| Repository | cloudposse / terraform-aws-components |
|---|---|
| Description | Opinionated, self-contained Terraform root modules that each solve one, specific problem |
| Stars | 428 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:48:20,021 [MainThread ] [WARNI] Failed to download module git::https://github.com/ACME/infrastructure.git?ref=0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,021 [MainThread ] [WARNI] Failed to download module git::https://github.com/ACME/infrastructure.git//components/terraform/account-map/modules/iam-roles?ref=0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,021 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,021 [MainThread ] [WARNI] Failed to download module cloudposse/security-group/aws:2.0.0-rc1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,021 [MainThread ] [WARNI] Failed to download module cloudposse/ec2-autoscale-group/aws:0.34.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,022 [MainThread ] [WARNI] Failed to download module cloudposse/stack-config/yaml//modules/remote-state:1.4.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,022 [MainThread ] [WARNI] Failed to download module cloudposse/transit-gateway/aws:0.9.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,027 [MainThread ] [WARNI] Failed to download module cloudposse/utils/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,028 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.21.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,028 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-eks-iam-role.git?ref=tags/0.3.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,029 [MainThread ] [WARNI] Failed to download module cloudposse/utils/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,029 [MainThread ] [WARNI] Failed to download module cloudposse/stack-config/yaml//modules/remote-state:1.4.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,029 [MainThread ] [WARNI] Failed to download module cloudposse/guardduty/aws:0.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/cloud-infrastructure-automation/spacelift:0.55.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/eks-cluster/aws:0.44.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/utils/aws:0.8.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/eks-node-group/aws:0.27.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module DrFaust92/ebs-csi-driver/kubernetes:3.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/helm-release/aws:0.9.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/security-hub/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module cloudposse/stack-config/yaml//modules/remote-state:0.22.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,030 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-organization-access-group.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store?ref=tags/0.1.5:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.3:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=tags/0.15.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.4:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-data-iam.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.6.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-chamber-user.git?ref=tags/0.1.7:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,031 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudformation-stack-set.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ssm-parameter-chamber-reader.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudformation-stack.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=tags/0.16.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudtrail.git?ref=tags/0.7.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kms-key.git?ref=tags/0.1.3:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudwatch-logs.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,032 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git?ref=tags/0.3.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.2.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-s3-website.git?ref=tags/0.5.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudfront-cdn.git?ref=tags/0.5.7:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds-replica.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=tags/0.8.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.4.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.8.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,033 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3-bucket.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds.git?ref=tags/0.4.4:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-elasticache-redis.git?ref=tags/0.7.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds-cluster-instance-group.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.1.5:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module stage:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-codefresh-backing-services.git?ref=tags/0.8.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-state-backend.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,034 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ssm-tls-ssh-key-pair.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module subnets:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudfront-cdn.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.14.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-data-iam.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-peering.git?ref=tags/0.1.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.2.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.3.3:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,035 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.12.3:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-account-settings.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=tags/0.7.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.1.6:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.3.4:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.3.6:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-eks-workers.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,036 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-sns-topic.git?ref=0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-sns-cloudwatch-alarms.git?ref=0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.3.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-external-dns.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-data-network.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-aws-alb-ingress.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-chart-repo.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3-bucket.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-role.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-iam-authenticator-config.git?ref=tags/0.2.2:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,037 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-efs.git?ref=tags/0.6.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,038 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-datadog-aws-integration.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,038 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=tags/0.2.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,038 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=tags/0.5.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,038 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-alb.git?ref=tags/0.7.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,038 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-atlantis.git?ref=tags/0.14.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.8.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.18.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3-bucket.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-route53-cluster-zone.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,043 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=tags/0.24.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.15.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-backup.git?ref=tags/0.1.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-role.git?ref=tags/0.3.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-data-network.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.14.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-lambda-elasticsearch-cleanup.git?ref=tags/0.6.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-peering.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module ns:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,044 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ses-lambda-forwarder.git?ref=tags/0.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-teleport-storage.git?ref=tags/0.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-opsgenie-incident-management.git//modules/config?ref=0.9.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-kops-data-launch-configurations.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ses.git?ref=tags/0.1.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,045 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-rds.git?ref=tags/0.19.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-elasticache-redis.git?ref=tags/0.13.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-assumed-roles.git?ref=tags/0.6.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=0.16.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=0.9.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.24.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module cloudposse/waf/aws:0.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module cloudposse/helm-release/aws:0.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,046 [MainThread ] [WARNI] Failed to download module cloudposse/stack-config/yaml//modules/remote-state:0.22.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/iam-policy/aws:0.2.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/eks-iam-role/aws:0.10.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/ssm-parameter-store/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/stack-config/yaml//modules/remote-state:1.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/kinesis-stream/aws:0.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/ecr/aws:0.36.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,052 [MainThread ] [WARNI] Failed to download module cloudposse/transit-gateway/aws:0.11.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/transit-gateway/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/nlb/aws:0.12.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/api-gateway/aws:0.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/ssm-parameter-store/aws:0.11.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/acm-request-certificate/aws:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/waf/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,053 [MainThread ] [WARNI] Failed to download module cloudposse/iam-policy/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/s3-bucket/aws:3.1.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/cloudtrail/aws:0.21.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-container-definition/aws:0.58.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-alb-service-task/aws:0.66.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/inspector/aws:0.2.8 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/backup/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/security-group/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,054 [MainThread ] [WARNI] Failed to download module cloudposse/transfer-sftp/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/route53-resolver-dns-firewall/aws:0.2.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/acm-request-certificate/aws:0.16.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/cloudfront-s3-cdn/aws:0.92.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge:0.82.4 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/mwaa/aws:0.4.8 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/iam-policy/aws:0.4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/cloudwatch-logs/aws:0.6.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/kms-key/aws:0.12.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,055 [MainThread ] [WARNI] Failed to download module cloudposse/lambda-function/aws:0.4.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/helm-release/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/ec2-client-vpn/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/security-group/aws:2.2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/rds/aws:0.38.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/iam-role/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/config/yaml:1.0.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/config/yaml//modules/deepmerge:1.0.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,056 [MainThread ] [WARNI] Failed to download module cloudposse/platform/datadog//modules/synthetics:1.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-space:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-policy:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/ec2-autoscale-group/aws:0.35.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-stacks-from-atmos-config:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-stack:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/config-storage/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/elasticache-redis/aws:0.52.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,057 [MainThread ] [WARNI] Failed to download module cloudposse/ssm-parameter-store/aws:0.9.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module aws-ia/ipam/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/team:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/service:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/schedule:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/team_routing_rule:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/service_incident_rule:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/incident-management/opsgenie//modules/api_integration:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,058 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws//modules/vpc-endpoints:2.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:2.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/iam-account-settings/aws:0.4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/service-quotas/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/budgets/aws:0.2.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/datadog-lambda-forwarder/aws:1.5.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/tfstate-backend/aws:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/eks-cluster/aws:2.9.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,059 [MainThread ] [WARNI] Failed to download module cloudposse/eks-iam-role/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/eks-fargate-profile/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/eks-node-group/aws:2.11.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/sso/aws//modules/permission-sets:1.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/sso/aws//modules/account-assignments:1.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/sns-topic/aws:0.20.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/config/aws//modules/conformance-pack:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/config/aws:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/alb/aws:1.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,060 [MainThread ] [WARNI] Failed to download module cloudposse/ssm-tls-ssh-key-pair/aws:0.10.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/amplify-app/aws:0.2.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/documentdb-cluster/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/cloudwatch-logs/aws:0.6.8 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-container-definition/aws:0.60.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,061 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-alb-service-task/aws:0.71.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/alb-ingress/aws:0.28.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/route53-alias/aws:0.13.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-cloudwatch-autoscaling/aws:0.7.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-cloudwatch-sns-alarms/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/cloudwatch-logs/aws:0.6.6 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-cluster/aws:0.4.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/alb/aws:1.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/dynamodb/aws:0.31.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,062 [MainThread ] [WARNI] Failed to download module cloudposse/global-accelerator/aws//modules/endpoint-group:0.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/elasticsearch/aws:0.42.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/lambda-elasticsearch-cleanup/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/mq-broker/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/module-artifact/external:0.8.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/service-control-policies/aws:0.9.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/redshift-cluster/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/s3-bucket/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/acm-request-certificate/aws:0.16.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,063 [MainThread ] [WARNI] Failed to download module cloudposse/cloudtrail-s3-bucket/aws:0.26.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/acm-request-certificate/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/global-accelerator/aws:0.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/ses/aws:0.22.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/api-gateway/aws//modules/account-settings:0.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/vpc-peering-multi-account/aws:0.19.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/datadog-integration/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/rds-cluster/aws:1.3.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/athena/aws:0.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/lakeformation/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/rds-cluster/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,064 [MainThread ] [WARNI] Failed to download module cloudposse/github-action-token-rotator/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/platform/datadog//modules/monitors:1.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/vpc-flow-logs-s3-bucket/aws:0.18.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/efs/aws:0.32.7 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/network-firewall/aws:0.3.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/ec2-instance/aws:0.32.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/dms/aws//modules/dms-iam:0.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/dms/aws//modules/dms-endpoint:0.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/dms/aws//modules/dms-replication-task:0.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,065 [MainThread ] [WARNI] Failed to download module cloudposse/dms/aws//modules/dms-replication-instance:0.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:48:20,179 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys:latest failed to load via
2023-10-05 14:48:20,183 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys
2023-10-05 14:48:20,183 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles:latest failed to load via
2023-10-05 14:48:20,183 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles
2023-10-05 14:48:20,184 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles:latest failed to load via
2023-10-05 14:48:20,184 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles
2023-10-05 14:48:20,190 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy:latest failed to load via
2023-10-05 14:48:20,205 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy
2023-10-05 14:48:22,492 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles:latest failed to load via
2023-10-05 14:48:22,495 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles
2023-10-05 14:48:22,553 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles:latest failed to load via
2023-10-05 14:48:22,558 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles
2023-10-05 14:48:22,676 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy:latest failed to load via
2023-10-05 14:48:22,694 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy
2023-10-05 14:48:24,299 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles:latest failed to load via
2023-10-05 14:48:24,299 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles
2023-10-05 14:48:24,875 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy:latest failed to load via
2023-10-05 14:48:24,875 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy
terraform scan results:
Passed checks: 1215, Failed checks: 258, Skipped checks: 5, Parsing errors: 2
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.acl_arn
File: /deprecated/aws-waf-acl/main.tf:30-37
30 | resource "aws_ssm_parameter" "acl_arn" {
31 | count = local.enabled ? 1 : 0
32 | name = "${var.ssm_path_prefix}/${var.acl_name}/arn"
33 | value = module.aws_waf.arn
34 | description = "ARN for WAF web ACL ${var.acl_name}"
35 | type = "String"
36 | overwrite = true
37 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.account_id
File: /deprecated/aws/accounts/stage/main.tf:16-23
16 | resource "aws_ssm_parameter" "account_id" {
17 | count = local.count
18 | name = "/${var.namespace}/${var.stage}/account_id"
19 | description = "AWS Account ID"
20 | type = "String"
21 | value = local.account_id
22 | overwrite = "true"
23 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.account_arn
File: /deprecated/aws/accounts/stage/main.tf:25-32
25 | resource "aws_ssm_parameter" "account_arn" {
26 | count = local.count
27 | name = "/${var.namespace}/${var.stage}/account_arn"
28 | description = "AWS Account ARN"
29 | type = "String"
30 | value = local.account_arn
31 | overwrite = "true"
32 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.organization_account_access_role
File: /deprecated/aws/accounts/stage/main.tf:34-41
34 | resource "aws_ssm_parameter" "organization_account_access_role" {
35 | count = local.count
36 | name = "/${var.namespace}/${var.stage}/organization_account_access_role"
37 | description = "AWS Organization Account Access Role"
38 | type = "String"
39 | value = local.organization_account_access_role
40 | overwrite = "true"
41 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
File: /deprecated/aws/acm-teleport/main.tf:23-29
23 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
24 | name = format(var.chamber_parameter_name, var.chamber_service, var.certificate_arn_parameter_name)
25 | value = module.certificate.arn
26 | description = "Teleport ACM-issued TLS Certificate AWS ARN"
27 | type = "String"
28 | overwrite = "true"
29 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
File: /deprecated/aws/acm/main.tf:22-28
22 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
23 | name = format(var.chamber_parameter_name_format, var.chamber_service, var.certificate_arn_parameter_name)
24 | value = module.certificate.arn
25 | description = "ACM-issued TLS Certificate ARN"
26 | type = "String"
27 | overwrite = true
28 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_logs
File: /deprecated/aws/audit-cloudtrail/cloudwatch_logs.tf:33-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
33 | data "aws_iam_policy_document" "kms_key_logs" {
34 | statement {
35 | sid = "Allow CloudWatch to Encrypt with the key"
36 | effect = "Allow"
37 |
38 | actions = [
39 | "kms:Encrypt*",
40 | "kms:Decrypt*",
41 | "kms:ReEncrypt*",
42 | "kms:GenerateDataKey*",
43 | "kms:Describe*",
44 | ]
45 |
46 | resources = [
47 | "*",
48 | ]
49 |
50 | principals {
51 | type = "Service"
52 |
53 | identifiers = [
54 | "logs.${local.region}.amazonaws.com",
55 | ]
56 | }
57 | }
58 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_logs
File: /deprecated/aws/audit-cloudtrail/cloudwatch_logs.tf:33-58
33 | data "aws_iam_policy_document" "kms_key_logs" {
34 | statement {
35 | sid = "Allow CloudWatch to Encrypt with the key"
36 | effect = "Allow"
37 |
38 | actions = [
39 | "kms:Encrypt*",
40 | "kms:Decrypt*",
41 | "kms:ReEncrypt*",
42 | "kms:GenerateDataKey*",
43 | "kms:Describe*",
44 | ]
45 |
46 | resources = [
47 | "*",
48 | ]
49 |
50 | principals {
51 | type = "Service"
52 |
53 | identifiers = [
54 | "logs.${local.region}.amazonaws.com",
55 | ]
56 | }
57 | }
58 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aws_metrics_iam_role
File: /deprecated/aws/aws-metrics-role/main.tf:117-123
117 | resource "aws_ssm_parameter" "aws_metrics_iam_role" {
118 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_role")
119 | value = aws_iam_role.default.name
120 | description = "IAM role name for AWS metrics access"
121 | type = "String"
122 | overwrite = "true"
123 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aws_metrics_iam_namespace[0]
File: /deprecated/aws/aws-metrics-role/main.tf:125-132
125 | resource "aws_ssm_parameter" "aws_metrics_iam_namespace" {
126 | count = length(var.cloudwatch_namespace) > 0 ? 1 : 0
127 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_namespace")
128 | value = var.cloudwatch_namespace
129 | description = "Kubernetes namespace for AWS metrics accessors"
130 | type = "String"
131 | overwrite = "true"
132 | }
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
FAILED for resource: aws_iam_role_policy_attachment.administrator_access
File: /deprecated/aws/bootstrap/main.tf:49-52
49 | resource "aws_iam_role_policy_attachment" "administrator_access" {
50 | role = aws_iam_role.bootstrap.name
51 | policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
52 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.executor
File: /deprecated/aws/cis-executor/main.tf:36-271
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.executor
File: /deprecated/aws/cis-executor/main.tf:36-271
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.executor
File: /deprecated/aws/cis-executor/main.tf:36-271
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_logs
File: /deprecated/aws/cloudtrail/cloudwatch_logs.tf:33-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
33 | data "aws_iam_policy_document" "kms_key_logs" {
34 | statement {
35 | sid = "Allow CloudWatch to Encrypt with the key"
36 | effect = "Allow"
37 |
38 | actions = [
39 | "kms:Encrypt*",
40 | "kms:Decrypt*",
41 | "kms:ReEncrypt*",
42 | "kms:GenerateDataKey*",
43 | "kms:Describe*",
44 | ]
45 |
46 | resources = [
47 | "*",
48 | ]
49 |
50 | principals {
51 | type = "Service"
52 |
53 | identifiers = [
54 | "logs.${local.region}.amazonaws.com",
55 | ]
56 | }
57 | }
58 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_logs
File: /deprecated/aws/cloudtrail/cloudwatch_logs.tf:33-58
33 | data "aws_iam_policy_document" "kms_key_logs" {
34 | statement {
35 | sid = "Allow CloudWatch to Encrypt with the key"
36 | effect = "Allow"
37 |
38 | actions = [
39 | "kms:Encrypt*",
40 | "kms:Decrypt*",
41 | "kms:ReEncrypt*",
42 | "kms:GenerateDataKey*",
43 | "kms:Describe*",
44 | ]
45 |
46 | resources = [
47 | "*",
48 | ]
49 |
50 | principals {
51 | type = "Service"
52 |
53 | identifiers = [
54 | "logs.${local.region}.amazonaws.com",
55 | ]
56 | }
57 | }
58 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.datadog_cluster_agent_token
File: /deprecated/aws/datadog/main.tf:45-51
45 | resource "aws_ssm_parameter" "datadog_cluster_agent_token" {
46 | name = format(var.chamber_parameter_name, local.chamber_service, "datadog_cluster_agent_token")
47 | value = random_string.tokens.result
48 | description = "A cluster-internal secret for agent-to-agent communication. Must be 32+ characters a-zA-Z"
49 | type = "String"
50 | overwrite = "true"
51 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.default
File: /deprecated/aws/ecs/ecs.tf:12-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
12 | resource "aws_ecs_cluster" "default" {
13 | name = module.ecs_cluster_label.id
14 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.default
File: /deprecated/aws/ecs/sns.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
25 | resource "aws_sns_topic" "default" {
26 | name_prefix = module.sns_topic_label.id
27 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.autoscaler
File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
1 | data "aws_iam_policy_document" "autoscaler" {
2 | statement {
3 | sid = "AutoScaler"
4 |
5 | actions = [
6 | "autoscaling:DescribeAutoScalingGroups",
7 | "autoscaling:DescribeAutoScalingInstances",
8 | "autoscaling:DescribeLaunchConfigurations",
9 | "autoscaling:DescribeTags",
10 | "autoscaling:SetDesiredCapacity",
11 | "autoscaling:TerminateInstanceInAutoScalingGroup",
12 | ]
13 |
14 | resources = ["*"]
15 | effect = "Allow"
16 | }
17 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.autoscaler
File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:1-17
1 | data "aws_iam_policy_document" "autoscaler" {
2 | statement {
3 | sid = "AutoScaler"
4 |
5 | actions = [
6 | "autoscaling:DescribeAutoScalingGroups",
7 | "autoscaling:DescribeAutoScalingInstances",
8 | "autoscaling:DescribeLaunchConfigurations",
9 | "autoscaling:DescribeTags",
10 | "autoscaling:SetDesiredCapacity",
11 | "autoscaling:TerminateInstanceInAutoScalingGroup",
12 | ]
13 |
14 | resources = ["*"]
15 | effect = "Allow"
16 | }
17 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_autoscaler_iam_role_name
File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:39-45
39 | resource "aws_ssm_parameter" "kops_autoscaler_iam_role_name" {
40 | name = format(local.chamber_parameter_format, var.chamber_service, "kubernetes_autoscaler_iam_role_name")
41 | value = module.autoscaler_role.name
42 | description = "IAM role name for cluster autoscaler"
43 | type = "String"
44 | overwrite = "true"
45 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_cluster_name
File: /deprecated/aws/kops/main.tf:138-144
138 | resource "aws_ssm_parameter" "kops_cluster_name" {
139 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_cluster_name")
140 | value = module.kops_state_backend.zone_name
141 | description = "Kops cluster name"
142 | type = "String"
143 | overwrite = "true"
144 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_state_store
File: /deprecated/aws/kops/main.tf:146-152
146 | resource "aws_ssm_parameter" "kops_state_store" {
147 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store")
148 | value = "s3://${module.kops_state_backend.bucket_name}"
149 | description = "Kops state store S3 bucket name"
150 | type = "String"
151 | overwrite = "true"
152 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_state_store_region
File: /deprecated/aws/kops/main.tf:154-160
154 | resource "aws_ssm_parameter" "kops_state_store_region" {
155 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store_region")
156 | value = module.kops_state_backend.bucket_region
157 | description = "Kops state store (S3 bucket) region"
158 | type = "String"
159 | overwrite = "true"
160 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_dns_zone
File: /deprecated/aws/kops/main.tf:162-168
162 | resource "aws_ssm_parameter" "kops_dns_zone" {
163 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone")
164 | value = module.kops_state_backend.zone_name
165 | description = "Kops DNS zone name"
166 | type = "String"
167 | overwrite = "true"
168 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_dns_zone_id
File: /deprecated/aws/kops/main.tf:170-176
170 | resource "aws_ssm_parameter" "kops_dns_zone_id" {
171 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone_id")
172 | value = module.kops_state_backend.zone_id
173 | description = "Kops DNS zone ID"
174 | type = "String"
175 | overwrite = "true"
176 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_network_cidr
File: /deprecated/aws/kops/main.tf:178-184
178 | resource "aws_ssm_parameter" "kops_network_cidr" {
179 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_network_cidr")
180 | value = local.vpc_network_cidr
181 | description = "CIDR block of the kops virtual network"
182 | type = "String"
183 | overwrite = "true"
184 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_shared_vpc_id[0]
File: /deprecated/aws/kops/main.tf:187-194
187 | resource "aws_ssm_parameter" "kops_shared_vpc_id" {
188 | count = var.create_vpc == "true" ? 0 : 1
189 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_vpc_id")
190 | value = join("", data.aws_ssm_parameter.vpc_id.*.value)
191 | description = "Kops (shared) VPC AWS ID"
192 | type = "String"
193 | overwrite = "true"
194 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_shared_nat_gateways[0]
File: /deprecated/aws/kops/main.tf:197-204
197 | resource "aws_ssm_parameter" "kops_shared_nat_gateways" {
198 | count = var.create_vpc == "true" ? 0 : 1
199 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_nat_gateways")
200 | value = var.use_shared_nat_gateways == "true" ? join("", data.aws_ssm_parameter.nat_gateways.*.value) : replace(local.private_subnet_cidrs, "/[^,]+/", "External")
201 | description = "Kops (shared) private subnet NAT gateway AWS IDs"
202 | type = "String"
203 | overwrite = "true"
204 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_shared_private_subnet_ids[0]
File: /deprecated/aws/kops/main.tf:207-214
207 | resource "aws_ssm_parameter" "kops_shared_private_subnet_ids" {
208 | count = var.create_vpc == "true" ? 0 : 1
209 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_private_subnet_ids")
210 | value = join("", data.aws_ssm_parameter.private_subnet_ids.*.value)
211 | description = "Kops private subnet AWS IDs"
212 | type = "String"
213 | overwrite = "true"
214 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_shared_utility_subnet_ids[0]
File: /deprecated/aws/kops/main.tf:217-224
217 | resource "aws_ssm_parameter" "kops_shared_utility_subnet_ids" {
218 | count = var.create_vpc == "true" ? 0 : 1
219 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_utility_subnet_ids")
220 | value = join("", data.aws_ssm_parameter.public_subnet_ids.*.value)
221 | description = "Kops utility subnet AWS IDs"
222 | type = "String"
223 | overwrite = "true"
224 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_private_subnets
File: /deprecated/aws/kops/main.tf:226-232
226 | resource "aws_ssm_parameter" "kops_private_subnets" {
227 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_private_subnets")
228 | value = local.private_subnet_cidrs
229 | description = "Kops private subnet CIDRs"
230 | type = "String"
231 | overwrite = "true"
232 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_utility_subnets
File: /deprecated/aws/kops/main.tf:234-240
234 | resource "aws_ssm_parameter" "kops_utility_subnets" {
235 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_utility_subnets")
236 | value = local.utility_subnet_cidrs
237 | description = "Kops utility subnet CIDRs"
238 | type = "String"
239 | overwrite = "true"
240 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_non_masquerade_cidr
File: /deprecated/aws/kops/main.tf:242-248
242 | resource "aws_ssm_parameter" "kops_non_masquerade_cidr" {
243 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_non_masquerade_cidr")
244 | value = var.kops_non_masquerade_cidr
245 | description = "The CIDR range for Pod IPs"
246 | type = "String"
247 | overwrite = "true"
248 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.kops_availability_zones
File: /deprecated/aws/kops/main.tf:250-256
250 | resource "aws_ssm_parameter" "kops_availability_zones" {
251 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_availability_zones")
252 | value = join(",", local.availability_zones)
253 | description = "Kops availability zones in which cluster will be provisioned"
254 | type = "String"
255 | overwrite = "true"
256 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:130-137
130 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
131 | count = local.postgres_cluster_enabled ? 1 : 0
132 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_database")
133 | value = module.aurora_postgres.database_name
134 | description = "Aurora Postgres Database Name for Sentry"
135 | type = "String"
136 | overwrite = true
137 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:139-146
139 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
140 | count = local.postgres_cluster_enabled ? 1 : 0
141 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_user")
142 | value = module.aurora_postgres.master_username
143 | description = "Aurora Postgres Username for Sentry's master DB user"
144 | type = "String"
145 | overwrite = true
146 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:148-155
148 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
149 | count = local.postgres_cluster_enabled ? 1 : 0
150 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_password")
151 | value = local.postgres_admin_password
152 | description = "Aurora Postgres Password for Sentry's master DB user"
153 | type = "String"
154 | overwrite = true
155 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:157-164
157 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
158 | count = local.postgres_cluster_enabled ? 1 : 0
159 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_host")
160 | value = module.aurora_postgres.master_host
161 | description = "Aurora Postgres DB Master hostname"
162 | type = "String"
163 | overwrite = true
164 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:166-173
166 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
167 | count = local.postgres_cluster_enabled ? 1 : 0
168 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_replicas_hostname")
169 | value = module.aurora_postgres.replicas_host
170 | description = "Aurora Postgres DB Replicas hostname"
171 | type = "String"
172 | overwrite = true
173 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:175-182
175 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
176 | count = local.postgres_cluster_enabled ? 1 : 0
177 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_cluster_name")
178 | value = module.aurora_postgres.cluster_identifier
179 | description = "Aurora Postgres DB Cluster Identifier"
180 | type = "String"
181 | overwrite = true
182 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.elasticache_redis_host[0]
File: /deprecated/aws/sentry/elasticache-redis.tf:63-70
63 | resource "aws_ssm_parameter" "elasticache_redis_host" {
64 | count = local.postgres_cluster_enabled ? 1 : 0
65 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_redis_host")
66 | value = module.elasticache_redis.host
67 | description = "Elasticache host for Sentry"
68 | type = "String"
69 | overwrite = true
70 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.sentry_secret
File: /deprecated/aws/sentry/main.tf:42-48
42 | resource "aws_ssm_parameter" "sentry_secret" {
43 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_secret")
44 | value = random_string.sentry_secret_key.result
45 | description = "Secret Key for Sentry to encrypt sessions"
46 | type = "String"
47 | overwrite = true
48 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.sentry_admin_user_password
File: /deprecated/aws/sentry/main.tf:50-56
50 | resource "aws_ssm_parameter" "sentry_admin_user_password" {
51 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_admin_user_password")
52 | value = random_string.sentry_admin_user_password.result
53 | description = "Password for Sentry admin user"
54 | type = "String"
55 | overwrite = true
56 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_audit_sessions_uri
File: /deprecated/aws/teleport/main.tf:144-150
144 | resource "aws_ssm_parameter" "teleport_audit_sessions_uri" {
145 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_sessions_uri")
146 | value = "s3://${module.teleport_backend.s3_bucket_id}"
147 | description = "Teleport session logs storage URI"
148 | type = "String"
149 | overwrite = "true"
150 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_audit_events_uri
File: /deprecated/aws/teleport/main.tf:152-158
152 | resource "aws_ssm_parameter" "teleport_audit_events_uri" {
153 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_events_uri")
154 | value = "dynamodb://${module.teleport_backend.dynamodb_audit_table_id}"
155 | description = "Teleport audite events storage URI"
156 | type = "String"
157 | overwrite = "true"
158 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_cluster_state_dynamodb_table
File: /deprecated/aws/teleport/main.tf:160-166
160 | resource "aws_ssm_parameter" "teleport_cluster_state_dynamodb_table" {
161 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_cluster_state_dynamodb_table")
162 | value = module.teleport_backend.dynamodb_state_table_id
163 | description = "Teleport cluster state storage dynamodb table"
164 | type = "String"
165 | overwrite = "true"
166 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_auth_iam_role
File: /deprecated/aws/teleport/main.tf:168-174
168 | resource "aws_ssm_parameter" "teleport_auth_iam_role" {
169 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_auth_iam_role")
170 | value = aws_iam_role.teleport.name
171 | description = "Teleport auth IAM role"
172 | type = "String"
173 | overwrite = "true"
174 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_kubernetes_namespace
File: /deprecated/aws/teleport/main.tf:176-182
176 | resource "aws_ssm_parameter" "teleport_kubernetes_namespace" {
177 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_kubernetes_namespace")
178 | value = var.kubernetes_namespace
179 | description = "Teleport auth IAM role"
180 | type = "String"
181 | overwrite = "true"
182 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_tokens[0]
File: /deprecated/aws/teleport/main.tf:198-205
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_proxy_domain_name
File: /deprecated/aws/teleport/main.tf:207-213
207 | resource "aws_ssm_parameter" "teleport_proxy_domain_name" {
208 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_proxy_domain_name")
209 | value = var.teleport_proxy_domain_name
210 | description = "Teleport Proxy domain name"
211 | type = "String"
212 | overwrite = "true"
213 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_version
File: /deprecated/aws/teleport/main.tf:215-221
215 | resource "aws_ssm_parameter" "teleport_version" {
216 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_version")
217 | value = var.teleport_version
218 | description = "Teleport version to install"
219 | type = "String"
220 | overwrite = "true"
221 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_tokens[1]
File: /deprecated/aws/teleport/main.tf:198-205
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.teleport_tokens[2]
File: /deprecated/aws/teleport/main.tf:198-205
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.vpc_id
File: /deprecated/aws/vpc/main.tf:62-68
62 | resource "aws_ssm_parameter" "vpc_id" {
63 | description = "VPC ID of backing services"
64 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "vpc_id")
65 | value = module.vpc.vpc_id
66 | type = "String"
67 | overwrite = "true"
68 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.igw_id
File: /deprecated/aws/vpc/main.tf:70-76
70 | resource "aws_ssm_parameter" "igw_id" {
71 | description = "VPC ID of backing services"
72 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "igw_id")
73 | value = module.vpc.igw_id
74 | type = "String"
75 | overwrite = "true"
76 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.cidr_block
File: /deprecated/aws/vpc/main.tf:78-84
78 | resource "aws_ssm_parameter" "cidr_block" {
79 | description = "VPC ID of backing services"
80 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "cidr_block")
81 | value = module.vpc.vpc_cidr_block
82 | type = "String"
83 | overwrite = "true"
84 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.availability_zones
File: /deprecated/aws/vpc/main.tf:86-92
86 | resource "aws_ssm_parameter" "availability_zones" {
87 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "availability_zones")
88 | value = join(",", local.availability_zones)
89 | description = "VPC subnet availability zones"
90 | type = "String"
91 | overwrite = "true"
92 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.private_subnet_cidrs
File: /deprecated/aws/vpc/main.tf:112-118
112 | resource "aws_ssm_parameter" "private_subnet_cidrs" {
113 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_cidrs")
114 | value = join(",", module.subnets.private_subnet_cidrs)
115 | description = "VPC private subnet CIDRs"
116 | type = "String"
117 | overwrite = "true"
118 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.private_subnet_ids
File: /deprecated/aws/vpc/main.tf:120-126
120 | resource "aws_ssm_parameter" "private_subnet_ids" {
121 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_ids")
122 | value = join(",", module.subnets.private_subnet_ids)
123 | description = "VPC private subnet AWS IDs"
124 | type = "String"
125 | overwrite = "true"
126 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.public_subnet_cidrs
File: /deprecated/aws/vpc/main.tf:128-134
128 | resource "aws_ssm_parameter" "public_subnet_cidrs" {
129 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_cidrs")
130 | value = join(",", module.subnets.public_subnet_cidrs)
131 | description = "VPC public subnet CIDRs"
132 | type = "String"
133 | overwrite = "true"
134 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.public_subnet_ids
File: /deprecated/aws/vpc/main.tf:136-142
136 | resource "aws_ssm_parameter" "public_subnet_ids" {
137 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_ids")
138 | value = join(",", module.subnets.public_subnet_ids)
139 | description = "VPC public subnet AWS IDs"
140 | type = "String"
141 | overwrite = "true"
142 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.autoscaler
File: /deprecated/eks-iam/autoscaler.tf:15-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
15 | data "aws_iam_policy_document" "autoscaler" {
16 | statement {
17 | sid = "AllowToScaleEKSNodeGroupAutoScalingGroup"
18 |
19 | actions = [
20 | "ec2:DescribeLaunchTemplateVersions",
21 | "autoscaling:TerminateInstanceInAutoScalingGroup",
22 | "autoscaling:SetDesiredCapacity",
23 | "autoscaling:DescribeTags",
24 | "autoscaling:DescribeLaunchConfigurations",
25 | "autoscaling:DescribeAutoScalingInstances",
26 | "autoscaling:DescribeAutoScalingGroups"
27 | ]
28 |
29 | effect = "Allow"
30 | resources = ["*"]
31 | }
32 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.autoscaler
File: /deprecated/eks-iam/autoscaler.tf:15-32
15 | data "aws_iam_policy_document" "autoscaler" {
16 | statement {
17 | sid = "AllowToScaleEKSNodeGroupAutoScalingGroup"
18 |
19 | actions = [
20 | "ec2:DescribeLaunchTemplateVersions",
21 | "autoscaling:TerminateInstanceInAutoScalingGroup",
22 | "autoscaling:SetDesiredCapacity",
23 | "autoscaling:DescribeTags",
24 | "autoscaling:DescribeLaunchConfigurations",
25 | "autoscaling:DescribeAutoScalingInstances",
26 | "autoscaling:DescribeAutoScalingGroups"
27 | ]
28 |
29 | effect = "Allow"
30 | resources = ["*"]
31 | }
32 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.external_dns
File: /deprecated/eks-iam/external-dns.tf:15-39
15 | data "aws_iam_policy_document" "external_dns" {
16 | statement {
17 | sid = "GrantChangeResourceRecordSets"
18 |
19 | actions = [
20 | "route53:ChangeResourceRecordSets"
21 | ]
22 |
23 | effect = "Allow"
24 | resources = formatlist("arn:aws:route53:::hostedzone/%s", local.zone_ids)
25 | }
26 |
27 | statement {
28 | sid = "GrantListHostedZonesListResourceRecordSets"
29 |
30 | actions = [
31 | "route53:ListHostedZones",
32 | "route53:ListHostedZonesByName",
33 | "route53:ListResourceRecordSets"
34 | ]
35 |
36 | effect = "Allow"
37 | resources = ["*"]
38 | }
39 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
File: /deprecated/iam-delegated-roles/policy-support.tf:16-30
16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
17 | count = local.support_policy_enabled ? 1 : 0
18 |
19 | statement {
20 | sid = "AllowTrustedAdvisor"
21 | effect = "Allow"
22 | actions = [
23 | "trustedadvisor:Describe*",
24 | ]
25 |
26 | resources = [
27 | "*",
28 | ]
29 | }
30 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
File: /deprecated/iam-primary-roles/policy-support.tf:16-30
16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
17 | count = local.support_policy_enabled ? 1 : 0
18 |
19 | statement {
20 | sid = "AllowTrustedAdvisor"
21 | effect = "Allow"
22 | actions = [
23 | "trustedadvisor:Describe*",
24 | ]
25 |
26 | resources = [
27 | "*",
28 | ]
29 | }
30 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.okta_api_user.aws_iam_user.default
File: /deprecated/sso/modules/okta-user/main.tf:1-5
Calling File: /deprecated/sso/main.tf:11-18
1 | resource "aws_iam_user" "default" {
2 | name = module.this.id
3 | tags = module.this.tags
4 | force_destroy = true
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.acm_arn
File: /modules/acm/main.tf:38-48
38 | resource "aws_ssm_parameter" "acm_arn" {
39 | count = local.enabled ? 1 : 0
40 |
41 | name = "/acm/${local.domain_name}"
42 | value = module.acm.arn
43 | description = format("ACM certificate ARN for '%s' domain", local.domain_name)
44 | type = "String"
45 | overwrite = true
46 |
47 | tags = module.this.tags
48 | }
Check: CKV_AWS_206: "Ensure API Gateway Domain uses a modern security Policy"
FAILED for resource: aws_api_gateway_domain_name.this
File: /modules/api-gateway-rest-api/main.tf:41-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-domain-uses-a-modern-security-policy.html
41 | resource "aws_api_gateway_domain_name" "this" {
42 | count = local.enabled ? 1 : 0
43 | domain_name = local.domain_name
44 | regional_certificate_arn = data.aws_acm_certificate.issued[0].arn
45 |
46 | endpoint_configuration {
47 | types = ["REGIONAL"]
48 | }
49 |
50 | tags = module.this.tags
51 | }
Check: CKV_GIT_3: "Ensure GitHub repository has vulnerability alerts enabled"
FAILED for resource: github_repository.default[0]
File: /modules/argocd-repo/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/build-integrity-policies/github-policies/ensure-github-repository-has-vulnerability-alerts-enabled.html
45 | resource "github_repository" "default" {
46 | count = local.enabled && var.create_repo ? 1 : 0
47 |
48 | name = module.this.name
49 | description = var.description
50 | auto_init = true # will create a 'main' branch
51 |
52 | visibility = "private"
53 | }
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
FAILED for resource: github_branch_protection.default
File: /modules/argocd-repo/main.tf:68-88
Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
68 | resource "github_branch_protection" "default" {
69 | # This resource enforces PRs needing to be opened in order for changes to be made, except for automated commits to
70 | # the main branch. Those commits made by the automation user, which is an admin.
71 | count = local.enabled ? 1 : 0
72 |
73 | repository_id = local.github_repository.name
74 |
75 | pattern = join("", github_branch_default.default.*.branch)
76 | enforce_admins = false # needs to be false in order to allow automation user to push
77 | allows_deletions = true
78 |
79 | required_pull_request_reviews {
80 | dismiss_stale_reviews = true
81 | restrict_dismissals = true
82 | require_code_owner_reviews = true
83 | }
84 |
85 | push_restrictions = [
86 | join("", data.github_user.automation_user.*.node_id),
87 | ]
88 | }
Check: CKV_GIT_6: "Ensure GitHub branch protection rules requires signed commits"
FAILED for resource: github_branch_protection.default
File: /modules/argocd-repo/main.tf:68-88
Guide: https://docs.bridgecrew.io/docs/ensure-github-branch-protection-rules-requires-signed-commits
68 | resource "github_branch_protection" "default" {
69 | # This resource enforces PRs needing to be opened in order for changes to be made, except for automated commits to
70 | # the main branch. Those commits made by the automation user, which is an admin.
71 | count = local.enabled ? 1 : 0
72 |
73 | repository_id = local.github_repository.name
74 |
75 | pattern = join("", github_branch_default.default.*.branch)
76 | enforce_admins = false # needs to be false in order to allow automation user to push
77 | allows_deletions = true
78 |
79 | required_pull_request_reviews {
80 | dismiss_stale_reviews = true
81 | restrict_dismissals = true
82 | require_code_owner_reviews = true
83 | }
84 |
85 | push_restrictions = [
86 | join("", data.github_user.automation_user.*.node_id),
87 | ]
88 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-mysql/kms.tf:23-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-mysql/kms.tf:23-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-mysql/kms.tf:23-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-postgres/kms.tf:23-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-postgres/kms.tf:23-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/aurora-postgres/kms.tf:23-75
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: module.okta_api_user.aws_iam_user.default
File: /modules/aws-saml/modules/okta-user/main.tf:5-11
Calling File: /modules/aws-saml/main.tf:12-19
5 | resource "aws_iam_user" "default" {
6 | count = local.enabled ? 1 : 0
7 |
8 | name = module.this.id
9 | tags = module.this.tags
10 | force_destroy = true
11 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.dns_administrator_access
File: /modules/aws-sso/policy-DNSAdministratorAccess.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
1 | data "aws_iam_policy_document" "dns_administrator_access" {
2 | statement {
3 | sid = "AllowDNS"
4 | effect = "Allow"
5 | actions = [
6 | "route53:ChangeResourceRecordSets",
7 | "route53:CreateHealthCheck",
8 | "route53:CreateTrafficPolicy",
9 | "route53:CreateTrafficPolicyInstance",
10 | "route53:CreateTrafficPolicyVersion",
11 | "route53:DeleteHealthCheck",
12 | "route53:DeleteTrafficPolicy",
13 | "route53:DeleteTrafficPolicyInstance",
14 | "route53:Get*",
15 | "route53:List*",
16 | "route53:UpdateHealthCheck",
17 | "route53:UpdateTrafficPolicyComment",
18 | "route53:UpdateTrafficPolicyInstance",
19 | "route53domains:List*",
20 | ]
21 |
22 | resources = [
23 | "*",
24 | ]
25 | }
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.dns_administrator_access
File: /modules/aws-sso/policy-DNSAdministratorAccess.tf:1-26
1 | data "aws_iam_policy_document" "dns_administrator_access" {
2 | statement {
3 | sid = "AllowDNS"
4 | effect = "Allow"
5 | actions = [
6 | "route53:ChangeResourceRecordSets",
7 | "route53:CreateHealthCheck",
8 | "route53:CreateTrafficPolicy",
9 | "route53:CreateTrafficPolicyInstance",
10 | "route53:CreateTrafficPolicyVersion",
11 | "route53:DeleteHealthCheck",
12 | "route53:DeleteTrafficPolicy",
13 | "route53:DeleteTrafficPolicyInstance",
14 | "route53:Get*",
15 | "route53:List*",
16 | "route53:UpdateHealthCheck",
17 | "route53:UpdateTrafficPolicyComment",
18 | "route53:UpdateTrafficPolicyInstance",
19 | "route53domains:List*",
20 | ]
21 |
22 | resources = [
23 | "*",
24 | ]
25 | }
26 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy_document.assume_aws_team
File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
6 | data "aws_iam_policy_document" "assume_aws_team" {
7 | for_each = local.enabled ? var.aws_teams_accessible : []
8 |
9 | statement {
10 | sid = "RoleAssumeRole"
11 |
12 | effect = "Allow"
13 | actions = [
14 | "sts:AssumeRole",
15 | "sts:SetSourceIdentity",
16 | "sts:TagSession",
17 | ]
18 |
19 | resources = ["*"]
20 |
21 | /* For future reference, this tag-based restriction also works, based on
22 | the fact that we always tag our IAM roles with the "Name" tag.
23 | This could be used to control access based on some other tag, like "Category",
24 | so is left here as an example.
25 |
26 | condition {
27 | test = "ForAllValues:StringEquals"
28 | variable = "iam:ResourceTag/Name" # "Name" is the Tag Key
29 | values = [format("%s-%s", module.role_prefix.id, each.value)]
30 | }
31 | resources = [
32 | # This allows/restricts access to only IAM roles, not users or SSO roles
33 | format("arn:aws:iam::%s:role/*", local.identity_account)
34 | ]
35 |
36 | */
37 |
38 | }
39 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.assume_aws_team
File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
6 | data "aws_iam_policy_document" "assume_aws_team" {
7 | for_each = local.enabled ? var.aws_teams_accessible : []
8 |
9 | statement {
10 | sid = "RoleAssumeRole"
11 |
12 | effect = "Allow"
13 | actions = [
14 | "sts:AssumeRole",
15 | "sts:SetSourceIdentity",
16 | "sts:TagSession",
17 | ]
18 |
19 | resources = ["*"]
20 |
21 | /* For future reference, this tag-based restriction also works, based on
22 | the fact that we always tag our IAM roles with the "Name" tag.
23 | This could be used to control access based on some other tag, like "Category",
24 | so is left here as an example.
25 |
26 | condition {
27 | test = "ForAllValues:StringEquals"
28 | variable = "iam:ResourceTag/Name" # "Name" is the Tag Key
29 | values = [format("%s-%s", module.role_prefix.id, each.value)]
30 | }
31 | resources = [
32 | # This allows/restricts access to only IAM roles, not users or SSO roles
33 | format("arn:aws:iam::%s:role/*", local.identity_account)
34 | ]
35 |
36 | */
37 |
38 | }
39 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.assume_aws_team
File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
6 | data "aws_iam_policy_document" "assume_aws_team" {
7 | for_each = local.enabled ? var.aws_teams_accessible : []
8 |
9 | statement {
10 | sid = "RoleAssumeRole"
11 |
12 | effect = "Allow"
13 | actions = [
14 | "sts:AssumeRole",
15 | "sts:SetSourceIdentity",
16 | "sts:TagSession",
17 | ]
18 |
19 | resources = ["*"]
20 |
21 | /* For future reference, this tag-based restriction also works, based on
22 | the fact that we always tag our IAM roles with the "Name" tag.
23 | This could be used to control access based on some other tag, like "Category",
24 | so is left here as an example.
25 |
26 | condition {
27 | test = "ForAllValues:StringEquals"
28 | variable = "iam:ResourceTag/Name" # "Name" is the Tag Key
29 | values = [format("%s-%s", module.role_prefix.id, each.value)]
30 | }
31 | resources = [
32 | # This allows/restricts access to only IAM roles, not users or SSO roles
33 | format("arn:aws:iam::%s:role/*", local.identity_account)
34 | ]
35 |
36 | */
37 |
38 | }
39 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.eks_read_only
File: /modules/aws-sso/policy-ReadOnlyAccess.tf:17-31
17 | data "aws_iam_policy_document" "eks_read_only" {
18 | statement {
19 | sid = "AllowEKSView"
20 | effect = "Allow"
21 | actions = [
22 | "eks:Get*",
23 | "eks:Describe*",
24 | "eks:List*",
25 | "eks:Access*"
26 | ]
27 | resources = [
28 | "*"
29 | ]
30 | }
31 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
File: /modules/aws-ssosync/iam.tf:13-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
14 | statement {
15 | effect = "Allow"
16 | actions = [
17 | "identitystore:DeleteUser",
18 | "identitystore:CreateGroup",
19 | "identitystore:CreateGroupMembership",
20 | "identitystore:ListGroups",
21 | "identitystore:ListUsers",
22 | "identitystore:ListGroupMemberships",
23 | "identitystore:IsMemberInGroups",
24 | "identitystore:GetGroupMembershipId",
25 | "identitystore:DeleteGroupMembership",
26 | "identitystore:DeleteGroup",
27 | "secretsmanager:GetSecretValue",
28 | "kms:Decrypt"
29 | ]
30 | resources = ["*"]
31 | }
32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
File: /modules/aws-ssosync/iam.tf:13-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
14 | statement {
15 | effect = "Allow"
16 | actions = [
17 | "identitystore:DeleteUser",
18 | "identitystore:CreateGroup",
19 | "identitystore:CreateGroupMembership",
20 | "identitystore:ListGroups",
21 | "identitystore:ListUsers",
22 | "identitystore:ListGroupMemberships",
23 | "identitystore:IsMemberInGroups",
24 | "identitystore:GetGroupMembershipId",
25 | "identitystore:DeleteGroupMembership",
26 | "identitystore:DeleteGroup",
27 | "secretsmanager:GetSecretValue",
28 | "kms:Decrypt"
29 | ]
30 | resources = ["*"]
31 | }
32 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
File: /modules/aws-ssosync/iam.tf:13-32
13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
14 | statement {
15 | effect = "Allow"
16 | actions = [
17 | "identitystore:DeleteUser",
18 | "identitystore:CreateGroup",
19 | "identitystore:CreateGroupMembership",
20 | "identitystore:ListGroups",
21 | "identitystore:ListUsers",
22 | "identitystore:ListGroupMemberships",
23 | "identitystore:IsMemberInGroups",
24 | "identitystore:GetGroupMembershipId",
25 | "identitystore:DeleteGroupMembership",
26 | "identitystore:DeleteGroup",
27 | "secretsmanager:GetSecretValue",
28 | "kms:Decrypt"
29 | ]
30 | resources = ["*"]
31 | }
32 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.ssosync
File: /modules/aws-ssosync/main.tf:67-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
67 | resource "aws_lambda_function" "ssosync" {
68 | count = local.enabled ? 1 : 0
69 |
70 | function_name = module.this.id
71 | filename = "ssosync.zip"
72 | source_code_hash = module.ssosync_artifact[0].base64sha256
73 | description = "Syncs Google Workspace users and groups to AWS SSO"
74 | role = aws_iam_role.default[0].arn
75 | handler = "ssosync"
76 | runtime = "go1.x"
77 | timeout = 300
78 | memory_size = 128
79 |
80 | environment {
81 | variables = {
82 | SSOSYNC_LOG_LEVEL = var.log_level
83 | SSOSYNC_LOG_FORMAT = var.log_format
84 | SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
85 | SSOSYNC_GOOGLE_ADMIN = var.google_admin_email
86 | SSOSYNC_SCIM_ENDPOINT = local.scim_endpoint_url
87 | SSOSYNC_SCIM_ACCESS_TOKEN = local.scim_endpoint_access_token
88 | SSOSYNC_REGION = var.region
89 | SSOSYNC_IDENTITY_STORE_ID = local.identity_store_id
90 | SSOSYNC_USER_MATCH = var.google_user_match
91 | SSOSYNC_GROUP_MATCH = var.google_group_match
92 | SSOSYNC_SYNC_METHOD = var.sync_method
93 | SSOSYNC_IGNORE_GROUPS = var.ignore_groups
94 | SSOSYNC_IGNORE_USERS = var.ignore_users
95 | SSOSYNC_INCLUDE_GROUPS = var.include_groups
96 | SSOSYNC_LOAD_ASM_SECRETS = false
97 | }
98 | }
99 | depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
100 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.eks_view_access
File: /modules/aws-team-roles/policy-eks-viewer.tf:5-22
5 | data "aws_iam_policy_document" "eks_view_access" {
6 | count = local.eks_viewer_enabled ? 1 : 0
7 |
8 | statement {
9 | sid = "AllowEKSView"
10 | effect = "Allow"
11 | actions = [
12 | "eks:Get*",
13 | "eks:Describe*",
14 | "eks:List*",
15 | "eks:Access*"
16 | ]
17 | resources = [
18 | "*"
19 | ]
20 | }
21 |
22 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
File: /modules/aws-team-roles/policy-support.tf:16-30
16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
17 | count = local.support_policy_enabled ? 1 : 0
18 |
19 | statement {
20 | sid = "AllowTrustedAdvisor"
21 | effect = "Allow"
22 | actions = [
23 | "trustedadvisor:Describe*",
24 | ]
25 |
26 | resources = [
27 | "*",
28 | ]
29 | }
30 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy_document.main
File: /modules/bastion/iam.tf:42-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.main
File: /modules/bastion/iam.tf:42-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.main
File: /modules/bastion/iam.tf:42-120
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudtrail_cloudwatch_logs
File: /modules/cloudtrail/cloudtrail-cloudwatch-logs.tf:15-37
15 | data "aws_iam_policy_document" "cloudtrail_cloudwatch_logs" {
16 | count = local.enabled ? 1 : 0
17 |
18 | statement {
19 | actions = [
20 | "logs:DescribeLogGroups",
21 | "logs:DescribeLogStreams"
22 | ]
23 |
24 | resources = ["*"]
25 | }
26 |
27 | statement {
28 | actions = [
29 | "logs:PutLogEvents",
30 | "logs:CreateLogStream"
31 | ]
32 |
33 | resources = [
34 | "${join("", aws_cloudwatch_log_group.cloudtrail_cloudwatch_logs[*].arn)}:*"
35 | ]
36 | }
37 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.cloudtrail_cloudwatch_logs
File: /modules/cloudtrail/cloudtrail-cloudwatch-logs.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
62 | resource "aws_cloudwatch_log_group" "cloudtrail_cloudwatch_logs" {
63 | count = local.enabled ? 1 : 0
64 | name = module.this.id
65 | retention_in_days = var.cloudwatch_logs_retention_in_days
66 | tags = module.this.tags
67 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms
File: /modules/cloudwatch-logs/main.tf:39-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms
File: /modules/cloudwatch-logs/main.tf:39-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms
File: /modules/cloudwatch-logs/main.tf:39-100
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.acm_arn
File: /modules/dns-delegated/acm.tf:36-46
36 | resource "aws_ssm_parameter" "acm_arn" {
37 | for_each = local.certificate_enabled ? local.zone_map : {}
38 |
39 | name = format("/acm/%s.%s", each.key, each.value)
40 | value = module.acm[each.key].arn
41 | description = "ACM certificate id"
42 | type = "String"
43 | overwrite = true
44 |
45 | tags = module.this.tags
46 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.master_username
File: /modules/documentdb/ssm.tf:1-7
1 | resource "aws_ssm_parameter" "master_username" {
2 | count = local.enabled ? 1 : 0
3 |
4 | name = "/${module.this.name}/master_username"
5 | type = "String"
6 | value = var.master_username
7 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.master_password
File: /modules/documentdb/ssm.tf:26-32
26 | resource "aws_ssm_parameter" "master_password" {
27 | count = local.enabled ? 1 : 0
28 |
29 | name = "/${module.this.name}/master_password"
30 | type = "SecureString"
31 | value = join("", random_password.master_password.*.result)
32 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy_document.github_actions_iam_platform_policy
File: /modules/ecs-service/github-actions-iam-policy.tf:24-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.github_actions_iam_platform_policy
File: /modules/ecs-service/github-actions-iam-policy.tf:24-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_cidr
File: /modules/ecs/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
37 | resource "aws_security_group_rule" "ingress_cidr" {
38 | for_each = local.enabled ? toset(var.allowed_cidr_blocks) : []
39 | type = "ingress"
40 | from_port = 0
41 | to_port = 65535
42 | protocol = "tcp"
43 | cidr_blocks = [each.value]
44 | security_group_id = join("", aws_security_group.default.*.id)
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_security_groups
File: /modules/ecs/main.tf:47-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
47 | resource "aws_security_group_rule" "ingress_security_groups" {
48 | for_each = local.enabled ? toset(var.allowed_security_groups) : []
49 | type = "ingress"
50 | from_port = 0
51 | to_port = 65535
52 | protocol = "tcp"
53 | source_security_group_id = each.value
54 | security_group_id = join("", aws_security_group.default.*.id)
55 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress
File: /modules/ecs/main.tf:57-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
57 | resource "aws_security_group_rule" "egress" {
58 | count = local.enabled ? 1 : 0
59 | type = "egress"
60 | from_port = 0
61 | to_port = 65535
62 | protocol = "tcp"
63 | cidr_blocks = ["0.0.0.0/0"]
64 | security_group_id = join("", aws_security_group.default.*.id)
65 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_efs
File: /modules/efs/main.tf:58-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_efs
File: /modules/efs/main.tf:58-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_efs
File: /modules/efs/main.tf:58-112
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.vpc_cni_ipv6
File: /modules/eks/cluster/addons.tf:78-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
78 | data "aws_iam_policy_document" "vpc_cni_ipv6" {
79 | count = local.vpc_cni_sa_needed ? 1 : 0
80 |
81 | # See https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
82 | statement {
83 | sid = ""
84 | effect = "Allow"
85 | resources = ["*"]
86 |
87 | actions = [
88 | "ec2:AssignIpv6Addresses",
89 | "ec2:DescribeInstances",
90 | "ec2:DescribeTags",
91 | "ec2:DescribeNetworkInterfaces",
92 | "ec2:DescribeInstanceTypes"
93 | ]
94 | }
95 |
96 | statement {
97 | sid = ""
98 | effect = "Allow"
99 | resources = ["arn:aws:ec2:*:*:network-interface/*"]
100 | actions = ["ec2:CreateTags"]
101 | }
102 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.vpc_cni_ipv6
File: /modules/eks/cluster/addons.tf:78-102
78 | data "aws_iam_policy_document" "vpc_cni_ipv6" {
79 | count = local.vpc_cni_sa_needed ? 1 : 0
80 |
81 | # See https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
82 | statement {
83 | sid = ""
84 | effect = "Allow"
85 | resources = ["*"]
86 |
87 | actions = [
88 | "ec2:AssignIpv6Addresses",
89 | "ec2:DescribeInstances",
90 | "ec2:DescribeTags",
91 | "ec2:DescribeNetworkInterfaces",
92 | "ec2:DescribeInstanceTypes"
93 | ]
94 | }
95 |
96 | statement {
97 | sid = ""
98 | effect = "Allow"
99 | resources = ["arn:aws:ec2:*:*:network-interface/*"]
100 | actions = ["ec2:CreateTags"]
101 | }
102 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.admin_password
File: /modules/elasticsearch/main.tf:74-81
74 | resource "aws_ssm_parameter" "admin_password" {
75 | count = local.enabled ? 1 : 0
76 | name = local.elasticsearch_admin_password
77 | value = local.elasticsearch_password
78 | description = "Primary Aurora Postgres Password for the master DB user"
79 | type = "SecureString"
80 | overwrite = true
81 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
File: /modules/elasticsearch/main.tf:84-91
84 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
85 | count = local.enabled ? 1 : 0
86 | name = local.elasticsearch_domain_endpoint
87 | value = module.elasticsearch.domain_endpoint
88 | description = "Domain-specific endpoint used to submit index, search, and data upload requests"
89 | type = "String"
90 | overwrite = true
91 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
File: /modules/elasticsearch/main.tf:93-100
93 | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
94 | count = local.enabled ? 1 : 0
95 | name = local.elasticsearch_kibana_endpoint
96 | value = module.elasticsearch.kibana_endpoint
97 | description = "Domain-specific endpoint for Kibana without https scheme"
98 | type = "String"
99 | overwrite = true
100 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.github_action_runner
File: /modules/github-runners/iam.tf:23-84
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.github_actions_iam_policy
File: /modules/gitops/github-actions-iam-policy.tf:9-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/rds/kms.tf:15-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/rds/kms.tf:15-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_rds
File: /modules/rds/kms.tf:15-67
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.kms_key_ses
File: /modules/ses/main.tf:82-140
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.destination
File: /modules/ssm-parameters/main.tf:28-40
28 | resource "aws_ssm_parameter" "destination" {
29 | for_each = local.params
30 |
31 | name = each.key
32 | description = each.value.description
33 | tier = each.value.tier
34 | type = each.value.type
35 | key_id = var.kms_arn
36 | value = each.value.value
37 | overwrite = each.value.overwrite
38 |
39 | tags = module.this.tags
40 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.acl_arn
File: /modules/waf/main.tf:56-65
56 | resource "aws_ssm_parameter" "acl_arn" {
57 | count = local.enabled ? 1 : 0
58 |
59 | name = "${var.ssm_path_prefix}/${var.acl_name}/arn"
60 | value = module.aws_waf.arn
61 | description = "ARN for WAF web ACL ${var.acl_name}"
62 | type = "String"
63 | overwrite = true
64 | tags = module.this.tags
65 | }
Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
FAILED for resource: github_repository.default[0]
File: /modules/argocd-repo/main.tf:45-53
45 | resource "github_repository" "default" {
46 | count = local.enabled && var.create_repo ? 1 : 0
47 |
48 | name = module.this.name
49 | description = var.description
50 | auto_init = true # will create a 'main' branch
51 |
52 | visibility = "private"
53 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.github_action_runner
File: /deprecated/github-actions-runner/kms.tf:1-8
1 | resource "aws_kms_key" "github_action_runner" {
2 | count = local.enabled ? 1 : 0
3 |
4 | description = "Github Action Runners key used for decryption - ${module.github_action_controller_label.id}"
5 | enable_key_rotation = true
6 | deletion_window_in_days = 30
7 | tags = module.github_action_controller_label.tags
8 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.acl_arn
File: /deprecated/aws-waf-acl/main.tf:30-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
30 | resource "aws_ssm_parameter" "acl_arn" {
31 | count = local.enabled ? 1 : 0
32 | name = "${var.ssm_path_prefix}/${var.acl_name}/arn"
33 | value = module.aws_waf.arn
34 | description = "ARN for WAF web ACL ${var.acl_name}"
35 | type = "String"
36 | overwrite = true
37 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.account_id
File: /deprecated/aws/accounts/stage/main.tf:16-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
16 | resource "aws_ssm_parameter" "account_id" {
17 | count = local.count
18 | name = "/${var.namespace}/${var.stage}/account_id"
19 | description = "AWS Account ID"
20 | type = "String"
21 | value = local.account_id
22 | overwrite = "true"
23 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.account_arn
File: /deprecated/aws/accounts/stage/main.tf:25-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
25 | resource "aws_ssm_parameter" "account_arn" {
26 | count = local.count
27 | name = "/${var.namespace}/${var.stage}/account_arn"
28 | description = "AWS Account ARN"
29 | type = "String"
30 | value = local.account_arn
31 | overwrite = "true"
32 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.organization_account_access_role
File: /deprecated/aws/accounts/stage/main.tf:34-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
34 | resource "aws_ssm_parameter" "organization_account_access_role" {
35 | count = local.count
36 | name = "/${var.namespace}/${var.stage}/organization_account_access_role"
37 | description = "AWS Organization Account Access Role"
38 | type = "String"
39 | value = local.organization_account_access_role
40 | overwrite = "true"
41 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
File: /deprecated/aws/acm-teleport/main.tf:23-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
23 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
24 | name = format(var.chamber_parameter_name, var.chamber_service, var.certificate_arn_parameter_name)
25 | value = module.certificate.arn
26 | description = "Teleport ACM-issued TLS Certificate AWS ARN"
27 | type = "String"
28 | overwrite = "true"
29 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
File: /deprecated/aws/acm/main.tf:22-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
22 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
23 | name = format(var.chamber_parameter_name_format, var.chamber_service, var.certificate_arn_parameter_name)
24 | value = module.certificate.arn
25 | description = "ACM-issued TLS Certificate ARN"
26 | type = "String"
27 | overwrite = true
28 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aws_metrics_iam_role
File: /deprecated/aws/aws-metrics-role/main.tf:117-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
117 | resource "aws_ssm_parameter" "aws_metrics_iam_role" {
118 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_role")
119 | value = aws_iam_role.default.name
120 | description = "IAM role name for AWS metrics access"
121 | type = "String"
122 | overwrite = "true"
123 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aws_metrics_iam_namespace[0]
File: /deprecated/aws/aws-metrics-role/main.tf:125-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
125 | resource "aws_ssm_parameter" "aws_metrics_iam_namespace" {
126 | count = length(var.cloudwatch_namespace) > 0 ? 1 : 0
127 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_namespace")
128 | value = var.cloudwatch_namespace
129 | description = "Kubernetes namespace for AWS metrics accessors"
130 | type = "String"
131 | overwrite = "true"
132 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
File: /deprecated/aws/backing-services/aurora-mysql.tf:105-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
105 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
106 | count = local.mysql_cluster_enabled ? 1 : 0
107 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_database_name")
108 | value = module.aurora_mysql.name
109 | description = "Aurora MySQL Database Name"
110 | type = "String"
111 | overwrite = "true"
112 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
File: /deprecated/aws/backing-services/aurora-mysql.tf:114-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
114 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
115 | count = local.mysql_cluster_enabled ? 1 : 0
116 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_username")
117 | value = module.aurora_mysql.user
118 | description = "Aurora MySQL Username for the master DB user"
119 | type = "String"
120 | overwrite = "true"
121 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_password
File: /deprecated/aws/backing-services/aurora-mysql.tf:123-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
123 | resource "aws_ssm_parameter" "aurora_mysql_master_password" {
124 | count = local.mysql_cluster_enabled ? 1 : 0
125 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_password")
126 | value = module.aurora_mysql.password
127 | description = "Aurora MySQL Password for the master DB user"
128 | type = "String"
129 | overwrite = "true"
130 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_hostname
File: /deprecated/aws/backing-services/aurora-mysql.tf:132-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
132 | resource "aws_ssm_parameter" "aurora_mysql_master_hostname" {
133 | count = local.mysql_cluster_enabled ? 1 : 0
134 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_hostname")
135 | value = module.aurora_mysql.master_host
136 | description = "Aurora MySQL DB Master hostname"
137 | type = "String"
138 | overwrite = "true"
139 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_replicas_hostname
File: /deprecated/aws/backing-services/aurora-mysql.tf:141-148
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
141 | resource "aws_ssm_parameter" "aurora_mysql_replicas_hostname" {
142 | count = local.mysql_cluster_enabled ? 1 : 0
143 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_replicas_hostname")
144 | value = module.aurora_mysql.replicas_host
145 | description = "Aurora MySQL DB Replicas hostname"
146 | type = "String"
147 | overwrite = "true"
148 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_cluster_name
File: /deprecated/aws/backing-services/aurora-mysql.tf:150-157
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
150 | resource "aws_ssm_parameter" "aurora_mysql_cluster_name" {
151 | count = local.mysql_cluster_enabled ? 1 : 0
152 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_cluster_name")
153 | value = module.aurora_mysql.cluster_name
154 | description = "Aurora MySQL DB Cluster Identifier"
155 | type = "String"
156 | overwrite = "true"
157 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.postgres_replica_hostname
File: /deprecated/aws/backing-services/aurora-postgres-replica.tf:55-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
55 | resource "aws_ssm_parameter" "postgres_replica_hostname" {
56 | count = local.postgres_replica_enabled ? 1 : 0
57 | name = format(var.chamber_parameter_name, local.chamber_service, "postgres_replica_hostname")
58 | value = module.postgres_replica.hostname
59 | description = "RDS Cluster replica hostname"
60 | type = "String"
61 | overwrite = "true"
62 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.postgres_replica_endpoint
File: /deprecated/aws/backing-services/aurora-postgres-replica.tf:64-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
64 | resource "aws_ssm_parameter" "postgres_replica_endpoint" {
65 | count = local.postgres_replica_enabled ? 1 : 0
66 | name = format(var.chamber_parameter_name, local.chamber_service, "postgres_replica_endpoint")
67 | value = module.postgres_replica.endpoint
68 | description = "RDS Cluster Replicas hostname"
69 | type = "String"
70 | overwrite = "true"
71 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name
File: /deprecated/aws/backing-services/aurora-postgres.tf:104-111
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
104 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
105 | count = local.postgres_cluster_enabled ? 1 : 0
106 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_database_name")
107 | value = module.aurora_postgres.name
108 | description = "Aurora Postgres Database Name"
109 | type = "String"
110 | overwrite = "true"
111 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username
File: /deprecated/aws/backing-services/aurora-postgres.tf:113-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
113 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
114 | count = local.postgres_cluster_enabled ? 1 : 0
115 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_username")
116 | value = module.aurora_postgres.user
117 | description = "Aurora Postgres Username for the master DB user"
118 | type = "String"
119 | overwrite = "true"
120 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password
File: /deprecated/aws/backing-services/aurora-postgres.tf:122-129
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
122 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
123 | count = local.postgres_cluster_enabled ? 1 : 0
124 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_password")
125 | value = module.aurora_postgres.password
126 | description = "Aurora Postgres Password for the master DB user"
127 | type = "String"
128 | overwrite = "true"
129 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname
File: /deprecated/aws/backing-services/aurora-postgres.tf:131-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
131 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
132 | count = local.postgres_cluster_enabled ? 1 : 0
133 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_hostname")
134 | value = module.aurora_postgres.master_host
135 | description = "Aurora Postgres DB Master hostname"
136 | type = "String"
137 | overwrite = "true"
138 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname
File: /deprecated/aws/backing-services/aurora-postgres.tf:140-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
140 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
141 | count = local.postgres_cluster_enabled ? 1 : 0
142 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_replicas_hostname")
143 | value = module.aurora_postgres.replicas_host
144 | description = "Aurora Postgres DB Replicas hostname"
145 | type = "String"
146 | overwrite = "true"
147 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name
File: /deprecated/aws/backing-services/aurora-postgres.tf:149-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
149 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
150 | count = local.postgres_cluster_enabled ? 1 : 0
151 | name = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_cluster_name")
152 | value = module.aurora_postgres.cluster_name
153 | description = "Aurora Postgres DB Cluster Identifier"
154 | type = "String"
155 | overwrite = "true"
156 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_replica_hostname
File: /deprecated/aws/backing-services/rds-replica.tf:138-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
138 | resource "aws_ssm_parameter" "rds_replica_hostname" {
139 | count = local.rds_replica_enabled ? 1 : 0
140 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_replica_hostname")
141 | value = module.rds_replica.hostname
142 | description = "RDS replica hostname"
143 | type = "String"
144 | overwrite = "true"
145 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_replica_port
File: /deprecated/aws/backing-services/rds-replica.tf:147-154
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
147 | resource "aws_ssm_parameter" "rds_replica_port" {
148 | count = local.rds_replica_enabled ? 1 : 0
149 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_replica_port")
150 | value = var.rds_replica_port
151 | description = "RDS replica port"
152 | type = "String"
153 | overwrite = "true"
154 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_db_name
File: /deprecated/aws/backing-services/rds.tf:201-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
201 | resource "aws_ssm_parameter" "rds_db_name" {
202 | count = local.rds_enabled ? 1 : 0
203 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_db_name")
204 | value = local.rds_db_name
205 | description = "RDS Database Name"
206 | type = "String"
207 | overwrite = "true"
208 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_admin_username
File: /deprecated/aws/backing-services/rds.tf:210-217
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
210 | resource "aws_ssm_parameter" "rds_admin_username" {
211 | count = local.rds_enabled ? 1 : 0
212 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_admin_username")
213 | value = local.rds_admin_user
214 | description = "RDS Username for the admin DB user"
215 | type = "String"
216 | overwrite = "true"
217 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_admin_password
File: /deprecated/aws/backing-services/rds.tf:219-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
219 | resource "aws_ssm_parameter" "rds_admin_password" {
220 | count = local.rds_enabled ? 1 : 0
221 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_admin_password")
222 | value = local.rds_admin_password
223 | description = "RDS Password for the admin DB user"
224 | type = "String"
225 | overwrite = "true"
226 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_hostname
File: /deprecated/aws/backing-services/rds.tf:228-235
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
228 | resource "aws_ssm_parameter" "rds_hostname" {
229 | count = local.rds_enabled ? 1 : 0
230 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_hostname")
231 | value = module.rds.hostname
232 | description = "RDS hostname"
233 | type = "String"
234 | overwrite = "true"
235 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_port
File: /deprecated/aws/backing-services/rds.tf:237-244
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
237 | resource "aws_ssm_parameter" "rds_port" {
238 | count = local.rds_enabled ? 1 : 0
239 | name = format(var.chamber_parameter_name, local.chamber_service, "rds_port")
240 | value = var.rds_port
241 | description = "RDS port"
242 | type = "String"
243 | overwrite = "true"
244 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.datadog_cluster_agent_token
File: /deprecated/aws/datadog/main.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
45 | resource "aws_ssm_parameter" "datadog_cluster_agent_token" {
46 | name = format(var.chamber_parameter_name, local.chamber_service, "datadog_cluster_agent_token")
47 | value = random_string.tokens.result
48 | description = "A cluster-internal secret for agent-to-agent communication. Must be 32+ characters a-zA-Z"
49 | type = "String"
50 | overwrite = "true"
51 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.dynamodb_table_name
File: /deprecated/aws/dynamodb/ssm.tf:5-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
5 | resource "aws_ssm_parameter" "dynamodb_table_name" {
6 | count = var.chamber_parameters_enabled ? 1 : 0
7 | name = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_name")
8 | value = module.dynamodb.table_name
9 | description = "DynamoDB table name"
10 | type = "String"
11 | overwrite = true
12 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.dynamodb_table_id
File: /deprecated/aws/dynamodb/ssm.tf:14-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
14 | resource "aws_ssm_parameter" "dynamodb_table_id" {
15 | count = var.chamber_parameters_enabled ? 1 : 0
16 | name = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_id")
17 | value = module.dynamodb.table_id
18 | description = "DynamoDB table ID"
19 | type = "String"
20 | overwrite = true
21 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.dynamodb_table_arn
File: /deprecated/aws/dynamodb/ssm.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
23 | resource "aws_ssm_parameter" "dynamodb_table_arn" {
24 | count = var.chamber_parameters_enabled ? 1 : 0
25 | name = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_arn")
26 | value = module.dynamodb.table_arn
27 | description = "DynamoDB table ARN"
28 | type = "String"
29 | overwrite = true
30 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
File: /deprecated/aws/elasticsearch/main.tf:116-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
116 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
117 | count = var.chamber_parameters_enabled ? 1 : 0
118 | name = format(
119 | var.chamber_parameter_name,
120 | local.elasticsearch_chamber_service,
121 | "elasticsearch_domain_endpoint"
122 | )
123 | value = module.elasticsearch.domain_endpoint
124 | description = "Domain-specific endpoint used to submit index, search, and data upload requests"
125 | type = "String"
126 | overwrite = true
127 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
File: /deprecated/aws/elasticsearch/main.tf:129-140
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
129 | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
130 | count = var.chamber_parameters_enabled ? 1 : 0
131 | name = format(
132 | var.chamber_parameter_name,
133 | local.elasticsearch_chamber_service,
134 | "elasticsearch_kibana_endpoint"
135 | )
136 | value = module.elasticsearch.kibana_endpoint
137 | description = "Domain-specific endpoint for Kibana without https scheme"
138 | type = "String"
139 | overwrite = true
140 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:176-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
176 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
177 | count = var.mysql_cluster_enabled ? 1 : 0
178 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_name")
179 | value = module.aurora_mysql.database_name
180 | description = "Aurora MySQL Database Name"
181 | type = "String"
182 | overwrite = "true"
183 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:185-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
185 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
186 | count = var.mysql_cluster_enabled ? 1 : 0
187 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_user")
188 | value = module.aurora_mysql.master_username
189 | description = "Aurora MySQL Username for the master DB user"
190 | type = "String"
191 | overwrite = "true"
192 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_endpoint_hostname
File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:204-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
204 | resource "aws_ssm_parameter" "aurora_mysql_endpoint_hostname" {
205 | count = var.mysql_cluster_enabled ? 1 : 0
206 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_host")
207 | value = module.aurora_mysql.endpoint
208 | description = "Aurora MySQL DB endpoint DNS name"
209 | type = "String"
210 | overwrite = "true"
211 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_port
File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:213-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
213 | resource "aws_ssm_parameter" "aurora_mysql_port" {
214 | count = var.mysql_cluster_enabled ? 1 : 0
215 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_port")
216 | value = "3306"
217 | description = "Aurora MySQL DB endpoint port"
218 | type = "String"
219 | overwrite = "true"
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:191-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
191 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
192 | count = local.mysql_cluster_enabled ? 1 : 0
193 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_name")
194 | value = module.aurora_mysql.name
195 | description = "Aurora MySQL Database Name"
196 | type = "String"
197 | overwrite = "true"
198 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:200-207
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
200 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
201 | count = local.mysql_cluster_enabled ? 1 : 0
202 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_user")
203 | value = module.aurora_mysql.user
204 | description = "Aurora MySQL Username for the master DB user"
205 | type = "String"
206 | overwrite = "true"
207 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_master_hostname
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:219-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
219 | resource "aws_ssm_parameter" "aurora_mysql_master_hostname" {
220 | count = local.mysql_cluster_enabled ? 1 : 0
221 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_host")
222 | value = module.aurora_mysql.master_host
223 | description = "Aurora MySQL DB Master hostname"
224 | type = "String"
225 | overwrite = "true"
226 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_port
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:228-235
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
228 | resource "aws_ssm_parameter" "aurora_mysql_port" {
229 | count = local.mysql_cluster_enabled ? 1 : 0
230 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_port")
231 | value = "3306"
232 | description = "Aurora MySQL DB Master hostname"
233 | type = "String"
234 | overwrite = "true"
235 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_replicas_hostname
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:237-244
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
237 | resource "aws_ssm_parameter" "aurora_mysql_replicas_hostname" {
238 | count = local.mysql_cluster_enabled ? 1 : 0
239 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_aurora_mysql_replicas_hostname")
240 | value = module.aurora_mysql.replicas_host
241 | description = "Aurora MySQL DB Replicas hostname"
242 | type = "String"
243 | overwrite = "true"
244 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_mysql_cluster_name
File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:246-253
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
246 | resource "aws_ssm_parameter" "aurora_mysql_cluster_name" {
247 | count = local.mysql_cluster_enabled ? 1 : 0
248 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_aurora_mysql_cluster_name")
249 | value = module.aurora_mysql.cluster_name
250 | description = "Aurora MySQL DB Cluster Identifier"
251 | type = "String"
252 | overwrite = "true"
253 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.keycloak_db_vendor
File: /deprecated/aws/keycloak-backing-services/main.tf:65-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
65 | resource "aws_ssm_parameter" "keycloak_db_vendor" {
66 | count = local.mysql_cluster_enabled ? 1 : 0
67 | name = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_vendor")
68 | value = "mysql"
69 | description = "Database Vendor, e.g. mysql, postgres"
70 | type = "String"
71 | overwrite = "true"
72 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_autoscaler_iam_role_name
File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:39-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
39 | resource "aws_ssm_parameter" "kops_autoscaler_iam_role_name" {
40 | name = format(local.chamber_parameter_format, var.chamber_service, "kubernetes_autoscaler_iam_role_name")
41 | value = module.autoscaler_role.name
42 | description = "IAM role name for cluster autoscaler"
43 | type = "String"
44 | overwrite = "true"
45 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_efs_provisioner_role_name
File: /deprecated/aws/kops-aws-platform/efs-provisioner.tf:73-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
73 | resource "aws_ssm_parameter" "kops_efs_provisioner_role_name" {
74 | count = var.efs_enabled == "true" ? 1 : 0
75 | name = format(local.chamber_parameter_format, var.chamber_service, "kops_efs_provisioner_role_name")
76 | value = module.kops_efs_provisioner.role_name
77 | description = "IAM role name for EFS provisioner"
78 | type = "String"
79 | overwrite = "true"
80 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_efs_file_system_id
File: /deprecated/aws/kops-aws-platform/efs-provisioner.tf:82-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
82 | resource "aws_ssm_parameter" "kops_efs_file_system_id" {
83 | count = var.efs_enabled == "true" ? 1 : 0
84 | name = format(local.chamber_parameter_format, var.chamber_service, "kops_efs_file_system_id")
85 | value = module.kops_efs_provisioner.efs_id
86 | description = "ID for shared EFS file system"
87 | type = "String"
88 | overwrite = "true"
89 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_cluster_name
File: /deprecated/aws/kops/main.tf:138-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
138 | resource "aws_ssm_parameter" "kops_cluster_name" {
139 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_cluster_name")
140 | value = module.kops_state_backend.zone_name
141 | description = "Kops cluster name"
142 | type = "String"
143 | overwrite = "true"
144 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_state_store
File: /deprecated/aws/kops/main.tf:146-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
146 | resource "aws_ssm_parameter" "kops_state_store" {
147 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store")
148 | value = "s3://${module.kops_state_backend.bucket_name}"
149 | description = "Kops state store S3 bucket name"
150 | type = "String"
151 | overwrite = "true"
152 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_state_store_region
File: /deprecated/aws/kops/main.tf:154-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
154 | resource "aws_ssm_parameter" "kops_state_store_region" {
155 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store_region")
156 | value = module.kops_state_backend.bucket_region
157 | description = "Kops state store (S3 bucket) region"
158 | type = "String"
159 | overwrite = "true"
160 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_dns_zone
File: /deprecated/aws/kops/main.tf:162-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
162 | resource "aws_ssm_parameter" "kops_dns_zone" {
163 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone")
164 | value = module.kops_state_backend.zone_name
165 | description = "Kops DNS zone name"
166 | type = "String"
167 | overwrite = "true"
168 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_dns_zone_id
File: /deprecated/aws/kops/main.tf:170-176
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
170 | resource "aws_ssm_parameter" "kops_dns_zone_id" {
171 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone_id")
172 | value = module.kops_state_backend.zone_id
173 | description = "Kops DNS zone ID"
174 | type = "String"
175 | overwrite = "true"
176 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_network_cidr
File: /deprecated/aws/kops/main.tf:178-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
178 | resource "aws_ssm_parameter" "kops_network_cidr" {
179 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_network_cidr")
180 | value = local.vpc_network_cidr
181 | description = "CIDR block of the kops virtual network"
182 | type = "String"
183 | overwrite = "true"
184 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_shared_vpc_id[0]
File: /deprecated/aws/kops/main.tf:187-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
187 | resource "aws_ssm_parameter" "kops_shared_vpc_id" {
188 | count = var.create_vpc == "true" ? 0 : 1
189 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_vpc_id")
190 | value = join("", data.aws_ssm_parameter.vpc_id.*.value)
191 | description = "Kops (shared) VPC AWS ID"
192 | type = "String"
193 | overwrite = "true"
194 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_shared_nat_gateways[0]
File: /deprecated/aws/kops/main.tf:197-204
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
197 | resource "aws_ssm_parameter" "kops_shared_nat_gateways" {
198 | count = var.create_vpc == "true" ? 0 : 1
199 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_nat_gateways")
200 | value = var.use_shared_nat_gateways == "true" ? join("", data.aws_ssm_parameter.nat_gateways.*.value) : replace(local.private_subnet_cidrs, "/[^,]+/", "External")
201 | description = "Kops (shared) private subnet NAT gateway AWS IDs"
202 | type = "String"
203 | overwrite = "true"
204 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_shared_private_subnet_ids[0]
File: /deprecated/aws/kops/main.tf:207-214
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
207 | resource "aws_ssm_parameter" "kops_shared_private_subnet_ids" {
208 | count = var.create_vpc == "true" ? 0 : 1
209 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_private_subnet_ids")
210 | value = join("", data.aws_ssm_parameter.private_subnet_ids.*.value)
211 | description = "Kops private subnet AWS IDs"
212 | type = "String"
213 | overwrite = "true"
214 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_shared_utility_subnet_ids[0]
File: /deprecated/aws/kops/main.tf:217-224
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
217 | resource "aws_ssm_parameter" "kops_shared_utility_subnet_ids" {
218 | count = var.create_vpc == "true" ? 0 : 1
219 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_utility_subnet_ids")
220 | value = join("", data.aws_ssm_parameter.public_subnet_ids.*.value)
221 | description = "Kops utility subnet AWS IDs"
222 | type = "String"
223 | overwrite = "true"
224 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_private_subnets
File: /deprecated/aws/kops/main.tf:226-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
226 | resource "aws_ssm_parameter" "kops_private_subnets" {
227 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_private_subnets")
228 | value = local.private_subnet_cidrs
229 | description = "Kops private subnet CIDRs"
230 | type = "String"
231 | overwrite = "true"
232 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_utility_subnets
File: /deprecated/aws/kops/main.tf:234-240
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
234 | resource "aws_ssm_parameter" "kops_utility_subnets" {
235 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_utility_subnets")
236 | value = local.utility_subnet_cidrs
237 | description = "Kops utility subnet CIDRs"
238 | type = "String"
239 | overwrite = "true"
240 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_non_masquerade_cidr
File: /deprecated/aws/kops/main.tf:242-248
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
242 | resource "aws_ssm_parameter" "kops_non_masquerade_cidr" {
243 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_non_masquerade_cidr")
244 | value = var.kops_non_masquerade_cidr
245 | description = "The CIDR range for Pod IPs"
246 | type = "String"
247 | overwrite = "true"
248 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.kops_availability_zones
File: /deprecated/aws/kops/main.tf:250-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
250 | resource "aws_ssm_parameter" "kops_availability_zones" {
251 | name = format(var.chamber_parameter_name, local.chamber_service, "kops_availability_zones")
252 | value = join(",", local.availability_zones)
253 | description = "Kops availability zones in which cluster will be provisioned"
254 | type = "String"
255 | overwrite = "true"
256 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:130-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
130 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
131 | count = local.postgres_cluster_enabled ? 1 : 0
132 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_database")
133 | value = module.aurora_postgres.database_name
134 | description = "Aurora Postgres Database Name for Sentry"
135 | type = "String"
136 | overwrite = true
137 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:139-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
139 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
140 | count = local.postgres_cluster_enabled ? 1 : 0
141 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_user")
142 | value = module.aurora_postgres.master_username
143 | description = "Aurora Postgres Username for Sentry's master DB user"
144 | type = "String"
145 | overwrite = true
146 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:148-155
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
148 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
149 | count = local.postgres_cluster_enabled ? 1 : 0
150 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_password")
151 | value = local.postgres_admin_password
152 | description = "Aurora Postgres Password for Sentry's master DB user"
153 | type = "String"
154 | overwrite = true
155 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:157-164
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
157 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
158 | count = local.postgres_cluster_enabled ? 1 : 0
159 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_host")
160 | value = module.aurora_postgres.master_host
161 | description = "Aurora Postgres DB Master hostname"
162 | type = "String"
163 | overwrite = true
164 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:166-173
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
166 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
167 | count = local.postgres_cluster_enabled ? 1 : 0
168 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_replicas_hostname")
169 | value = module.aurora_postgres.replicas_host
170 | description = "Aurora Postgres DB Replicas hostname"
171 | type = "String"
172 | overwrite = true
173 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name[0]
File: /deprecated/aws/sentry/aurora-postgres.tf:175-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
175 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
176 | count = local.postgres_cluster_enabled ? 1 : 0
177 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_cluster_name")
178 | value = module.aurora_postgres.cluster_identifier
179 | description = "Aurora Postgres DB Cluster Identifier"
180 | type = "String"
181 | overwrite = true
182 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.elasticache_redis_host[0]
File: /deprecated/aws/sentry/elasticache-redis.tf:63-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
63 | resource "aws_ssm_parameter" "elasticache_redis_host" {
64 | count = local.postgres_cluster_enabled ? 1 : 0
65 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_redis_host")
66 | value = module.elasticache_redis.host
67 | description = "Elasticache host for Sentry"
68 | type = "String"
69 | overwrite = true
70 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.sentry_secret
File: /deprecated/aws/sentry/main.tf:42-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
42 | resource "aws_ssm_parameter" "sentry_secret" {
43 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_secret")
44 | value = random_string.sentry_secret_key.result
45 | description = "Secret Key for Sentry to encrypt sessions"
46 | type = "String"
47 | overwrite = true
48 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.sentry_admin_user_password
File: /deprecated/aws/sentry/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
50 | resource "aws_ssm_parameter" "sentry_admin_user_password" {
51 | name = format(local.chamber_parameter_format, local.chamber_service, "sentry_admin_user_password")
52 | value = random_string.sentry_admin_user_password.result
53 | description = "Password for Sentry admin user"
54 | type = "String"
55 | overwrite = true
56 | }
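The check fires for every `aws_ssm_parameter` with `type = "String"`, but the findings are not equal in weight: `sentry_secret`, `sentry_admin_user_password`, `aurora_postgres_master_password` and `datadog_cluster_agent_token` put actual secrets into Parameter Store in plaintext, while hostnames, ports, subnet IDs and role names are configuration with no confidentiality requirement. The following is an added remediation example, not code from cloudposse/terraform-aws-components: it shows the hardened form of the `sentry_admin_user_password` finding above (a `SecureString` under a customer-managed KMS key) next to a deliberate, documented per-resource skip for a non-secret value. The KMS key, the alias, the literal parameter names and the placeholder hostname are assumptions; the page builds its names with `format(local.chamber_parameter_format, ...)`.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Customer-managed key for SecureString parameters (assumed; the page does not
# show one). The alias matches chamber's documented default,
# alias/parameter_store_key, so chamber reads these values without extra flags.
resource "aws_kms_key" "parameter_store" {
  description         = "KMS key for SSM SecureString parameters"
  enable_key_rotation = true
}

resource "aws_kms_alias" "parameter_store" {
  name          = "alias/parameter_store_key"
  target_key_id = aws_kms_key.parameter_store.key_id
}

# random_password instead of random_string: same provider, but the result is
# marked sensitive, so it is redacted from plan output.
resource "random_password" "sentry_admin_user_password" {
  length  = 32
  special = true
}

# Hardened form of the finding at /deprecated/aws/sentry/main.tf:50-56.
# SecureString + key_id encrypts the value at rest and makes every read
# require kms:Decrypt on the key in addition to ssm:GetParameter.
resource "aws_ssm_parameter" "sentry_admin_user_password" {
  name        = "/sentry/sentry_admin_user_password" # assumed literal name
  value       = random_password.sentry_admin_user_password.result
  description = "Password for Sentry admin user"
  type        = "SecureString"
  key_id      = aws_kms_key.parameter_store.arn
  overwrite   = true
}

# Non-secret configuration can legitimately stay a plain String. Suppress the
# check on that resource with a reason, rather than disabling CKV2_AWS_34
# for the whole scan, so the secret findings above keep failing.
resource "aws_ssm_parameter" "sentry_redis_host" {
  #checkov:skip=CKV2_AWS_34:Non-secret endpoint hostname, no confidentiality requirement
  name        = "/sentry/sentry_redis_host"       # assumed literal name
  value       = "sentry-redis.example.internal"   # constructed placeholder
  description = "Elasticache host for Sentry"
  type        = "String"
  overwrite   = true
}
```

Two caveats a practitioner should keep in mind. First, `SecureString` protects the value inside Parameter Store, not in Terraform: the plaintext is still written to the state file, so the state backend must be encrypted and access to it restricted as tightly as access to the parameter itself. Second, consumers of the parameter now need `ssm:GetParameter` (called with `WithDecryption`) plus `kms:Decrypt` on the key, so the key policy and the reader's IAM role must both be updated, or the rollout breaks whatever reads the secret.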
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_audit_sessions_uri
File: /deprecated/aws/teleport/main.tf:144-150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
144 | resource "aws_ssm_parameter" "teleport_audit_sessions_uri" {
145 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_sessions_uri")
146 | value = "s3://${module.teleport_backend.s3_bucket_id}"
147 | description = "Teleport session logs storage URI"
148 | type = "String"
149 | overwrite = "true"
150 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_audit_events_uri
File: /deprecated/aws/teleport/main.tf:152-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
152 | resource "aws_ssm_parameter" "teleport_audit_events_uri" {
153 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_events_uri")
154 | value = "dynamodb://${module.teleport_backend.dynamodb_audit_table_id}"
155 | description = "Teleport audite events storage URI"
156 | type = "String"
157 | overwrite = "true"
158 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_cluster_state_dynamodb_table
File: /deprecated/aws/teleport/main.tf:160-166
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
160 | resource "aws_ssm_parameter" "teleport_cluster_state_dynamodb_table" {
161 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_cluster_state_dynamodb_table")
162 | value = module.teleport_backend.dynamodb_state_table_id
163 | description = "Teleport cluster state storage dynamodb table"
164 | type = "String"
165 | overwrite = "true"
166 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_auth_iam_role
File: /deprecated/aws/teleport/main.tf:168-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
168 | resource "aws_ssm_parameter" "teleport_auth_iam_role" {
169 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_auth_iam_role")
170 | value = aws_iam_role.teleport.name
171 | description = "Teleport auth IAM role"
172 | type = "String"
173 | overwrite = "true"
174 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_kubernetes_namespace
File: /deprecated/aws/teleport/main.tf:176-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
176 | resource "aws_ssm_parameter" "teleport_kubernetes_namespace" {
177 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_kubernetes_namespace")
178 | value = var.kubernetes_namespace
179 | description = "Teleport auth IAM role"
180 | type = "String"
181 | overwrite = "true"
182 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_tokens[0]
File: /deprecated/aws/teleport/main.tf:198-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_proxy_domain_name
File: /deprecated/aws/teleport/main.tf:207-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
207 | resource "aws_ssm_parameter" "teleport_proxy_domain_name" {
208 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_proxy_domain_name")
209 | value = var.teleport_proxy_domain_name
210 | description = "Teleport Proxy domain name"
211 | type = "String"
212 | overwrite = "true"
213 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_version
File: /deprecated/aws/teleport/main.tf:215-221
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
215 | resource "aws_ssm_parameter" "teleport_version" {
216 | name = format(var.chamber_parameter_name, local.chamber_service, "teleport_version")
217 | value = var.teleport_version
218 | description = "Teleport version to install"
219 | type = "String"
220 | overwrite = "true"
221 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.vpc_id
File: /deprecated/aws/vpc/main.tf:62-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
62 | resource "aws_ssm_parameter" "vpc_id" {
63 | description = "VPC ID of backing services"
64 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "vpc_id")
65 | value = module.vpc.vpc_id
66 | type = "String"
67 | overwrite = "true"
68 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.igw_id
File: /deprecated/aws/vpc/main.tf:70-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
70 | resource "aws_ssm_parameter" "igw_id" {
71 | description = "VPC ID of backing services"
72 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "igw_id")
73 | value = module.vpc.igw_id
74 | type = "String"
75 | overwrite = "true"
76 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cidr_block
File: /deprecated/aws/vpc/main.tf:78-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
78 | resource "aws_ssm_parameter" "cidr_block" {
79 | description = "VPC ID of backing services"
80 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "cidr_block")
81 | value = module.vpc.vpc_cidr_block
82 | type = "String"
83 | overwrite = "true"
84 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.availability_zones
File: /deprecated/aws/vpc/main.tf:86-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
86 | resource "aws_ssm_parameter" "availability_zones" {
87 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "availability_zones")
88 | value = join(",", local.availability_zones)
89 | description = "VPC subnet availability zones"
90 | type = "String"
91 | overwrite = "true"
92 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.nat_gateways
File: /deprecated/aws/vpc/main.tf:94-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
94 | resource "aws_ssm_parameter" "nat_gateways" {
95 | count = var.vpc_nat_gateway_enabled == "true" ? 1 : 0
96 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "nat_gateways")
97 | value = join(",", module.subnets.nat_gateway_ids)
98 | description = "VPC private NAT gateways"
99 | type = "String"
100 | overwrite = "true"
101 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.nat_instances
File: /deprecated/aws/vpc/main.tf:103-110
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
103 | resource "aws_ssm_parameter" "nat_instances" {
104 | count = var.vpc_nat_instance_enabled == "true" ? 1 : 0
105 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "nat_instances")
106 | value = join(",", module.subnets.nat_instance_ids)
107 | description = "VPC private NAT instances"
108 | type = "String"
109 | overwrite = "true"
110 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.private_subnet_cidrs
File: /deprecated/aws/vpc/main.tf:112-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
112 | resource "aws_ssm_parameter" "private_subnet_cidrs" {
113 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_cidrs")
114 | value = join(",", module.subnets.private_subnet_cidrs)
115 | description = "VPC private subnet CIDRs"
116 | type = "String"
117 | overwrite = "true"
118 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.private_subnet_ids
File: /deprecated/aws/vpc/main.tf:120-126
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
120 | resource "aws_ssm_parameter" "private_subnet_ids" {
121 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_ids")
122 | value = join(",", module.subnets.private_subnet_ids)
123 | description = "VPC private subnet AWS IDs"
124 | type = "String"
125 | overwrite = "true"
126 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.public_subnet_cidrs
File: /deprecated/aws/vpc/main.tf:128-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
128 | resource "aws_ssm_parameter" "public_subnet_cidrs" {
129 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_cidrs")
130 | value = join(",", module.subnets.public_subnet_cidrs)
131 | description = "VPC public subnet CIDRs"
132 | type = "String"
133 | overwrite = "true"
134 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.public_subnet_ids
File: /deprecated/aws/vpc/main.tf:136-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
136 | resource "aws_ssm_parameter" "public_subnet_ids" {
137 | name = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_ids")
138 | value = join(",", module.subnets.public_subnet_ids)
139 | description = "VPC public subnet AWS IDs"
140 | type = "String"
141 | overwrite = "true"
142 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.acm_arn
File: /modules/acm/main.tf:38-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
38 | resource "aws_ssm_parameter" "acm_arn" {
39 | count = local.enabled ? 1 : 0
40 |
41 | name = "/acm/${local.domain_name}"
42 | value = module.acm.arn
43 | description = format("ACM certificate ARN for '%s' domain", local.domain_name)
44 | type = "String"
45 | overwrite = true
46 |
47 | tags = module.this.tags
48 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.acm_arn
File: /modules/dns-delegated/acm.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
36 | resource "aws_ssm_parameter" "acm_arn" {
37 | for_each = local.certificate_enabled ? local.zone_map : {}
38 |
39 | name = format("/acm/%s.%s", each.key, each.value)
40 | value = module.acm[each.key].arn
41 | description = "ACM certificate id"
42 | type = "String"
43 | overwrite = true
44 |
45 | tags = module.this.tags
46 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.master_username
File: /modules/documentdb/ssm.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
1 | resource "aws_ssm_parameter" "master_username" {
2 | count = local.enabled ? 1 : 0
3 |
4 | name = "/${module.this.name}/master_username"
5 | type = "String"
6 | value = var.master_username
7 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.full_urls
File: /modules/ecs-service/systems-manager.tf:48-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
48 | resource "aws_ssm_parameter" "full_urls" {
49 | for_each = local.ssm_enabled ? local.params : {}
50 |
51 | name = each.key
52 | description = each.value.description
53 | type = each.value.type
54 | key_id = var.kms_alias_name_ssm
55 | value = each.value.value
56 | overwrite = true
57 |
58 | tags = module.this.tags
59 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
File: /modules/elasticsearch/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
84 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
85 | count = local.enabled ? 1 : 0
86 | name = local.elasticsearch_domain_endpoint
87 | value = module.elasticsearch.domain_endpoint
88 | description = "Domain-specific endpoint used to submit index, search, and data upload requests"
89 | type = "String"
90 | overwrite = true
91 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
File: /modules/elasticsearch/main.tf:93-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
93 | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
94 | count = local.enabled ? 1 : 0
95 | name = local.elasticsearch_kibana_endpoint
96 | value = module.elasticsearch.kibana_endpoint
97 | description = "Domain-specific endpoint for Kibana without https scheme"
98 | type = "String"
99 | overwrite = true
100 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_database_user
File: /modules/rds/systems-manager.tf:54-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
54 | resource "aws_ssm_parameter" "rds_database_user" {
55 | count = local.ssm_enabled ? 1 : 0
56 |
57 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_user)
58 | value = local.database_user
59 | description = "RDS DB user"
60 | type = "String"
61 | overwrite = true
62 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_database_hostname
File: /modules/rds/systems-manager.tf:75-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
75 | resource "aws_ssm_parameter" "rds_database_hostname" {
76 | count = local.ssm_enabled ? 1 : 0
77 |
78 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_hostname)
79 | value = module.rds_instance.hostname == "" ? module.rds_instance.instance_address : module.rds_instance.hostname
80 | description = "RDS DB hostname"
81 | type = "String"
82 | overwrite = true
83 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.rds_database_port
File: /modules/rds/systems-manager.tf:85-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
85 | resource "aws_ssm_parameter" "rds_database_port" {
86 | count = local.ssm_enabled ? 1 : 0
87 |
88 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
89 | value = var.database_port
90 | description = "RDS DB port"
91 | type = "String"
92 | overwrite = true
93 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.redshift_database_name
File: /modules/redshift/systems-manager.tf:54-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
54 | resource "aws_ssm_parameter" "redshift_database_name" {
55 | count = local.ssm_enabled ? 1 : 0
56 |
57 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
58 | value = local.database_name
59 | description = "Redshift DB port"
60 | type = "String"
61 | overwrite = true
62 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.redshift_database_user
File: /modules/redshift/systems-manager.tf:64-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
64 | resource "aws_ssm_parameter" "redshift_database_user" {
65 | count = local.ssm_enabled ? 1 : 0
66 |
67 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_user)
68 | value = local.admin_user
69 | description = "Redshift DB user"
70 | type = "String"
71 | overwrite = true
72 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.redshift_database_hostname
File: /modules/redshift/systems-manager.tf:85-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
85 | resource "aws_ssm_parameter" "redshift_database_hostname" {
86 | count = local.ssm_enabled ? 1 : 0
87 |
88 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_hostname)
89 | value = module.redshift_cluster.endpoint
90 | description = "Redshift DB hostname"
91 | type = "String"
92 | overwrite = true
93 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.redshift_database_port
File: /modules/redshift/systems-manager.tf:95-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
95 | resource "aws_ssm_parameter" "redshift_database_port" {
96 | count = local.ssm_enabled ? 1 : 0
97 |
98 | name = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
99 | value = var.port
100 | description = "Redshift DB port"
101 | type = "String"
102 | overwrite = true
103 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.destination
File: /modules/ssm-parameters/main.tf:28-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
28 | resource "aws_ssm_parameter" "destination" {
29 | for_each = local.params
30 |
31 | name = each.key
32 | description = each.value.description
33 | tier = each.value.tier
34 | type = each.value.type
35 | key_id = var.kms_arn
36 | value = each.value.value
37 | overwrite = each.value.overwrite
38 |
39 | tags = module.this.tags
40 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.acl_arn
File: /modules/waf/main.tf:56-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
56 | resource "aws_ssm_parameter" "acl_arn" {
57 | count = local.enabled ? 1 : 0
58 |
59 | name = "${var.ssm_path_prefix}/${var.acl_name}/arn"
60 | value = module.aws_waf.arn
61 | description = "ARN for WAF web ACL ${var.acl_name}"
62 | type = "String"
63 | overwrite = true
64 | tags = module.this.tags
65 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_tokens[1]
File: /deprecated/aws/teleport/main.tf:198-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.teleport_tokens[2]
File: /deprecated/aws/teleport/main.tf:198-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
198 | resource "aws_ssm_parameter" "teleport_tokens" {
199 | count = length(local.token_names)
200 | name = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
201 | value = element(random_string.tokens.*.result, count.index)
202 | description = "Teleport join token: ${element(local.token_names, count.index)}"
203 | type = "String"
204 | overwrite = "true"
205 | }
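The same check fires on every `aws_ssm_parameter` above, but the values are not equally sensitive. The Sentry secret key and admin password and the Teleport join tokens are credentials and belong in a `SecureString` under a customer-managed KMS key; VPC IDs, subnet CIDRs, service endpoints and ACM or WAF ARNs are wiring data for which a plain `String` is adequate, and the right response there is a recorded suppression rather than encryption for its own sake. Two resources, `full_urls` in `modules/ecs-service` and `destination` in `modules/ssm-parameters`, already pass a `key_id` yet still fail, because their `type` comes from a map value rather than a literal, which the check cannot resolve. One genuine bug is also visible above: in `modules/redshift/systems-manager.tf` the `redshift_database_name` parameter is named with `var.ssm_key_port` and described as "Redshift DB port", the same name `redshift_database_port` uses, so with `overwrite = true` whichever resource applies last silently wins. The following is an added example, not code from this repository; the `aws_kms_key.ssm` resource, the `random_password` resources and the `local.chamber_service` naming prefix are assumptions, and `local.token_names` is assumed to be the list of strings the Teleport module iterates over.

```hcl
# Added example; not code from cloudposse/terraform-aws-components.
# Assumed for illustration: aws_kms_key.ssm, the random_password resources,
# local.chamber_service (a naming prefix) and local.token_names (list of strings).

resource "aws_kms_key" "ssm" {
  description         = "Customer-managed key for SecureString SSM parameters"
  enable_key_rotation = true
}

# random_password is random_string with the result marked sensitive,
# so the generated value is redacted in plan output.
resource "random_password" "sentry_admin_user_password" {
  length  = 32
  special = true
}

# A credential: SecureString with a literal type and a customer-managed key.
# Reading it now requires kms:Decrypt on the key as well as ssm:GetParameter.
resource "aws_ssm_parameter" "sentry_admin_user_password" {
  name        = format("/%s/%s", local.chamber_service, "sentry_admin_user_password")
  description = "Password for Sentry admin user"
  type        = "SecureString" # a literal, so the check can resolve it
  key_id      = aws_kms_key.ssm.key_id
  value       = random_password.sentry_admin_user_password.result
}

# Join tokens are credentials too: one SecureString per token name.
resource "random_password" "teleport_tokens" {
  for_each = toset(local.token_names)
  length   = 32
  special  = false
}

resource "aws_ssm_parameter" "teleport_tokens" {
  for_each    = random_password.teleport_tokens
  name        = format("/%s/%s", local.chamber_service, each.key)
  description = "Teleport join token: ${each.key}"
  type        = "SecureString"
  key_id      = aws_kms_key.ssm.key_id
  value       = each.value.result
}

# Wiring data (VPC IDs, CIDRs, endpoints, ARNs) is not secret. Keep it a String
# and record the decision inline so the finding does not resurface every scan.
resource "aws_ssm_parameter" "vpc_id" {
  # checkov:skip=CKV2_AWS_34: VPC ID is discovery data, not a secret
  name        = format("/%s/%s", local.chamber_service, "vpc_id")
  description = "VPC ID of backing services"
  type        = "String"
  value       = module.vpc.vpc_id
}
```

`SecureString` protects the value at rest in Parameter Store and puts a second permission (`kms:Decrypt` on the key) between a reader and the plaintext. It does nothing for Terraform state, where the value is stored in clear regardless of type, so the state backend needs its own encryption and access control; `random_password` in place of `random_string` at least keeps the value out of plan output and CI logs.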
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.dns_zone
File: /deprecated/aws/account-dns/main.tf:22-24
22 | resource "aws_route53_zone" "dns_zone" {
23 | name = var.domain_name
24 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.parent_dns_zone
File: /deprecated/aws/root-dns/parent.tf:6-9
6 | resource "aws_route53_zone" "parent_dns_zone" {
7 | name = var.parent_domain_name
8 | comment = "Parent domain name"
9 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.root_dns_zone
File: /deprecated/aws/root-dns/root.tf:6-9
6 | resource "aws_route53_zone" "root_dns_zone" {
7 | name = var.root_domain_name
8 | comment = "DNS Zone for Root Account"
9 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.default
File: /modules/dns-delegated/main.tf:17-25
17 | resource "aws_route53_zone" "default" {
18 | for_each = local.public_enabled ? local.zone_map : {}
19 |
20 | name = format("%s.%s", each.key, each.value)
21 | comment = format("DNS zone for %s.%s", each.key, each.value)
22 |
23 |
24 | tags = module.this.tags
25 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /modules/dns-delegated/main.tf:27-54
27 | resource "aws_route53_zone" "private" {
28 | for_each = local.private_enabled ? local.zone_map : {}
29 |
30 | name = format("%s.%s", each.key, each.value)
31 | comment = format("DNS zone for %s.%s", each.key, each.value)
32 |
33 | # The reason why this isn't in the original route53 zone is because this shows up as an update
34 | # when the aws provider should replace it. Using a separate resource allows the user to toggle
35 | # between private and public without manual targeted destroys.
36 | # See: https://github.com/hashicorp/terraform-provider-aws/issues/7614
37 | dynamic "vpc" {
38 | for_each = local.private_enabled ? [true] : []
39 |
40 | content {
41 | vpc_id = module.vpc[var.vpc_primary_environment_name].outputs.vpc_id
42 | }
43 | }
44 |
45 | tags = module.this.tags
46 |
47 | # Prevent the deletion of associated VPCs after
48 | # the initial creation. See documentation on
49 | # aws_route53_zone_association for details
50 | # See https://github.com/hashicorp/terraform-provider-aws/issues/14872#issuecomment-682008493
51 | lifecycle {
52 | ignore_changes = [vpc]
53 | }
54 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.root
File: /modules/dns-primary/main.tf:7-13
7 | resource "aws_route53_zone" "root" {
8 | for_each = local.domains_set
9 |
10 | name = each.value
11 | comment = "DNS zone for the ${each.value} root domain"
12 | tags = module.this.tags
13 | }
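Route 53 query logging attaches an `aws_route53_query_log` to the zone and writes to a CloudWatch log group that must live in us-east-1, authorised by a CloudWatch Logs resource policy rather than an IAM role. It is available for public hosted zones only, so the `aws_route53_zone.private` finding above cannot be satisfied with this resource; the private-zone equivalent is Route 53 Resolver query logging, which is associated with the VPC, and the zone-level finding should then be suppressed with an inline `checkov:skip` and a reason. The following is an added example, not code from this repository; the `aws.use1` provider alias, the log groups and `var.vpc_id` are assumptions, and `aws_route53_zone.root` is assumed to be the `for_each` map of public zones from `modules/dns-primary`, keyed by domain name as above.

```hcl
# Added example; not code from cloudposse/terraform-aws-components.
# Assumed: the aws.use1 provider alias, the two log groups, var.vpc_id, and
# aws_route53_zone.root as the for_each map of public zones shown above.

provider "aws" {
  alias  = "use1"
  region = "us-east-1" # Route 53 only delivers query logs to log groups in us-east-1
}

resource "aws_cloudwatch_log_group" "route53_queries" {
  for_each = aws_route53_zone.root
  provider = aws.use1

  name              = "/aws/route53/${each.value.name}"
  retention_in_days = 30
}

# Route 53 is granted write access through a CloudWatch Logs resource policy.
data "aws_iam_policy_document" "route53_query_logging" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:us-east-1:*:log-group:/aws/route53/*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_query_logging" {
  provider        = aws.use1
  policy_name     = "route53-query-logging"
  policy_document = data.aws_iam_policy_document.route53_query_logging.json
}

resource "aws_route53_query_log" "this" {
  for_each = aws_route53_zone.root

  zone_id                  = each.value.zone_id
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53_queries[each.key].arn

  # The resource policy must exist before Route 53 tries to write.
  depends_on = [aws_cloudwatch_log_resource_policy.route53_query_logging]
}

# Private zones are not eligible for aws_route53_query_log. Log them at the VPC
# with Resolver query logging (same region as the VPC) and suppress the
# zone-level finding with a checkov:skip on aws_route53_zone.private.
resource "aws_cloudwatch_log_group" "resolver_queries" {
  name              = "/aws/route53resolver/private-zones"
  retention_in_days = 30
}

resource "aws_route53_resolver_query_log_config" "private" {
  name            = "private-zone-queries"
  destination_arn = aws_cloudwatch_log_group.resolver_queries.arn
}

resource "aws_route53_resolver_query_log_config_association" "private" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.private.id
  resource_id                  = var.vpc_id
}
```

Query logs are the record of who resolved what against the zone; for detection work they are most useful alongside Resolver logs, since the public-zone log captures queries from recursive resolvers on the internet while the Resolver log captures the individual clients inside the VPC.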
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: aws_guardduty_detector.this[0]
File: /deprecated/guardduty/root/main.tf:19-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
19 | resource "aws_guardduty_detector" "this" {
20 | count = local.enabled && var.administrator_account != null && var.administrator_account != "" ? 1 : 0
21 |
22 | enable = true
23 |
24 | datasources {
25 | s3_logs {
26 | enable = true
27 | }
28 | }
29 | }
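The detector above already sets `enable = true`, so what this check is asking for is the organization-level wiring: a delegated GuardDuty administrator account and an organization configuration that enrols member accounts automatically, applied in every region in use since GuardDuty is regional. The two organization resources are created from different accounts, the admin delegation from the organization management account and the configuration from the delegated administrator. The following is an added example, not the component's own code; the `aws.management` and `aws.security` provider aliases and `var.security_account_id` are assumptions, and `auto_enable_organization_members` is the AWS provider v5 argument (v4 used `auto_enable`).

```hcl
# Added example; not code from cloudposse/terraform-aws-components.
# Assumed: the aws.management and aws.security provider aliases and
# var.security_account_id (the account that will administer GuardDuty).

# From the organization management account: delegate GuardDuty administration.
resource "aws_guardduty_organization_admin_account" "this" {
  provider         = aws.management
  admin_account_id = var.security_account_id
}

# From the delegated administrator account: the detector for this region ...
resource "aws_guardduty_detector" "admin" {
  provider = aws.security
  enable   = true

  datasources {
    s3_logs {
      enable = true
    }
  }
}

# ... and the organization configuration that enrols every member account,
# including ones added later, with the same data sources switched on.
resource "aws_guardduty_organization_configuration" "this" {
  provider                         = aws.security
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.admin.id

  datasources {
    s3_logs {
      auto_enable = true
    }
  }

  depends_on = [aws_guardduty_organization_admin_account.this]
}
```

Repeat the detector and configuration per region; an account with no detector in a region has no GuardDuty coverage there, which is exactly the gap the check name ("to specific org/region") is pointing at.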
Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
FAILED for resource: aws_route53_record.local_dns_name
File: /deprecated/aws/root-dns/parent-local-ns.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
1 | resource "aws_route53_record" "local_dns_name" {
2 | zone_id = aws_route53_zone.parent_dns_zone.zone_id
3 | name = "local"
4 | type = "A"
5 | ttl = "30"
6 | records = ["127.0.0.1"]
7 | }
Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
FAILED for resource: aws_route53_record.local_dns_wildcard
File: /deprecated/aws/root-dns/parent-local-ns.tf:9-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
9 | resource "aws_route53_record" "local_dns_wildcard" {
10 | zone_id = aws_route53_zone.parent_dns_zone.zone_id
11 | name = "*.local"
12 | type = "A"
13 | ttl = "30"
14 | records = ["127.0.0.1"]
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.default
File: /modules/ecs/main.tf:30-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
30 | resource "aws_security_group" "default" {
31 | count = local.enabled ? 1 : 0
32 | name = module.this.id
33 | description = "ECS cluster EC2 autoscale capacity providers"
34 | vpc_id = module.vpc.outputs.vpc_id
35 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.dns_zone
File: /deprecated/aws/account-dns/main.tf:22-24
22 | resource "aws_route53_zone" "dns_zone" {
23 | name = var.domain_name
24 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.parent_dns_zone
File: /deprecated/aws/root-dns/parent.tf:6-9
6 | resource "aws_route53_zone" "parent_dns_zone" {
7 | name = var.parent_domain_name
8 | comment = "Parent domain name"
9 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.root_dns_zone
File: /deprecated/aws/root-dns/root.tf:6-9
6 | resource "aws_route53_zone" "root_dns_zone" {
7 | name = var.root_domain_name
8 | comment = "DNS Zone for Root Account"
9 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.default
File: /modules/dns-delegated/main.tf:17-25
17 | resource "aws_route53_zone" "default" {
18 | for_each = local.public_enabled ? local.zone_map : {}
19 |
20 | name = format("%s.%s", each.key, each.value)
21 | comment = format("DNS zone for %s.%s", each.key, each.value)
22 |
23 |
24 | tags = module.this.tags
25 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /modules/dns-delegated/main.tf:27-54
27 | resource "aws_route53_zone" "private" {
28 | for_each = local.private_enabled ? local.zone_map : {}
29 |
30 | name = format("%s.%s", each.key, each.value)
31 | comment = format("DNS zone for %s.%s", each.key, each.value)
32 |
33 | # The reason why this isn't in the original route53 zone is because this shows up as an update
34 | # when the aws provider should replace it. Using a separate resource allows the user to toggle
35 | # between private and public without manual targeted destroys.
36 | # See: https://github.com/hashicorp/terraform-provider-aws/issues/7614
37 | dynamic "vpc" {
38 | for_each = local.private_enabled ? [true] : []
39 |
40 | content {
41 | vpc_id = module.vpc[var.vpc_primary_environment_name].outputs.vpc_id
42 | }
43 | }
44 |
45 | tags = module.this.tags
46 |
47 | # Prevent the deletion of associated VPCs after
48 | # the initial creation. See documentation on
49 | # aws_route53_zone_association for details
50 | # See https://github.com/hashicorp/terraform-provider-aws/issues/14872#issuecomment-682008493
51 | lifecycle {
52 | ignore_changes = [vpc]
53 | }
54 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.root
File: /modules/dns-primary/main.tf:7-13
7 | resource "aws_route53_zone" "root" {
8 | for_each = local.domains_set
9 |
10 | name = each.value
11 | comment = "DNS zone for the ${each.value} root domain"
12 | tags = module.this.tags
13 | }
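All three CKV2_AWS_38 findings above are resolved the same way: a key-signing key (KSK) backed by an asymmetric KMS key, plus an aws_route53_hosted_zone_dnssec resource that turns signing on for the zone. The block below is an added example and not code from cloudposse/terraform-aws-components; var.domain_name, var.vpc_id, the provider alias and all resource names are placeholders. DNSSEC signing is only supported for public hosted zones, so the finding against the private zone is suppressed with an inline checkov skip rather than "fixed".

```hcl
# Added example (not from the repository): enable Route 53 DNSSEC signing so that
# CKV2_AWS_38 passes. var.domain_name, var.vpc_id and the resource names are assumed.

variable "domain_name" { type = string }
variable "vpc_id" { type = string }

data "aws_caller_identity" "current" {}

# Route 53 requires the KSK's KMS key to live in us-east-1 and to be an
# asymmetric ECC_NIST_P256 key with SIGN_VERIFY usage.
provider "aws" {
  alias  = "dnssec"
  region = "us-east-1"
}

resource "aws_kms_key" "dnssec" {
  provider                 = aws.dnssec
  description              = "Route 53 DNSSEC KSK for ${var.domain_name}"
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 7
  enable_key_rotation      = false # automatic rotation is not available for asymmetric keys

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowRoute53DnssecService"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Resource  = "*"
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:route53:::hostedzone/*" }
        }
      },
      {
        Sid       = "AllowRoute53DnssecServiceToCreateGrant"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = "kms:CreateGrant"
        Resource  = "*"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      },
      {
        Sid       = "EnableIAMUserPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}

resource "aws_route53_zone" "public" {
  name    = var.domain_name
  comment = "DNS zone for ${var.domain_name}"
}

# KSK names may only contain letters, digits and underscores.
resource "aws_route53_key_signing_key" "public" {
  hosted_zone_id             = aws_route53_zone.public.id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "ksk_${replace(var.domain_name, ".", "_")}"
}

# This is the resource CKV2_AWS_38 looks for; signing cannot be enabled before the KSK exists.
resource "aws_route53_hosted_zone_dnssec" "public" {
  hosted_zone_id = aws_route53_key_signing_key.public.hosted_zone_id
  depends_on     = [aws_route53_key_signing_key.public]
}

# The DS record to publish in the parent zone (registrar) to complete the chain of trust.
output "ds_record" {
  value = aws_route53_key_signing_key.public.ds_record
}

# Private hosted zones cannot be DNSSEC-signed, so the check does not apply; suppress it
# inline instead of leaving a permanent failure in the report.
resource "aws_route53_zone" "private" {
  # checkov:skip=CKV2_AWS_38: DNSSEC signing is only available for public hosted zones
  name    = var.domain_name
  comment = "Private DNS zone for ${var.domain_name}"

  vpc {
    vpc_id = var.vpc_id
  }
}
```

After `terraform apply`, the zone is signed but resolvers will not validate it until the `ds_record` output is published at the parent (registrar or parent hosted zone). Do that only once signing status is ACTIVE, and never disable signing or delete the KSK while the DS record is still published, because validating resolvers will then return SERVFAIL for every name in the zone.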
dockerfile scan results:
Passed checks: 136, Failed checks: 4, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /Dockerfile.
File: /Dockerfile:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM scratch
2 | COPY modules/ /modules
3 | WORKDIR /modules
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /Dockerfile.
File: /Dockerfile:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM scratch
2 | COPY modules/ /modules
3 | WORKDIR /modules
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /deprecated/github-actions-runner/runners/runner/Dockerfile.
File: /deprecated/github-actions-runner/runners/runner/Dockerfile:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | ARG VERSION=2.281.0-ubuntu-20.04
2 |
3 | FROM summerwind/actions-runner-dind:v$VERSION
4 |
5 | # We want to ignore the metadata server, which would normally have high priority,
6 | # because we want to pick up the EKS Service Account role, not the EC2 instance profile role
7 | ENV AWS_EC2_METADATA_DISABLED=true
8 |
9 | # We are not using ~/.aws/config or ~/.aws/credentials so we want to prevent
10 | # the AWS SDK from looking for or at them (and complaining they do not exist)
11 | ENV AWS_SDK_LOAD_CONFIG=false
12 |
13 | ARG ECR_CREDENTIAL_HELPER_VERSION=0.5.0
14 | RUN sudo wget -nv https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login \
15 | -O /usr/local/bin/docker-credential-ecr-login && \
16 | sudo chmod a+x /usr/local/bin/docker-credential-ecr-login
17 |
18 | USER root
19 |
20 | ENV TERM=dumb
21 |
22 | # Add CloudPosse package repo
23 | RUN apt-get update && apt-get install -y apt-utils && apt-get install -y curl
24 | RUN curl -1sLf 'https://dl.cloudsmith.io/public/cloudposse/packages/cfg/setup/bash.deb.sh' | bash
25 |
26 | # Install Chamber
27 | RUN apt-get install -y awscli chamber
28 |
29 | COPY docker-config.json /home/runner/.docker/config.json
30 |
31 | RUN chown -R runner:root /home/runner
32 |
33 | USER runner
34 | RUN id
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
FAILED for resource: /deprecated/github-actions-runner/runners/runner/Dockerfile.RUN
File: /deprecated/github-actions-runner/runners/runner/Dockerfile:14-16
14 | RUN sudo wget -nv https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login \
15 | -O /usr/local/bin/docker-credential-ecr-login && \
16 | sudo chmod a+x /usr/local/bin/docker-credential-ecr-login
secrets scan results:
Passed checks: 0, Failed checks: 3, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 949ff93e118b74f9152192169c7a7b232a1eb9df
File: /deprecated/aws/kops/main.tf:53-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
53 | ssh_private_key_name = "kops_***************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 70bacdd84f4fbfd92520369b572b7806b85d51c5
File: /modules/eks/cert-manager/cert-manager-issuer/values.yaml:5-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5 | selfsigned_secretname: ca*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 8278de8619381b204fb63e28d383fd4cd5c64b83
File: /modules/eks/external-secrets-operator/examples/external-secrets.yaml:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | - secretKey: go*********
github_actions scan results:
Passed checks: 124, Failed checks: 4, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(pre-commit-check-and-autocommit-changes)
File: /.github/workflows/pre-commit-check-and-autocommit-changes.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(bats)
File: /.github/workflows/bats.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Validate Codeowners)
File: /.github/workflows/validate-codeowners.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(auto-release)
File: /.github/workflows/auto-release.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools