Experience Builder


Terraform


Repository
cloudposse / terraform-aws-ec2-bastion-server
Description

Terraform module to define a generic Bastion host with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication.

Stars

 131

Failed Checks
  •  Security Scanning
  •  Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:55:33,480 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:33,481 [MainThread  ] [WARNI]  Failed to download module cloudposse/security-group/aws:0.3.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:33,481 [MainThread  ] [WARNI]  Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:33,481 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:33,481 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamic-subnets/aws:0.39.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:33,481 [MainThread  ] [WARNI]  Failed to download module cloudposse/key-pair/aws:0.18.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 24, Failed checks: 5, Skipped checks: 2
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
    	File: /iam.tf:41-103
    	Calling File: /examples/complete/main.tf:37-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
    	File: /iam.tf:41-103
    	Calling File: /examples/complete/main.tf:37-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
    	File: /iam.tf:41-103
    	Calling File: /examples/complete/main.tf:37-51
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.ec2_bastion.aws_instance.default
    	File: /main.tf:54-93
    	Calling File: /examples/complete/main.tf:37-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		54 | resource "aws_instance" "default" {
    		55 |   #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
    		56 |   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
    		57 |   count                       = module.this.enabled ? 1 : 0
    		58 |   ami                         = coalesce(var.ami, join("", data.aws_ami.default.*.id))
    		59 |   instance_type               = var.instance_type
    		60 |   user_data                   = length(var.user_data_base64) > 0 ? var.user_data_base64 : local.user_data_templated
    		61 |   vpc_security_group_ids      = compact(concat(module.security_group.*.id, var.security_groups))
    		62 |   iam_instance_profile        = local.instance_profile
    		63 |   associate_public_ip_address = var.associate_public_ip_address
    		64 |   key_name                    = var.key_name
    		65 |   subnet_id                   = var.subnets[0]
    		66 |   monitoring                  = var.monitoring
    		67 |   disable_api_termination     = var.disable_api_termination
    		68 | 
    		69 |   metadata_options {
    		70 |     http_endpoint               = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled"
    		71 |     http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
    		72 |     http_tokens                 = (var.metadata_http_tokens_required) ? "required" : "optional"
    		73 |   }
    		74 | 
    		75 |   root_block_device {
    		76 |     encrypted   = var.root_block_device_encrypted
    		77 |     volume_size = var.root_block_device_volume_size
    		78 |   }
    		79 | 
    		80 |   # Optional block; skipped if var.ebs_block_device_volume_size is zero
    		81 |   dynamic "ebs_block_device" {
    		82 |     for_each = var.ebs_block_device_volume_size > 0 ? [1] : []
    		83 | 
    		84 |     content {
    		85 |       encrypted             = var.ebs_block_device_encrypted
    		86 |       volume_size           = var.ebs_block_device_volume_size
    		87 |       delete_on_termination = var.ebs_delete_on_termination
    		88 |       device_name           = var.ebs_device_name
    		89 |     }
    		90 |   }
    		91 | 
    		92 |   tags = module.this.tags
    		93 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.ec2_bastion.aws_instance.default
    	File: /main.tf:54-93
    	Calling File: /examples/complete/main.tf:37-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		54 | resource "aws_instance" "default" {
    		55 |   #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
    		56 |   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
    		57 |   count                       = module.this.enabled ? 1 : 0
    		58 |   ami                         = coalesce(var.ami, join("", data.aws_ami.default.*.id))
    		59 |   instance_type               = var.instance_type
    		60 |   user_data                   = length(var.user_data_base64) > 0 ? var.user_data_base64 : local.user_data_templated
    		61 |   vpc_security_group_ids      = compact(concat(module.security_group.*.id, var.security_groups))
    		62 |   iam_instance_profile        = local.instance_profile
    		63 |   associate_public_ip_address = var.associate_public_ip_address
    		64 |   key_name                    = var.key_name
    		65 |   subnet_id                   = var.subnets[0]
    		66 |   monitoring                  = var.monitoring
    		67 |   disable_api_termination     = var.disable_api_termination
    		68 | 
    		69 |   metadata_options {
    		70 |     http_endpoint               = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled"
    		71 |     http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
    		72 |     http_tokens                 = (var.metadata_http_tokens_required) ? "required" : "optional"
    		73 |   }
    		74 | 
    		75 |   root_block_device {
    		76 |     encrypted   = var.root_block_device_encrypted
    		77 |     volume_size = var.root_block_device_volume_size
    		78 |   }
    		79 | 
    		80 |   # Optional block; skipped if var.ebs_block_device_volume_size is zero
    		81 |   dynamic "ebs_block_device" {
    		82 |     for_each = var.ebs_block_device_volume_size > 0 ? [1] : []
    		83 | 
    		84 |     content {
    		85 |       encrypted             = var.ebs_block_device_encrypted
    		86 |       volume_size           = var.ebs_block_device_volume_size
    		87 |       delete_on_termination = var.ebs_delete_on_termination
    		88 |       device_name           = var.ebs_device_name
    		89 |     }
    		90 |   }
    		91 | 
    		92 |   tags = module.this.tags
    		93 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: