| Repository | brikis98 / terraform-up-and-running-code |
|---|---|
| Description | Code samples for the book "Terraform: Up & Running" by Yevgeniy Brikman |
| Stars | 2590 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:38:54,279 [MainThread ] [WARNI] Failed to download module github.com/brikis98/terraform-up-and-running-code//code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster?ref=v0.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 608, Failed checks: 511, Skipped checks: 0
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/00-preface/hello-world/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/00-preface/hello-world/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/00-preface/hello-world/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/00-preface/hello-world/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.app
File: /code/terraform/01-why-terraform/web-server/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "app" {
17 | instance_type = "t2.micro"
18 | availability_zone = "us-east-2a"
19 | ami = "ami-0fb653ca2d3203ac1"
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | sudo service apache2 start
24 | EOF
25 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.app
File: /code/terraform/01-why-terraform/web-server/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "app" {
17 | instance_type = "t2.micro"
18 | availability_zone = "us-east-2a"
19 | ami = "ami-0fb653ca2d3203ac1"
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | sudo service apache2 start
24 | EOF
25 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.app
File: /code/terraform/01-why-terraform/web-server/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "app" {
17 | instance_type = "t2.micro"
18 | availability_zone = "us-east-2a"
19 | ami = "ami-0fb653ca2d3203ac1"
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | sudo service apache2 start
24 | EOF
25 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.app
File: /code/terraform/01-why-terraform/web-server/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "app" {
17 | instance_type = "t2.micro"
18 | availability_zone = "us-east-2a"
19 | ami = "ami-0fb653ca2d3203ac1"
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | sudo service apache2 start
24 | EOF
25 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-server/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "terraform-example"
22 | }
23 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-server/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "terraform-example"
22 | }
23 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-server/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "terraform-example"
22 | }
23 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-server/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "terraform-example"
22 | }
23 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:34-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
34 | resource "aws_security_group" "instance" {
35 |
36 | name = var.security_group_name
37 |
38 | ingress {
39 | from_port = var.server_port
40 | to_port = var.server_port
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p 8080 &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p 8080 &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p 8080 &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p 8080 &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:34-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
34 | resource "aws_security_group" "instance" {
35 |
36 | name = var.security_group_name
37 |
38 | ingress {
39 | from_port = 8080
40 | to_port = 8080
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_launch_configuration" "example" {
17 | image_id = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | security_groups = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | # Required when using a launch configuration with an auto scaling group.
28 | lifecycle {
29 | create_before_destroy = true
30 | }
31 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_launch_configuration" "example" {
17 | image_id = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | security_groups = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | # Required when using a launch configuration with an auto scaling group.
28 | lifecycle {
29 | create_before_destroy = true
30 | }
31 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:33-48
33 | resource "aws_autoscaling_group" "example" {
34 | launch_configuration = aws_launch_configuration.example.name
35 | vpc_zone_identifier = data.aws_subnets.default.ids
36 |
37 | target_group_arns = [aws_lb_target_group.asg.arn]
38 | health_check_type = "ELB"
39 |
40 | min_size = 2
41 | max_size = 10
42 |
43 | tag {
44 | key = "Name"
45 | value = "terraform-asg-example"
46 | propagate_at_launch = true
47 | }
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:50-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group" "instance" {
51 | name = var.instance_security_group_name
52 |
53 | ingress {
54 | from_port = var.server_port
55 | to_port = var.server_port
56 | protocol = "tcp"
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
59 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:72-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
72 | resource "aws_lb" "example" {
73 |
74 | name = var.alb_name
75 |
76 | load_balancer_type = "application"
77 | subnets = data.aws_subnets.default.ids
78 | security_groups = [aws_security_group.alb.id]
79 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:72-79
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
72 | resource "aws_lb" "example" {
73 |
74 | name = var.alb_name
75 |
76 | load_balancer_type = "application"
77 | subnets = data.aws_subnets.default.ids
78 | security_groups = [aws_security_group.alb.id]
79 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:72-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
72 | resource "aws_lb" "example" {
73 |
74 | name = var.alb_name
75 |
76 | load_balancer_type = "application"
77 | subnets = data.aws_subnets.default.ids
78 | security_groups = [aws_security_group.alb.id]
79 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:81-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
81 | resource "aws_lb_listener" "http" {
82 | load_balancer_arn = aws_lb.example.arn
83 | port = 80
84 | protocol = "HTTP"
85 |
86 | # By default, return a simple 404 page
87 | default_action {
88 | type = "fixed-response"
89 |
90 | fixed_response {
91 | content_type = "text/plain"
92 | message_body = "404: page not found"
93 | status_code = 404
94 | }
95 | }
96 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:133-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
133 | resource "aws_security_group" "alb" {
134 |
135 | name = var.alb_security_group_name
136 |
137 | # Allow inbound HTTP requests
138 | ingress {
139 | from_port = 80
140 | to_port = 80
141 | protocol = "tcp"
142 | cidr_blocks = ["0.0.0.0/0"]
143 | }
144 |
145 | # Allow all outbound requests
146 | egress {
147 | from_port = 0
148 | to_port = 0
149 | protocol = "-1"
150 | cidr_blocks = ["0.0.0.0/0"]
151 | }
152 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.alb
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:133-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
133 | resource "aws_security_group" "alb" {
134 |
135 | name = var.alb_security_group_name
136 |
137 | # Allow inbound HTTP requests
138 | ingress {
139 | from_port = 80
140 | to_port = 80
141 | protocol = "tcp"
142 | cidr_blocks = ["0.0.0.0/0"]
143 | }
144 |
145 | # Allow all outbound requests
146 | egress {
147 | from_port = 0
148 | to_port = 0
149 | protocol = "-1"
150 | cidr_blocks = ["0.0.0.0/0"]
151 | }
152 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:55-64
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
55 | resource "aws_dynamodb_table" "terraform_locks" {
56 | name = var.table_name
57 | billing_mode = "PAY_PER_REQUEST"
58 | hash_key = "LockID"
59 |
60 | attribute {
61 | name = "LockID"
62 | type = "S"
63 | }
64 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:55-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
55 | resource "aws_dynamodb_table" "terraform_locks" {
56 | name = var.table_name
57 | billing_mode = "PAY_PER_REQUEST"
58 | hash_key = "LockID"
59 |
60 | attribute {
61 | name = "LockID"
62 | type = "S"
63 | }
64 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_launch_configuration" "example" {
17 | image_id = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | security_groups = [aws_security_group.instance.id]
20 |
21 | # Render the User Data script as a template
22 | user_data = templatefile("user-data.sh", {
23 | server_port = var.server_port
24 | db_address = data.terraform_remote_state.db.outputs.address
25 | db_port = data.terraform_remote_state.db.outputs.port
26 | })
27 |
28 | # Required when using a launch configuration with an auto scaling group.
29 | lifecycle {
30 | create_before_destroy = true
31 | }
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_launch_configuration" "example" {
17 | image_id = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | security_groups = [aws_security_group.instance.id]
20 |
21 | # Render the User Data script as a template
22 | user_data = templatefile("user-data.sh", {
23 | server_port = var.server_port
24 | db_address = data.terraform_remote_state.db.outputs.address
25 | db_port = data.terraform_remote_state.db.outputs.port
26 | })
27 |
28 | # Required when using a launch configuration with an auto scaling group.
29 | lifecycle {
30 | create_before_destroy = true
31 | }
32 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:34-49
34 | resource "aws_autoscaling_group" "example" {
35 | launch_configuration = aws_launch_configuration.example.name
36 | vpc_zone_identifier = data.aws_subnets.default.ids
37 |
38 | target_group_arns = [aws_lb_target_group.asg.arn]
39 | health_check_type = "ELB"
40 |
41 | min_size = 2
42 | max_size = 10
43 |
44 | tag {
45 | key = "Name"
46 | value = "terraform-asg-example"
47 | propagate_at_launch = true
48 | }
49 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:51-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
51 | resource "aws_security_group" "instance" {
52 | name = var.instance_security_group_name
53 |
54 | ingress {
55 | from_port = var.server_port
56 | to_port = var.server_port
57 | protocol = "tcp"
58 | cidr_blocks = ["0.0.0.0/0"]
59 | }
60 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
62 | resource "aws_lb" "example" {
63 | name = var.alb_name
64 | load_balancer_type = "application"
65 | subnets = data.aws_subnets.default.ids
66 | security_groups = [aws_security_group.alb.id]
67 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:62-67
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
62 | resource "aws_lb" "example" {
63 | name = var.alb_name
64 | load_balancer_type = "application"
65 | subnets = data.aws_subnets.default.ids
66 | security_groups = [aws_security_group.alb.id]
67 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
62 | resource "aws_lb" "example" {
63 | name = var.alb_name
64 | load_balancer_type = "application"
65 | subnets = data.aws_subnets.default.ids
66 | security_groups = [aws_security_group.alb.id]
67 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:69-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
69 | resource "aws_lb_listener" "http" {
70 | load_balancer_arn = aws_lb.example.arn
71 | port = 80
72 | protocol = "HTTP"
73 |
74 | # By default, return a simple 404 page
75 | default_action {
76 | type = "fixed-response"
77 |
78 | fixed_response {
79 | content_type = "text/plain"
80 | message_body = "404: page not found"
81 | status_code = 404
82 | }
83 | }
84 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:119-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
119 | resource "aws_security_group" "alb" {
120 | name = var.alb_security_group_name
121 |
122 | # Allow inbound HTTP requests
123 | ingress {
124 | from_port = 80
125 | to_port = 80
126 | protocol = "tcp"
127 | cidr_blocks = ["0.0.0.0/0"]
128 | }
129 |
130 | # Allow all outbound requests
131 | egress {
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1"
135 | cidr_blocks = ["0.0.0.0/0"]
136 | }
137 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.alb
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:119-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
119 | resource "aws_security_group" "alb" {
120 | name = var.alb_security_group_name
121 |
122 | # Allow inbound HTTP requests
123 | ingress {
124 | from_port = 80
125 | to_port = 80
126 | protocol = "tcp"
127 | cidr_blocks = ["0.0.0.0/0"]
128 | }
129 |
130 | # Allow all outbound requests
131 | egress {
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1"
135 | cidr_blocks = ["0.0.0.0/0"]
136 | }
137 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/03-terraform-state/workspaces-example/one-instance/main.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
29 | resource "aws_instance" "example" {
30 | ami = "ami-0fb653ca2d3203ac1"
31 |
32 | instance_type = terraform.workspace == "default" ? "t2.medium" : "t2.micro"
33 |
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/03-terraform-state/workspaces-example/one-instance/main.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
29 | resource "aws_instance" "example" {
30 | ami = "ami-0fb653ca2d3203ac1"
31 |
32 | instance_type = terraform.workspace == "default" ? "t2.medium" : "t2.micro"
33 |
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/03-terraform-state/workspaces-example/one-instance/main.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
29 | resource "aws_instance" "example" {
30 | ami = "ami-0fb653ca2d3203ac1"
31 |
32 | instance_type = terraform.workspace == "default" ? "t2.medium" : "t2.micro"
33 |
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/03-terraform-state/workspaces-example/one-instance/main.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
29 | resource "aws_instance" "example" {
30 | ami = "ami-0fb653ca2d3203ac1"
31 |
32 | instance_type = terraform.workspace == "default" ? "t2.medium" : "t2.micro"
33 |
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:12-27
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = "ami-0fb653ca2d3203ac1"
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 |
17 | user_data = templatefile("${path.module}/user-data.sh", {
18 | server_port = var.server_port
19 | db_address = data.terraform_remote_state.db.outputs.address
20 | db_port = data.terraform_remote_state.db.outputs.port
21 | })
22 |
23 | # Required when using a launch configuration with an auto scaling group.
24 | lifecycle {
25 | create_before_destroy = true
26 | }
27 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:12-27
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = "ami-0fb653ca2d3203ac1"
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 |
17 | user_data = templatefile("${path.module}/user-data.sh", {
18 | server_port = var.server_port
19 | db_address = data.terraform_remote_state.db.outputs.address
20 | db_port = data.terraform_remote_state.db.outputs.port
21 | })
22 |
23 | # Required when using a launch configuration with an auto scaling group.
24 | lifecycle {
25 | create_before_destroy = true
26 | }
27 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.webserver_cluster.aws_autoscaling_group.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:29-43
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
29 | resource "aws_autoscaling_group" "example" {
30 | launch_configuration = aws_launch_configuration.example.name
31 | vpc_zone_identifier = data.aws_subnets.default.ids
32 | target_group_arns = [aws_lb_target_group.asg.arn]
33 | health_check_type = "ELB"
34 |
35 | min_size = var.min_size
36 | max_size = var.max_size
37 |
38 | tag {
39 | key = "Name"
40 | value = var.cluster_name
41 | propagate_at_launch = true
42 | }
43 | }
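The launch configuration, instance and Auto Scaling group findings above (CKV_AWS_8, CKV_AWS_79, CKV_AWS_126, CKV_AWS_135 and CKV_AWS_315) all come from one pattern: an unencrypted root volume, IMDSv1 left enabled, no detailed monitoring, and an ASG pointed at a launch configuration. The Terraform below is an added example written for this page, not code from the book's repository. It rewrites the module's `aws_launch_configuration.example` as a launch template that enforces IMDSv2, encrypts the root volume and turns on detailed monitoring, and points the ASG at it. Variable names (`var.instance_type`, `var.server_port`, `var.cluster_name`, `var.min_size`, `var.max_size`) and the `aws_security_group.instance`, `aws_lb_target_group.asg`, `data.aws_subnets.default` and `data.terraform_remote_state.db` references are taken from the snippets on this page; the root device name and volume size are assumptions that depend on the AMI.

```hcl
# Added example: launch template replacing the module's aws_launch_configuration.
# Variable and resource names match the snippets on this page; the root device
# name and volume size are assumptions (check the AMI's RootDeviceName with
# `aws ec2 describe-images`).
resource "aws_launch_template" "example" {
  name_prefix   = "${var.cluster_name}-"
  image_id      = "ami-0fb653ca2d3203ac1"
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.instance.id]

  # Launch templates take user data base64-encoded.
  user_data = base64encode(templatefile("${path.module}/user-data.sh", {
    server_port = var.server_port
    db_address  = data.terraform_remote_state.db.outputs.address
    db_port     = data.terraform_remote_state.db.outputs.port
  }))

  # CKV_AWS_79: require IMDSv2 session tokens, and keep the hop limit at 1 so a
  # container or an SSRF bug on the instance cannot reach the credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root EBS volume. Without kms_key_id the account's
  # default aws/ebs key is used; set it to use a customer-managed key.
  block_device_mappings {
    device_name = "/dev/xvda" # assumption: root device of the AMI above
    ebs {
      encrypted             = true
      volume_size           = 8 # assumption
      delete_on_termination = true
    }
  }

  # CKV_AWS_126: detailed (1-minute) CloudWatch monitoring.
  monitoring {
    enabled = true
  }

  # CKV_AWS_135: dedicated EBS bandwidth. t2.micro does not support this
  # flag; t3 and newer types are EBS-optimized by default.
  ebs_optimized = true

  update_default_version = true

  lifecycle {
    create_before_destroy = true
  }
}

# CKV_AWS_315: the Auto Scaling group launches from the template rather than a
# launch configuration. "$Latest" picks up each new template version.
resource "aws_autoscaling_group" "example" {
  vpc_zone_identifier = data.aws_subnets.default.ids
  target_group_arns   = [aws_lb_target_group.asg.arn]
  health_check_type   = "ELB"

  min_size = var.min_size
  max_size = var.max_size

  launch_template {
    id      = aws_launch_template.example.id
    version = "$Latest"
  }

  # Replace running instances when the template changes instead of waiting
  # for them to be cycled out naturally.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }

  tag {
    key                 = "Name"
    value               = var.cluster_name
    propagate_at_launch = true
  }
}
```

The standalone `aws_instance.example` in the workspaces example takes the same settings directly on the resource: `monitoring = true`, `ebs_optimized = true`, a `metadata_options` block with `http_tokens = "required"`, and a `root_block_device { encrypted = true }` block. Note that enabling encryption on an existing unencrypted volume is a replacement, not an in-place change.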
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.instance
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:45-47
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
45 | resource "aws_security_group" "instance" {
46 | name = "${var.cluster_name}-instance"
47 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:49-57
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
49 | resource "aws_security_group_rule" "allow_server_http_inbound" {
50 | type = "ingress"
51 | security_group_id = aws_security_group.instance.id
52 |
53 | from_port = var.server_port
54 | to_port = var.server_port
55 | protocol = local.tcp_protocol
56 | cidr_blocks = local.all_ips
57 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:59-64
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
59 | resource "aws_lb" "example" {
60 | name = var.cluster_name
61 | load_balancer_type = "application"
62 | subnets = data.aws_subnets.default.ids
63 | security_groups = [aws_security_group.alb.id]
64 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:59-64
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
59 | resource "aws_lb" "example" {
60 | name = var.cluster_name
61 | load_balancer_type = "application"
62 | subnets = data.aws_subnets.default.ids
63 | security_groups = [aws_security_group.alb.id]
64 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:59-64
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
59 | resource "aws_lb" "example" {
60 | name = var.cluster_name
61 | load_balancer_type = "application"
62 | subnets = data.aws_subnets.default.ids
63 | security_groups = [aws_security_group.alb.id]
64 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:66-83
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
66 | resource "aws_lb_listener" "http" {
67 | load_balancer_arn = aws_lb.example.arn
68 |
69 | port = local.http_port
70 |
71 | protocol = "HTTP"
72 |
73 | # By default, return a simple 404 page
74 | default_action {
75 | type = "fixed-response"
76 |
77 | fixed_response {
78 | content_type = "text/plain"
79 | message_body = "404: page not found"
80 | status_code = 404
81 | }
82 | }
83 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.alb
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:118-120
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
118 | resource "aws_security_group" "alb" {
119 | name = "${var.cluster_name}-alb"
120 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:122-130
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
122 | resource "aws_security_group_rule" "allow_http_inbound" {
123 | type = "ingress"
124 | security_group_id = aws_security_group.alb.id
125 |
126 | from_port = local.http_port
127 | to_port = local.http_port
128 | protocol = local.tcp_protocol
129 | cidr_blocks = local.all_ips
130 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:122-130
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
122 | resource "aws_security_group_rule" "allow_http_inbound" {
123 | type = "ingress"
124 | security_group_id = aws_security_group.alb.id
125 |
126 | from_port = local.http_port
127 | to_port = local.http_port
128 | protocol = local.tcp_protocol
129 | cidr_blocks = local.all_ips
130 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_all_outbound
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:132-140
Calling File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:16-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
132 | resource "aws_security_group_rule" "allow_all_outbound" {
133 | type = "egress"
134 | security_group_id = aws_security_group.alb.id
135 |
136 | from_port = local.any_port
137 | to_port = local.any_port
138 | protocol = local.any_protocol
139 | cidr_blocks = local.all_ips
140 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
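Every `aws_db_instance.example` on this page (the prod and stage copies and the multi-repo live copy) fails the same nine checks, because the resource sets nothing beyond engine, size and credentials. The following is an added example for this page, not code from the book's repository: the prod data store with each finding addressed, plus the IAM role that enhanced monitoring requires and a customer-managed KMS key. Variable names (`var.db_name`, `var.db_username`) follow the snippets above; the monitoring role, the KMS key, the instance class and the final snapshot identifier are assumptions introduced here, and `manage_master_user_password` needs AWS provider 5.x.

```hcl
# Added example: hardened aws_db_instance for the prod data store. Variable
# names follow the snippets on this page; the monitoring role, KMS key,
# instance class and snapshot identifier are introduced here.
data "aws_iam_policy_document" "rds_monitoring_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

# CKV_AWS_118: enhanced monitoring needs a role the RDS service can assume.
resource "aws_iam_role" "rds_monitoring" {
  name               = "terraform-up-and-running-rds-monitoring"
  assume_role_policy = data.aws_iam_policy_document.rds_monitoring_assume.json
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

# CKV_AWS_16 / CKV_AWS_354: a customer-managed key for storage and Performance
# Insights, so access to the data can be audited and revoked through KMS.
resource "aws_kms_key" "db" {
  description         = "RDS storage and Performance Insights key"
  enable_key_rotation = true
}

resource "aws_db_instance" "example" {
  identifier_prefix = "terraform-up-and-running"
  engine            = "mysql"
  allocated_storage = 10
  # Performance Insights is not offered on the smallest burstable classes
  # (db.t2.micro, db.t3.micro, ...); db.t3.medium is an assumption.
  instance_class = "db.t3.medium"
  db_name        = var.db_name
  username       = var.db_username

  # The original sets password = var.db_password, which ends up in plaintext
  # in the state file. Let RDS generate the password and keep it in Secrets
  # Manager instead (AWS provider 5.x); applications fetch it from there.
  manage_master_user_password = true

  # CKV_AWS_16: encrypt storage; every snapshot and replica inherits it.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.db.arn

  # CKV_AWS_161: allow 15-minute IAM tokens in place of the static password.
  # Database users still have to be created with AWSAuthenticationPlugin.
  iam_database_authentication_enabled = true

  # CKV_AWS_293: DeleteDBInstance fails until this is set back to false.
  deletion_protection = true

  # CKV_AWS_226: engine security patches land in the maintenance window.
  auto_minor_version_upgrade = true

  # CKV_AWS_157: synchronous standby in a second availability zone.
  multi_az = true

  # CKV_AWS_129: MySQL log types exported to CloudWatch Logs. "audit" is also
  # valid but needs the MARIADB_AUDIT_PLUGIN option group; "general" is verbose.
  enabled_cloudwatch_logs_exports = ["error", "general", "slowquery"]

  # CKV_AWS_118: OS-level metrics every 60 seconds through the role above.
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  # CKV_AWS_353 / CKV_AWS_354: Performance Insights, encrypted with the CMK.
  performance_insights_enabled    = true
  performance_insights_kms_key_id = aws_kms_key.db.arn

  # Not flagged above, but skip_final_snapshot = true on a production database
  # means a destroy leaves nothing to restore from.
  skip_final_snapshot       = false
  final_snapshot_identifier = "terraform-up-and-running-final" # assumption

  # Make sure the monitoring policy is attached before RDS tries to assume it.
  depends_on = [aws_iam_role_policy_attachment.rds_monitoring]
}
```

Two things to know before applying this to a live database: turning on `storage_encrypted` or changing `kms_key_id` forces a replacement, so snapshot first, copy the snapshot as encrypted and restore from it; and with `manage_master_user_password` the `password` argument and the `db_password` variable go away, so any consumer that reads the password from Terraform outputs or state has to switch to Secrets Manager.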
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_testing_inbound
File: /code/terraform/04-terraform-module/module-example/stage/services/webserver-cluster/main.tf:30-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
30 | resource "aws_security_group_rule" "allow_testing_inbound" {
31 | type = "ingress"
32 | security_group_id = module.webserver_cluster.alb_security_group_id
33 |
34 | from_port = 12345
35 | to_port = 12345
36 | protocol = "tcp"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_testing_inbound
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/services/webserver-cluster/main.tf:31-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
31 | resource "aws_security_group_rule" "allow_testing_inbound" {
32 | type = "ingress"
33 | security_group_id = module.webserver_cluster.alb_security_group_id
34 |
35 | from_port = 12345
36 | to_port = 12345
37 | protocol = "tcp"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.existing_user
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/existing-iam-user/main.tf:16-19
16 | resource "aws_iam_user" "existing_user" {
17 | # Make sure to update this to your own user name!
18 | name = "yevgeniy.brikman"
19 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/one-iam-user/main.tf:16-20
16 | resource "aws_iam_user" "example" {
17 |
18 | name = var.user_name
19 |
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example["morpheus"]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-for-each/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | for_each = toset(var.user_names)
18 | name = each.value
19 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example["trinity"]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-for-each/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | for_each = toset(var.user_names)
18 | name = each.value
19 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example["neo"]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-for-each/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | for_each = toset(var.user_names)
18 | name = each.value
19 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-increment-name/main.tf:16-20
16 | resource "aws_iam_user" "example" {
17 | count = 3
18 |
19 | name = "${var.user_name_prefix}.${count.index}"
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-increment-name/main.tf:16-20
16 | resource "aws_iam_user" "example" {
17 | count = 3
18 |
19 | name = "${var.user_name_prefix}.${count.index}"
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-increment-name/main.tf:16-20
16 | resource "aws_iam_user" "example" {
17 | count = 3
18 |
19 | name = "${var.user_name_prefix}.${count.index}"
20 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_read_only
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:28-38
28 | data "aws_iam_policy_document" "cloudwatch_read_only" {
29 | statement {
30 | effect = "Allow"
31 | actions = [
32 | "cloudwatch:Describe*",
33 | "cloudwatch:Get*",
34 | "cloudwatch:List*"
35 | ]
36 | resources = ["*"]
37 | }
38 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cloudwatch_full_access
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:47-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
47 | data "aws_iam_policy_document" "cloudwatch_full_access" {
48 | statement {
49 | effect = "Allow"
50 | actions = ["cloudwatch:*"]
51 | resources = ["*"]
52 | }
53 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_full_access
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:47-53
47 | data "aws_iam_policy_document" "cloudwatch_full_access" {
48 | statement {
49 | effect = "Allow"
50 | actions = ["cloudwatch:*"]
51 | resources = ["*"]
52 | }
53 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | count = length(var.user_names)
18 | name = var.user_names[count.index]
19 | }
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy_attachment.neo_cloudwatch_full_access
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:55-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
55 | resource "aws_iam_user_policy_attachment" "neo_cloudwatch_full_access" {
56 | count = var.give_neo_cloudwatch_full_access ? 1 : 0
57 |
58 | user = aws_iam_user.example[0].name
59 | policy_arn = aws_iam_policy.cloudwatch_full_access.arn
60 | }
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy_attachment.neo_cloudwatch_read_only
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
62 | resource "aws_iam_user_policy_attachment" "neo_cloudwatch_read_only" {
63 | count = var.give_neo_cloudwatch_full_access ? 0 : 1
64 |
65 | user = aws_iam_user.example[0].name
66 | policy_arn = aws_iam_policy.cloudwatch_read_only.arn
67 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | count = length(var.user_names)
18 | name = var.user_names[count.index]
19 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-unique-names/main.tf:16-19
16 | resource "aws_iam_user" "example" {
17 | count = length(var.user_names)
18 | name = var.user_names[count.index]
19 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example_1[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example_1[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example_1[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example_1[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example_2
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
22 | resource "aws_instance" "example_2" {
23 | count = length(data.aws_availability_zones.all.names)
24 | availability_zone = data.aws_availability_zones.all.names[count.index]
25 | ami = "ami-0fb653ca2d3203ac1"
26 | instance_type = "t2.micro"
27 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example_2
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
22 | resource "aws_instance" "example_2" {
23 | count = length(data.aws_availability_zones.all.names)
24 | availability_zone = data.aws_availability_zones.all.names[count.index]
25 | ami = "ami-0fb653ca2d3203ac1"
26 | instance_type = "t2.micro"
27 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example_2
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
22 | resource "aws_instance" "example_2" {
23 | count = length(data.aws_availability_zones.all.names)
24 | availability_zone = data.aws_availability_zones.all.names[count.index]
25 | ami = "ami-0fb653ca2d3203ac1"
26 | instance_type = "t2.micro"
27 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example_2
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
22 | resource "aws_instance" "example_2" {
23 | count = length(data.aws_availability_zones.all.names)
24 | availability_zone = data.aws_availability_zones.all.names[count.index]
25 | ami = "ami-0fb653ca2d3203ac1"
26 | instance_type = "t2.micro"
27 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example_1[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example_1[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example_1[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example_1[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example_1[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example_1[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example_1[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example_1[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_testing_inbound
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:29-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
29 | resource "aws_security_group_rule" "allow_testing_inbound" {
30 | type = "ingress"
31 | security_group_id = module.webserver_cluster.alb_security_group_id
32 |
33 | from_port = 12345
34 | to_port = 12345
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.users["morpheus"].aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/landing-zone/iam-user/main.tf:12-14
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-module-for-each/main.tf:16-21
12 | resource "aws_iam_user" "example" {
13 | name = var.user_name
14 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:12-26
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = "ami-0fb653ca2d3203ac1"
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = templatefile("${path.module}/user-data.sh", {
17 | server_port = var.server_port
18 | db_address = data.terraform_remote_state.db.outputs.address
19 | db_port = data.terraform_remote_state.db.outputs.port
20 | })
21 |
22 | # Required when using a launch configuration with an auto scaling group.
23 | lifecycle {
24 | create_before_destroy = true
25 | }
26 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:12-26
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = "ami-0fb653ca2d3203ac1"
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = templatefile("${path.module}/user-data.sh", {
17 | server_port = var.server_port
18 | db_address = data.terraform_remote_state.db.outputs.address
19 | db_port = data.terraform_remote_state.db.outputs.port
20 | })
21 |
22 | # Required when using a launch configuration with an auto scaling group.
23 | lifecycle {
24 | create_before_destroy = true
25 | }
26 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.webserver_cluster.aws_autoscaling_group.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:28-57
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
28 | resource "aws_autoscaling_group" "example" {
29 | launch_configuration = aws_launch_configuration.example.name
30 | vpc_zone_identifier = data.aws_subnets.default.ids
31 | target_group_arns = [aws_lb_target_group.asg.arn]
32 | health_check_type = "ELB"
33 |
34 | min_size = var.min_size
35 | max_size = var.max_size
36 |
37 | tag {
38 | key = "Name"
39 | value = var.cluster_name
40 | propagate_at_launch = true
41 | }
42 |
43 | dynamic "tag" {
44 | for_each = {
45 | for key, value in var.custom_tags:
46 | key => upper(value)
47 | if key != "Name"
48 | }
49 |
50 | content {
51 | key = tag.key
52 | value = tag.value
53 | propagate_at_launch = true
54 | }
55 | }
56 |
57 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.instance
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:81-83
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
81 | resource "aws_security_group" "instance" {
82 | name = "${var.cluster_name}-instance"
83 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:85-93
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
85 | resource "aws_security_group_rule" "allow_server_http_inbound" {
86 | type = "ingress"
87 | security_group_id = aws_security_group.instance.id
88 |
89 | from_port = var.server_port
90 | to_port = var.server_port
91 | protocol = local.tcp_protocol
92 | cidr_blocks = local.all_ips
93 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:106-111
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
106 | resource "aws_lb" "example" {
107 | name = var.cluster_name
108 | load_balancer_type = "application"
109 | subnets = data.aws_subnets.default.ids
110 | security_groups = [aws_security_group.alb.id]
111 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:106-111
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
106 | resource "aws_lb" "example" {
107 | name = var.cluster_name
108 | load_balancer_type = "application"
109 | subnets = data.aws_subnets.default.ids
110 | security_groups = [aws_security_group.alb.id]
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:106-111
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
106 | resource "aws_lb" "example" {
107 | name = var.cluster_name
108 | load_balancer_type = "application"
109 | subnets = data.aws_subnets.default.ids
110 | security_groups = [aws_security_group.alb.id]
111 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:113-128
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
113 | resource "aws_lb_listener" "http" {
114 | load_balancer_arn = aws_lb.example.arn
115 | port = local.http_port
116 | protocol = "HTTP"
117 |
118 | # By default, return a simple 404 page
119 | default_action {
120 | type = "fixed-response"
121 |
122 | fixed_response {
123 | content_type = "text/plain"
124 | message_body = "404: page not found"
125 | status_code = 404
126 | }
127 | }
128 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.alb
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:163-165
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
163 | resource "aws_security_group" "alb" {
164 | name = "${var.cluster_name}-alb"
165 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:167-175
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
167 | resource "aws_security_group_rule" "allow_http_inbound" {
168 | type = "ingress"
169 | security_group_id = aws_security_group.alb.id
170 |
171 | from_port = local.http_port
172 | to_port = local.http_port
173 | protocol = local.tcp_protocol
174 | cidr_blocks = local.all_ips
175 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:167-175
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
167 | resource "aws_security_group_rule" "allow_http_inbound" {
168 | type = "ingress"
169 | security_group_id = aws_security_group.alb.id
170 |
171 | from_port = local.http_port
172 | to_port = local.http_port
173 | protocol = local.tcp_protocol
174 | cidr_blocks = local.all_ips
175 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_all_outbound
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:177-185
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/webserver-cluster/main.tf:16-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
177 | resource "aws_security_group_rule" "allow_all_outbound" {
178 | type = "egress"
179 | security_group_id = aws_security_group.alb.id
180 |
181 | from_port = local.any_port
182 | to_port = local.any_port
183 | protocol = local.any_protocol
184 | cidr_blocks = local.all_ips
185 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.cluster_instance
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/global/moved-example/main.tf:21-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
21 | resource "aws_security_group" "cluster_instance" {
22 | name = var.security_group_name
23 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_testing_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
33 | resource "aws_security_group_rule" "allow_testing_inbound" {
34 | type = "ingress"
35 | security_group_id = module.webserver_cluster.alb_security_group_id
36 |
37 | from_port = 12345
38 | to_port = 12345
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_testing_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
33 | resource "aws_security_group_rule" "allow_testing_inbound" {
34 | type = "ingress"
35 | security_group_id = module.webserver_cluster.alb_security_group_id
36 |
37 | from_port = 12345
38 | to_port = 12345
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:12-27
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = templatefile("${path.module}/user-data.sh", {
17 | server_port = var.server_port
18 | db_address = data.terraform_remote_state.db.outputs.address
19 | db_port = data.terraform_remote_state.db.outputs.port
20 | server_text = var.server_text
21 | })
22 |
23 | # Required when using a launch configuration with an auto scaling group.
24 | lifecycle {
25 | create_before_destroy = true
26 | }
27 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:12-27
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = templatefile("${path.module}/user-data.sh", {
17 | server_port = var.server_port
18 | db_address = data.terraform_remote_state.db.outputs.address
19 | db_port = data.terraform_remote_state.db.outputs.port
20 | server_text = var.server_text
21 | })
22 |
23 | # Required when using a launch configuration with an auto scaling group.
24 | lifecycle {
25 | create_before_destroy = true
26 | }
27 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.webserver_cluster.aws_autoscaling_group.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:29-66
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
29 | resource "aws_autoscaling_group" "example" {
30 | name = var.cluster_name
31 | launch_configuration = aws_launch_configuration.example.name
32 | vpc_zone_identifier = data.aws_subnets.default.ids
33 | target_group_arns = [aws_lb_target_group.asg.arn]
34 | health_check_type = "ELB"
35 |
36 | min_size = var.min_size
37 | max_size = var.max_size
38 |
39 | # Use instance refresh to roll out changes to the ASG
40 | instance_refresh {
41 | strategy = "Rolling"
42 | preferences {
43 | min_healthy_percentage = 50
44 | }
45 | }
46 |
47 | tag {
48 | key = "Name"
49 | value = var.cluster_name
50 | propagate_at_launch = true
51 | }
52 |
53 | dynamic "tag" {
54 | for_each = {
55 | for key, value in var.custom_tags:
56 | key => upper(value)
57 | if key != "Name"
58 | }
59 |
60 | content {
61 | key = tag.key
62 | value = tag.value
63 | propagate_at_launch = true
64 | }
65 | }
66 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.instance
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:90-92
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
90 | resource "aws_security_group" "instance" {
91 | name = "${var.cluster_name}-instance"
92 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:94-102
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
94 | resource "aws_security_group_rule" "allow_server_http_inbound" {
95 | type = "ingress"
96 | security_group_id = aws_security_group.instance.id
97 |
98 | from_port = var.server_port
99 | to_port = var.server_port
100 | protocol = local.tcp_protocol
101 | cidr_blocks = local.all_ips
102 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:115-120
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
115 | resource "aws_lb" "example" {
116 | name = var.cluster_name
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnets.default.ids
119 | security_groups = [aws_security_group.alb.id]
120 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:115-120
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
115 | resource "aws_lb" "example" {
116 | name = var.cluster_name
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnets.default.ids
119 | security_groups = [aws_security_group.alb.id]
120 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:115-120
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
115 | resource "aws_lb" "example" {
116 | name = var.cluster_name
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnets.default.ids
119 | security_groups = [aws_security_group.alb.id]
120 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:122-137
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
122 | resource "aws_lb_listener" "http" {
123 | load_balancer_arn = aws_lb.example.arn
124 | port = local.http_port
125 | protocol = "HTTP"
126 |
127 | # By default, return a simple 404 page
128 | default_action {
129 | type = "fixed-response"
130 |
131 | fixed_response {
132 | content_type = "text/plain"
133 | message_body = "404: page not found"
134 | status_code = 404
135 | }
136 | }
137 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.alb
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:172-174
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
172 | resource "aws_security_group" "alb" {
173 | name = "${var.cluster_name}-alb"
174 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:176-184
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
176 | resource "aws_security_group_rule" "allow_http_inbound" {
177 | type = "ingress"
178 | security_group_id = aws_security_group.alb.id
179 |
180 | from_port = local.http_port
181 | to_port = local.http_port
182 | protocol = local.tcp_protocol
183 | cidr_blocks = local.all_ips
184 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:176-184
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
176 | resource "aws_security_group_rule" "allow_http_inbound" {
177 | type = "ingress"
178 | security_group_id = aws_security_group.alb.id
179 |
180 | from_port = local.http_port
181 | to_port = local.http_port
182 | protocol = local.tcp_protocol
183 | cidr_blocks = local.all_ips
184 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_all_outbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:186-194
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster-instance-refresh/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
186 | resource "aws_security_group_rule" "allow_all_outbound" {
187 | type = "egress"
188 | security_group_id = aws_security_group.alb.id
189 |
190 | from_port = local.any_port
191 | to_port = local.any_port
192 | protocol = local.any_protocol
193 | cidr_blocks = local.all_ips
194 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:12-28
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 |
17 | user_data = templatefile("${path.module}/user-data.sh", {
18 | server_port = var.server_port
19 | db_address = data.terraform_remote_state.db.outputs.address
20 | db_port = data.terraform_remote_state.db.outputs.port
21 | server_text = var.server_text
22 | })
23 |
24 | # Required when using a launch configuration with an auto scaling group.
25 | lifecycle {
26 | create_before_destroy = true
27 | }
28 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:12-28
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 |
17 | user_data = templatefile("${path.module}/user-data.sh", {
18 | server_port = var.server_port
19 | db_address = data.terraform_remote_state.db.outputs.address
20 | db_port = data.terraform_remote_state.db.outputs.port
21 | server_text = var.server_text
22 | })
23 |
24 | # Required when using a launch configuration with an auto scaling group.
25 | lifecycle {
26 | create_before_destroy = true
27 | }
28 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.webserver_cluster.aws_autoscaling_group.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:30-72
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
30 | resource "aws_autoscaling_group" "example" {
31 | # Explicitly depend on the launch configuration's name so each time it's
32 | # replaced, this ASG is also replaced
33 | name = "${var.cluster_name}-${aws_launch_configuration.example.name}"
34 |
35 | launch_configuration = aws_launch_configuration.example.name
36 | vpc_zone_identifier = data.aws_subnets.default.ids
37 | target_group_arns = [aws_lb_target_group.asg.arn]
38 | health_check_type = "ELB"
39 |
40 | min_size = var.min_size
41 | max_size = var.max_size
42 |
43 | # Wait for at least this many instances to pass health checks before
44 | # considering the ASG deployment complete
45 | min_elb_capacity = var.min_size
46 |
47 | # When replacing this ASG, create the replacement first, and only delete the
48 | # original after
49 | lifecycle {
50 | create_before_destroy = true
51 | }
52 |
53 | tag {
54 | key = "Name"
55 | value = var.cluster_name
56 | propagate_at_launch = true
57 | }
58 |
59 | dynamic "tag" {
60 | for_each = {
61 | for key, value in var.custom_tags:
62 | key => upper(value)
63 | if key != "Name"
64 | }
65 |
66 | content {
67 | key = tag.key
68 | value = tag.value
69 | propagate_at_launch = true
70 | }
71 | }
72 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.instance
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:96-98
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
96 | resource "aws_security_group" "instance" {
97 | name = "${var.cluster_name}-instance"
98 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:100-108
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
100 | resource "aws_security_group_rule" "allow_server_http_inbound" {
101 | type = "ingress"
102 | security_group_id = aws_security_group.instance.id
103 |
104 | from_port = var.server_port
105 | to_port = var.server_port
106 | protocol = local.tcp_protocol
107 | cidr_blocks = local.all_ips
108 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:121-126
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
121 | resource "aws_lb" "example" {
122 | name = var.cluster_name
123 | load_balancer_type = "application"
124 | subnets = data.aws_subnets.default.ids
125 | security_groups = [aws_security_group.alb.id]
126 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:121-126
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
121 | resource "aws_lb" "example" {
122 | name = var.cluster_name
123 | load_balancer_type = "application"
124 | subnets = data.aws_subnets.default.ids
125 | security_groups = [aws_security_group.alb.id]
126 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:121-126
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
121 | resource "aws_lb" "example" {
122 | name = var.cluster_name
123 | load_balancer_type = "application"
124 | subnets = data.aws_subnets.default.ids
125 | security_groups = [aws_security_group.alb.id]
126 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:128-143
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
128 | resource "aws_lb_listener" "http" {
129 | load_balancer_arn = aws_lb.example.arn
130 | port = local.http_port
131 | protocol = "HTTP"
132 |
133 | # By default, return a simple 404 page
134 | default_action {
135 | type = "fixed-response"
136 |
137 | fixed_response {
138 | content_type = "text/plain"
139 | message_body = "404: page not found"
140 | status_code = 404
141 | }
142 | }
143 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.alb
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:178-180
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
178 | resource "aws_security_group" "alb" {
179 | name = "${var.cluster_name}-alb"
180 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:182-190
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
182 | resource "aws_security_group_rule" "allow_http_inbound" {
183 | type = "ingress"
184 | security_group_id = aws_security_group.alb.id
185 |
186 | from_port = local.http_port
187 | to_port = local.http_port
188 | protocol = local.tcp_protocol
189 | cidr_blocks = local.all_ips
190 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_http_inbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:182-190
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
182 | resource "aws_security_group_rule" "allow_http_inbound" {
183 | type = "ingress"
184 | security_group_id = aws_security_group.alb.id
185 |
186 | from_port = local.http_port
187 | to_port = local.http_port
188 | protocol = local.tcp_protocol
189 | cidr_blocks = local.all_ips
190 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group_rule.allow_all_outbound
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:192-200
Calling File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/services/webserver-cluster/main.tf:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
192 | resource "aws_security_group_rule" "allow_all_outbound" {
193 | type = "egress"
194 | security_group_id = aws_security_group.alb.id
195 |
196 | from_port = local.any_port
197 | to_port = local.any_port
198 | protocol = local.any_protocol
199 | cidr_blocks = local.all_ips
200 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
50 | data "aws_iam_policy_document" "ec2_admin_permissions" {
51 | statement {
52 | effect = "Allow"
53 | actions = ["ec2:*"]
54 | resources = ["*"]
55 | }
56 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
50 | data "aws_iam_policy_document" "ec2_admin_permissions" {
51 | statement {
52 | effect = "Allow"
53 | actions = ["ec2:*"]
54 | resources = ["*"]
55 | }
56 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
50 | data "aws_iam_policy_document" "ec2_admin_permissions" {
51 | statement {
52 | effect = "Allow"
53 | actions = ["ec2:*"]
54 | resources = ["*"]
55 | }
56 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:50-56
50 | data "aws_iam_policy_document" "ec2_admin_permissions" {
51 | statement {
52 | effect = "Allow"
53 | actions = ["ec2:*"]
54 | resources = ["*"]
55 | }
56 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | # Attach the instance profile
21 | iam_instance_profile = aws_iam_instance_profile.instance.name
22 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | # Attach the instance profile
21 | iam_instance_profile = aws_iam_instance_profile.instance.name
22 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | # Attach the instance profile
21 | iam_instance_profile = aws_iam_instance_profile.instance.name
22 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/ec2-iam-role/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | # Attach the instance profile
21 | iam_instance_profile = aws_iam_instance_profile.instance.name
22 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/github-actions-oidc/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
67 | data "aws_iam_policy_document" "ec2_admin_permissions" {
68 | statement {
69 | effect = "Allow"
70 | actions = ["ec2:*"]
71 | resources = ["*"]
72 | }
73 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/github-actions-oidc/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
67 | data "aws_iam_policy_document" "ec2_admin_permissions" {
68 | statement {
69 | effect = "Allow"
70 | actions = ["ec2:*"]
71 | resources = ["*"]
72 | }
73 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/github-actions-oidc/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
67 | data "aws_iam_policy_document" "ec2_admin_permissions" {
68 | statement {
69 | effect = "Allow"
70 | actions = ["ec2:*"]
71 | resources = ["*"]
72 | }
73 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.ec2_admin_permissions
File: /code/terraform/06-managing-secrets-with-terraform/github-actions-oidc/main.tf:67-73
67 | data "aws_iam_policy_document" "ec2_admin_permissions" {
68 | statement {
69 | effect = "Allow"
70 | actions = ["ec2:*"]
71 | resources = ["*"]
72 | }
73 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.cmk_admin_policy
File: /code/terraform/06-managing-secrets-with-terraform/kms-cmk/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
27 | data "aws_iam_policy_document" "cmk_admin_policy" {
28 | statement {
29 | effect = "Allow"
30 | resources = ["*"]
31 | actions = ["kms:*"]
32 | principals {
33 | type = "AWS"
34 | identifiers = [data.aws_caller_identity.self.arn]
35 | }
36 | }
37 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cmk_admin_policy
File: /code/terraform/06-managing-secrets-with-terraform/kms-cmk/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
27 | data "aws_iam_policy_document" "cmk_admin_policy" {
28 | statement {
29 | effect = "Allow"
30 | resources = ["*"]
31 | actions = ["kms:*"]
32 | principals {
33 | type = "AWS"
34 | identifiers = [data.aws_caller_identity.self.arn]
35 | }
36 | }
37 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cmk_admin_policy
File: /code/terraform/06-managing-secrets-with-terraform/kms-cmk/main.tf:27-37
27 | data "aws_iam_policy_document" "cmk_admin_policy" {
28 | statement {
29 | effect = "Allow"
30 | resources = ["*"]
31 | actions = ["kms:*"]
32 | principals {
33 | type = "AWS"
34 | identifiers = [data.aws_caller_identity.self.arn]
35 | }
36 | }
37 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.cmk
File: /code/terraform/06-managing-secrets-with-terraform/kms-cmk/main.tf:17-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
17 | resource "aws_kms_key" "cmk" {
18 | policy = data.aws_iam_policy_document.cmk_admin_policy.json
19 |
20 | # We set a short deletion window, as these keys are only used
21 | # for testing/learning, and we want to minimize the AWS charges
22 | deletion_window_in_days = 7
23 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.region_1
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
30 | resource "aws_instance" "region_1" {
31 | provider = aws.region_1
32 |
33 | ami = data.aws_ami.ubuntu_region_1.id
34 | instance_type = "t2.micro"
35 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.region_1
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
30 | resource "aws_instance" "region_1" {
31 | provider = aws.region_1
32 |
33 | ami = data.aws_ami.ubuntu_region_1.id
34 | instance_type = "t2.micro"
35 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.region_1
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
30 | resource "aws_instance" "region_1" {
31 | provider = aws.region_1
32 |
33 | ami = data.aws_ami.ubuntu_region_1.id
34 | instance_type = "t2.micro"
35 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.region_1
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
30 | resource "aws_instance" "region_1" {
31 | provider = aws.region_1
32 |
33 | ami = data.aws_ami.ubuntu_region_1.id
34 | instance_type = "t2.micro"
35 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.region_2
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:37-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
37 | resource "aws_instance" "region_2" {
38 | provider = aws.region_2
39 |
40 | ami = data.aws_ami.ubuntu_region_2.id
41 | instance_type = "t2.micro"
42 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.region_2
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:37-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
37 | resource "aws_instance" "region_2" {
38 | provider = aws.region_2
39 |
40 | ami = data.aws_ami.ubuntu_region_2.id
41 | instance_type = "t2.micro"
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.region_2
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:37-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
37 | resource "aws_instance" "region_2" {
38 | provider = aws.region_2
39 |
40 | ami = data.aws_ami.ubuntu_region_2.id
41 | instance_type = "t2.micro"
42 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.region_2
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:37-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
37 | resource "aws_instance" "region_2" {
38 | provider = aws.region_2
39 |
40 | ami = data.aws_ami.ubuntu_region_2.id
41 | instance_type = "t2.micro"
42 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:33-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/prod/data-stores/mysql/main.tf:49-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
Calling File: /code/terraform/07-working-with-multiple-providers/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: module.eks_cluster.aws_eks_cluster.cluster
File: /code/terraform/07-working-with-multiple-providers/modules/services/eks-cluster/main.tf:13-28
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-eks/main.tf:37-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
13 | resource "aws_eks_cluster" "cluster" {
14 | name = var.name
15 | role_arn = aws_iam_role.cluster.arn
16 | version = "1.21"
17 |
18 | vpc_config {
19 | subnet_ids = data.aws_subnets.default.ids
20 | }
21 |
22 | # Ensure that IAM Role permissions are created before and deleted after
23 | # the EKS Cluster. Otherwise, EKS will not be able to properly delete
24 | # EKS managed EC2 infrastructure such as Security Groups.
25 | depends_on = [
26 | aws_iam_role_policy_attachment.AmazonEKSClusterPolicy
27 | ]
28 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: module.eks_cluster.aws_eks_cluster.cluster
File: /code/terraform/07-working-with-multiple-providers/modules/services/eks-cluster/main.tf:13-28
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-eks/main.tf:37-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
13 | resource "aws_eks_cluster" "cluster" {
14 | name = var.name
15 | role_arn = aws_iam_role.cluster.arn
16 | version = "1.21"
17 |
18 | vpc_config {
19 | subnet_ids = data.aws_subnets.default.ids
20 | }
21 |
22 | # Ensure that IAM Role permissions are created before and deleted after
23 | # the EKS Cluster. Otherwise, EKS will not be able to properly delete
24 | # EKS managed EC2 infrastructure such as Security Groups.
25 | depends_on = [
26 | aws_iam_role_policy_attachment.AmazonEKSClusterPolicy
27 | ]
28 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: module.eks_cluster.aws_eks_cluster.cluster
File: /code/terraform/07-working-with-multiple-providers/modules/services/eks-cluster/main.tf:13-28
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-eks/main.tf:37-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
13 | resource "aws_eks_cluster" "cluster" {
14 | name = var.name
15 | role_arn = aws_iam_role.cluster.arn
16 | version = "1.21"
17 |
18 | vpc_config {
19 | subnet_ids = data.aws_subnets.default.ids
20 | }
21 |
22 | # Ensure that IAM Role permissions are created before and deleted after
23 | # the EKS Cluster. Otherwise, EKS will not be able to properly delete
24 | # EKS managed EC2 infrastructure such as Security Groups.
25 | depends_on = [
26 | aws_iam_role_policy_attachment.AmazonEKSClusterPolicy
27 | ]
28 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: module.eks_cluster.aws_eks_cluster.cluster
File: /code/terraform/07-working-with-multiple-providers/modules/services/eks-cluster/main.tf:13-28
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-eks/main.tf:37-52
13 | resource "aws_eks_cluster" "cluster" {
14 | name = var.name
15 | role_arn = aws_iam_role.cluster.arn
16 | version = "1.21"
17 |
18 | vpc_config {
19 | subnet_ids = data.aws_subnets.default.ids
20 | }
21 |
22 | # Ensure that IAM Role permissions are created before and deleted after
23 | # the EKS Cluster. Otherwise, EKS will not be able to properly delete
24 | # EKS managed EC2 infrastructure such as Security Groups.
25 | depends_on = [
26 | aws_iam_role_policy_attachment.AmazonEKSClusterPolicy
27 | ]
28 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: module.eks_cluster.aws_eks_cluster.cluster
File: /code/terraform/07-working-with-multiple-providers/modules/services/eks-cluster/main.tf:13-28
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-eks/main.tf:37-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
13 | resource "aws_eks_cluster" "cluster" {
14 | name = var.name
15 | role_arn = aws_iam_role.cluster.arn
16 | version = "1.21"
17 |
18 | vpc_config {
19 | subnet_ids = data.aws_subnets.default.ids
20 | }
21 |
22 | # Ensure that IAM Role permissions are created before and deleted after
23 | # the EKS Cluster. Otherwise, EKS will not be able to properly delete
24 | # EKS managed EC2 infrastructure such as Security Groups.
25 | depends_on = [
26 | aws_iam_role_policy_attachment.AmazonEKSClusterPolicy
27 | ]
28 | }
Check: CKV_K8S_11: "CPU Limits should be set"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_30: "Apply security context to your pods and containers"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_12: "Memory Limits should be set"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_13: "Memory requests should be set"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: module.simple_webapp.kubernetes_deployment.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:19-56
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
19 | resource "kubernetes_deployment" "app" {
20 | metadata {
21 | name = var.name
22 | }
23 |
24 | spec {
25 | replicas = var.replicas
26 |
27 | template {
28 | metadata {
29 | labels = local.pod_labels
30 | }
31 |
32 | spec {
33 | container {
34 | name = var.name
35 | image = var.image
36 |
37 | port {
38 | container_port = var.container_port
39 | }
40 |
41 | dynamic "env" {
42 | for_each = var.environment_variables
43 | content {
44 | name = env.key
45 | value = env.value
46 | }
47 | }
48 | }
49 | }
50 | }
51 |
52 | selector {
53 | match_labels = local.pod_labels
54 | }
55 | }
56 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: module.simple_webapp.kubernetes_service.app
File: /code/terraform/07-working-with-multiple-providers/modules/services/k8s-app/main.tf:60-74
Calling File: /code/terraform/07-working-with-multiple-providers/examples/kubernetes-local/main.tf:20-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
60 | resource "kubernetes_service" "app" {
61 | metadata {
62 | name = var.name
63 | }
64 |
65 | spec {
66 | type = "LoadBalancer"
67 | port {
68 | port = 80
69 | target_port = var.container_port
70 | protocol = "TCP"
71 | }
72 | selector = local.pod_labels
73 | }
74 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/local-exec-provisioner/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | provisioner "local-exec" {
21 | command = "echo \"Hello, World from $(uname -smp)\""
22 | }
23 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/local-exec-provisioner/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | provisioner "local-exec" {
21 | command = "echo \"Hello, World from $(uname -smp)\""
22 | }
23 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/local-exec-provisioner/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | provisioner "local-exec" {
21 | command = "echo \"Hello, World from $(uname -smp)\""
22 | }
23 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/local-exec-provisioner/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | provisioner "local-exec" {
21 | command = "echo \"Hello, World from $(uname -smp)\""
22 | }
23 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:41-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
41 | resource "aws_instance" "example" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t2.micro"
44 | vpc_security_group_ids = [aws_security_group.instance.id]
45 | key_name = aws_key_pair.generated_key.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo \"Hello, World from $(uname -smp)\""]
49 | }
50 |
51 | connection {
52 | type = "ssh"
53 | host = self.public_ip
54 | user = "ubuntu"
55 | private_key = tls_private_key.example.private_key_pem
56 | }
57 |
58 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:41-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
41 | resource "aws_instance" "example" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t2.micro"
44 | vpc_security_group_ids = [aws_security_group.instance.id]
45 | key_name = aws_key_pair.generated_key.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo \"Hello, World from $(uname -smp)\""]
49 | }
50 |
51 | connection {
52 | type = "ssh"
53 | host = self.public_ip
54 | user = "ubuntu"
55 | private_key = tls_private_key.example.private_key_pem
56 | }
57 |
58 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:41-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
41 | resource "aws_instance" "example" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t2.micro"
44 | vpc_security_group_ids = [aws_security_group.instance.id]
45 | key_name = aws_key_pair.generated_key.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo \"Hello, World from $(uname -smp)\""]
49 | }
50 |
51 | connection {
52 | type = "ssh"
53 | host = self.public_ip
54 | user = "ubuntu"
55 | private_key = tls_private_key.example.private_key_pem
56 | }
57 |
58 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:41-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
41 | resource "aws_instance" "example" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t2.micro"
44 | vpc_security_group_ids = [aws_security_group.instance.id]
45 | key_name = aws_key_pair.generated_key.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo \"Hello, World from $(uname -smp)\""]
49 | }
50 |
51 | connection {
52 | type = "ssh"
53 | host = self.public_ip
54 | user = "ubuntu"
55 | private_key = tls_private_key.example.private_key_pem
56 | }
57 |
58 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:60-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
60 | resource "aws_security_group" "instance" {
61 | ingress {
62 | from_port = 22
63 | to_port = 22
64 | protocol = "tcp"
65 |
66 | # To make this example easy to try out, we allow all SSH connections.
67 | # In real world usage, you should lock this down to solely trusted IPs.
68 | cidr_blocks = ["0.0.0.0/0"]
69 | }
70 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.instance
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:60-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
60 | resource "aws_security_group" "instance" {
61 | ingress {
62 | from_port = 22
63 | to_port = 22
64 | protocol = "tcp"
65 |
66 | # To make this example easy to try out, we allow all SSH connections.
67 | # In real world usage, you should lock this down to solely trusted IPs.
68 | cidr_blocks = ["0.0.0.0/0"]
69 | }
70 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:12-26
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | precondition {
22 | condition = data.aws_ec2_instance_type.instance.free_tier_eligible
23 | error_message = "${var.instance_type} is not part of the AWS Free Tier!"
24 | }
25 | }
26 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:12-26
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | precondition {
22 | condition = data.aws_ec2_instance_type.instance.free_tier_eligible
23 | error_message = "${var.instance_type} is not part of the AWS Free Tier!"
24 | }
25 | }
26 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.asg.aws_autoscaling_group.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:28-76
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/asg/main.tf:16-29
28 | resource "aws_autoscaling_group" "example" {
29 | name = var.cluster_name
30 | launch_configuration = aws_launch_configuration.example.name
31 |
32 | vpc_zone_identifier = var.subnet_ids
33 |
34 | # Configure integrations with a load balancer
35 | target_group_arns = var.target_group_arns
36 | health_check_type = var.health_check_type
37 |
38 | min_size = var.min_size
39 | max_size = var.max_size
40 |
41 | # Use instance refresh to roll out changes to the ASG
42 | instance_refresh {
43 | strategy = "Rolling"
44 | preferences {
45 | min_healthy_percentage = 50
46 | }
47 | }
48 |
49 | tag {
50 | key = "Name"
51 | value = var.cluster_name
52 | propagate_at_launch = true
53 | }
54 |
55 | dynamic "tag" {
56 | for_each = {
57 | for key, value in var.custom_tags:
58 | key => upper(value)
59 | if key != "Name"
60 | }
61 |
62 | content {
63 | key = tag.key
64 | value = tag.value
65 | propagate_at_launch = true
66 | }
67 | }
68 |
69 | lifecycle {
70 | postcondition {
71 | condition = length(self.availability_zones) > 1
72 | error_message = "You must use more than one AZ for high availability!"
73 | }
74 | }
75 |
76 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group.instance
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:100-102
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
100 | resource "aws_security_group" "instance" {
101 | name = "${var.cluster_name}-instance"
102 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:104-112
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
104 | resource "aws_security_group_rule" "allow_server_http_inbound" {
105 | type = "ingress"
106 | security_group_id = aws_security_group.instance.id
107 |
108 | from_port = var.server_port
109 | to_port = var.server_port
110 | protocol = local.tcp_protocol
111 | cidr_blocks = local.all_ips
112 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.hello_world_app.module.asg.aws_launch_configuration.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:12-26
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | precondition {
22 | condition = data.aws_ec2_instance_type.instance.free_tier_eligible
23 | error_message = "${var.instance_type} is not part of the AWS Free Tier!"
24 | }
25 | }
26 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.hello_world_app.module.asg.aws_launch_configuration.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:12-26
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | precondition {
22 | condition = data.aws_ec2_instance_type.instance.free_tier_eligible
23 | error_message = "${var.instance_type} is not part of the AWS Free Tier!"
24 | }
25 | }
26 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.hello_world_app.module.asg.aws_autoscaling_group.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:28-76
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:14-37
28 | resource "aws_autoscaling_group" "example" {
29 | name = var.cluster_name
30 | launch_configuration = aws_launch_configuration.example.name
31 |
32 | vpc_zone_identifier = var.subnet_ids
33 |
34 | # Configure integrations with a load balancer
35 | target_group_arns = var.target_group_arns
36 | health_check_type = var.health_check_type
37 |
38 | min_size = var.min_size
39 | max_size = var.max_size
40 |
41 | # Use instance refresh to roll out changes to the ASG
42 | instance_refresh {
43 | strategy = "Rolling"
44 | preferences {
45 | min_healthy_percentage = 50
46 | }
47 | }
48 |
49 | tag {
50 | key = "Name"
51 | value = var.cluster_name
52 | propagate_at_launch = true
53 | }
54 |
55 | dynamic "tag" {
56 | for_each = {
57 | for key, value in var.custom_tags:
58 | key => upper(value)
59 | if key != "Name"
60 | }
61 |
62 | content {
63 | key = tag.key
64 | value = tag.value
65 | propagate_at_launch = true
66 | }
67 | }
68 |
69 | lifecycle {
70 | postcondition {
71 | condition = length(self.availability_zones) > 1
72 | error_message = "You must use more than one AZ for high availability!"
73 | }
74 | }
75 |
76 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.asg.aws_security_group.instance
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:100-102
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
100 | resource "aws_security_group" "instance" {
101 | name = "${var.cluster_name}-instance"
102 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.asg.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/cluster/asg-rolling-deploy/main.tf:104-112
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
104 | resource "aws_security_group_rule" "allow_server_http_inbound" {
105 | type = "ingress"
106 | security_group_id = aws_security_group.instance.id
107 |
108 | from_port = var.server_port
109 | to_port = var.server_port
110 | protocol = local.tcp_protocol
111 | cidr_blocks = local.all_ips
112 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/live/stage/data-stores/mysql/main.tf:27-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
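The nine RDS findings above all point at the same ten-line resource, so one hardened version of the data-stores/mysql module addresses them together. This is an added example, not the book's code: it keeps the original identifiers and assumes four inputs the book's module does not have (var.kms_key_arn for a customer-managed KMS key, var.rds_monitoring_role_arn for a role carrying the AmazonRDSEnhancedMonitoringRole policy, var.instance_class, and the existing var.db_name/var.db_username/var.db_password).

```hcl
# Added example, not code from the book. Assumed inputs: var.kms_key_arn,
# var.rds_monitoring_role_arn, var.instance_class, var.db_name,
# var.db_username, var.db_password.
resource "aws_db_instance" "example" {
  identifier_prefix = "terraform-up-and-running"
  engine            = "mysql"
  allocated_storage = 10
  instance_class    = var.instance_class # see the note below on db.t2.micro
  db_name           = var.db_name
  username          = var.db_username
  password          = var.db_password

  # CKV_AWS_16 and CKV_AWS_354: storage and Performance Insights data are
  # encrypted with a customer-managed key, so key access can be audited and
  # revoked independently of the RDS service.
  storage_encrypted               = true
  kms_key_id                      = var.kms_key_arn
  performance_insights_enabled    = true # CKV_AWS_353
  performance_insights_kms_key_id = var.kms_key_arn

  # CKV_AWS_161: application users can authenticate with 15-minute IAM tokens
  # instead of a long-lived password shared across the fleet.
  iam_database_authentication_enabled = true

  # CKV_AWS_129 and CKV_AWS_118: engine logs to CloudWatch Logs and OS-level
  # metrics from the enhanced-monitoring agent every 60 seconds.
  enabled_cloudwatch_logs_exports = ["error", "general", "slowquery"]
  monitoring_interval             = 60
  monitoring_role_arn             = var.rds_monitoring_role_arn

  # CKV_AWS_157 and CKV_AWS_226: synchronous standby in a second AZ, and
  # minor engine patches applied in the maintenance window.
  multi_az                   = true
  auto_minor_version_upgrade = true

  # CKV_AWS_293: the instance refuses deletion until the flag is flipped off,
  # and a destroy that does go ahead leaves a final snapshot behind.
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "terraform-up-and-running-final"
  backup_retention_period   = 7
}
```

Three caveats a practitioner will hit on apply. Performance Insights is not available on the burstable micro and small classes (db.t2.micro, db.t3.micro and their small siblings), so the book's db.t2.micro has to become a larger class before CKV_AWS_353 can actually be satisfied. The "general" and "slowquery" exports only carry data if the matching parameters (general_log, slow_query_log) are enabled in the instance's parameter group, and a MySQL "audit" export additionally needs an option group with the MariaDB audit plugin, which is why it is left out here. IAM authentication only takes effect for users created in the database with the AWSAuthenticationPlugin; the master user still uses the password, and deletion_protection = true means the book's usual terraform destroy will fail until the flag is set back to false and applied.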
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:21-36
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
21 | resource "aws_lb_listener" "http" {
22 | load_balancer_arn = aws_lb.example.arn
23 | port = local.http_port
24 | protocol = "HTTP"
25 |
26 | # By default, return a simple 404 page
27 | default_action {
28 | type = "fixed-response"
29 |
30 | fixed_response {
31 | content_type = "text/plain"
32 | message_body = "404: page not found"
33 | status_code = 404
34 | }
35 | }
36 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group.alb
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:38-40
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
38 | resource "aws_security_group" "alb" {
39 | name = var.alb_name
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:42-50
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
42 | resource "aws_security_group_rule" "allow_http_inbound" {
43 | type = "ingress"
44 | security_group_id = aws_security_group.alb.id
45 |
46 | from_port = local.http_port
47 | to_port = local.http_port
48 | protocol = local.tcp_protocol
49 | cidr_blocks = local.all_ips
50 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:42-50
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
42 | resource "aws_security_group_rule" "allow_http_inbound" {
43 | type = "ingress"
44 | security_group_id = aws_security_group.alb.id
45 |
46 | from_port = local.http_port
47 | to_port = local.http_port
48 | protocol = local.tcp_protocol
49 | cidr_blocks = local.all_ips
50 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_all_outbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:52-60
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/examples/alb/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group_rule" "allow_all_outbound" {
53 | type = "egress"
54 | security_group_id = aws_security_group.alb.id
55 |
56 | from_port = local.any_port
57 | to_port = local.any_port
58 | protocol = local.any_protocol
59 | cidr_blocks = local.all_ips
60 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.hello_world_app.module.alb.aws_lb_listener.http
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:21-36
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
21 | resource "aws_lb_listener" "http" {
22 | load_balancer_arn = aws_lb.example.arn
23 | port = local.http_port
24 | protocol = "HTTP"
25 |
26 | # By default, return a simple 404 page
27 | default_action {
28 | type = "fixed-response"
29 |
30 | fixed_response {
31 | content_type = "text/plain"
32 | message_body = "404: page not found"
33 | status_code = 404
34 | }
35 | }
36 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group.alb
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:38-40
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
38 | resource "aws_security_group" "alb" {
39 | name = var.alb_name
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:42-50
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
42 | resource "aws_security_group_rule" "allow_http_inbound" {
43 | type = "ingress"
44 | security_group_id = aws_security_group.alb.id
45 |
46 | from_port = local.http_port
47 | to_port = local.http_port
48 | protocol = local.tcp_protocol
49 | cidr_blocks = local.all_ips
50 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:42-50
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
42 | resource "aws_security_group_rule" "allow_http_inbound" {
43 | type = "ingress"
44 | security_group_id = aws_security_group.alb.id
45 |
46 | from_port = local.http_port
47 | to_port = local.http_port
48 | protocol = local.tcp_protocol
49 | cidr_blocks = local.all_ips
50 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_all_outbound
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:52-60
Calling File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/services/hello-world-app/main.tf:39-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group_rule" "allow_all_outbound" {
53 | type = "egress"
54 | security_group_id = aws_security_group.alb.id
55 |
56 | from_port = local.any_port
57 | to_port = local.any_port
58 | protocol = local.any_protocol
59 | cidr_blocks = local.all_ips
60 | }
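The networking/alb module is flagged twice above, once from examples/alb and once from the hello-world-app module, for the same six issues: no dropping of invalid headers, no deletion protection, no access logs, an HTTP-only listener, undescribed security-group rules, and port 80 open to the world. The block below is an added example, not the book's code, showing the module with those findings addressed. It assumes three inputs the original module does not declare: var.vpc_id, var.certificate_arn (an ACM certificate in the ALB's region) and var.alb_log_bucket (an S3 bucket whose bucket policy already allows the regional Elastic Load Balancing account to write to it).

```hcl
# Added example, not code from the book. Assumed inputs beyond the original
# module: var.vpc_id, var.certificate_arn, var.alb_log_bucket.
resource "aws_lb" "example" {
  name               = var.alb_name
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.alb.id]

  drop_invalid_header_fields = true # CKV_AWS_131: discard malformed header names
  enable_deletion_protection = true # CKV_AWS_150

  access_logs { # CKV_AWS_91: per-request logs for incident response
    bucket  = var.alb_log_bucket
    prefix  = var.alb_name
    enabled = true
  }
}

# CKV_AWS_2: TLS terminates here with a policy that allows TLS 1.2 and 1.3 only.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  # By default, return a simple 404 page
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = "404"
    }
  }
}

# Port 80 stays open only to send clients to HTTPS; nothing is served on it.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# CKV_AWS_23: the group and every rule carry a description.
resource "aws_security_group" "alb" {
  name        = var.alb_name
  description = "Public entry point for ${var.alb_name}"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "allow_https_inbound" {
  type              = "ingress"
  description       = "HTTPS from the internet"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "allow_http_inbound" {
  # checkov:skip=CKV_AWS_260:Port 80 only returns a 301 to HTTPS; no content is served
  type              = "ingress"
  description       = "HTTP from the internet, redirected to HTTPS by the listener"
  security_group_id = aws_security_group.alb.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "allow_all_outbound" {
  type              = "egress"
  description       = "Let the ALB reach its targets and run health checks"
  security_group_id = aws_security_group.alb.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

Two points on the design. Checkov's CKV_AWS_2 passes an HTTP listener whose default action is a redirect to HTTPS, so the port-80 listener above no longer trips it; CKV_AWS_260, however, looks only at the security-group rule and cannot see the listener, so a public ALB that redirects 80 to 443 will always fail it. That is what the inline checkov:skip comment is for: it must sit inside the resource block, and the justification after the second colon is what a reviewer sees in the report. If the service has no need for plain-HTTP clients at all, drop the allow_http_inbound rule and the http listener instead of suppressing the check. The access_logs block will fail on apply until the bucket policy grants s3:PutObject to the ELB service account for the ALB's region.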
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /code/terraform/09-testing-terraform-code/examples/opa/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = var.tags
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /code/terraform/09-testing-terraform-code/examples/opa/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = var.tags
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /code/terraform/09-testing-terraform-code/examples/opa/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = var.tags
21 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /code/terraform/09-testing-terraform-code/examples/opa/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = var.tags
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/09-testing-terraform-code/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/09-testing-terraform-code/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.asg.aws_autoscaling_group.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:24-63
Calling File: /code/terraform/09-testing-terraform-code/examples/asg/main.tf:16-29
24 | resource "aws_autoscaling_group" "example" {
25 | name = var.cluster_name
26 | launch_configuration = aws_launch_configuration.example.name
27 | vpc_zone_identifier = var.subnet_ids
28 |
29 | # Configure integrations with a load balancer
30 | target_group_arns = var.target_group_arns
31 | health_check_type = var.health_check_type
32 |
33 | min_size = var.min_size
34 | max_size = var.max_size
35 |
36 | # Use instance refresh to roll out changes to the ASG
37 | instance_refresh {
38 | strategy = "Rolling"
39 | preferences {
40 | min_healthy_percentage = 50
41 | }
42 | }
43 |
44 | tag {
45 | key = "Name"
46 | value = var.cluster_name
47 | propagate_at_launch = true
48 | }
49 |
50 | dynamic "tag" {
51 | for_each = {
52 | for key, value in var.custom_tags:
53 | key => upper(value)
54 | if key != "Name"
55 | }
56 |
57 | content {
58 | key = tag.key
59 | value = tag.value
60 | propagate_at_launch = true
61 | }
62 | }
63 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group.instance
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:87-89
Calling File: /code/terraform/09-testing-terraform-code/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
87 | resource "aws_security_group" "instance" {
88 | name = "${var.cluster_name}-instance"
89 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:91-99
Calling File: /code/terraform/09-testing-terraform-code/examples/asg/main.tf:16-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
91 | resource "aws_security_group_rule" "allow_server_http_inbound" {
92 | type = "ingress"
93 | security_group_id = aws_security_group.instance.id
94 |
95 | from_port = var.server_port
96 | to_port = var.server_port
97 | protocol = local.tcp_protocol
98 | cidr_blocks = local.all_ips
99 | }
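The asg-rolling-deploy module produces the same cluster of findings every time it is called, in both the chapter 8 and chapter 9 trees above: an unencrypted root volume (CKV_AWS_8), IMDSv1 left enabled (CKV_AWS_79), a launch configuration where a launch template is expected (CKV_AWS_315), and a security group and rule with no description (CKV_AWS_23). The chapter 9 opa example's bare aws_instance is flagged for the same EBS, IMDS, monitoring and EBS-optimization reasons. The block below is an added example, not the book's code, showing the module rewritten around a launch template so that one change covers all of them. It assumes two inputs the original module does not declare, var.vpc_id and var.alb_security_group_id (the ALB's security group, so that the app port is no longer open to 0.0.0.0/0), and keeps the original var.ami, var.instance_type, var.user_data, var.cluster_name, var.subnet_ids, var.server_port, var.min_size, var.max_size, var.target_group_arns and var.health_check_type.

```hcl
# Added example, not code from the book. Assumed inputs beyond the original
# module: var.vpc_id, var.alb_security_group_id.

# CKV_AWS_315: a launch template replaces the launch configuration. The same
# metadata_options, block-device, monitoring and ebs_optimized arguments exist
# on aws_instance, which is how the opa example's instance would be fixed.
resource "aws_launch_template" "example" {
  name_prefix            = "${var.cluster_name}-"
  image_id               = var.ami
  instance_type          = var.instance_type
  vpc_security_group_ids = [aws_security_group.instance.id]
  user_data              = base64encode(var.user_data) # templates take base64
  ebs_optimized          = true                        # CKV_AWS_135

  # CKV_AWS_79: IMDSv2 only. A plain GET to 169.254.169.254 from an SSRF bug
  # or a container on the host no longer returns the instance credentials,
  # and the hop limit of 1 stops the PUT/GET pair from crossing a NAT.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypted root volume. /dev/sda1 is the root device on the
  # Ubuntu AMIs the book uses; other images may name it differently.
  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      encrypted   = true
      volume_type = "gp3"
    }
  }

  monitoring {
    enabled = true # CKV_AWS_126: 1-minute CloudWatch metrics
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "example" {
  name                = var.cluster_name
  vpc_zone_identifier = var.subnet_ids
  target_group_arns   = var.target_group_arns
  health_check_type   = var.health_check_type
  min_size            = var.min_size
  max_size            = var.max_size

  # Tracking latest_version makes a template change trigger the refresh below.
  launch_template {
    id      = aws_launch_template.example.id
    version = aws_launch_template.example.latest_version
  }

  # Use instance refresh to roll out changes to the ASG
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }

  tag {
    key                 = "Name"
    value               = var.cluster_name
    propagate_at_launch = true
  }
}

# CKV_AWS_23 fires on the group as well as on its rules, so both get a
# description. The substantive change is the source: the app port is
# reachable from the ALB's security group only, not from local.all_ips.
resource "aws_security_group" "instance" {
  name        = "${var.cluster_name}-instance"
  description = "Instances in the ${var.cluster_name} ASG"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "allow_server_http_inbound" {
  type                     = "ingress"
  description              = "App port from the ALB only"
  security_group_id        = aws_security_group.instance.id
  from_port                = var.server_port
  to_port                  = var.server_port
  protocol                 = "tcp"
  source_security_group_id = var.alb_security_group_id
}
```

Two things to check before applying this. The t2 family does not support EBS optimization, so with the book's t2.micro the ebs_optimized line is rejected at launch; either drop it or move to a t3 type, bearing in mind that the chapter 8 version's free_tier_eligible precondition is region-dependent for t3.micro. And a hop limit of 1 is right for software running directly on the instance, but if the user_data starts containers that need instance credentials through the bridge network, raise it to 2 rather than falling back to IMDSv1.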
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.hello_world_app.module.asg.aws_launch_configuration.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:13-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.hello_world_app.module.asg.aws_launch_configuration.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:13-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.hello_world_app.module.asg.aws_autoscaling_group.example
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:24-63
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:13-36
24 | resource "aws_autoscaling_group" "example" {
25 | name = var.cluster_name
26 | launch_configuration = aws_launch_configuration.example.name
27 | vpc_zone_identifier = var.subnet_ids
28 |
29 | # Configure integrations with a load balancer
30 | target_group_arns = var.target_group_arns
31 | health_check_type = var.health_check_type
32 |
33 | min_size = var.min_size
34 | max_size = var.max_size
35 |
36 | # Use instance refresh to roll out changes to the ASG
37 | instance_refresh {
38 | strategy = "Rolling"
39 | preferences {
40 | min_healthy_percentage = 50
41 | }
42 | }
43 |
44 | tag {
45 | key = "Name"
46 | value = var.cluster_name
47 | propagate_at_launch = true
48 | }
49 |
50 | dynamic "tag" {
51 | for_each = {
52 | for key, value in var.custom_tags:
53 | key => upper(value)
54 | if key != "Name"
55 | }
56 |
57 | content {
58 | key = tag.key
59 | value = tag.value
60 | propagate_at_launch = true
61 | }
62 | }
63 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.asg.aws_security_group.instance
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:87-89
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:13-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
87 | resource "aws_security_group" "instance" {
88 | name = "${var.cluster_name}-instance"
89 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.asg.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/cluster/asg-rolling-deploy/main.tf:91-99
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:13-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
91 | resource "aws_security_group_rule" "allow_server_http_inbound" {
92 | type = "ingress"
93 | security_group_id = aws_security_group.instance.id
94 |
95 | from_port = var.server_port
96 | to_port = var.server_port
97 | protocol = local.tcp_protocol
98 | cidr_blocks = local.all_ips
99 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
Calling File: /code/terraform/09-testing-terraform-code/live/stage/data-stores/mysql/main.tf:29-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
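The nine RDS findings above (CKV_AWS_293, 129, 161, 226, 118, 354, 353, 16 and 157) all point at the same ten-line aws_db_instance in modules/data-stores/mysql; the copy under 10-terraform-team/modules/data-stores/mysql is flagged for the same reasons. The block below is an added example, not the book's or the repository's code: it is one way to write that resource so every listed check passes. var.db_name, var.db_username and var.db_password are the module's existing inputs; the KMS key, the monitoring IAM role and the change of instance class are additions made here.

```hcl
# Added example, not the book's code: hardened aws_db_instance for the mysql module.
# var.db_name, var.db_username and var.db_password are the module's existing inputs.

resource "aws_kms_key" "rds" {
  description         = "CMK for RDS storage and Performance Insights"
  enable_key_rotation = true
}

# CKV_AWS_118: enhanced monitoring needs a role that RDS can assume to push
# OS metrics to CloudWatch Logs.
data "aws_iam_policy_document" "rds_monitoring_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "rds_monitoring" {
  name               = "terraform-up-and-running-rds-monitoring"
  assume_role_policy = data.aws_iam_policy_document.rds_monitoring_assume.json
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_db_instance" "example" {
  identifier_prefix = "terraform-up-and-running"
  engine            = "mysql"
  allocated_storage = 10
  # db.t2.micro does not support Performance Insights; db.t3.medium is an
  # assumed replacement, pick the class that fits the workload.
  instance_class = "db.t3.medium"
  db_name        = var.db_name
  username       = var.db_username
  password       = var.db_password

  # CKV_AWS_16 and CKV_AWS_354: encrypt storage and Performance Insights
  # data with the customer-managed key above.
  storage_encrypted                     = true
  kms_key_id                            = aws_kms_key.rds.arn
  performance_insights_enabled          = true # CKV_AWS_353
  performance_insights_kms_key_id       = aws_kms_key.rds.arn
  performance_insights_retention_period = 7

  # CKV_AWS_118: OS-level metrics every 60 seconds.
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  # CKV_AWS_129: ship the MySQL engine logs to CloudWatch Logs. "audit" is a
  # fourth valid type but needs the MARIADB_AUDIT_PLUGIN option group.
  enabled_cloudwatch_logs_exports = ["error", "general", "slowquery"]

  iam_database_authentication_enabled = true # CKV_AWS_161
  auto_minor_version_upgrade          = true # CKV_AWS_226
  multi_az                            = true # CKV_AWS_157

  # CKV_AWS_293: with deletion protection on, `terraform destroy` fails until
  # the flag is set back to false and applied. The final snapshot replaces
  # the original skip_final_snapshot = true.
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "terraform-up-and-running-final"
}
```

Two things to check before applying this to an instance that already exists: storage_encrypted cannot be switched on in place, so the plan will show the instance being replaced (take a snapshot first), and multi_az plus the larger class roughly doubles the cost of what the book deliberately keeps tiny. IAM authentication only takes effect for database users created with the AWSAuthenticationPlugin (CREATE USER ... IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'); the master user in var.db_username still authenticates with var.db_password.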
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:19-34
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group.alb
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:36-38
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "alb" {
37 | name = var.alb_name
38 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_all_outbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:50-58
Calling File: /code/terraform/09-testing-terraform-code/examples/alb/main.tf:16-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group_rule" "allow_all_outbound" {
51 | type = "egress"
52 | security_group_id = aws_security_group.alb.id
53 |
54 | from_port = local.any_port
55 | to_port = local.any_port
56 | protocol = local.any_protocol
57 | cidr_blocks = local.all_ips
58 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.hello_world_app.module.alb.aws_lb_listener.http
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:19-34
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group.alb
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:36-38
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "alb" {
37 | name = var.alb_name
38 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.hello_world_app.module.alb.aws_security_group_rule.allow_all_outbound
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:50-58
Calling File: /code/terraform/09-testing-terraform-code/modules/services/hello-world-app/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group_rule" "allow_all_outbound" {
51 | type = "egress"
52 | security_group_id = aws_security_group.alb.id
53 |
54 | from_port = local.any_port
55 | to_port = local.any_port
56 | protocol = local.any_protocol
57 | cidr_blocks = local.all_ips
58 | }
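The findings against modules/networking/alb (CKV_AWS_131, 150, 91, 2, 23 and 260) are reported twice because the same module is instantiated from examples/alb and from modules/services/hello-world-app; a single change to the module clears both sets. The block below is an added example, not the book's or the repository's code. var.alb_name and var.subnet_ids are the module's existing inputs; var.certificate_arn (an ACM certificate ARN) and var.access_logs_bucket (an S3 bucket name) are new, hypothetical inputs introduced here.

```hcl
# Added example, not the book's code: hardened alb module. var.alb_name and
# var.subnet_ids exist in the module; var.certificate_arn and
# var.access_logs_bucket are assumed new inputs.

locals {
  http_port    = 80
  https_port   = 443
  any_port     = 0
  any_protocol = "-1"
  tcp_protocol = "tcp"
  all_ips      = ["0.0.0.0/0"]
}

resource "aws_lb" "example" {
  name               = var.alb_name
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.alb.id]

  drop_invalid_header_fields = true # CKV_AWS_131: drop malformed header names
  enable_deletion_protection = true # CKV_AWS_150

  # CKV_AWS_91: the bucket policy must let the regional ELB log-delivery
  # principal write objects, or the apply fails.
  access_logs {
    bucket  = var.access_logs_bucket
    prefix  = var.alb_name
    enabled = true
  }
}

# CKV_AWS_2: terminate TLS on 443 with a TLS 1.2+ policy.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn
  port              = local.https_port
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = 404
    }
  }
}

# Port 80 stays only to redirect; a redirect-to-HTTPS default action passes CKV_AWS_2.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = local.http_port
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_security_group" "alb" {
  name        = var.alb_name
  description = "Load balancer ${var.alb_name}" # CKV_AWS_23
}

resource "aws_security_group_rule" "allow_https_inbound" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  description       = "HTTPS from the internet"
  from_port         = local.https_port
  to_port           = local.https_port
  protocol          = local.tcp_protocol
  cidr_blocks       = local.all_ips
}

resource "aws_security_group_rule" "allow_http_inbound" {
  # checkov:skip=CKV_AWS_260: port 80 only feeds the HTTP-to-HTTPS redirect listener
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  description       = "HTTP from the internet, redirected to HTTPS"
  from_port         = local.http_port
  to_port           = local.http_port
  protocol          = local.tcp_protocol
  cidr_blocks       = local.all_ips
}

resource "aws_security_group_rule" "allow_all_outbound" {
  type              = "egress"
  security_group_id = aws_security_group.alb.id
  description       = "Health checks and forwarding to targets"
  from_port         = local.any_port
  to_port           = local.any_port
  protocol          = local.any_protocol
  cidr_blocks       = local.all_ips
}
```

CKV_AWS_260 is the one check here that is a policy decision rather than a fix: a public ALB has to accept port 80 from anywhere if it is to redirect old links, so the rule carries an inline checkov skip with the reason; an internal ALB should instead narrow cidr_blocks to the VPC range and drop the skip. Callers that attach aws_lb_listener_rule resources (the hello-world-app module does this through the module's listener output) must target the HTTPS listener's ARN, otherwise their rules sit on a listener that now only redirects. Deletion protection, as with RDS, has to be switched off and applied before the load balancer can be destroyed.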
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-anna/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.medium"
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-anna/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.medium"
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-anna/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.medium"
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-anna/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.medium"
19 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-bill/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "foo"
22 | }
23 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-bill/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "foo"
22 | }
23 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-bill/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "foo"
22 | }
23 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-bill/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "foo"
22 | }
23 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-original/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-original/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-original/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-original/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 | }
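The three conflict-* examples in 10-terraform-team share one four-line aws_instance and so share the same four findings (CKV_AWS_126, 8, 79 and 135). The block below is an added example, not the book's or the repository's code; data.aws_ami.ubuntu is the data source the originals already reference. The instance type change is deliberate: the t2 family does not support EBS optimization, so setting ebs_optimized = true on a t2.micro or t2.medium is rejected at launch, and CKV_AWS_135 cannot be satisfied without leaving that family.

```hcl
# Added example, not the book's code: hardened aws_instance for the
# conflict-* examples. data.aws_ami.ubuntu is the existing Ubuntu AMI lookup.

resource "aws_instance" "foo" {
  ami = data.aws_ami.ubuntu.id

  # CKV_AWS_135: t2 instances cannot be EBS-optimized (the API rejects the
  # flag); t3 supports it at no extra charge.
  instance_type = "t3.micro"
  ebs_optimized = true

  monitoring = true # CKV_AWS_126: 1-minute instead of 5-minute CloudWatch metrics

  # CKV_AWS_8: encrypt the root volume. root_block_device needs no device
  # name, so this works for Ubuntu (/dev/sda1) and Amazon Linux alike. Set
  # kms_key_id here to use a CMK instead of the account's default EBS key.
  root_block_device {
    encrypted = true
  }

  # CKV_AWS_79: http_tokens = "required" turns IMDSv1 off, so an SSRF bug in
  # software on the box can no longer read role credentials with a plain GET.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = {
    Name = "foo"
  }
}
```

Changing instance_type and adding root_block_device.encrypted both replace the instance, which is fine for these throwaway examples but worth reading in the plan output elsewhere. A hop limit of 1 also stops containers on the host from reaching the metadata service through the Docker bridge; raise it to 2 only where that is actually needed.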
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/10-terraform-team/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:18-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.asg.aws_launch_configuration.example
File: /code/terraform/10-terraform-team/modules/cluster/asg-rolling-deploy/main.tf:12-22
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:18-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_launch_configuration" "example" {
13 | image_id = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instance.id]
16 | user_data = var.user_data
17 |
18 | # Required when using a launch configuration with an auto scaling group.
19 | lifecycle {
20 | create_before_destroy = true
21 | }
22 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.asg.aws_autoscaling_group.example
File: /code/terraform/10-terraform-team/modules/cluster/asg-rolling-deploy/main.tf:24-63
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:18-40
24 | resource "aws_autoscaling_group" "example" {
25 | name = var.cluster_name
26 | launch_configuration = aws_launch_configuration.example.name
27 | vpc_zone_identifier = var.subnet_ids
28 |
29 | # Configure integrations with a load balancer
30 | target_group_arns = var.target_group_arns
31 | health_check_type = var.health_check_type
32 |
33 | min_size = var.min_size
34 | max_size = var.max_size
35 |
36 | # Use instance refresh to roll out changes to the ASG
37 | instance_refresh {
38 | strategy = "Rolling"
39 | preferences {
40 | min_healthy_percentage = 50
41 | }
42 | }
43 |
44 | tag {
45 | key = "Name"
46 | value = var.cluster_name
47 | propagate_at_launch = true
48 | }
49 |
50 | dynamic "tag" {
51 | for_each = {
52 | for key, value in var.custom_tags:
53 | key => upper(value)
54 | if key != "Name"
55 | }
56 |
57 | content {
58 | key = tag.key
59 | value = tag.value
60 | propagate_at_launch = true
61 | }
62 | }
63 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group.instance
File: /code/terraform/10-terraform-team/modules/cluster/asg-rolling-deploy/main.tf:87-89
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:18-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
87 | resource "aws_security_group" "instance" {
88 | name = "${var.cluster_name}-instance"
89 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.asg.aws_security_group_rule.allow_server_http_inbound
File: /code/terraform/10-terraform-team/modules/cluster/asg-rolling-deploy/main.tf:91-99
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:18-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
91 | resource "aws_security_group_rule" "allow_server_http_inbound" {
92 | type = "ingress"
93 | security_group_id = aws_security_group.instance.id
94 |
95 | from_port = var.server_port
96 | to_port = var.server_port
97 | protocol = local.tcp_protocol
98 | cidr_blocks = local.all_ips
99 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:12-17
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:19-34
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group.alb
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:36-38
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "alb" {
37 | name = var.alb_name
38 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.alb.aws_security_group_rule.allow_http_inbound
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:40-48
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
40 | resource "aws_security_group_rule" "allow_http_inbound" {
41 | type = "ingress"
42 | security_group_id = aws_security_group.alb.id
43 |
44 | from_port = local.http_port
45 | to_port = local.http_port
46 | protocol = local.tcp_protocol
47 | cidr_blocks = local.all_ips
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.alb.aws_security_group_rule.allow_all_outbound
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:50-58
Calling File: /code/terraform/10-terraform-team/modules/services/hello-world-app/main.tf:42-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group_rule" "allow_all_outbound" {
51 | type = "egress"
52 | security_group_id = aws_security_group.alb.id
53 |
54 | from_port = local.any_port
55 | to_port = local.any_port
56 | protocol = local.any_protocol
57 | cidr_blocks = local.all_ips
58 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.users[1].aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/landing-zone/iam-user/main.tf:12-14
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-module-count/main.tf:16-21
12 | resource "aws_iam_user" "example" {
13 | name = var.user_name
14 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.users[2].aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/landing-zone/iam-user/main.tf:12-14
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-module-count/main.tf:16-21
12 | resource "aws_iam_user" "example" {
13 | name = var.user_name
14 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.users["trinity"].aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/landing-zone/iam-user/main.tf:12-14
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-module-for-each/main.tf:16-21
12 | resource "aws_iam_user" "example" {
13 | name = var.user_name
14 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.users["neo"].aws_iam_user.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/landing-zone/iam-user/main.tf:12-14
Calling File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/global/three-iam-users-module-for-each/main.tf:16-21
12 | resource "aws_iam_user" "example" {
13 | name = var.user_name
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:16-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
16 | resource "aws_s3_bucket" "terraform_state" {
17 |
18 | bucket = var.bucket_name
19 |
20 | // This is only here so we can destroy the bucket as part of automated tests. You should not copy this for production
21 | // usage
22 | force_destroy = true
23 |
24 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:16-24
16 | resource "aws_s3_bucket" "terraform_state" {
17 |
18 | bucket = var.bucket_name
19 |
20 | // This is only here so we can destroy the bucket as part of automated tests. You should not copy this for production
21 | // usage
22 | force_destroy = true
23 |
24 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/data-stores/mysql/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | skip_final_snapshot = true
35 |
36 | db_name = var.db_name
37 |
38 | username = var.db_username
39 | password = var.db_password
40 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/module-example/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/04-terraform-module/multi-repo-example/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/prod/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/stage/data-stores/mysql/main.tf:27-36
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | db_name = var.db_name
33 | username = var.db_username
34 | password = var.db_password
35 | skip_final_snapshot = true
36 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-aws-secrets-mgr/main.tf:26-37
26 | resource "aws_db_instance" "example" {
27 | identifier_prefix = "terraform-up-and-running"
28 | engine = "mysql"
29 | allocated_storage = 10
30 | instance_class = "db.t2.micro"
31 | skip_final_snapshot = true
32 | db_name = var.db_name
33 |
34 | # Pass the secrets to the resource
35 | username = local.db_creds.username
36 | password = local.db_creds.password
37 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-kms/main.tf:27-38
27 | resource "aws_db_instance" "example" {
28 | identifier_prefix = "terraform-up-and-running"
29 | engine = "mysql"
30 | allocated_storage = 10
31 | instance_class = "db.t2.micro"
32 | skip_final_snapshot = true
33 | db_name = var.db_name
34 |
35 | # Pass the secrets to the resource
36 | username = local.db_creds.username
37 | password = local.db_creds.password
38 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/06-managing-secrets-with-terraform/mysql-vars/main.tf:17-28
17 | resource "aws_db_instance" "example" {
18 | identifier_prefix = "terraform-up-and-running"
19 | engine = "mysql"
20 | allocated_storage = 10
21 | instance_class = "db.t2.micro"
22 | skip_final_snapshot = true
23 | db_name = var.db_name
24 |
25 | # Pass the secrets to the resource
26 | username = var.db_username
27 | password = var.db_password
28 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.mysql_primary.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.mysql_replica.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/07-working-with-multiple-providers/modules/data-stores/mysql/main.tf:12-29
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | allocated_storage = 10
15 | instance_class = "db.t2.micro"
16 | skip_final_snapshot = true
17 |
18 | # Enable backups
19 | backup_retention_period = var.backup_retention_period
20 |
21 | # If specified, this DB will be a replica
22 | replicate_source_db = var.replicate_source_db
23 |
24 | # Only set these params if replicate_source_db is not set
25 | engine = var.replicate_source_db == null ? "mysql" : null
26 | db_name = var.replicate_source_db == null ? var.db_name : null
27 | username = var.replicate_source_db == null ? var.db_username : null
28 | password = var.replicate_source_db == null ? var.db_password : null
29 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/data-stores/mysql/main.tf:12-21
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.mysql.aws_db_instance.example
File: /code/terraform/09-testing-terraform-code/modules/data-stores/mysql/main.tf:12-21
12 | resource "aws_db_instance" "example" {
13 | identifier_prefix = "terraform-up-and-running"
14 | engine = "mysql"
15 | allocated_storage = 10
16 | instance_class = "db.t2.micro"
17 | db_name = var.db_name
18 | username = var.db_username
19 | password = var.db_password
20 | skip_final_snapshot = true
21 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /code/terraform/10-terraform-team/modules/data-stores/mysql/main.tf:18-27
18 | resource "aws_db_instance" "example" {
19 | identifier_prefix = "terraform-up-and-running"
20 | engine = "mysql"
21 | allocated_storage = 10
22 | instance_class = "db.t2.micro"
23 | db_name = var.db_name
24 | username = var.db_username
25 | password = var.db_password
26 | skip_final_snapshot = true
27 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:72-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
72 | resource "aws_lb" "example" {
73 |
74 | name = var.alb_name
75 |
76 | load_balancer_type = "application"
77 | subnets = data.aws_subnets.default.ids
78 | security_groups = [aws_security_group.alb.id]
79 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
62 | resource "aws_lb" "example" {
63 | name = var.alb_name
64 | load_balancer_type = "application"
65 | subnets = data.aws_subnets.default.ids
66 | security_groups = [aws_security_group.alb.id]
67 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:59-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
59 | resource "aws_lb" "example" {
60 | name = var.cluster_name
61 | load_balancer_type = "application"
62 | subnets = data.aws_subnets.default.ids
63 | security_groups = [aws_security_group.alb.id]
64 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:106-111
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
106 | resource "aws_lb" "example" {
107 | name = var.cluster_name
108 | load_balancer_type = "application"
109 | subnets = data.aws_subnets.default.ids
110 | security_groups = [aws_security_group.alb.id]
111 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:115-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
115 | resource "aws_lb" "example" {
116 | name = var.cluster_name
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnets.default.ids
119 | security_groups = [aws_security_group.alb.id]
120 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:121-126
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
121 | resource "aws_lb" "example" {
122 | name = var.cluster_name
123 | load_balancer_type = "application"
124 | subnets = data.aws_subnets.default.ids
125 | security_groups = [aws_security_group.alb.id]
126 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:81-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
81 | resource "aws_lb_listener" "http" {
82 | load_balancer_arn = aws_lb.example.arn
83 | port = 80
84 | protocol = "HTTP"
85 |
86 | # By default, return a simple 404 page
87 | default_action {
88 | type = "fixed-response"
89 |
90 | fixed_response {
91 | content_type = "text/plain"
92 | message_body = "404: page not found"
93 | status_code = 404
94 | }
95 | }
96 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:69-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
69 | resource "aws_lb_listener" "http" {
70 | load_balancer_arn = aws_lb.example.arn
71 | port = 80
72 | protocol = "HTTP"
73 |
74 | # By default, return a simple 404 page
75 | default_action {
76 | type = "fixed-response"
77 |
78 | fixed_response {
79 | content_type = "text/plain"
80 | message_body = "404: page not found"
81 | status_code = 404
82 | }
83 | }
84 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:66-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
66 | resource "aws_lb_listener" "http" {
67 | load_balancer_arn = aws_lb.example.arn
68 |
69 | port = local.http_port
70 |
71 | protocol = "HTTP"
72 |
73 | # By default, return a simple 404 page
74 | default_action {
75 | type = "fixed-response"
76 |
77 | fixed_response {
78 | content_type = "text/plain"
79 | message_body = "404: page not found"
80 | status_code = 404
81 | }
82 | }
83 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:113-128
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
113 | resource "aws_lb_listener" "http" {
114 | load_balancer_arn = aws_lb.example.arn
115 | port = local.http_port
116 | protocol = "HTTP"
117 |
118 | # By default, return a simple 404 page
119 | default_action {
120 | type = "fixed-response"
121 |
122 | fixed_response {
123 | content_type = "text/plain"
124 | message_body = "404: page not found"
125 | status_code = 404
126 | }
127 | }
128 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:122-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
122 | resource "aws_lb_listener" "http" {
123 | load_balancer_arn = aws_lb.example.arn
124 | port = local.http_port
125 | protocol = "HTTP"
126 |
127 | # By default, return a simple 404 page
128 | default_action {
129 | type = "fixed-response"
130 |
131 | fixed_response {
132 | content_type = "text/plain"
133 | message_body = "404: page not found"
134 | status_code = 404
135 | }
136 | }
137 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.webserver_cluster.aws_lb_listener.http
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:128-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
128 | resource "aws_lb_listener" "http" {
129 | load_balancer_arn = aws_lb.example.arn
130 | port = local.http_port
131 | protocol = "HTTP"
132 |
133 | # By default, return a simple 404 page
134 | default_action {
135 | type = "fixed-response"
136 |
137 | fixed_response {
138 | content_type = "text/plain"
139 | message_body = "404: page not found"
140 | status_code = 404
141 | }
142 | }
143 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:21-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
21 | resource "aws_lb_listener" "http" {
22 | load_balancer_arn = aws_lb.example.arn
23 | port = local.http_port
24 | protocol = "HTTP"
25 |
26 | # By default, return a simple 404 page
27 | default_action {
28 | type = "fixed-response"
29 |
30 | fixed_response {
31 | content_type = "text/plain"
32 | message_body = "404: page not found"
33 | status_code = 404
34 | }
35 | }
36 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.hello_world_app.module.alb.aws_lb_listener.http
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:21-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
21 | resource "aws_lb_listener" "http" {
22 | load_balancer_arn = aws_lb.example.arn
23 | port = local.http_port
24 | protocol = "HTTP"
25 |
26 | # By default, return a simple 404 page
27 | default_action {
28 | type = "fixed-response"
29 |
30 | fixed_response {
31 | content_type = "text/plain"
32 | message_body = "404: page not found"
33 | status_code = 404
34 | }
35 | }
36 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.hello_world_app.module.alb.aws_lb_listener.http
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb.aws_lb_listener.http
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
19 | resource "aws_lb_listener" "http" {
20 | load_balancer_arn = aws_lb.example.arn
21 | port = local.http_port
22 | protocol = "HTTP"
23 |
24 | # By default, return a simple 404 page
25 | default_action {
26 | type = "fixed-response"
27 |
28 | fixed_response {
29 | content_type = "text/plain"
30 | message_body = "404: page not found"
31 | status_code = 404
32 | }
33 | }
34 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.example
File: /code/terraform/02-intro-to-terraform-syntax/webserver-cluster/main.tf:72-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
72 | resource "aws_lb" "example" {
73 |
74 | name = var.alb_name
75 |
76 | load_balancer_type = "application"
77 | subnets = data.aws_subnets.default.ids
78 | security_groups = [aws_security_group.alb.id]
79 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.example
File: /code/terraform/03-terraform-state/file-layout-example/stage/services/webserver-cluster/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
62 | resource "aws_lb" "example" {
63 | name = var.alb_name
64 | load_balancer_type = "application"
65 | subnets = data.aws_subnets.default.ids
66 | security_groups = [aws_security_group.alb.id]
67 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/04-terraform-module/module-example/modules/services/webserver-cluster/main.tf:59-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
59 | resource "aws_lb" "example" {
60 | name = var.cluster_name
61 | load_balancer_type = "application"
62 | subnets = data.aws_subnets.default.ids
63 | security_groups = [aws_security_group.alb.id]
64 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/modules/services/webserver-cluster/main.tf:106-111
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
106 | resource "aws_lb" "example" {
107 | name = var.cluster_name
108 | load_balancer_type = "application"
109 | subnets = data.aws_subnets.default.ids
110 | security_groups = [aws_security_group.alb.id]
111 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster-instance-refresh/main.tf:115-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
115 | resource "aws_lb" "example" {
116 | name = var.cluster_name
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnets.default.ids
119 | security_groups = [aws_security_group.alb.id]
120 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.webserver_cluster.aws_lb.example
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/modules/services/webserver-cluster/main.tf:121-126
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
121 | resource "aws_lb" "example" {
122 | name = var.cluster_name
123 | load_balancer_type = "application"
124 | subnets = data.aws_subnets.default.ids
125 | security_groups = [aws_security_group.alb.id]
126 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/08-production-grade-infrastructure/small-modules/modules/networking/alb/main.tf:12-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 |
16 | subnets = var.subnet_ids
17 |
18 | security_groups = [aws_security_group.alb.id]
19 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.hello_world_app.module.alb.aws_lb.example
File: /code/terraform/09-testing-terraform-code/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.alb.aws_lb.example
File: /code/terraform/10-terraform-team/modules/networking/alb/main.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
12 | resource "aws_lb" "example" {
13 | name = var.alb_name
14 | load_balancer_type = "application"
15 | subnets = var.subnet_ids
16 | security_groups = [aws_security_group.alb.id]
17 | }
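The three ALB findings above (CKV2_AWS_28, CKV_AWS_103, CKV2_AWS_20) all stem from the same design: the load balancer has only a plaintext port-80 listener and nothing in front of it. The following configuration is an added example, not code from the book's repository, showing the shape that clears all three checks. It assumes the same inputs the scanned modules already use (`var.alb_name`, `var.subnet_ids`, `aws_security_group.alb`) plus one new one, `var.certificate_arn`, an ACM certificate for the HTTPS listener; the `ELBSecurityPolicy-TLS13-1-2-2021-06` policy name is an AWS-managed policy that negotiates only TLS 1.2 and 1.3 and is assumed to be in the set checkov accepts.

```hcl
# Added example (not from the book's repository): an ALB hardened against
# CKV2_AWS_28, CKV_AWS_103 and CKV2_AWS_20.
# Assumed inputs: var.alb_name, var.subnet_ids, var.certificate_arn,
# aws_security_group.alb.

resource "aws_lb" "example" {
  name               = var.alb_name
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

# CKV2_AWS_20: the plaintext listener only redirects to HTTPS; it never
# forwards application traffic itself.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# CKV_AWS_103: the HTTPS listener pins a security policy that negotiates
# only TLS 1.2 and 1.3 (policy name assumed current for AWS).
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  # Same default behaviour as the original module: 404 unless a rule matches.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = 404
    }
  }
}

# CKV2_AWS_28: a regional WAFv2 web ACL running the AWS common rule set,
# associated with the load balancer.
resource "aws_wafv2_web_acl" "alb" {
  name  = "${var.alb_name}-waf"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-common-rules"
    priority = 1

    # none {} keeps the managed group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.alb_name}-waf"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.example.arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

Note that the `aws_security_group.alb` rules in the scanned modules only open port 80; with this layout the group also needs an ingress rule for 443, and the instance security group should accept traffic only from the ALB group rather than from `0.0.0.0/0`. Re-run `checkov -d .` after the change to confirm the three check IDs move from the failed to the passed count.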
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.cluster_instance
File: /code/terraform/05-tips-and-tricks/zero-downtime-deployment/live/global/moved-example/main.tf:21-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
21 | resource "aws_security_group" "cluster_instance" {
22 | name = var.security_group_name
23 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:16-24
16 | resource "aws_s3_bucket" "terraform_state" {
17 |
18 | bucket = var.bucket_name
19 |
20 | // This is only here so we can destroy the bucket as part of automated tests. You should not copy this for production
21 | // usage
22 | force_destroy = true
23 |
24 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:16-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
16 | resource "aws_s3_bucket" "terraform_state" {
17 |
18 | bucket = var.bucket_name
19 |
20 | // This is only here so we can destroy the bucket as part of automated tests. You should not copy this for production
21 | // usage
22 | force_destroy = true
23 |
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/00-preface/hello-world/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.app
File: /code/terraform/01-why-terraform/web-server/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "app" {
17 | instance_type = "t2.micro"
18 | availability_zone = "us-east-2a"
19 | ami = "ami-0fb653ca2d3203ac1"
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | sudo service apache2 start
24 | EOF
25 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-server/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "terraform-example"
22 | }
23 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver-with-vars/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p ${var.server_port} &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/02-intro-to-terraform-syntax/one-webserver/main.tf:16-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0fb653ca2d3203ac1"
18 | instance_type = "t2.micro"
19 | vpc_security_group_ids = [aws_security_group.instance.id]
20 |
21 | user_data = <<-EOF
22 | #!/bin/bash
23 | echo "Hello, World" > index.html
24 | nohup busybox httpd -f -p 8080 &
25 | EOF
26 |
27 | user_data_replace_on_change = true
28 |
29 | tags = {
30 | Name = "terraform-example"
31 | }
32 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/03-terraform-state/workspaces-example/one-instance/main.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
29 | resource "aws_instance" "example" {
30 | ami = "ami-0fb653ca2d3203ac1"
31 |
32 | instance_type = terraform.workspace == "default" ? "t2.medium" : "t2.micro"
33 |
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example_1[0]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example_2
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
22 | resource "aws_instance" "example_2" {
23 | count = length(data.aws_availability_zones.all.names)
24 | availability_zone = data.aws_availability_zones.all.names[count.index]
25 | ami = "ami-0fb653ca2d3203ac1"
26 | instance_type = "t2.micro"
27 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.region_1
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
30 | resource "aws_instance" "region_1" {
31 | provider = aws.region_1
32 |
33 | ami = data.aws_ami.ubuntu_region_1.id
34 | instance_type = "t2.micro"
35 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.region_2
File: /code/terraform/07-working-with-multiple-providers/examples/multi-region/main.tf:37-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
37 | resource "aws_instance" "region_2" {
38 | provider = aws.region_2
39 |
40 | ami = data.aws_ami.ubuntu_region_2.id
41 | instance_type = "t2.micro"
42 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/local-exec-provisioner/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | provisioner "local-exec" {
21 | command = "echo \"Hello, World from $(uname -smp)\""
22 | }
23 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/08-production-grade-infrastructure/more-than-terraform/remote-exec-provisioner/main.tf:41-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
41 | resource "aws_instance" "example" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t2.micro"
44 | vpc_security_group_ids = [aws_security_group.instance.id]
45 | key_name = aws_key_pair.generated_key.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo \"Hello, World from $(uname -smp)\""]
49 | }
50 |
51 | connection {
52 | type = "ssh"
53 | host = self.public_ip
54 | user = "ubuntu"
55 | private_key = tls_private_key.example.private_key_pem
56 | }
57 |
58 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /code/terraform/09-testing-terraform-code/examples/opa/main.tf:16-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = var.tags
21 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-anna/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.medium"
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-bill/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 |
20 | tags = {
21 | Name = "foo"
22 | }
23 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.foo
File: /code/terraform/10-terraform-team/live/stage/services/conflict-original/main.tf:16-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "foo" {
17 | ami = data.aws_ami.ubuntu.id
18 | instance_type = "t2.micro"
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example_1[1]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example_1[2]
File: /code/terraform/05-tips-and-tricks/loops-and-if-statements/live/stage/services/multiple-ec2-instances/main.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example_1" {
17 | count = 3
18 | ami = "ami-0fb653ca2d3203ac1"
19 | instance_type = "t2.micro"
20 | }
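Every CKV2_AWS_41 finding above has the same cause: the `aws_instance` has no `iam_instance_profile`, so anything on the box that needs AWS credentials ends up with long-lived keys in user data or on disk. The block below is an added example, not code from the book's repository. It defines a role with only the Session Manager policy attached (so no SSH key pair, port-22 rule or `remote-exec` connection is needed), wraps it in an instance profile, and attaches that profile and a security group to the instance. Attaching the group to an instance is also what CKV2_AWS_5 looks for; the `moved-example` security group is flagged because that sample exists only to demonstrate the `moved` block and never references the group from a resource. Assumed inputs: `data.aws_ami.ubuntu` (as in the chapter 8 to 10 samples), `var.server_port`, and `var.alb_security_group_id`, the ID of the load balancer's security group.

```hcl
# Added example (not from the book's repository): an EC2 instance that
# satisfies CKV2_AWS_41 (IAM instance profile attached) and gives its
# security group a referencing resource (CKV2_AWS_5).
# Assumed inputs: data.aws_ami.ubuntu, var.server_port,
# var.alb_security_group_id.

data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "terraform-example-instance"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# Least privilege: the role carries only what the instance needs. Session
# Manager access replaces SSH, so no key pair or port 22 is required.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "instance" {
  name = aws_iam_role.instance.name
  role = aws_iam_role.instance.name
}

# Reachable only from the ALB's security group, not from the internet.
resource "aws_security_group" "instance" {
  name = "terraform-example-instance"

  ingress {
    from_port       = var.server_port
    to_port         = var.server_port
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # HTTPS out, needed for the SSM agent
  }
}

resource "aws_instance" "example" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t2.micro"
  iam_instance_profile   = aws_iam_instance_profile.instance.name
  vpc_security_group_ids = [aws_security_group.instance.id]

  # Require IMDSv2 so the role's credentials cannot be pulled through a
  # plain GET by an SSRF in the web app.
  metadata_options {
    http_tokens = "required"
  }

  root_block_device {
    encrypted = true
  }

  user_data = <<-EOF
    #!/bin/bash
    echo "Hello, World" > index.html
    nohup busybox httpd -f -p ${var.server_port} &
    EOF

  user_data_replace_on_change = true

  tags = {
    Name = "terraform-example"
  }
}
```

The `metadata_options` and `root_block_device` settings are not what CKV2_AWS_41 tests for, but they are the reason the role attachment is safe to make: an instance profile hands every process on the host a set of AWS credentials via the metadata service, and IMDSv2 is what stops an application-layer bug from exfiltrating them.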
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /code/terraform/03-terraform-state/file-layout-example/global/s3/main.tf:16-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
16 | resource "aws_s3_bucket" "terraform_state" {
17 |
18 | bucket = var.bucket_name
19 |
20 | // This is only here so we can destroy the bucket as part of automated tests. You should not copy this for production
21 | // usage
22 | force_destroy = true
23 |
24 | }
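The `terraform_state` bucket fails three checks (CKV2_AWS_61, CKV_AWS_18 and CKV_AWS_145) and, as its own comment warns, carries `force_destroy = true` for the book's test harness. A remote-state bucket deserves more than the minimum because Terraform writes every secret that passes through a resource, such as a database password, into the state file in plaintext. The configuration below is an added example, not code from the book's repository. It assumes `var.bucket_name` as in the original and one extra input, `var.log_bucket_name`, a separate bucket that already exists and receives the access logs (S3 refuses to log a bucket to itself in a useful way, and a compromised state bucket should not be able to erase its own audit trail).

```hcl
# Added example (not from the book's repository): a Terraform state bucket
# hardened against CKV2_AWS_61, CKV_AWS_18 and CKV_AWS_145.
# Assumed inputs: var.bucket_name, var.log_bucket_name (existing bucket).

resource "aws_kms_key" "terraform_state" {
  description         = "Encrypts Terraform state in ${var.bucket_name}"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = var.bucket_name
  # force_destroy is deliberately omitted: a destroyed state bucket is
  # not recoverable, so the bucket must be emptied on purpose first.
}

# Keep every version of the state file so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_145: SSE-KMS with a customer-managed key instead of SSE-S3, so
# reading state also requires kms:Decrypt on this key.
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.terraform_state.arn
    }

    bucket_key_enabled = true
  }
}

# CKV_AWS_18: server access logs go to a separate bucket so every read of
# the state file is recorded somewhere the state bucket cannot touch.
resource "aws_s3_bucket_logging" "terraform_state" {
  bucket        = aws_s3_bucket.terraform_state.id
  target_bucket = var.log_bucket_name
  target_prefix = "s3-access/${var.bucket_name}/"
}

# CKV2_AWS_61: expire old state versions and abandoned multipart uploads,
# never the current object.
resource "aws_s3_bucket_lifecycle_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  # Versioning must be on before a noncurrent-version rule is applied.
  depends_on = [aws_s3_bucket_versioning.terraform_state]

  rule {
    id     = "expire-noncurrent-state-versions"
    status = "Enabled"

    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

Ninety days of noncurrent versions is a judgement call; the point of the rule for the check is that noncurrent versions have a bounded lifetime, not the specific number. Pair the bucket with a DynamoDB table for state locking as the chapter does, and scope the key policy so that only the CI role and the operators who run `terraform apply` can decrypt.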
ansible scan results:
Passed checks: 6, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools