Experience Builder


Terraform


Repository
cloudposse / terraform-aws-cloudfront-s3-cdn
Description

Terraform module to easily provision CloudFront CDN backed by an S3 origin

Stars

 256

Failed Checks
  • Security Scanning
  • Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
    2023-10-05 14:50:46,812 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:46,812 [MainThread  ] [WARNI]  Failed to download module cloudposse/s3-log-storage/aws:1.4.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:46,812 [MainThread  ] [WARNI]  Failed to download module cloudposse/route53-alias/aws:0.13.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:46,812 [MainThread  ] [WARNI]  Failed to download module cloudposse/iam-role/aws:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:46,813 [MainThread  ] [WARNI]  Failed to download module cloudposse/s3-bucket/aws:3.1.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:46,813 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.24.1 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 102, Failed checks: 7, Skipped checks: 20
    
    Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
    	FAILED for resource: aws_iam_policy_document.document
    	File: /examples/complete/main.tf:15-31
    
    		15 | data "aws_iam_policy_document" "document" {
    		16 |   count = local.enabled ? 1 : 0
    		17 | 
    		18 |   statement {
    		19 |     sid = "TemplateTest"
    		20 | 
    		21 |     actions = ["s3:GetObject"]
    		22 |     resources = [
    		23 |       "arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
    		24 |     ]
    		25 | 
    		26 |     principals {
    		27 |       type        = "AWS"
    		28 |       identifiers = ["*"]
    		29 |     }
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
    	FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_public_access_block.origin[0]
    	File: /main.tf:307-319
    	Calling File: /examples/complete/main.tf:80-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
    
    		307 | resource "aws_s3_bucket_public_access_block" "origin" {
    		308 |   count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
    		309 | 
    		310 |   bucket = local.bucket
    		311 | 
    		312 |   # Allows the bucket to be publicly accessible by policy
    		313 |   block_public_policy     = var.block_origin_public_access_enabled
    		314 |   restrict_public_buckets = var.block_origin_public_access_enabled
    		315 | 
    		316 |   # Always block ACL access. We're using policies instead
    		317 |   block_public_acls  = true
    		318 |   ignore_public_acls = true
    		319 | }
    
    Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
    	FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_public_access_block.origin[0]
    	File: /main.tf:307-319
    	Calling File: /examples/complete/main.tf:80-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
    
    		307 | resource "aws_s3_bucket_public_access_block" "origin" {
    		308 |   count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
    		309 | 
    		310 |   bucket = local.bucket
    		311 | 
    		312 |   # Allows the bucket to be publicly accessible by policy
    		313 |   block_public_policy     = var.block_origin_public_access_enabled
    		314 |   restrict_public_buckets = var.block_origin_public_access_enabled
    		315 | 
    		316 |   # Always block ACL access. We're using policies instead
    		317 |   block_public_acls  = true
    		318 |   ignore_public_acls = true
    		319 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: module.lambda_at_edge.aws_lambda_function.default
    	File: /modules/lambda@edge/main.tf:71-85
    	Calling File: /examples/complete/lambda-at-edge.tf:6-95
    
    		71 | resource "aws_lambda_function" "default" {
    		72 |   #bridgecrew:skip=BC_AWS_GENERAL_64:Lambda@Edge functions associated with CF distributions do not support DLQs.
    		73 |   #bridgecrew:skip=BC_AWS_SERVERLESS_4:Lambda@Edge functions do not support X-Ray tracing.
    		74 |   #bridgecrew:skip=BC_AWS_GENERAL_65:Lambda@Edge functions cannot be configured for connectivity inside a VPC.
    		75 |   #bridgecrew:skip=BC_AWS_GENERAL_63:Lambda@Edge functions cannot be configured for reserved concurrency.
    		76 |   for_each = local.functions
    		77 | 
    		78 |   function_name    = module.function_label[each.key].id
    		79 |   runtime          = each.value.runtime
    		80 |   handler          = each.value.handler
    		81 |   role             = module.role[each.key].arn
    		82 |   filename         = each.value.source_zip != null ? data.local_file.lambda_zip[each.key].filename : data.archive_file.lambda_zip[each.key].output_path
    		83 |   source_code_hash = each.value.source_zip != null ? sha256(data.local_file.lambda_zip[each.key].content_base64) : data.archive_file.lambda_zip[each.key].output_base64sha256
    		84 |   publish          = true
    		85 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket.origin
    	File: /main.tf:248-305
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
    	FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_ownership_controls.origin
    	File: /main.tf:321-331
    
    		321 | resource "aws_s3_bucket_ownership_controls" "origin" {
    		322 |   count = local.create_s3_origin_bucket ? 1 : 0
    		323 | 
    		324 |   bucket = local.bucket
    		325 | 
    		326 |   rule {
    		327 |     object_ownership = var.s3_object_ownership
    		328 |   }
    		329 | 
    		330 |   depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
    		331 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket.origin
    	File: /main.tf:248-305
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: