
Repository
cloudposse / terraform-aws-dynamic-subnets
Description

Terraform module for public and private subnets provisioning in existing VPC

Stars

 173

Failed Checks
  •  Security Scanning
     Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the repository's CI/CD tool configuration files.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:53:44,527 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:53:44,527 [MainThread  ] [WARNI]  Failed to download module cloudposse/utils/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:53:44,527 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:2.0.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 137, Failed checks: 25, Skipped checks: 21
    
    Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
    	FAILED for resource: aws_network_acl_rule.custom_private_ingress_account
    	File: /examples/nacls/private-nacls.local.tf:111-123
    
    		111 | resource "aws_network_acl_rule" "custom_private_ingress_account" {
    		112 |   count = local.custom_private_nacls_enabled ? length(local.private_open_cidrs) : 0
    		113 | 
    		114 |   network_acl_id = one(aws_network_acl.custom_private[*].id)
    		115 |   rule_action    = "allow"
    		116 |   rule_number    = 80 + count.index
    		117 | 
    		118 |   egress     = false
    		119 |   cidr_block = local.private_open_cidrs[count.index]
    		120 |   from_port  = 0
    		121 |   to_port    = 65535
    		122 |   protocol   = "tcp"
    		123 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.subnets.aws_instance.nat_instance
    	File: /nat-instance.tf:75-118
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		75  | resource "aws_instance" "nat_instance" {
    		76  |   count = local.nat_instance_enabled ? local.nat_count : 0
    		77  | 
    		78  |   ami                    = local.nat_instance_ami_id
    		79  |   instance_type          = var.nat_instance_type
    		80  |   subnet_id              = aws_subnet.public[count.index].id
    		81  |   vpc_security_group_ids = [aws_security_group.nat_instance[0].id]
    		82  | 
    		83  |   tags = merge(
    		84  |     module.nat_instance_label.tags,
    		85  |     {
    		86  |       "Name" = format("%s%s%s", module.nat_instance_label.id, local.delimiter, local.subnet_az_abbreviations[count.index])
    		87  |     }
    		88  |   )
    		89  | 
    		90  |   # Required by NAT
    		91  |   # https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
    		92  |   source_dest_check = false
    		93  | 
    		94  |   #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
    		95  |   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
    		96  |   #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.
    		97  |   associate_public_ip_address = true #tfsec:ignore:AWS012
    		98  | 
    		99  |   metadata_options {
    		100 |     http_endpoint               = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
    		101 |     http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
    		102 |     http_tokens                 = var.metadata_http_tokens_required ? "required" : "optional"
    		103 |   }
    		104 | 
    		105 |   root_block_device {
    		106 |     encrypted = local.nat_instance_root_block_device_encrypted
    		107 |   }
    		108 | 
    		109 |   dynamic "credit_specification" {
    		110 |     for_each = var.nat_instance_cpu_credits_override == "" ? [] : [var.nat_instance_cpu_credits_override]
    		111 | 
    		112 |     content {
    		113 |       cpu_credits = var.nat_instance_cpu_credits_override
    		114 |     }
    		115 |   }
    		116 | 
    		117 |   ebs_optimized = true
    		118 | }
    
    Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
    	File: /private.tf:95-107
    	Calling File: /examples/nacls/main.tf:20-45
    
    		95  | resource "aws_network_acl_rule" "private4_ingress" {
    		96  |   count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
    		97  | 
    		98  |   network_acl_id = aws_network_acl.private[0].id
    		99  |   rule_action    = "allow"
    		100 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		101 | 
    		102 |   egress     = false
    		103 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		104 |   from_port  = 0
    		105 |   to_port    = 0
    		106 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		107 | }
    
    Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
    	File: /private.tf:95-107
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
    
    		95  | resource "aws_network_acl_rule" "private4_ingress" {
    		96  |   count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
    		97  | 
    		98  |   network_acl_id = aws_network_acl.private[0].id
    		99  |   rule_action    = "allow"
    		100 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		101 | 
    		102 |   egress     = false
    		103 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		104 |   from_port  = 0
    		105 |   to_port    = 0
    		106 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		107 | }
    
    Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
    	File: /private.tf:95-107
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
    
    		95  | resource "aws_network_acl_rule" "private4_ingress" {
    		96  |   count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
    		97  | 
    		98  |   network_acl_id = aws_network_acl.private[0].id
    		99  |   rule_action    = "allow"
    		100 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		101 | 
    		102 |   egress     = false
    		103 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		104 |   from_port  = 0
    		105 |   to_port    = 0
    		106 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		107 | }
    
    Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
    	File: /private.tf:95-107
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
    
    		95  | resource "aws_network_acl_rule" "private4_ingress" {
    		96  |   count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
    		97  | 
    		98  |   network_acl_id = aws_network_acl.private[0].id
    		99  |   rule_action    = "allow"
    		100 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		101 | 
    		102 |   egress     = false
    		103 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		104 |   from_port  = 0
    		105 |   to_port    = 0
    		106 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		107 | }
    
    Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private4_ingress[0]
    	File: /private.tf:95-107
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
    
    		95  | resource "aws_network_acl_rule" "private4_ingress" {
    		96  |   count = local.private_open_network_acl_enabled && local.private4_enabled ? 1 : 0
    		97  | 
    		98  |   network_acl_id = aws_network_acl.private[0].id
    		99  |   rule_action    = "allow"
    		100 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		101 | 
    		102 |   egress     = false
    		103 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		104 |   from_port  = 0
    		105 |   to_port    = 0
    		106 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		107 | }
    
    Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
    	File: /private.tf:123-135
    	Calling File: /examples/nacls/main.tf:20-45
    
    		123 | resource "aws_network_acl_rule" "private6_ingress" {
    		124 |   count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
    		125 | 
    		126 |   network_acl_id = aws_network_acl.private[0].id
    		127 |   rule_action    = "allow"
    		128 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		129 | 
    		130 |   egress          = false
    		131 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		132 |   from_port       = 0
    		133 |   to_port         = 0
    		134 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		135 | }
    
    Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
    	File: /private.tf:123-135
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
    
    		123 | resource "aws_network_acl_rule" "private6_ingress" {
    		124 |   count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
    		125 | 
    		126 |   network_acl_id = aws_network_acl.private[0].id
    		127 |   rule_action    = "allow"
    		128 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		129 | 
    		130 |   egress          = false
    		131 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		132 |   from_port       = 0
    		133 |   to_port         = 0
    		134 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		135 | }
    
    Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
    	File: /private.tf:123-135
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
    
    		123 | resource "aws_network_acl_rule" "private6_ingress" {
    		124 |   count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
    		125 | 
    		126 |   network_acl_id = aws_network_acl.private[0].id
    		127 |   rule_action    = "allow"
    		128 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		129 | 
    		130 |   egress          = false
    		131 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		132 |   from_port       = 0
    		133 |   to_port         = 0
    		134 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		135 | }
    
    Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
    	File: /private.tf:123-135
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
    
    		123 | resource "aws_network_acl_rule" "private6_ingress" {
    		124 |   count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
    		125 | 
    		126 |   network_acl_id = aws_network_acl.private[0].id
    		127 |   rule_action    = "allow"
    		128 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		129 | 
    		130 |   egress          = false
    		131 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		132 |   from_port       = 0
    		133 |   to_port         = 0
    		134 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		135 | }
    
    Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.subnets.aws_network_acl_rule.private6_ingress[0]
    	File: /private.tf:123-135
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
    
    		123 | resource "aws_network_acl_rule" "private6_ingress" {
    		124 |   count = local.private_open_network_acl_enabled && local.private6_enabled ? 1 : 0
    		125 | 
    		126 |   network_acl_id = aws_network_acl.private[0].id
    		127 |   rule_action    = "allow"
    		128 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		129 | 
    		130 |   egress          = false
    		131 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		132 |   from_port       = 0
    		133 |   to_port         = 0
    		134 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		135 | }
    
    Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
    	File: /public.tf:106-118
    	Calling File: /examples/nacls/main.tf:20-45
    
    		106 | resource "aws_network_acl_rule" "public4_ingress" {
    		107 |   count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
    		108 | 
    		109 |   network_acl_id = aws_network_acl.public[0].id
    		110 |   rule_action    = "allow"
    		111 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		112 | 
    		113 |   egress     = false
    		114 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		115 |   from_port  = 0
    		116 |   to_port    = 0
    		117 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		118 | }
    
    Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
    	File: /public.tf:106-118
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
    
    		106 | resource "aws_network_acl_rule" "public4_ingress" {
    		107 |   count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
    		108 | 
    		109 |   network_acl_id = aws_network_acl.public[0].id
    		110 |   rule_action    = "allow"
    		111 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		112 | 
    		113 |   egress     = false
    		114 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		115 |   from_port  = 0
    		116 |   to_port    = 0
    		117 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		118 | }
    
    Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
    	File: /public.tf:106-118
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
    
    		106 | resource "aws_network_acl_rule" "public4_ingress" {
    		107 |   count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
    		108 | 
    		109 |   network_acl_id = aws_network_acl.public[0].id
    		110 |   rule_action    = "allow"
    		111 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		112 | 
    		113 |   egress     = false
    		114 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		115 |   from_port  = 0
    		116 |   to_port    = 0
    		117 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		118 | }
    
    Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
    	File: /public.tf:106-118
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
    
    		106 | resource "aws_network_acl_rule" "public4_ingress" {
    		107 |   count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
    		108 | 
    		109 |   network_acl_id = aws_network_acl.public[0].id
    		110 |   rule_action    = "allow"
    		111 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		112 | 
    		113 |   egress     = false
    		114 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		115 |   from_port  = 0
    		116 |   to_port    = 0
    		117 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		118 | }
    
    Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public4_ingress[0]
    	File: /public.tf:106-118
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
    
    		106 | resource "aws_network_acl_rule" "public4_ingress" {
    		107 |   count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
    		108 | 
    		109 |   network_acl_id = aws_network_acl.public[0].id
    		110 |   rule_action    = "allow"
    		111 |   rule_number    = var.open_network_acl_ipv4_rule_number
    		112 | 
    		113 |   egress     = false
    		114 |   cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		115 |   from_port  = 0
    		116 |   to_port    = 0
    		117 |   protocol   = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		118 | }
    
    Check: CKV_AWS_352: "Ensure NACL ingress does not allow all Ports"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
    	File: /public.tf:134-146
    	Calling File: /examples/nacls/main.tf:20-45
    
    		134 | resource "aws_network_acl_rule" "public6_ingress" {
    		135 |   count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
    		136 | 
    		137 |   network_acl_id = aws_network_acl.public[0].id
    		138 |   rule_action    = "allow"
    		139 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		140 | 
    		141 |   egress          = false
    		142 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		143 |   from_port       = 0
    		144 |   to_port         = 0
    		145 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		146 | }
    
    Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
    	File: /public.tf:134-146
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
    
    		134 | resource "aws_network_acl_rule" "public6_ingress" {
    		135 |   count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
    		136 | 
    		137 |   network_acl_id = aws_network_acl.public[0].id
    		138 |   rule_action    = "allow"
    		139 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		140 | 
    		141 |   egress          = false
    		142 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		143 |   from_port       = 0
    		144 |   to_port         = 0
    		145 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		146 | }
    
    Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
    	File: /public.tf:134-146
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
    
    		134 | resource "aws_network_acl_rule" "public6_ingress" {
    		135 |   count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
    		136 | 
    		137 |   network_acl_id = aws_network_acl.public[0].id
    		138 |   rule_action    = "allow"
    		139 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		140 | 
    		141 |   egress          = false
    		142 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		143 |   from_port       = 0
    		144 |   to_port         = 0
    		145 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		146 | }
    
    Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
    	File: /public.tf:134-146
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
    
    		134 | resource "aws_network_acl_rule" "public6_ingress" {
    		135 |   count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
    		136 | 
    		137 |   network_acl_id = aws_network_acl.public[0].id
    		138 |   rule_action    = "allow"
    		139 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		140 | 
    		141 |   egress          = false
    		142 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		143 |   from_port       = 0
    		144 |   to_port         = 0
    		145 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		146 | }
    
    Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.subnets.aws_network_acl_rule.public6_ingress[0]
    	File: /public.tf:134-146
    	Calling File: /examples/nacls/main.tf:20-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
    
    		134 | resource "aws_network_acl_rule" "public6_ingress" {
    		135 |   count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
    		136 | 
    		137 |   network_acl_id = aws_network_acl.public[0].id
    		138 |   rule_action    = "allow"
    		139 |   rule_number    = var.open_network_acl_ipv6_rule_number
    		140 | 
    		141 |   egress          = false
    		142 |   ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
    		143 |   from_port       = 0
    		144 |   to_port         = 0
    		145 |   protocol        = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
    		146 | }
    
    Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
    	FAILED for resource: aws_eip.nat_ips
    	File: /examples/existing-ips/main.tf:15-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
    
    		15 | resource "aws_eip" "nat_ips" {
    		16 |   count = length(var.availability_zones)
    		17 | 
    		18 |   vpc = true
    		19 | 
    		20 |   depends_on = [
    		21 |     module.vpc
    		22 |   ]
    		23 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.subnets.aws_security_group.nat_instance[0]
    	File: /nat-instance.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		20 | resource "aws_security_group" "nat_instance" {
    		21 |   count = local.nat_instance_enabled ? 1 : 0
    		22 | 
    		23 |   name        = module.nat_instance_label.id
    		24 |   description = "Security Group for NAT Instance"
    		25 |   vpc_id      = local.vpc_id
    		26 |   tags        = module.nat_instance_label.tags
    		27 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: module.subnets.aws_instance.nat_instance
    	File: /nat-instance.tf:75-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		75  | resource "aws_instance" "nat_instance" {
    		76  |   count = local.nat_instance_enabled ? local.nat_count : 0
    		77  | 
    		78  |   ami                    = local.nat_instance_ami_id
    		79  |   instance_type          = var.nat_instance_type
    		80  |   subnet_id              = aws_subnet.public[count.index].id
    		81  |   vpc_security_group_ids = [aws_security_group.nat_instance[0].id]
    		82  | 
    		83  |   tags = merge(
    		84  |     module.nat_instance_label.tags,
    		85  |     {
    		86  |       "Name" = format("%s%s%s", module.nat_instance_label.id, local.delimiter, local.subnet_az_abbreviations[count.index])
    		87  |     }
    		88  |   )
    		89  | 
    		90  |   # Required by NAT
    		91  |   # https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
    		92  |   source_dest_check = false
    		93  | 
    		94  |   #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
    		95  |   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
    		96  |   #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.
    		97  |   associate_public_ip_address = true #tfsec:ignore:AWS012
    		98  | 
    		99  |   metadata_options {
    		100 |     http_endpoint               = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
    		101 |     http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
    		102 |     http_tokens                 = var.metadata_http_tokens_required ? "required" : "optional"
    		103 |   }
    		104 | 
    		105 |   root_block_device {
    		106 |     encrypted = local.nat_instance_root_block_device_encrypted
    		107 |   }
    		108 | 
    		109 |   dynamic "credit_specification" {
    		110 |     for_each = var.nat_instance_cpu_credits_override == "" ? [] : [var.nat_instance_cpu_credits_override]
    		111 | 
    		112 |     content {
    		113 |       cpu_credits = var.nat_instance_cpu_credits_override
    		114 |     }
    		115 |   }
    		116 | 
    		117 |   ebs_optimized = true
    		118 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be configured in any of the repository's CI/CD tool configuration files.

    There is an opportunity to: