

Terraform


Repository
cloudposse / terraform-aws-jenkins
Description

Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack

Stars

 252

Failed Checks
  •  Security Scanning
     Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:50:49,865 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,865 [MainThread  ] [WARNI]  Failed to download module cloudposse/elastic-beanstalk-application/aws:0.11.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,865 [MainThread  ] [WARNI]  Failed to download module cloudposse/elastic-beanstalk-environment/aws:0.46.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,865 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecr/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,865 [MainThread  ] [WARNI]  Failed to download module cloudposse/efs/aws:0.32.7 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,866 [MainThread  ] [WARNI]  Failed to download module cloudposse/backup/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,866 [MainThread  ] [WARNI]  Failed to download module cloudposse/cicd/aws:0.19.5 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,866 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,866 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:0.18.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,866 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamic-subnets/aws:0.33.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:49,867 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=master:None (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 18, Failed checks: 6, Skipped checks: 0
    
    Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
    	FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
    	File: /main.tf:173-201
    	Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
    
    		173 | data "aws_iam_policy_document" "slaves" {
    		174 |   statement {
    		175 |     sid = "AllowLaunchingEC2Instances"
    		176 | 
    		177 |     actions = [
    		178 |       "ec2:DescribeSpotInstanceRequests",
    		179 |       "ec2:CancelSpotInstanceRequests",
    		180 |       "ec2:GetConsoleOutput",
    		181 |       "ec2:RequestSpotInstances",
    		182 |       "ec2:RunInstances",
    		183 |       "ec2:StartInstances",
    		184 |       "ec2:StopInstances",
    		185 |       "ec2:TerminateInstances",
    		186 |       "ec2:CreateTags",
    		187 |       "ec2:DeleteTags",
    		188 |       "ec2:DescribeInstances",
    		189 |       "ec2:DescribeKeyPairs",
    		190 |       "ec2:DescribeRegions",
    		191 |       "ec2:DescribeImages",
    		192 |       "ec2:DescribeAvailabilityZones",
    		193 |       "ec2:DescribeSecurityGroups",
    		194 |       "ec2:DescribeSubnets",
    		195 |       "iam:PassRole"
    		196 |     ]
    		197 | 
    		198 |     resources = ["*"]
    		199 |     effect    = "Allow"
    		200 |   }
    		201 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
    	File: /main.tf:173-201
    	Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		173 | data "aws_iam_policy_document" "slaves" {
    		174 |   statement {
    		175 |     sid = "AllowLaunchingEC2Instances"
    		176 | 
    		177 |     actions = [
    		178 |       "ec2:DescribeSpotInstanceRequests",
    		179 |       "ec2:CancelSpotInstanceRequests",
    		180 |       "ec2:GetConsoleOutput",
    		181 |       "ec2:RequestSpotInstances",
    		182 |       "ec2:RunInstances",
    		183 |       "ec2:StartInstances",
    		184 |       "ec2:StopInstances",
    		185 |       "ec2:TerminateInstances",
    		186 |       "ec2:CreateTags",
    		187 |       "ec2:DeleteTags",
    		188 |       "ec2:DescribeInstances",
    		189 |       "ec2:DescribeKeyPairs",
    		190 |       "ec2:DescribeRegions",
    		191 |       "ec2:DescribeImages",
    		192 |       "ec2:DescribeAvailabilityZones",
    		193 |       "ec2:DescribeSecurityGroups",
    		194 |       "ec2:DescribeSubnets",
    		195 |       "iam:PassRole"
    		196 |     ]
    		197 | 
    		198 |     resources = ["*"]
    		199 |     effect    = "Allow"
    		200 |   }
    		201 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
    	File: /main.tf:173-201
    	Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		173 | data "aws_iam_policy_document" "slaves" {
    		174 |   statement {
    		175 |     sid = "AllowLaunchingEC2Instances"
    		176 | 
    		177 |     actions = [
    		178 |       "ec2:DescribeSpotInstanceRequests",
    		179 |       "ec2:CancelSpotInstanceRequests",
    		180 |       "ec2:GetConsoleOutput",
    		181 |       "ec2:RequestSpotInstances",
    		182 |       "ec2:RunInstances",
    		183 |       "ec2:StartInstances",
    		184 |       "ec2:StopInstances",
    		185 |       "ec2:TerminateInstances",
    		186 |       "ec2:CreateTags",
    		187 |       "ec2:DeleteTags",
    		188 |       "ec2:DescribeInstances",
    		189 |       "ec2:DescribeKeyPairs",
    		190 |       "ec2:DescribeRegions",
    		191 |       "ec2:DescribeImages",
    		192 |       "ec2:DescribeAvailabilityZones",
    		193 |       "ec2:DescribeSecurityGroups",
    		194 |       "ec2:DescribeSubnets",
    		195 |       "iam:PassRole"
    		196 |     ]
    		197 | 
    		198 |     resources = ["*"]
    		199 |     effect    = "Allow"
    		200 |   }
    		201 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
    	File: /main.tf:173-201
    	Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
    
    		173 | data "aws_iam_policy_document" "slaves" {
    		174 |   statement {
    		175 |     sid = "AllowLaunchingEC2Instances"
    		176 | 
    		177 |     actions = [
    		178 |       "ec2:DescribeSpotInstanceRequests",
    		179 |       "ec2:CancelSpotInstanceRequests",
    		180 |       "ec2:GetConsoleOutput",
    		181 |       "ec2:RequestSpotInstances",
    		182 |       "ec2:RunInstances",
    		183 |       "ec2:StartInstances",
    		184 |       "ec2:StopInstances",
    		185 |       "ec2:TerminateInstances",
    		186 |       "ec2:CreateTags",
    		187 |       "ec2:DeleteTags",
    		188 |       "ec2:DescribeInstances",
    		189 |       "ec2:DescribeKeyPairs",
    		190 |       "ec2:DescribeRegions",
    		191 |       "ec2:DescribeImages",
    		192 |       "ec2:DescribeAvailabilityZones",
    		193 |       "ec2:DescribeSecurityGroups",
    		194 |       "ec2:DescribeSubnets",
    		195 |       "iam:PassRole"
    		196 |     ]
    		197 | 
    		198 |     resources = ["*"]
    		199 |     effect    = "Allow"
    		200 |   }
    		201 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: module.jenkins.aws_security_group.slaves
    	File: /main.tf:140-169
    	Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		140 | resource "aws_security_group" "slaves" {
    		141 |   name        = module.label_slaves.id
    		142 |   description = "Security Group for Jenkins EC2 slaves"
    		143 |   vpc_id      = var.vpc_id
    		144 | 
    		145 |   # Allow the provided Security Groups to connect to Jenkins slave instances
    		146 |   ingress {
    		147 |     from_port       = 0
    		148 |     to_port         = 0
    		149 |     protocol        = -1
    		150 |     security_groups = var.associated_security_group_ids
    		151 |   }
    		152 | 
    		153 |   # Allow Jenkins master instance to communicate with Jenkins slave instances on SSH port 22
    		154 |   ingress {
    		155 |     from_port       = 22
    		156 |     to_port         = 22
    		157 |     protocol        = "tcp"
    		158 |     security_groups = [module.elastic_beanstalk_environment.security_group_id]
    		159 |   }
    		160 | 
    		161 |   egress {
    		162 |     from_port   = 0
    		163 |     to_port     = 0
    		164 |     protocol    = "-1"
    		165 |     cidr_blocks = ["0.0.0.0/0"]
    		166 |   }
    		167 | 
    		168 |   tags = module.label_slaves.tags
    		169 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.jenkins.aws_security_group.slaves
    	File: /main.tf:140-169
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		140 | resource "aws_security_group" "slaves" {
    		141 |   name        = module.label_slaves.id
    		142 |   description = "Security Group for Jenkins EC2 slaves"
    		143 |   vpc_id      = var.vpc_id
    		144 | 
    		145 |   # Allow the provided Security Groups to connect to Jenkins slave instances
    		146 |   ingress {
    		147 |     from_port       = 0
    		148 |     to_port         = 0
    		149 |     protocol        = -1
    		150 |     security_groups = var.associated_security_group_ids
    		151 |   }
    		152 | 
    		153 |   # Allow Jenkins master instance to communicate with Jenkins slave instances on SSH port 22
    		154 |   ingress {
    		155 |     from_port       = 22
    		156 |     to_port         = 22
    		157 |     protocol        = "tcp"
    		158 |     security_groups = [module.elastic_beanstalk_environment.security_group_id]
    		159 |   }
    		160 | 
    		161 |   egress {
    		162 |     from_port   = 0
    		163 |     to_port     = 0
    		164 |     protocol    = "-1"
    		165 |     cidr_blocks = ["0.0.0.0/0"]
    		166 |   }
    		167 | 
    		168 |   tags = module.label_slaves.tags
    		169 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: