| Repository | cloudposse / terraform-aws-elasticsearch |
|---|---|
| Description | Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash. |
| Stars | 207 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:28,770 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:28,770 [MainThread ] [WARNI] Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:28,770 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.18.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:28,770 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 48, Failed checks: 13, Skipped checks: 0
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
File: /main.tf:42-51
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
43 | count = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
44 | description = "Allow inbound traffic from CIDR blocks"
45 | type = "ingress"
46 | from_port = var.ingress_port_range_start
47 | to_port = var.ingress_port_range_end
48 | protocol = "tcp"
49 | cidr_blocks = var.allowed_cidr_blocks
50 | security_group_id = join("", aws_security_group.default.*.id)
51 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
File: /main.tf:42-51
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
43 | count = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
44 | description = "Allow inbound traffic from CIDR blocks"
45 | type = "ingress"
46 | from_port = var.ingress_port_range_start
47 | to_port = var.ingress_port_range_end
48 | protocol = "tcp"
49 | cidr_blocks = var.allowed_cidr_blocks
50 | security_group_id = join("", aws_security_group.default.*.id)
51 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
File: /main.tf:42-51
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
43 | count = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
44 | description = "Allow inbound traffic from CIDR blocks"
45 | type = "ingress"
46 | from_port = var.ingress_port_range_start
47 | to_port = var.ingress_port_range_end
48 | protocol = "tcp"
49 | cidr_blocks = var.allowed_cidr_blocks
50 | security_group_id = join("", aws_security_group.default.*.id)
51 | }
Check: CKV_AWS_318: "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_228: "Verify Elasticsearch domain is using an up to date TLS policy"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticsearch-domain-uses-an-updated-tls-policy.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_247: "Ensure all data stored in the Elasticsearch is encrypted with a CMK"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-all-data-stored-in-the-elasticsearch-domain-is-encrypted-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_6: "Ensure all Elasticsearch has node-to-node encryption enabled"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_248: "Ensure that Elasticsearch is not using the default Security Group"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-elasticsearch-does-not-use-the-default-security-group.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_84: "Ensure Elasticsearch Domain Logging is enabled"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/elastisearch-policies/elasticsearch-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_317: "Ensure Elasticsearch Domain Audit Logging is enabled"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Calling File: /examples/non_vpc/main.tf:5-25
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_59: "Ensure ElasticSearch/OpenSearch has dedicated master node enabled"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_52: "Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled"
FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
File: /main.tf:106-241
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.elasticsearch.aws_security_group.default[0]
File: /main.tf:19-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
19 | resource "aws_security_group" "default" {
20 | count = module.this.enabled && var.vpc_enabled && var.create_security_group ? 1 : 0
21 | vpc_id = var.vpc_id
22 | name = module.this.id
23 | description = "Allow inbound traffic from Security Groups and CIDRs. Allow all outbound traffic"
24 | tags = module.this.tags
25 |
26 | lifecycle {
27 | create_before_destroy = true
28 | }
29 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools