Experience Builder


Terraform

Repository
cloudposse / terraform-aws-elasticsearch
Description

Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash.

Stars

207

Failed Checks
  • Security Scanning
  • Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output

    2023-10-05 14:51:28,770 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:51:28,770 [MainThread  ] [WARNI]  Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:51:28,770 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:0.18.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:51:28,770 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamic-subnets/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 48, Failed checks: 13, Skipped checks: 0
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
    	File: /main.tf:42-51
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
    		43 |   count             = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
    		44 |   description       = "Allow inbound traffic from CIDR blocks"
    		45 |   type              = "ingress"
    		46 |   from_port         = var.ingress_port_range_start
    		47 |   to_port           = var.ingress_port_range_end
    		48 |   protocol          = "tcp"
    		49 |   cidr_blocks       = var.allowed_cidr_blocks
    		50 |   security_group_id = join("", aws_security_group.default.*.id)
    		51 | }
    
    Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
    	File: /main.tf:42-51
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
    
    		42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
    		43 |   count             = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
    		44 |   description       = "Allow inbound traffic from CIDR blocks"
    		45 |   type              = "ingress"
    		46 |   from_port         = var.ingress_port_range_start
    		47 |   to_port           = var.ingress_port_range_end
    		48 |   protocol          = "tcp"
    		49 |   cidr_blocks       = var.allowed_cidr_blocks
    		50 |   security_group_id = join("", aws_security_group.default.*.id)
    		51 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.elasticsearch.aws_security_group_rule.ingress_cidr_blocks[0]
    	File: /main.tf:42-51
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		42 | resource "aws_security_group_rule" "ingress_cidr_blocks" {
    		43 |   count             = module.this.enabled && var.vpc_enabled && var.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
    		44 |   description       = "Allow inbound traffic from CIDR blocks"
    		45 |   type              = "ingress"
    		46 |   from_port         = var.ingress_port_range_start
    		47 |   to_port           = var.ingress_port_range_end
    		48 |   protocol          = "tcp"
    		49 |   cidr_blocks       = var.allowed_cidr_blocks
    		50 |   security_group_id = join("", aws_security_group.default.*.id)
    		51 | }
    
    Check: CKV_AWS_318: "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_228: "Verify Elasticsearch domain is using an up to date TLS policy"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticsearch-domain-uses-an-updated-tls-policy.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_247: "Ensure all data stored in the Elasticsearch is encrypted with a CMK"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-all-data-stored-in-the-elasticsearch-domain-is-encrypted-using-a-customer-managed-key-cmk.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_6: "Ensure all Elasticsearch has node-to-node encryption enabled"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_248: "Ensure that Elasticsearch is not using the default Security Group"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-elasticsearch-does-not-use-the-default-security-group.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_84: "Ensure Elasticsearch Domain Logging is enabled"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/elastisearch-policies/elasticsearch-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_317: "Ensure Elasticsearch Domain Audit Logging is enabled"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    	Calling File: /examples/non_vpc/main.tf:5-25
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_59: "Ensure ElasticSearch/OpenSearch has dedicated master node enabled"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_52: "Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled"
    	FAILED for resource: module.elasticsearch.aws_elasticsearch_domain.default
    	File: /main.tf:106-241
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.elasticsearch.aws_security_group.default[0]
    	File: /main.tf:19-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		19 | resource "aws_security_group" "default" {
    		20 |   count       = module.this.enabled && var.vpc_enabled && var.create_security_group ? 1 : 0
    		21 |   vpc_id      = var.vpc_id
    		22 |   name        = module.this.id
    		23 |   description = "Allow inbound traffic from Security Groups and CIDRs. Allow all outbound traffic"
    		24 |   tags        = module.this.tags
    		25 | 
    		26 |   lifecycle {
    		27 |     create_before_destroy = true
    		28 |   }
    		29 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    
    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: