Experience Builder


Terraform

< Back

Repository
cloudposse / terraform-aws-ecs-codepipeline
Description

Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/

Stars

 142

Failed Checks
  •  Security Scanning
     Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:55:12,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/codebuild/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/repository-webhooks/github:0.13.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:0.18.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamic-subnets/aws:0.39.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-container-definition/aws:0.46.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:55:12,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-alb-service-task/aws:0.42.3 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 82, Failed checks: 16, Skipped checks: 0
    
    Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
    	FAILED for resource: aws_ecs_cluster.default
    	File: /examples/complete/main.tf:26-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
    
    		26 | resource "aws_ecs_cluster" "default" {
    		27 |   name = module.this.id
    		28 |   tags = module.this.tags
    		29 | }
    
    Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
    	FAILED for resource: module.ecs_codepipeline.aws_codepipeline.default[0]
    	File: /main.tf:260-340
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
    	FAILED for resource: module.ecs_codepipeline.aws_codepipeline.bitbucket
    	File: /main.tf:343-418
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
    	File: /main.tf:64-85
    	Calling File: /examples/complete/main.tf:70-92
    
    		64 | data "aws_iam_policy_document" "default" {
    		65 |   statement {
    		66 |     sid = ""
    		67 | 
    		68 |     actions = [
    		69 |       "ec2:*",
    		70 |       "elasticloadbalancing:*",
    		71 |       "autoscaling:*",
    		72 |       "cloudwatch:*",
    		73 |       "s3:*",
    		74 |       "sns:*",
    		75 |       "cloudformation:*",
    		76 |       "rds:*",
    		77 |       "sqs:*",
    		78 |       "ecs:*",
    		79 |       "iam:PassRole"
    		80 |     ]
    		81 | 
    		82 |     resources = ["*"]
    		83 |     effect    = "Allow"
    		84 |   }
    		85 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
    	File: /main.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		13 | resource "aws_s3_bucket" "default" {
    		14 |   count         = module.this.enabled ? 1 : 0
    		15 |   bucket        = module.codepipeline_label.id
    		16 |   acl           = "private"
    		17 |   force_destroy = var.s3_bucket_force_destroy
    		18 |   tags          = module.codepipeline_label.tags
    		19 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: