| Repository | BigDataBoutique / elasticsearch-cloud-deploy |
|---|---|
| Description | Deploy Elasticsearch on the cloud easily |
| Stars | 329 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD configuration files in the repository.

There is an opportunity to:

- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 113, Failed checks: 68, Skipped checks: 0, Parsing errors: 4
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-es
File: /terraform-aws/alb.tf:8-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-es" {
9 | type = "ingress"
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | from_port = 9200
13 | to_port = 9200
14 |
15 | security_group_id = aws_security_group.elasticsearch-alb-sg.id
16 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-egress-rule-all
File: /terraform-aws/alb.tf:19-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
19 | resource "aws_security_group_rule" "elasticsearch-alb-sg-egress-rule-all" {
20 | type = "egress"
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | from_port = 0
24 | to_port = 0
25 |
26 | security_group_id = aws_security_group.elasticsearch-alb-sg.id
27 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-cerebro[0]
File: /terraform-aws/alb.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-cerebro" {
33 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
34 | type = "ingress"
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | from_port = 9000
38 | to_port = 9000
39 |
40 | security_group_id = aws_security_group.elasticsearch-alb-sg.id
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-grafana[0]
File: /terraform-aws/alb.tf:44-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
44 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-grafana" {
45 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
46 | type = "ingress"
47 | protocol = "tcp"
48 | cidr_blocks = ["0.0.0.0/0"]
49 | from_port = 3000
50 | to_port = 3000
51 |
52 | security_group_id = aws_security_group.elasticsearch-alb-sg.id
53 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elasticsearch-alb-sg-ingress-rule-kibana[0]
File: /terraform-aws/alb.tf:56-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-kibana" {
57 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
58 | type = "ingress"
59 | protocol = "tcp"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | from_port = 5601
62 | to_port = 5601
63 |
64 | security_group_id = aws_security_group.elasticsearch-alb-sg.id
65 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.elasticsearch-alb
File: /terraform-aws/alb.tf:141-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
141 | resource "aws_lb" "elasticsearch-alb" {
142 | name = "${var.es_cluster}-alb"
143 | internal = ! var.public_facing
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
146 | subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
147 |
148 | enable_deletion_protection = false
149 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.elasticsearch-alb
File: /terraform-aws/alb.tf:141-149
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
141 | resource "aws_lb" "elasticsearch-alb" {
142 | name = "${var.es_cluster}-alb"
143 | internal = ! var.public_facing
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
146 | subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
147 |
148 | enable_deletion_protection = false
149 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.elasticsearch-alb
File: /terraform-aws/alb.tf:141-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
141 | resource "aws_lb" "elasticsearch-alb" {
142 | name = "${var.es_cluster}-alb"
143 | internal = ! var.public_facing
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
146 | subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
147 |
148 | enable_deletion_protection = false
149 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.esearch
File: /terraform-aws/alb.tf:156-165
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
156 | resource "aws_lb_listener" "esearch" {
157 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
158 | port = "9200"
159 | protocol = "HTTP"
160 |
161 | default_action {
162 | type = "forward"
163 | target_group_arn = aws_lb_target_group.esearch-p9200-tg.arn
164 | }
165 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.kibana[0]
File: /terraform-aws/alb.tf:167-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
167 | resource "aws_lb_listener" "kibana" {
168 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
169 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
170 | port = "5601"
171 | protocol = "HTTP"
172 |
173 | default_action {
174 | type = "forward"
175 | target_group_arn = aws_lb_target_group.kibana-p5601-tg[0].arn
176 | }
177 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.grafana[0]
File: /terraform-aws/alb.tf:179-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
179 | resource "aws_lb_listener" "grafana" {
180 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
181 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
182 | port = "3000"
183 | protocol = "HTTP"
184 |
185 | default_action {
186 | type = "forward"
187 | target_group_arn = aws_lb_target_group.grafana-p3000-tg[0].arn
188 | }
189 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.cerebro[0]
File: /terraform-aws/alb.tf:191-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
191 | resource "aws_lb_listener" "cerebro" {
192 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
193 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
194 | port = "9000"
195 | protocol = "HTTP"
196 |
197 | default_action {
198 | type = "forward"
199 | target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn
200 | }
201 | }
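The alb.tf findings above (CKV_AWS_23, CKV_AWS_131, CKV_AWS_150, CKV_AWS_91 and CKV_AWS_2) all resolve in one pass over the security group rules, the load balancer and the listener. The following is an added example of that pass, not code from the elasticsearch-cloud-deploy repository: `var.allowed_cidrs`, `var.certificate_arn` and `var.alb_log_bucket` are assumed inputs the page does not show, while `var.es_cluster`, `var.public_facing`, `var.alb_subnets`, `aws_security_group.elasticsearch-alb-sg`, `aws_lb_target_group.esearch-p9200-tg` and the other identifiers are the repository's own names. Only the Elasticsearch listener is shown; the kibana, grafana and cerebro listeners take the identical change.

```hcl
# Added example: hardened ALB security group rules, load balancer and listener.
# Assumed inputs (not present in the original repository):
variable "allowed_cidrs" {
  description = "CIDR ranges allowed to reach the ALB; replaces 0.0.0.0/0"
  type        = list(string)
}

variable "certificate_arn" {
  description = "ACM certificate for the HTTPS listener"
  type        = string
}

variable "alb_log_bucket" {
  description = "S3 bucket that already allows ELB log delivery"
  type        = string
}

# CKV_AWS_23: every rule carries a description. The source is a named list of
# networks instead of the whole internet.
resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-es" {
  description       = "Elasticsearch over TLS from approved networks"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 9200
  to_port           = 9200
  cidr_blocks       = var.allowed_cidrs
  security_group_id = aws_security_group.elasticsearch-alb-sg.id
}

resource "aws_security_group_rule" "elasticsearch-alb-sg-egress-rule-all" {
  description       = "ALB to registered targets (tighten to target ports once known)"
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.elasticsearch-alb-sg.id
}

resource "aws_lb" "elasticsearch-alb" {
  name               = "${var.es_cluster}-alb"
  internal           = ! var.public_facing
  load_balancer_type = "application"
  security_groups    = [aws_security_group.elasticsearch-alb-sg.id]
  subnets            = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))

  drop_invalid_header_fields = true # CKV_AWS_131: reject malformed header names
  enable_deletion_protection = true # CKV_AWS_150

  access_logs {                     # CKV_AWS_91
    bucket  = var.alb_log_bucket
    prefix  = "${var.es_cluster}-alb"
    enabled = true
  }
}

# CKV_AWS_2: TLS terminates at the ALB on the port clients already use.
resource "aws_lb_listener" "esearch" {
  load_balancer_arn = aws_lb.elasticsearch-alb.arn
  port              = "9200"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.esearch-p9200-tg.arn
  }
}
```

Two operational consequences: ALB access logging fails at apply time unless the bucket policy lets the Elastic Load Balancing log-delivery principal for the region write under the prefix, and `enable_deletion_protection = true` makes `terraform destroy` refuse to remove the ALB until it is flipped back. The security point is the combination in the original: `internal = ! var.public_facing` together with `cidr_blocks = ["0.0.0.0/0"]` on a plaintext 9200 listener means a public-facing deployment exposes the Elasticsearch HTTP API to the whole internet without TLS; restricting the source CIDRs and terminating TLS at the ALB closes both gaps.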
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.client
File: /terraform-aws/client.tf:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
9 | resource "aws_launch_template" "client" {
10 | name_prefix = "elasticsearch-${var.es_cluster}-client-nodes"
11 | image_id = data.aws_ami.kibana_client.id
12 | instance_type = var.master_instance_type
13 | user_data = base64encode(data.template_file.client_userdata_script.rendered)
14 | key_name = var.key_name
15 |
16 | iam_instance_profile {
17 | arn = aws_iam_instance_profile.elasticsearch.arn
18 | }
19 |
20 | network_interfaces {
21 | delete_on_termination = true
22 | associate_public_ip_address = false
23 | security_groups = concat(
24 | [aws_security_group.elasticsearch_security_group.id],
25 | [aws_security_group.elasticsearch_clients_security_group.id],
26 | var.additional_security_groups,
27 | )
28 | }
29 |
30 | lifecycle {
31 | create_before_destroy = true
32 | }
33 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.data
File: /terraform-aws/datas.tf:9-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
9 | resource "aws_launch_template" "data" {
10 | name_prefix = "elasticsearch-${var.es_cluster}-data-nodes"
11 | image_id = data.aws_ami.elasticsearch.id
12 | instance_type = var.data_instance_type
13 | user_data = base64encode(data.template_file.data_userdata_script.rendered)
14 | key_name = var.key_name
15 |
16 | ebs_optimized = var.ebs_optimized
17 |
18 | iam_instance_profile {
19 | arn = aws_iam_instance_profile.elasticsearch.arn
20 | }
21 |
22 | network_interfaces {
23 | delete_on_termination = true
24 | associate_public_ip_address = false
25 | security_groups = concat(
26 | [aws_security_group.elasticsearch_security_group.id],
27 | var.additional_security_groups,
28 | )
29 | }
30 |
31 | lifecycle {
32 | create_before_destroy = true
33 | }
34 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.master
File: /terraform-aws/disks.tf:15-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
15 | resource "aws_ebs_volume" "master" {
16 | for_each = local.master_az_flattened
17 |
18 | availability_zone = jsondecode(each.value)["az"]
19 | size = 10
20 | type = "gp2"
21 | encrypted = var.volume_encryption
22 |
23 | tags = {
24 | Name = "elasticsearch-${var.es_cluster}-master-${jsondecode(each.value)["name"]}"
25 | ClusterName = var.es_cluster
26 | VolumeIndex = jsondecode(each.value)["index"]
27 | AutoAttachGroup = "master"
28 | }
29 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.data
File: /terraform-aws/disks.tf:31-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
31 | resource "aws_ebs_volume" "data" {
32 | for_each = local.data_az_flattened
33 |
34 | availability_zone = jsondecode(each.value)["az"]
35 | size = var.elasticsearch_volume_size
36 | type = "gp2"
37 | encrypted = var.volume_encryption
38 |
39 | tags = {
40 | Name = "elasticsearch-${var.es_cluster}-data-${jsondecode(each.value)["name"]}"
41 | ClusterName = var.es_cluster
42 | VolumeIndex = jsondecode(each.value)["index"]
43 | AutoAttachGroup = "data"
44 | }
45 | }
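CKV_AWS_189 fails because `encrypted = var.volume_encryption` leaves encryption optional and, when it is on, uses the account's default EBS key (normally the AWS-managed `aws/ebs` key) rather than a customer-managed one. Below is an added example of the fix for the data volumes, not code from the repository; the master volumes take the same change. The KMS key and alias are new resources introduced here, everything else keeps the names shown above.

```hcl
# Added example: customer-managed KMS key for the cluster's EBS volumes.
resource "aws_kms_key" "ebs" {
  description             = "CMK for elasticsearch-${var.es_cluster} EBS volumes"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ebs" {
  name          = "alias/elasticsearch-${var.es_cluster}-ebs"
  target_key_id = aws_kms_key.ebs.key_id
}

resource "aws_ebs_volume" "data" {
  for_each = local.data_az_flattened

  availability_zone = jsondecode(each.value)["az"]
  size              = var.elasticsearch_volume_size
  type              = "gp2"

  # CKV_AWS_189: encryption is no longer a toggle, and the key is ours rather
  # than the account default.
  encrypted  = true
  kms_key_id = aws_kms_key.ebs.arn

  tags = {
    Name            = "elasticsearch-${var.es_cluster}-data-${jsondecode(each.value)["name"]}"
    ClusterName     = var.es_cluster
    VolumeIndex     = jsondecode(each.value)["index"]
    AutoAttachGroup = "data"
  }
}
```

Two caveats before applying this to a live cluster. `encrypted` and `kms_key_id` force replacement of an `aws_ebs_volume`, so Terraform will destroy and recreate every data volume; snapshot first and restore, or migrate by adding new volumes and letting Elasticsearch rebalance. The default key policy delegates access to IAM, so the role that attaches the volumes (here the instance profile used by the auto-attach user data) must be allowed to use this key, since EC2 creates a grant on it at attach time; without that the attach call fails even though the volume was created.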
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.elasticsearch_security_group
File: /terraform-aws/main.tf:73-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
73 | resource "aws_security_group" "elasticsearch_security_group" {
74 | name = "elasticsearch-${var.es_cluster}-security-group"
75 | description = "Elasticsearch ports with ssh"
76 | vpc_id = var.vpc_id
77 |
78 | tags = {
79 | Name = "${var.es_cluster}-elasticsearch"
80 | cluster = var.es_cluster
81 | }
82 |
83 | # ssh access from everywhere
84 | ingress {
85 | from_port = 22
86 | to_port = 22
87 | protocol = "tcp"
88 | cidr_blocks = ["0.0.0.0/0"]
89 | }
90 |
91 | # inter-cluster communication over ports 9200-9400
92 | ingress {
93 | from_port = 9200
94 | to_port = 9400
95 | protocol = "tcp"
96 | self = true
97 | }
98 |
99 | # allow inter-cluster ping
100 | ingress {
101 | from_port = 8
102 | to_port = 0
103 | protocol = "icmp"
104 | self = true
105 | }
106 |
107 | # allow alb sg access
108 | ingress {
109 | from_port = 9200
110 | to_port = 9200
111 | protocol = "tcp"
112 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
113 | }
114 |
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.elasticsearch_security_group
File: /terraform-aws/main.tf:73-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
73 | resource "aws_security_group" "elasticsearch_security_group" {
74 | name = "elasticsearch-${var.es_cluster}-security-group"
75 | description = "Elasticsearch ports with ssh"
76 | vpc_id = var.vpc_id
77 |
78 | tags = {
79 | Name = "${var.es_cluster}-elasticsearch"
80 | cluster = var.es_cluster
81 | }
82 |
83 | # ssh access from everywhere
84 | ingress {
85 | from_port = 22
86 | to_port = 22
87 | protocol = "tcp"
88 | cidr_blocks = ["0.0.0.0/0"]
89 | }
90 |
91 | # inter-cluster communication over ports 9200-9400
92 | ingress {
93 | from_port = 9200
94 | to_port = 9400
95 | protocol = "tcp"
96 | self = true
97 | }
98 |
99 | # allow inter-cluster ping
100 | ingress {
101 | from_port = 8
102 | to_port = 0
103 | protocol = "icmp"
104 | self = true
105 | }
106 |
107 | # allow alb sg access
108 | ingress {
109 | from_port = 9200
110 | to_port = 9200
111 | protocol = "tcp"
112 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
113 | }
114 |
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.elasticsearch_clients_security_group
File: /terraform-aws/main.tf:123-165
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
123 | resource "aws_security_group" "elasticsearch_clients_security_group" {
124 | name = "elasticsearch-${var.es_cluster}-clients-security-group"
125 | description = "Kibana HTTP access from outside"
126 | vpc_id = var.vpc_id
127 |
128 | tags = {
129 | Name = "${var.es_cluster}-kibana"
130 | cluster = var.es_cluster
131 | }
132 |
133 | # allow alb sg access
134 | ingress {
135 | from_port = 9200
136 | to_port = 9200
137 | protocol = "tcp"
138 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
139 | }
140 | ingress {
141 | from_port = 5601
142 | to_port = 5601
143 | protocol = "tcp"
144 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
145 | }
146 | ingress {
147 | from_port = 3000
148 | to_port = 3000
149 | protocol = "tcp"
150 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
151 | }
152 | ingress {
153 | from_port = 9000
154 | to_port = 9000
155 | protocol = "tcp"
156 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
157 | }
158 |
159 | egress {
160 | from_port = 0
161 | to_port = 0
162 | protocol = "-1"
163 | cidr_blocks = ["0.0.0.0/0"]
164 | }
165 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.master
File: /terraform-aws/masters.tf:21-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
21 | resource "aws_launch_template" "master" {
22 | name_prefix = "elasticsearch-${var.es_cluster}-master-nodes"
23 | image_id = data.aws_ami.elasticsearch.id
24 | instance_type = var.master_instance_type
25 | user_data = base64encode(data.template_file.master_userdata_script.rendered)
26 | key_name = var.key_name
27 |
28 | iam_instance_profile {
29 | arn = aws_iam_instance_profile.elasticsearch.arn
30 | }
31 |
32 | network_interfaces {
33 | delete_on_termination = true
34 | associate_public_ip_address = false
35 | security_groups = concat(
36 | [aws_security_group.elasticsearch_security_group.id],
37 | var.additional_security_groups,
38 | )
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.bootstrap_node
File: /terraform-aws/masters.tf:94-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
94 | resource "aws_instance" "bootstrap_node" {
95 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
96 |
97 | ami = data.aws_ami.elasticsearch.id
98 | instance_type = var.master_instance_type
99 | instance_initiated_shutdown_behavior = "terminate"
100 |
101 | vpc_security_group_ids = concat(
102 | [aws_security_group.elasticsearch_security_group.id],
103 | var.additional_security_groups,
104 | )
105 | iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
106 | user_data = data.template_file.bootstrap_userdata_script.rendered
107 | key_name = var.key_name
108 | subnet_id = local.bootstrap_node_subnet_id
109 |
110 | associate_public_ip_address = false
111 |
112 | tags = {
113 | Name = "${var.es_cluster}-bootstrap-node"
114 | Environment = var.environment
115 | Cluster = "${var.environment}-${var.es_cluster}"
116 | Role = "bootstrap"
117 | }
118 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.bootstrap_node
File: /terraform-aws/masters.tf:94-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
94 | resource "aws_instance" "bootstrap_node" {
95 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
96 |
97 | ami = data.aws_ami.elasticsearch.id
98 | instance_type = var.master_instance_type
99 | instance_initiated_shutdown_behavior = "terminate"
100 |
101 | vpc_security_group_ids = concat(
102 | [aws_security_group.elasticsearch_security_group.id],
103 | var.additional_security_groups,
104 | )
105 | iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
106 | user_data = data.template_file.bootstrap_userdata_script.rendered
107 | key_name = var.key_name
108 | subnet_id = local.bootstrap_node_subnet_id
109 |
110 | associate_public_ip_address = false
111 |
112 | tags = {
113 | Name = "${var.es_cluster}-bootstrap-node"
114 | Environment = var.environment
115 | Cluster = "${var.environment}-${var.es_cluster}"
116 | Role = "bootstrap"
117 | }
118 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.bootstrap_node
File: /terraform-aws/masters.tf:94-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
94 | resource "aws_instance" "bootstrap_node" {
95 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
96 |
97 | ami = data.aws_ami.elasticsearch.id
98 | instance_type = var.master_instance_type
99 | instance_initiated_shutdown_behavior = "terminate"
100 |
101 | vpc_security_group_ids = concat(
102 | [aws_security_group.elasticsearch_security_group.id],
103 | var.additional_security_groups,
104 | )
105 | iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
106 | user_data = data.template_file.bootstrap_userdata_script.rendered
107 | key_name = var.key_name
108 | subnet_id = local.bootstrap_node_subnet_id
109 |
110 | associate_public_ip_address = false
111 |
112 | tags = {
113 | Name = "${var.es_cluster}-bootstrap-node"
114 | Environment = var.environment
115 | Cluster = "${var.environment}-${var.es_cluster}"
116 | Role = "bootstrap"
117 | }
118 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.bootstrap_node
File: /terraform-aws/masters.tf:94-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
94 | resource "aws_instance" "bootstrap_node" {
95 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
96 |
97 | ami = data.aws_ami.elasticsearch.id
98 | instance_type = var.master_instance_type
99 | instance_initiated_shutdown_behavior = "terminate"
100 |
101 | vpc_security_group_ids = concat(
102 | [aws_security_group.elasticsearch_security_group.id],
103 | var.additional_security_groups,
104 | )
105 | iam_instance_profile = aws_iam_instance_profile.elasticsearch.id
106 | user_data = data.template_file.bootstrap_userdata_script.rendered
107 | key_name = var.key_name
108 | subnet_id = local.bootstrap_node_subnet_id
109 |
110 | associate_public_ip_address = false
111 |
112 | tags = {
113 | Name = "${var.es_cluster}-bootstrap-node"
114 | Environment = var.environment
115 | Cluster = "${var.environment}-${var.es_cluster}"
116 | Role = "bootstrap"
117 | }
118 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.single_node
File: /terraform-aws/singlenode.tf:9-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
9 | resource "aws_launch_template" "single_node" {
10 | name_prefix = "elasticsearch-${var.es_cluster}-single-node"
11 | image_id = data.aws_ami.kibana_client.id
12 | instance_type = var.data_instance_type
13 | user_data = base64encode(data.template_file.singlenode_userdata_script.rendered)
14 | key_name = var.key_name
15 |
16 | ebs_optimized = var.ebs_optimized
17 |
18 | iam_instance_profile {
19 | arn = aws_iam_instance_profile.elasticsearch.arn
20 | }
21 |
22 | network_interfaces {
23 | delete_on_termination = true
24 | associate_public_ip_address = false
25 | security_groups = [aws_security_group.elasticsearch_security_group.id, aws_security_group.elasticsearch_clients_security_group.id]
26 | }
27 |
28 | lifecycle {
29 | create_before_destroy = true
30 | }
31 | }
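Every launch template on the page (client, data, master, single_node) and the bootstrap instance fail CKV_AWS_79 because no `metadata_options` block is set, so IMDSv1 stays enabled: any process that can issue a plain HTTP GET from the node, including one reached through a server-side request forgery in an exposed web application, can read the `aws_iam_instance_profile.elasticsearch` credentials from 169.254.169.254 without a session token. The bootstrap instance additionally fails CKV_AWS_126, CKV_AWS_8 and CKV_AWS_135. The following is an added example showing the data launch template and the bootstrap instance with those settings, not code from the repository: `var.ebs_kms_key_arn` and the `/dev/xvda` root device name are assumptions, the rest are the page's names, and the other launch templates take the same `metadata_options` block.

```hcl
# Added example: IMDSv2 enforced, detailed monitoring, EBS optimisation and an
# encrypted root volume on one launch template and on the bootstrap instance.
variable "ebs_kms_key_arn" { # assumed input, not in the original repository
  description = "Customer-managed KMS key for root volumes"
  type        = string
}

resource "aws_launch_template" "data" {
  name_prefix   = "elasticsearch-${var.es_cluster}-data-nodes"
  image_id      = data.aws_ami.elasticsearch.id
  instance_type = var.data_instance_type
  user_data     = base64encode(data.template_file.data_userdata_script.rendered)
  key_name      = var.key_name
  ebs_optimized = var.ebs_optimized

  # CKV_AWS_79: every metadata request must carry a session token (IMDSv2),
  # and a hop limit of 1 stops the token from being relayed through a proxy
  # or a container on a bridge network.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  monitoring {
    enabled = true
  }

  block_device_mappings {
    device_name = "/dev/xvda" # assumed root device; confirm against the AMI
    ebs {
      encrypted             = true
      kms_key_id            = var.ebs_kms_key_arn
      delete_on_termination = true
    }
  }

  iam_instance_profile {
    arn = aws_iam_instance_profile.elasticsearch.arn
  }

  network_interfaces {
    delete_on_termination       = true
    associate_public_ip_address = false
    security_groups = concat(
      [aws_security_group.elasticsearch_security_group.id],
      var.additional_security_groups,
    )
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_instance" "bootstrap_node" {
  count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1

  ami                                  = data.aws_ami.elasticsearch.id
  instance_type                        = var.master_instance_type
  instance_initiated_shutdown_behavior = "terminate"
  vpc_security_group_ids = concat(
    [aws_security_group.elasticsearch_security_group.id],
    var.additional_security_groups,
  )
  iam_instance_profile        = aws_iam_instance_profile.elasticsearch.id
  user_data                   = data.template_file.bootstrap_userdata_script.rendered
  key_name                    = var.key_name
  subnet_id                   = local.bootstrap_node_subnet_id
  associate_public_ip_address = false

  monitoring    = true # CKV_AWS_126
  ebs_optimized = true # CKV_AWS_135

  metadata_options { # CKV_AWS_79
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device { # CKV_AWS_8
    encrypted  = true
    kms_key_id = var.ebs_kms_key_arn
  }

  tags = {
    Name        = "${var.es_cluster}-bootstrap-node"
    Environment = var.environment
    Cluster     = "${var.environment}-${var.es_cluster}"
    Role        = "bootstrap"
  }
}
```

Enforcing IMDSv2 is a breaking change for anything that still fetches metadata without a token: the AWS CLI and SDKs have used the token flow by default since late 2019, but a hand-rolled `curl http://169.254.169.254/...` in a user-data script will start receiving 401 responses. The user-data scripts referenced here are not on the page, so check them before rolling this out. If anything on the node runs in a container with its own network namespace, raise `http_put_response_hop_limit` to 2; at 1 the token response does not survive the extra hop.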
Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.vpc-endpoint
File: /terraform-aws/vpc.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports.html
23 | resource "aws_security_group" "vpc-endpoint" {
24 | vpc_id = var.vpc_id
25 |
26 | ingress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.vpc-endpoint
File: /terraform-aws/vpc.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
23 | resource "aws_security_group" "vpc-endpoint" {
24 | vpc_id = var.vpc_id
25 |
26 | ingress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.vpc-endpoint
File: /terraform-aws/vpc.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
23 | resource "aws_security_group" "vpc-endpoint" {
24 | vpc_id = var.vpc_id
25 |
26 | ingress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: aws_security_group.vpc-endpoint
File: /terraform-aws/vpc.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
23 | resource "aws_security_group" "vpc-endpoint" {
24 | vpc_id = var.vpc_id
25 |
26 | ingress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.vpc-endpoint
File: /terraform-aws/vpc.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
23 | resource "aws_security_group" "vpc-endpoint" {
24 | vpc_id = var.vpc_id
25 |
26 | ingress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 | }
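The two security groups in main.tf and vpc.tf are flagged for missing rule descriptions (CKV_AWS_23), for SSH open to 0.0.0.0/0 on every cluster node (CKV_AWS_24) and, on the endpoint group, for all ports and protocols open to 0.0.0.0/0 (CKV_AWS_277, with CKV_AWS_260, CKV_AWS_25 and CKV_AWS_24 being the same rule counted against ports 80, 3389 and 22). The following is an added example of both groups rewritten, not code from the repository: `var.bastion_security_group_id` is an assumed input, the endpoint is assumed to be an interface endpoint (the `aws_vpc_endpoint` resource is not on the page, and interface endpoints accept only HTTPS), and every other name is the repository's.

```hcl
# Added example: descriptions on every rule, SSH limited to a bastion group,
# and the VPC endpoint reachable only from the cluster's own security groups.
variable "bastion_security_group_id" { # assumed input, not in the original repository
  description = "Security group of the host administrators SSH from"
  type        = string
}

resource "aws_security_group" "elasticsearch_security_group" {
  name        = "elasticsearch-${var.es_cluster}-security-group"
  description = "Elasticsearch ports with ssh"
  vpc_id      = var.vpc_id

  tags = {
    Name    = "${var.es_cluster}-elasticsearch"
    cluster = var.es_cluster
  }

  ingress {
    description     = "SSH from the bastion only (was 0.0.0.0/0)" # CKV_AWS_24
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [var.bastion_security_group_id]
  }

  ingress {
    description = "Elasticsearch HTTP and transport between cluster members"
    from_port   = 9200
    to_port     = 9400
    protocol    = "tcp"
    self        = true
  }

  ingress {
    # For ICMP, from_port is the type and to_port the code: 8/0 is echo request.
    description = "ICMP echo request between cluster members"
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    self        = true
  }

  ingress {
    description     = "Elasticsearch HTTP from the ALB"
    from_port       = 9200
    to_port         = 9200
    protocol        = "tcp"
    security_groups = [aws_security_group.elasticsearch-alb-sg.id]
  }

  egress {
    description = "All outbound: package mirrors, snapshot bucket, AWS APIs"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Interface endpoint ENIs only ever receive HTTPS from inside the VPC, so the
# only legitimate clients are the cluster's own nodes.
resource "aws_security_group" "vpc-endpoint" {
  name        = "elasticsearch-${var.es_cluster}-vpc-endpoint"
  description = "HTTPS to the VPC interface endpoint from cluster nodes"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from Elasticsearch and client nodes" # CKV_AWS_277
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    security_groups = [
      aws_security_group.elasticsearch_security_group.id,
      aws_security_group.elasticsearch_clients_security_group.id,
    ]
  }

  # No egress block: the AWS provider then removes the default allow-all egress
  # rule. Security groups are stateful, so the endpoint's replies still flow.
}
```

Two details worth knowing when reading the original. `from_port = 8, to_port = 0` with `protocol = "icmp"` is not a typo: for ICMP the two fields carry type and code, so that rule admits echo requests only. And an endpoint ENI has only private addresses, so the `0.0.0.0/0` rule on `vpc-endpoint` admits every host in the VPC rather than the internet; that is still far more than the cluster needs, which is why the rewrite names the two cluster groups as the only sources. The SSH rule is the finding with real exposure: every master, data and client node carried port 22 open to the world, so a leaked or weak key pair would have meant a shell on the cluster.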
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance_template.client
File: /terraform-gcp/client.tf:57-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
57 | resource "google_compute_instance_template" "client" {
58 | provider = google-beta
59 | name_prefix = "${var.es_cluster}-instance-template-client"
60 | project = "${var.gcp_project_id}"
61 | machine_type = "${var.master_machine_type}"
62 | can_ip_forward = true
63 |
64 | tags = [
65 | "${var.es_cluster}",
66 | "es-client-node",
67 | "http-server",
68 | "https-server"
69 | ]
70 |
71 | metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
72 |
73 | labels = {
74 | environment = var.environment
75 | cluster = "${var.environment}-${var.es_cluster}"
76 | role = "client"
77 | }
78 |
79 | disk {
80 | source_image = data.google_compute_image.kibana.self_link
81 | boot = true
82 | }
83 |
84 | network_interface {
85 | network = var.cluster_network
86 | }
87 |
88 | service_account {
89 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
90 | }
91 |
92 | lifecycle {
93 | create_before_destroy = true
94 | }
95 | }
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: google_compute_instance_template.client
File: /terraform-gcp/client.tf:57-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
57 | resource "google_compute_instance_template" "client" {
58 | provider = google-beta
59 | name_prefix = "${var.es_cluster}-instance-template-client"
60 | project = "${var.gcp_project_id}"
61 | machine_type = "${var.master_machine_type}"
62 | can_ip_forward = true
63 |
64 | tags = [
65 | "${var.es_cluster}",
66 | "es-client-node",
67 | "http-server",
68 | "https-server"
69 | ]
70 |
71 | metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
72 |
73 | labels = {
74 | environment = var.environment
75 | cluster = "${var.environment}-${var.es_cluster}"
76 | role = "client"
77 | }
78 |
79 | disk {
80 | source_image = data.google_compute_image.kibana.self_link
81 | boot = true
82 | }
83 |
84 | network_interface {
85 | network = var.cluster_network
86 | }
87 |
88 | service_account {
89 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
90 | }
91 |
92 | lifecycle {
93 | create_before_destroy = true
94 | }
95 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance_template.client
File: /terraform-gcp/client.tf:57-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
57 | resource "google_compute_instance_template" "client" {
58 | provider = google-beta
59 | name_prefix = "${var.es_cluster}-instance-template-client"
60 | project = "${var.gcp_project_id}"
61 | machine_type = "${var.master_machine_type}"
62 | can_ip_forward = true
63 |
64 | tags = [
65 | "${var.es_cluster}",
66 | "es-client-node",
67 | "http-server",
68 | "https-server"
69 | ]
70 |
71 | metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
72 |
73 | labels = {
74 | environment = var.environment
75 | cluster = "${var.environment}-${var.es_cluster}"
76 | role = "client"
77 | }
78 |
79 | disk {
80 | source_image = data.google_compute_image.kibana.self_link
81 | boot = true
82 | }
83 |
84 | network_interface {
85 | network = var.cluster_network
86 | }
87 |
88 | service_account {
89 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
90 | }
91 |
92 | lifecycle {
93 | create_before_destroy = true
94 | }
95 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance_template.client
File: /terraform-gcp/client.tf:57-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
57 | resource "google_compute_instance_template" "client" {
58 | provider = google-beta
59 | name_prefix = "${var.es_cluster}-instance-template-client"
60 | project = "${var.gcp_project_id}"
61 | machine_type = "${var.master_machine_type}"
62 | can_ip_forward = true
63 |
64 | tags = [
65 | "${var.es_cluster}",
66 | "es-client-node",
67 | "http-server",
68 | "https-server"
69 | ]
70 |
71 | metadata_startup_script = "${data.template_file.client_userdata_script.rendered}"
72 |
73 | labels = {
74 | environment = var.environment
75 | cluster = "${var.environment}-${var.es_cluster}"
76 | role = "client"
77 | }
78 |
79 | disk {
80 | source_image = data.google_compute_image.kibana.self_link
81 | boot = true
82 | }
83 |
84 | network_interface {
85 | network = var.cluster_network
86 | }
87 |
88 | service_account {
89 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
90 | }
91 |
92 | lifecycle {
93 | create_before_destroy = true
94 | }
95 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance_template.data-voters
File: /terraform-gcp/datas-voters.tf:47-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
47 | resource "google_compute_instance_template" "data-voters" {
48 | provider = google-beta
49 | name_prefix = "${var.es_cluster}-instance-template-data-voters"
50 | project = var.gcp_project_id
51 | machine_type = var.data_machine_type
52 | can_ip_forward = false
53 |
54 | tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
55 |
56 | metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
57 |
58 | labels = {
59 | environment = var.environment
60 | cluster = "${var.environment}-${var.es_cluster}"
61 | role = "data-voters"
62 | }
63 |
64 | disk {
65 | source_image = data.google_compute_image.elasticsearch.self_link
66 | boot = true
67 | }
68 |
69 | network_interface {
70 | network = var.cluster_network
71 | }
72 |
73 | service_account {
74 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
75 | }
76 |
77 | lifecycle {
78 | create_before_destroy = true
79 | }
80 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance_template.data-voters
File: /terraform-gcp/datas-voters.tf:47-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
47 | resource "google_compute_instance_template" "data-voters" {
48 | provider = google-beta
49 | name_prefix = "${var.es_cluster}-instance-template-data-voters"
50 | project = var.gcp_project_id
51 | machine_type = var.data_machine_type
52 | can_ip_forward = false
53 |
54 | tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
55 |
56 | metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
57 |
58 | labels = {
59 | environment = var.environment
60 | cluster = "${var.environment}-${var.es_cluster}"
61 | role = "data-voters"
62 | }
63 |
64 | disk {
65 | source_image = data.google_compute_image.elasticsearch.self_link
66 | boot = true
67 | }
68 |
69 | network_interface {
70 | network = var.cluster_network
71 | }
72 |
73 | service_account {
74 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
75 | }
76 |
77 | lifecycle {
78 | create_before_destroy = true
79 | }
80 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance_template.data-voters
File: /terraform-gcp/datas-voters.tf:47-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
47 | resource "google_compute_instance_template" "data-voters" {
48 | provider = google-beta
49 | name_prefix = "${var.es_cluster}-instance-template-data-voters"
50 | project = var.gcp_project_id
51 | machine_type = var.data_machine_type
52 | can_ip_forward = false
53 |
54 | tags = ["${var.es_cluster}", "es-data-node", "es-master-node"]
55 |
56 | metadata_startup_script = data.template_file.data_voting_userdata_script.rendered
57 |
58 | labels = {
59 | environment = var.environment
60 | cluster = "${var.environment}-${var.es_cluster}"
61 | role = "data-voters"
62 | }
63 |
64 | disk {
65 | source_image = data.google_compute_image.elasticsearch.self_link
66 | boot = true
67 | }
68 |
69 | network_interface {
70 | network = var.cluster_network
71 | }
72 |
73 | service_account {
74 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
75 | }
76 |
77 | lifecycle {
78 | create_before_destroy = true
79 | }
80 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance_template.data
File: /terraform-gcp/datas.tf:46-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
46 | resource "google_compute_instance_template" "data" {
47 | provider = google-beta
48 | name_prefix = "${var.es_cluster}-instance-template-data"
49 | project = var.gcp_project_id
50 | machine_type = var.data_machine_type
51 | can_ip_forward = false
52 |
53 | tags = ["${var.es_cluster}", "es-data-node"]
54 |
55 | metadata_startup_script = data.template_file.data_userdata_script.rendered
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "data"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.elasticsearch.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance_template.data
File: /terraform-gcp/datas.tf:46-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
46 | resource "google_compute_instance_template" "data" {
47 | provider = google-beta
48 | name_prefix = "${var.es_cluster}-instance-template-data"
49 | project = var.gcp_project_id
50 | machine_type = var.data_machine_type
51 | can_ip_forward = false
52 |
53 | tags = ["${var.es_cluster}", "es-data-node"]
54 |
55 | metadata_startup_script = data.template_file.data_userdata_script.rendered
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "data"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.elasticsearch.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance_template.data
File: /terraform-gcp/datas.tf:46-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
46 | resource "google_compute_instance_template" "data" {
47 | provider = google-beta
48 | name_prefix = "${var.es_cluster}-instance-template-data"
49 | project = var.gcp_project_id
50 | machine_type = var.data_machine_type
51 | can_ip_forward = false
52 |
53 | tags = ["${var.es_cluster}", "es-data-node"]
54 |
55 | metadata_startup_script = data.template_file.data_userdata_script.rendered
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "data"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.elasticsearch.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.dev[0]
File: /terraform-gcp/dev.tf:1-6
1 | resource "google_storage_bucket" "dev" {
2 | count = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
3 | name = var.DEV_MODE_scripts_gcs_bucket
4 | location = var.gcp_region
5 | force_destroy = true
6 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.dev[0]
File: /terraform-gcp/dev.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
1 | resource "google_storage_bucket" "dev" {
2 | count = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
3 | name = var.DEV_MODE_scripts_gcs_bucket
4 | location = var.gcp_region
5 | force_destroy = true
6 | }
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
FAILED for resource: google_storage_bucket.dev[0]
File: /terraform-gcp/dev.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
1 | resource "google_storage_bucket" "dev" {
2 | count = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
3 | name = var.DEV_MODE_scripts_gcs_bucket
4 | location = var.gcp_region
5 | force_destroy = true
6 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.dev[0]
File: /terraform-gcp/dev.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
1 | resource "google_storage_bucket" "dev" {
2 | count = var.DEV_MODE_scripts_gcs_bucket != "" ? 1 : 0
3 | name = var.DEV_MODE_scripts_gcs_bucket
4 | location = var.gcp_region
5 | force_destroy = true
6 | }
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_disk.master
File: /terraform-gcp/disks.tf:33-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
33 | resource "google_compute_disk" "master" {
34 | for_each = local.master_zone_flattened
35 |
36 | name = "elasticsearch-${var.es_cluster}-master-${jsondecode(each.value)["name"]}"
37 | zone = jsondecode(each.value)["zone"]
38 | size = 10
39 |
40 | labels = {
41 | cluster-name = "${var.es_cluster}"
42 | volume-index = jsondecode(each.value)["index"]
43 | auto-attach-group = "master"
44 | }
45 | }
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_disk.data
File: /terraform-gcp/disks.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
47 | resource "google_compute_disk" "data" {
48 | for_each = local.data_zone_flattened
49 |
50 | name = "elasticsearch-${var.es_cluster}-data-${jsondecode(each.value)["name"]}"
51 | zone = jsondecode(each.value)["zone"]
52 | size = var.elasticsearch_volume_size
53 |
54 | labels = {
55 | cluster-name = "${var.es_cluster}"
56 | volume-index = jsondecode(each.value)["index"]
57 | auto-attach-group = "data"
58 | }
59 | }
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_disk.data_voters
File: /terraform-gcp/disks.tf:61-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
61 | resource "google_compute_disk" "data_voters" {
62 | for_each = local.data_voters_zone_flattened
63 |
64 | name = "elasticsearch-${var.es_cluster}-data-voters-${jsondecode(each.value)["name"]}"
65 | zone = jsondecode(each.value)["zone"]
66 | size = var.elasticsearch_volume_size
67 |
68 | labels = {
69 | cluster-name = "${var.es_cluster}"
70 | volume-index = jsondecode(each.value)["index"]
71 | auto-attach-group = "data-voters"
72 | }
73 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.snapshots[0]
File: /terraform-gcp/main.tf:66-70
66 | resource "google_storage_bucket" "snapshots" {
67 | count = var.gcs_snapshots_bucket != "" ? 1 : 0
68 | name = var.gcs_snapshots_bucket
69 | location = var.gcp_region
70 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.snapshots[0]
File: /terraform-gcp/main.tf:66-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
66 | resource "google_storage_bucket" "snapshots" {
67 | count = var.gcs_snapshots_bucket != "" ? 1 : 0
68 | name = var.gcs_snapshots_bucket
69 | location = var.gcp_region
70 | }
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
FAILED for resource: google_storage_bucket.snapshots[0]
File: /terraform-gcp/main.tf:66-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
66 | resource "google_storage_bucket" "snapshots" {
67 | count = var.gcs_snapshots_bucket != "" ? 1 : 0
68 | name = var.gcs_snapshots_bucket
69 | location = var.gcp_region
70 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.snapshots[0]
File: /terraform-gcp/main.tf:66-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
66 | resource "google_storage_bucket" "snapshots" {
67 | count = var.gcs_snapshots_bucket != "" ? 1 : 0
68 | name = var.gcs_snapshots_bucket
69 | location = var.gcp_region
70 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.bootstrap_node
File: /terraform-gcp/masters.tf:51-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
51 | resource "google_compute_instance" "bootstrap_node" {
52 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
53 |
54 | name = "${var.es_cluster}-bootstrap-node"
55 | machine_type = "${var.master_machine_type}"
56 | zone = "${var.gcp_zone}"
57 |
58 | tags = ["${var.es_cluster}", "es-bootstrap-node"]
59 |
60 | boot_disk {
61 | initialize_params {
62 | image = data.google_compute_image.elasticsearch.self_link
63 | }
64 | }
65 |
66 | network_interface {
67 | network = var.cluster_network
68 | }
69 |
70 | metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.bootstrap_node
File: /terraform-gcp/masters.tf:51-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
51 | resource "google_compute_instance" "bootstrap_node" {
52 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
53 |
54 | name = "${var.es_cluster}-bootstrap-node"
55 | machine_type = "${var.master_machine_type}"
56 | zone = "${var.gcp_zone}"
57 |
58 | tags = ["${var.es_cluster}", "es-bootstrap-node"]
59 |
60 | boot_disk {
61 | initialize_params {
62 | image = data.google_compute_image.elasticsearch.self_link
63 | }
64 | }
65 |
66 | network_interface {
67 | network = var.cluster_network
68 | }
69 |
70 | metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.bootstrap_node
File: /terraform-gcp/masters.tf:51-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
51 | resource "google_compute_instance" "bootstrap_node" {
52 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
53 |
54 | name = "${var.es_cluster}-bootstrap-node"
55 | machine_type = "${var.master_machine_type}"
56 | zone = "${var.gcp_zone}"
57 |
58 | tags = ["${var.es_cluster}", "es-bootstrap-node"]
59 |
60 | boot_disk {
61 | initialize_params {
62 | image = data.google_compute_image.elasticsearch.self_link
63 | }
64 | }
65 |
66 | network_interface {
67 | network = var.cluster_network
68 | }
69 |
70 | metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance.bootstrap_node
File: /terraform-gcp/masters.tf:51-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
51 | resource "google_compute_instance" "bootstrap_node" {
52 | count = local.singlenode_mode || local.is_cluster_bootstrapped ? 0 : 1
53 |
54 | name = "${var.es_cluster}-bootstrap-node"
55 | machine_type = "${var.master_machine_type}"
56 | zone = "${var.gcp_zone}"
57 |
58 | tags = ["${var.es_cluster}", "es-bootstrap-node"]
59 |
60 | boot_disk {
61 | initialize_params {
62 | image = data.google_compute_image.elasticsearch.self_link
63 | }
64 | }
65 |
66 | network_interface {
67 | network = var.cluster_network
68 | }
69 |
70 | metadata_startup_script = "${data.template_file.bootstrap_userdata_script.rendered}"
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance_template.master
File: /terraform-gcp/masters.tf:77-110
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
77 | resource "google_compute_instance_template" "master" {
78 | provider = google-beta
79 | name_prefix = "${var.es_cluster}-instance-template-master"
80 | project = "${var.gcp_project_id}"
81 | machine_type = "${var.master_machine_type}"
82 | can_ip_forward = false
83 |
84 | tags = ["${var.es_cluster}", "es-master-node"]
85 |
86 | metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
87 |
88 | labels = {
89 | environment = var.environment
90 | cluster = "${var.environment}-${var.es_cluster}"
91 | role = "master"
92 | }
93 |
94 | disk {
95 | source_image = data.google_compute_image.elasticsearch.self_link
96 | boot = true
97 | }
98 |
99 | network_interface {
100 | network = var.cluster_network
101 | }
102 |
103 | service_account {
104 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
105 | }
106 |
107 | lifecycle {
108 | create_before_destroy = true
109 | }
110 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance_template.master
File: /terraform-gcp/masters.tf:77-110
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
77 | resource "google_compute_instance_template" "master" {
78 | provider = google-beta
79 | name_prefix = "${var.es_cluster}-instance-template-master"
80 | project = "${var.gcp_project_id}"
81 | machine_type = "${var.master_machine_type}"
82 | can_ip_forward = false
83 |
84 | tags = ["${var.es_cluster}", "es-master-node"]
85 |
86 | metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
87 |
88 | labels = {
89 | environment = var.environment
90 | cluster = "${var.environment}-${var.es_cluster}"
91 | role = "master"
92 | }
93 |
94 | disk {
95 | source_image = data.google_compute_image.elasticsearch.self_link
96 | boot = true
97 | }
98 |
99 | network_interface {
100 | network = var.cluster_network
101 | }
102 |
103 | service_account {
104 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
105 | }
106 |
107 | lifecycle {
108 | create_before_destroy = true
109 | }
110 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance_template.master
File: /terraform-gcp/masters.tf:77-110
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
77 | resource "google_compute_instance_template" "master" {
78 | provider = google-beta
79 | name_prefix = "${var.es_cluster}-instance-template-master"
80 | project = "${var.gcp_project_id}"
81 | machine_type = "${var.master_machine_type}"
82 | can_ip_forward = false
83 |
84 | tags = ["${var.es_cluster}", "es-master-node"]
85 |
86 | metadata_startup_script = "${data.template_file.master_userdata_script.rendered}"
87 |
88 | labels = {
89 | environment = var.environment
90 | cluster = "${var.environment}-${var.es_cluster}"
91 | role = "master"
92 | }
93 |
94 | disk {
95 | source_image = data.google_compute_image.elasticsearch.self_link
96 | boot = true
97 | }
98 |
99 | network_interface {
100 | network = var.cluster_network
101 | }
102 |
103 | service_account {
104 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
105 | }
106 |
107 | lifecycle {
108 | create_before_destroy = true
109 | }
110 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance_template.singlenode
File: /terraform-gcp/singlenode.tf:43-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
43 | resource "google_compute_instance_template" "singlenode" {
44 | provider = google-beta
45 | name_prefix = "${var.es_cluster}-instance-template-single"
46 |
47 | project = "${var.gcp_project_id}"
48 | machine_type = "${var.data_machine_type}"
49 |
50 | tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
51 |
52 | metadata = {
53 | sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
54 | }
55 | metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "singlenode"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.kibana.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 |
80 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance_template.singlenode
File: /terraform-gcp/singlenode.tf:43-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
43 | resource "google_compute_instance_template" "singlenode" {
44 | provider = google-beta
45 | name_prefix = "${var.es_cluster}-instance-template-single"
46 |
47 | project = "${var.gcp_project_id}"
48 | machine_type = "${var.data_machine_type}"
49 |
50 | tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
51 |
52 | metadata = {
53 | sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
54 | }
55 | metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "singlenode"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.kibana.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 |
80 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance_template.singlenode
File: /terraform-gcp/singlenode.tf:43-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
43 | resource "google_compute_instance_template" "singlenode" {
44 | provider = google-beta
45 | name_prefix = "${var.es_cluster}-instance-template-single"
46 |
47 | project = "${var.gcp_project_id}"
48 | machine_type = "${var.data_machine_type}"
49 |
50 | tags = ["${var.es_cluster}", "es-singlenode-node", "http-server", "https-server"]
51 |
52 | metadata = {
53 | sshKeys = "ubuntu:${file(var.gcp_ssh_pub_key_file)}"
54 | }
55 | metadata_startup_script = "${data.template_file.singlenode_userdata_script.rendered}"
56 |
57 | labels = {
58 | environment = var.environment
59 | cluster = "${var.environment}-${var.es_cluster}"
60 | role = "singlenode"
61 | }
62 |
63 | disk {
64 | source_image = data.google_compute_image.kibana.self_link
65 | boot = true
66 | }
67 |
68 | network_interface {
69 | network = var.cluster_network
70 | }
71 |
72 | service_account {
73 | scopes = ["userinfo-email", "compute-rw", "storage-ro"]
74 | }
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 |
80 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.elasticsearch_subnet
File: /terraform-azure/main.tf:26-31
26 | resource "azurerm_subnet" "elasticsearch_subnet" {
27 | name = "es-${var.es_cluster}-subnet"
28 | resource_group_name = "${azurerm_resource_group.elasticsearch.name}"
29 | virtual_network_name = "${azurerm_virtual_network.elasticsearch_vnet.name}"
30 | address_prefix = "10.1.0.0/24"
31 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.esearch
File: /terraform-aws/alb.tf:156-165
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
156 | resource "aws_lb_listener" "esearch" {
157 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
158 | port = "9200"
159 | protocol = "HTTP"
160 |
161 | default_action {
162 | type = "forward"
163 | target_group_arn = aws_lb_target_group.esearch-p9200-tg.arn
164 | }
165 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.kibana[0]
File: /terraform-aws/alb.tf:167-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
167 | resource "aws_lb_listener" "kibana" {
168 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
169 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
170 | port = "5601"
171 | protocol = "HTTP"
172 |
173 | default_action {
174 | type = "forward"
175 | target_group_arn = aws_lb_target_group.kibana-p5601-tg[0].arn
176 | }
177 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.grafana[0]
File: /terraform-aws/alb.tf:179-189
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
179 | resource "aws_lb_listener" "grafana" {
180 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
181 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
182 | port = "3000"
183 | protocol = "HTTP"
184 |
185 | default_action {
186 | type = "forward"
187 | target_group_arn = aws_lb_target_group.grafana-p3000-tg[0].arn
188 | }
189 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.cerebro[0]
File: /terraform-aws/alb.tf:191-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
191 | resource "aws_lb_listener" "cerebro" {
192 | count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0
193 | load_balancer_arn = aws_lb.elasticsearch-alb.arn
194 | port = "9000"
195 | protocol = "HTTP"
196 |
197 | default_action {
198 | type = "forward"
199 | target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn
200 | }
201 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.elasticsearch-alb
File: /terraform-aws/alb.tf:141-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
141 | resource "aws_lb" "elasticsearch-alb" {
142 | name = "${var.es_cluster}-alb"
143 | internal = ! var.public_facing
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
146 | subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
147 |
148 | enable_deletion_protection = false
149 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.elasticsearch-alb
File: /terraform-aws/alb.tf:141-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
141 | resource "aws_lb" "elasticsearch-alb" {
142 | name = "${var.es_cluster}-alb"
143 | internal = ! var.public_facing
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.elasticsearch-alb-sg.id]
146 | subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids))
147 |
148 | enable_deletion_protection = false
149 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools