |   default_action {
    		186 |     type             = "forward"
    		187 |     target_group_arn = aws_lb_target_group.grafana-p3000-tg[0].arn
    		188 |   }
    		189 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.cerebro[0]
    	File: /terraform-aws/alb.tf:191-201
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		191 | resource "aws_lb_listener" "cerebro" {
    		192 |   count    = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
    		193 |   load_balancer_arn = aws_lb.elasticsearch-alb.arn
    		194 |   port              = "9000"
    		195 |   protocol          = "HTTP"
    		196 | 
    		197 |   default_action {
    		198 |     type             = "forward"
    		199 |     target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn
    		200 |   }
    		201 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.elasticsearch-alb
    	File: /terraform-aws/alb.tf:141-149
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		141 | resource "aws_lb" "elasticsearch-alb" {
    		142 |   name               = "${var.es_cluster}-alb"
    		143 |   internal           = ! var.public_facing
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
    		146 |   subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
    		147 | 
    		148 |   enable_deletion_protection = false
    		149 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.elasticsearch-alb
    	File: /terraform-aws/alb.tf:141-149
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		141 | resource "aws_lb" "elasticsearch-alb" {
    		142 |   name               = "${var.es_cluster}-alb"
    		143 |   internal           = ! var.public_facing
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
    		146 |   subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
    		147 | 
    		148 |   enable_deletion_protection = false
    		149 | }
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the repository's CI/CD tool configuration files.

    There is an opportunity to: