| Repository | cloudposse / terraform-aws-dynamic-subnets |
|---|---|
| Description | Terraform module for public and private subnets provisioning in existing VPC |
| Stars | 173 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:53:44,527 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:53:44,527 [MainThread ] [WARNI] Failed to download module cloudposse/utils/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:53:44,527 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:2.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 137, Failed checks: 25, Skipped checks: 21
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: aws_network_acl_rule.custom_private_ingress_account
File: /examples/nacls/private-nacls.local.tf:111-123
111 | resource "aws_network_acl_rule" "custom_private_ingress_account" {
112 | count = local.custom_private_nacls_enabled ? length(local.private_open_cidrs) : 0
113 |
114 | network_acl_id = one(aws_network_acl.custom_private[*].id)
115 | rule_action = "allow"
116 | rule_number = 80 + count.index
117 |
118 | egress = false
119 | cidr_block = local.private_open_cidrs[count.index]
120 | from_port = 0
121 | to_port = 65535
122 | protocol = "tcp"
123 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.subnets.aws_instance.nat_instance
File: /nat-instance.tf:75-118
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
75 | resource "aws_instance" "nat_instance" {
76 | count = local.nat_instance_enabled ? local.nat_count : 0
77 |
78 | ami = local.nat_instance_ami_id
79 | instance_type = var.nat_instance_type
80 | subnet_id = aws_subnet.public[count.index].id
81 | vpc_security_group_ids = [aws_security_group.nat_instance[0].id]
82 |
83 | tags = merge(
84 | module.nat_instance_label.tags,
85 | {
86 | "Name" = format("%s%s%s", module.nat_instance_label.id, local.delimiter, local.subnet_az_abbreviations[count.index])
87 | }
88 | )
89 |
90 | # Required by NAT
91 | # https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
92 | source_dest_check = false
93 |
94 | #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
95 | #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
96 | #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.
97 | associate_public_ip_address = true #tfsec:ignore:AWS012
98 |
99 | metadata_options {
100 | http_endpoint = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
101 | http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
102 | http_tokens = var.metadata_http_tokens_required ? "required" : "optional"
103 | }
104 |
105 | root_block_device {
106 | encrypted = local.nat_instance_root_block_device_encrypted
107 | }
108 |
109 | dynamic "credit_specification" {
110 | for_each = var.nat_instance_cpu_credits_override == "" ? [] : [var.nat_instance_cpu_credits_override]
111 |
112 | content {
113 | cpu_credits = var.nat_instance_cpu_credits_override
114 | }
115 | }
116 |
117 | ebs_optimized = true
118 | }
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
File: /private.tf:95-107
Calling File: /examples/nacls/main.tf:20-45
95 | resource "aws_network_acl_rule" "private4_ingress" {
96 | count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
97 |
98 | network_acl_id = aws_network_acl.private[0].id
99 | rule_action = "allow"
100 | rule_number = var.open_network_acl_ipv4_rule_number
101 |
102 | egress = false
103 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
104 | from_port = 0
105 | to_port = 0
106 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
107 | }
Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
File: /private.tf:95-107
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
95 | resource "aws_network_acl_rule" "private4_ingress" {
96 | count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
97 |
98 | network_acl_id = aws_network_acl.private[0].id
99 | rule_action = "allow"
100 | rule_number = var.open_network_acl_ipv4_rule_number
101 |
102 | egress = false
103 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
104 | from_port = 0
105 | to_port = 0
106 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
107 | }
Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
File: /private.tf:95-107
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
95 | resource "aws_network_acl_rule" "private4_ingress" {
96 | count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
97 |
98 | network_acl_id = aws_network_acl.private[0].id
99 | rule_action = "allow"
100 | rule_number = var.open_network_acl_ipv4_rule_number
101 |
102 | egress = false
103 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
104 | from_port = 0
105 | to_port = 0
106 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
107 | }
Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
File: /private.tf:95-107
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
95 | resource "aws_network_acl_rule" "private4_ingress" {
96 | count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
97 |
98 | network_acl_id = aws_network_acl.private[0].id
99 | rule_action = "allow"
100 | rule_number = var.open_network_acl_ipv4_rule_number
101 |
102 | egress = false
103 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
104 | from_port = 0
105 | to_port = 0
106 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
107 | }
Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
File: /private.tf:95-107
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
95 | resource "aws_network_acl_rule" "private4_ingress" {
96 | count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
97 |
98 | network_acl_id = aws_network_acl.private[0].id
99 | rule_action = "allow"
100 | rule_number = var.open_network_acl_ipv4_rule_number
101 |
102 | egress = false
103 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
104 | from_port = 0
105 | to_port = 0
106 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
107 | }
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
File: /private.tf:123-135
Calling File: /examples/nacls/main.tf:20-45
123 | resource "aws_network_acl_rule" "private6_ingress" {
124 | count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
125 |
126 | network_acl_id = aws_network_acl.private[0].id
127 | rule_action = "allow"
128 | rule_number = var.open_network_acl_ipv6_rule_number
129 |
130 | egress = false
131 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
135 | }
Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
File: /private.tf:123-135
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
123 | resource "aws_network_acl_rule" "private6_ingress" {
124 | count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
125 |
126 | network_acl_id = aws_network_acl.private[0].id
127 | rule_action = "allow"
128 | rule_number = var.open_network_acl_ipv6_rule_number
129 |
130 | egress = false
131 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
135 | }
Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
File: /private.tf:123-135
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
123 | resource "aws_network_acl_rule" "private6_ingress" {
124 | count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
125 |
126 | network_acl_id = aws_network_acl.private[0].id
127 | rule_action = "allow"
128 | rule_number = var.open_network_acl_ipv6_rule_number
129 |
130 | egress = false
131 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
135 | }
Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
File: /private.tf:123-135
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
123 | resource "aws_network_acl_rule" "private6_ingress" {
124 | count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
125 |
126 | network_acl_id = aws_network_acl.private[0].id
127 | rule_action = "allow"
128 | rule_number = var.open_network_acl_ipv6_rule_number
129 |
130 | egress = false
131 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
135 | }
Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
File: /private.tf:123-135
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
123 | resource "aws_network_acl_rule" "private6_ingress" {
124 | count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
125 |
126 | network_acl_id = aws_network_acl.private[0].id
127 | rule_action = "allow"
128 | rule_number = var.open_network_acl_ipv6_rule_number
129 |
130 | egress = false
131 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
132 | from_port = 0
133 | to_port = 0
134 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
135 | }
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
File: /public.tf:106-118
Calling File: /examples/nacls/main.tf:20-45
106 | resource "aws_network_acl_rule" "public4_ingress" {
107 | count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
108 |
109 | network_acl_id = aws_network_acl.public[0].id
110 | rule_action = "allow"
111 | rule_number = var.open_network_acl_ipv4_rule_number
112 |
113 | egress = false
114 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
115 | from_port = 0
116 | to_port = 0
117 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
118 | }
Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
File: /public.tf:106-118
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
106 | resource "aws_network_acl_rule" "public4_ingress" {
107 | count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
108 |
109 | network_acl_id = aws_network_acl.public[0].id
110 | rule_action = "allow"
111 | rule_number = var.open_network_acl_ipv4_rule_number
112 |
113 | egress = false
114 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
115 | from_port = 0
116 | to_port = 0
117 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
118 | }
Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
File: /public.tf:106-118
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
106 | resource "aws_network_acl_rule" "public4_ingress" {
107 | count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
108 |
109 | network_acl_id = aws_network_acl.public[0].id
110 | rule_action = "allow"
111 | rule_number = var.open_network_acl_ipv4_rule_number
112 |
113 | egress = false
114 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
115 | from_port = 0
116 | to_port = 0
117 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
118 | }
Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
File: /public.tf:106-118
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
106 | resource "aws_network_acl_rule" "public4_ingress" {
107 | count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
108 |
109 | network_acl_id = aws_network_acl.public[0].id
110 | rule_action = "allow"
111 | rule_number = var.open_network_acl_ipv4_rule_number
112 |
113 | egress = false
114 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
115 | from_port = 0
116 | to_port = 0
117 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
118 | }
Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
File: /public.tf:106-118
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
106 | resource "aws_network_acl_rule" "public4_ingress" {
107 | count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
108 |
109 | network_acl_id = aws_network_acl.public[0].id
110 | rule_action = "allow"
111 | rule_number = var.open_network_acl_ipv4_rule_number
112 |
113 | egress = false
114 | cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
115 | from_port = 0
116 | to_port = 0
117 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
118 | }
Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
File: /public.tf:134-146
Calling File: /examples/nacls/main.tf:20-45
134 | resource "aws_network_acl_rule" "public6_ingress" {
135 | count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
136 |
137 | network_acl_id = aws_network_acl.public[0].id
138 | rule_action = "allow"
139 | rule_number = var.open_network_acl_ipv6_rule_number
140 |
141 | egress = false
142 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
143 | from_port = 0
144 | to_port = 0
145 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
146 | }
Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
File: /public.tf:134-146
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
134 | resource "aws_network_acl_rule" "public6_ingress" {
135 | count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
136 |
137 | network_acl_id = aws_network_acl.public[0].id
138 | rule_action = "allow"
139 | rule_number = var.open_network_acl_ipv6_rule_number
140 |
141 | egress = false
142 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
143 | from_port = 0
144 | to_port = 0
145 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
146 | }
Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
File: /public.tf:134-146
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
134 | resource "aws_network_acl_rule" "public6_ingress" {
135 | count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
136 |
137 | network_acl_id = aws_network_acl.public[0].id
138 | rule_action = "allow"
139 | rule_number = var.open_network_acl_ipv6_rule_number
140 |
141 | egress = false
142 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
143 | from_port = 0
144 | to_port = 0
145 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
146 | }
Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
File: /public.tf:134-146
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
134 | resource "aws_network_acl_rule" "public6_ingress" {
135 | count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
136 |
137 | network_acl_id = aws_network_acl.public[0].id
138 | rule_action = "allow"
139 | rule_number = var.open_network_acl_ipv6_rule_number
140 |
141 | egress = false
142 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
143 | from_port = 0
144 | to_port = 0
145 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
146 | }
Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
File: /public.tf:134-146
Calling File: /examples/nacls/main.tf:20-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
134 | resource "aws_network_acl_rule" "public6_ingress" {
135 | count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
136 |
137 | network_acl_id = aws_network_acl.public[0].id
138 | rule_action = "allow"
139 | rule_number = var.open_network_acl_ipv6_rule_number
140 |
141 | egress = false
142 | ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
143 | from_port = 0
144 | to_port = 0
145 | protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
146 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat_ips
File: /examples/existing-ips/main.tf:15-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
15 | resource "aws_eip" "nat_ips" {
16 | count = length(var.availability_zones)
17 |
18 | vpc = true
19 |
20 | depends_on = [
21 | module.vpc
22 | ]
23 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.subnets.aws_security_group.nat_instance[0]
File: /nat-instance.tf:20-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
20 | resource "aws_security_group" "nat_instance" {
21 | count = local.nat_instance_enabled ? 1 : 0
22 |
23 | name = module.nat_instance_label.id
24 | description = "Security Group for NAT Instance"
25 | vpc_id = local.vpc_id
26 | tags = module.nat_instance_label.tags
27 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.subnets.aws_instance.nat_instance
File: /nat-instance.tf:75-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
75 | resource "aws_instance" "nat_instance" {
76 | count = local.nat_instance_enabled ? local.nat_count : 0
77 |
78 | ami = local.nat_instance_ami_id
79 | instance_type = var.nat_instance_type
80 | subnet_id = aws_subnet.public[count.index].id
81 | vpc_security_group_ids = [aws_security_group.nat_instance[0].id]
82 |
83 | tags = merge(
84 | module.nat_instance_label.tags,
85 | {
86 | "Name" = format("%s%s%s", module.nat_instance_label.id, local.delimiter, local.subnet_az_abbreviations[count.index])
87 | }
88 | )
89 |
90 | # Required by NAT
91 | # https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
92 | source_dest_check = false
93 |
94 | #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
95 | #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
96 | #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.
97 | associate_public_ip_address = true #tfsec:ignore:AWS012
98 |
99 | metadata_options {
100 | http_endpoint = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
101 | http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
102 | http_tokens = var.metadata_http_tokens_required ? "required" : "optional"
103 | }
104 |
105 | root_block_device {
106 | encrypted = local.nat_instance_root_block_device_encrypted
107 | }
108 |
109 | dynamic "credit_specification" {
110 | for_each = var.nat_instance_cpu_credits_override == "" ? [] : [var.nat_instance_cpu_credits_override]
111 |
112 | content {
113 | cpu_credits = var.nat_instance_cpu_credits_override
114 | }
115 | }
116 |
117 | ebs_optimized = true
118 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools