| Repository | cloudposse / terraform-aws-jenkins |
|---|---|
| Description | Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack |
| Stars | 252 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
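A minimal CI gate around checkov for the second opportunity above, as an added example (not code from the module or from the Experience Builder site). Two details matter in practice: it passes `--download-external-modules true`, so registry and git modules like the `cloudposse/*` ones in the warnings below are fetched and scanned instead of silently skipped, and it records accepted findings with a reason rather than disabling the scan. The accepted entry, the script path and the sample report are assumptions; the report shape follows checkov's `-o json` output.

```python
"""CI gate around checkov for a Terraform module.
Added example; not part of cloudposse/terraform-aws-jenkins or of checkov."""
import json
import subprocess
import sys
from typing import Dict, Iterable, List

# Accepted findings: check id -> reason. Hypothetical entry: CKV2_AWS_5 flags a
# security group that no Terraform resource references. If the Jenkins EC2
# plugin attaches aws_security_group.slaves to agents at runtime, Terraform
# never sees that attachment, so the finding is accepted with that reason.
ACCEPTED: Dict[str, str] = {
    "CKV2_AWS_5": "slaves SG is attached by the Jenkins EC2 plugin at runtime",
}


def checkov_command(directory: str) -> List[str]:
    """Command line for the scan. All flags are real checkov options."""
    return [
        "checkov", "-d", directory,
        "--framework", "terraform",
        "--download-external-modules", "true",  # resolve registry/git modules
        "--output", "json",
        "--soft-fail",  # checkov exits 0; the gate below decides pass/fail
    ]


def failed_checks(report_json: str) -> List[dict]:
    """Flatten checkov's JSON report (one object per framework, or a list)."""
    report = json.loads(report_json)
    reports = report if isinstance(report, list) else [report]
    failed: List[dict] = []
    for r in reports:
        failed.extend(r.get("results", {}).get("failed_checks", []))
    return failed


def gate(failed: Iterable[dict], accepted: Dict[str, str]) -> List[str]:
    """One line per blocking finding; an empty list means the gate passes."""
    blocking = []
    for f in failed:
        if f["check_id"] in accepted:
            continue
        lo, hi = f.get("file_line_range", [0, 0])
        blocking.append(f'{f["check_id"]} {f["resource"]} {f["file_path"]}:{lo}-{hi}')
    return blocking


# Constructed sample in the shape of a trimmed checkov JSON report, mirroring
# two findings from the scan on this page, so the gate can be exercised offline.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_110",
             "check_name": "Ensure IAM policies does not allow privilege escalation",
             "resource": "module.jenkins.aws_iam_policy_document.slaves",
             "file_path": "/main.tf", "file_line_range": [173, 201]},
            {"check_id": "CKV2_AWS_5",
             "check_name": "Ensure that Security Groups are attached to another resource",
             "resource": "module.jenkins.aws_security_group.slaves",
             "file_path": "/main.tf", "file_line_range": [140, 169]},
        ],
        "skipped_checks": [], "parsing_errors": [],
    },
    "summary": {"passed": 18, "failed": 2, "skipped": 0},
})


def main(argv: List[str]) -> int:
    directory = argv[1] if len(argv) > 1 else "."
    proc = subprocess.run(checkov_command(directory), capture_output=True, text=True)
    if not proc.stdout.strip():  # no report at all: treat as a scanner failure
        print(proc.stderr, file=sys.stderr)
        return 2
    blocking = gate(failed_checks(proc.stdout), ACCEPTED)
    for line in blocking:
        print("BLOCKING", line)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as one step of the existing workflow (for instance `python ci/checkov_gate.py .`, a hypothetical path) and let its exit status fail the job. checkov also ships a GitHub Action, `bridgecrewio/checkov-action`, which exposes most of the same options as inputs; whichever route is used, the external-module download and an explicit, reasoned accept list are the parts worth keeping.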
Checkov Output
2023-10-05 14:50:49,865 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,865 [MainThread ] [WARNI] Failed to download module cloudposse/elastic-beanstalk-application/aws:0.11.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,865 [MainThread ] [WARNI] Failed to download module cloudposse/elastic-beanstalk-environment/aws:0.46.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,865 [MainThread ] [WARNI] Failed to download module cloudposse/ecr/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,865 [MainThread ] [WARNI] Failed to download module cloudposse/efs/aws:0.32.7 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,866 [MainThread ] [WARNI] Failed to download module cloudposse/backup/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,866 [MainThread ] [WARNI] Failed to download module cloudposse/cicd/aws:0.19.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,866 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,866 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.18.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,866 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.33.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:49,867 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=master:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 18, Failed checks: 6, Skipped checks: 0
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
File: /main.tf:173-201
Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
173 | data "aws_iam_policy_document" "slaves" {
174 | statement {
175 | sid = "AllowLaunchingEC2Instances"
176 |
177 | actions = [
178 | "ec2:DescribeSpotInstanceRequests",
179 | "ec2:CancelSpotInstanceRequests",
180 | "ec2:GetConsoleOutput",
181 | "ec2:RequestSpotInstances",
182 | "ec2:RunInstances",
183 | "ec2:StartInstances",
184 | "ec2:StopInstances",
185 | "ec2:TerminateInstances",
186 | "ec2:CreateTags",
187 | "ec2:DeleteTags",
188 | "ec2:DescribeInstances",
189 | "ec2:DescribeKeyPairs",
190 | "ec2:DescribeRegions",
191 | "ec2:DescribeImages",
192 | "ec2:DescribeAvailabilityZones",
193 | "ec2:DescribeSecurityGroups",
194 | "ec2:DescribeSubnets",
195 | "iam:PassRole"
196 | ]
197 |
198 | resources = ["*"]
199 | effect = "Allow"
200 | }
201 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
File: /main.tf:173-201
Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
173 | data "aws_iam_policy_document" "slaves" {
174 | statement {
175 | sid = "AllowLaunchingEC2Instances"
176 |
177 | actions = [
178 | "ec2:DescribeSpotInstanceRequests",
179 | "ec2:CancelSpotInstanceRequests",
180 | "ec2:GetConsoleOutput",
181 | "ec2:RequestSpotInstances",
182 | "ec2:RunInstances",
183 | "ec2:StartInstances",
184 | "ec2:StopInstances",
185 | "ec2:TerminateInstances",
186 | "ec2:CreateTags",
187 | "ec2:DeleteTags",
188 | "ec2:DescribeInstances",
189 | "ec2:DescribeKeyPairs",
190 | "ec2:DescribeRegions",
191 | "ec2:DescribeImages",
192 | "ec2:DescribeAvailabilityZones",
193 | "ec2:DescribeSecurityGroups",
194 | "ec2:DescribeSubnets",
195 | "iam:PassRole"
196 | ]
197 |
198 | resources = ["*"]
199 | effect = "Allow"
200 | }
201 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
File: /main.tf:173-201
Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
173 | data "aws_iam_policy_document" "slaves" {
174 | statement {
175 | sid = "AllowLaunchingEC2Instances"
176 |
177 | actions = [
178 | "ec2:DescribeSpotInstanceRequests",
179 | "ec2:CancelSpotInstanceRequests",
180 | "ec2:GetConsoleOutput",
181 | "ec2:RequestSpotInstances",
182 | "ec2:RunInstances",
183 | "ec2:StartInstances",
184 | "ec2:StopInstances",
185 | "ec2:TerminateInstances",
186 | "ec2:CreateTags",
187 | "ec2:DeleteTags",
188 | "ec2:DescribeInstances",
189 | "ec2:DescribeKeyPairs",
190 | "ec2:DescribeRegions",
191 | "ec2:DescribeImages",
192 | "ec2:DescribeAvailabilityZones",
193 | "ec2:DescribeSecurityGroups",
194 | "ec2:DescribeSubnets",
195 | "iam:PassRole"
196 | ]
197 |
198 | resources = ["*"]
199 | effect = "Allow"
200 | }
201 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.jenkins.aws_iam_policy_document.slaves
File: /main.tf:173-201
Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
173 | data "aws_iam_policy_document" "slaves" {
174 | statement {
175 | sid = "AllowLaunchingEC2Instances"
176 |
177 | actions = [
178 | "ec2:DescribeSpotInstanceRequests",
179 | "ec2:CancelSpotInstanceRequests",
180 | "ec2:GetConsoleOutput",
181 | "ec2:RequestSpotInstances",
182 | "ec2:RunInstances",
183 | "ec2:StartInstances",
184 | "ec2:StopInstances",
185 | "ec2:TerminateInstances",
186 | "ec2:CreateTags",
187 | "ec2:DeleteTags",
188 | "ec2:DescribeInstances",
189 | "ec2:DescribeKeyPairs",
190 | "ec2:DescribeRegions",
191 | "ec2:DescribeImages",
192 | "ec2:DescribeAvailabilityZones",
193 | "ec2:DescribeSecurityGroups",
194 | "ec2:DescribeSubnets",
195 | "iam:PassRole"
196 | ]
197 |
198 | resources = ["*"]
199 | effect = "Allow"
200 | }
201 | }
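The four IAM findings above (CKV_AWS_110, 109, 111 and 356) all come from the same statement: every action, including iam:PassRole, on resources = ["*"]. With iam:PassRole and ec2:RunInstances both unconstrained, anyone who can make the Jenkins controller launch an agent can hand that agent any role in the account, which is the escalation CKV_AWS_110 describes. The block below is an added example, not code from the module or from checkov: it transcribes the flagged statement as the JSON aws_iam_policy_document renders, shows a constrained equivalent, and runs a simplified stand-in for the checks over both. The account id, region, agent role ARN and the jenkins_agent tag are assumptions; the condition maps translate directly to condition blocks in aws_iam_policy_document.

```python
"""Why CKV_AWS_109/110/111/356 fire on aws_iam_policy_document.slaves, and a
constrained replacement. Added example, not code from the module; the
checker is a simplified stand-in for checkov's logic, not checkov itself."""
from fnmatch import fnmatch
from typing import Dict, List

# Policy as scanned, transcribed from the report: every action on "*".
WEAK_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLaunchingEC2Instances", "Effect": "Allow", "Resource": "*",
        "Action": [
            "ec2:DescribeSpotInstanceRequests", "ec2:CancelSpotInstanceRequests",
            "ec2:GetConsoleOutput", "ec2:RequestSpotInstances", "ec2:RunInstances",
            "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
            "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeImages",
            "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets", "iam:PassRole",
        ],
    }],
}

# Placeholders (assumptions): account, region, the single instance-profile role
# agents may receive, and a tag the EC2 plugin is configured to put on agents.
ACCOUNT, REGION = "123456789012", "us-east-1"
AGENT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/jenkins-agent"
AGENT_TAG = "ec2:ResourceTag/jenkins_agent"
EC2 = f"arn:aws:ec2:{REGION}:{ACCOUNT}"

HARDENED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Describe* has no resource-level permissions; "*" is unavoidable here
            "Sid": "Discover", "Effect": "Allow", "Resource": "*",
            "Action": ["ec2:Describe*"],
        },
        {   # RunInstances scoped to this account/region's launch resources
            "Sid": "Launch", "Effect": "Allow", "Action": "ec2:RunInstances",
            "Resource": [
                f"arn:aws:ec2:{REGION}::image/ami-*",
                f"{EC2}:subnet/*", f"{EC2}:security-group/*", f"{EC2}:key-pair/*",
                f"{EC2}:network-interface/*", f"{EC2}:instance/*", f"{EC2}:volume/*",
            ],
        },
        {   # Tags may only be written as part of a launch
            "Sid": "TagOnLaunch", "Effect": "Allow", "Action": "ec2:CreateTags",
            "Resource": [f"{EC2}:instance/*", f"{EC2}:volume/*"],
            "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}},
        },
        {   # Lifecycle actions only on instances carrying the agent tag
            "Sid": "ManageAgents", "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances",
                       "ec2:TerminateInstances", "ec2:GetConsoleOutput",
                       "ec2:DeleteTags"],
            "Resource": f"{EC2}:instance/*",
            "Condition": {"StringEquals": {AGENT_TAG: "true"}},
        },
        {   # The fix for the escalation finding: one role, passable to EC2 only
            "Sid": "PassAgentRole", "Effect": "Allow", "Action": "iam:PassRole",
            "Resource": AGENT_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}
# The spot-request actions from the original statement are omitted above; add
# them in their own statement if spot agents are in use.

READ_VERBS = ("describe", "get", "list")
# One of the action combinations CKV_AWS_110 treats as privilege escalation:
# passing a role to an instance the principal can launch.
PRIV_ESC = ({"iam:passrole", "ec2:runinstances"},)


def _listify(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v or [])


def _unconstrained_actions(policy: Dict) -> List[str]:
    """Action patterns granted on Resource "*" with no Condition."""
    out: List[str] = []
    for s in policy["Statement"]:
        if (s.get("Effect") == "Allow" and "*" in _listify(s.get("Resource"))
                and not s.get("Condition")):
            out.extend(a.lower() for a in _listify(s.get("Action")))
    return out


def find_issues(policy: Dict) -> List[str]:
    """Simplified versions of the four checks; an empty list means clean."""
    star = _unconstrained_actions(policy)
    issues: List[str] = []
    for combo in PRIV_ESC:
        if all(any(fnmatch(want, pat) for pat in star) for want in combo):
            issues.append("privilege escalation: " + " + ".join(sorted(combo)) + " on *")
    for pat in star:
        verb = pat.split(":", 1)[-1]
        if not verb.startswith(READ_VERBS):  # write/permission action on "*"
            issues.append(f"write action without constraint: {pat} on *")
    return issues
```

Running `find_issues` over `WEAK_POLICY` reports the PassRole + RunInstances pair once and every non-Describe action once more, which is the same shape as the four checkov findings; `HARDENED_POLICY` reports nothing because the only remaining "*" statement holds read-only actions. The `iam:PassedToService` condition is what stops the agent role from being passed to Lambda, ECS or another service, and scoping `Resource` to a single role ARN is what closes the escalation path even if a broader RunInstances grant is ever reintroduced.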
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.jenkins.aws_security_group.slaves
File: /main.tf:140-169
Calling File: /examples/new_vpc_new_subnets/main.tf:11-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
140 | resource "aws_security_group" "slaves" {
141 | name = module.label_slaves.id
142 | description = "Security Group for Jenkins EC2 slaves"
143 | vpc_id = var.vpc_id
144 |
145 | # Allow the provided Security Groups to connect to Jenkins slave instances
146 | ingress {
147 | from_port = 0
148 | to_port = 0
149 | protocol = -1
150 | security_groups = var.associated_security_group_ids
151 | }
152 |
153 | # Allow Jenkins master instance to communicate with Jenkins slave instances on SSH port 22
154 | ingress {
155 | from_port = 22
156 | to_port = 22
157 | protocol = "tcp"
158 | security_groups = [module.elastic_beanstalk_environment.security_group_id]
159 | }
160 |
161 | egress {
162 | from_port = 0
163 | to_port = 0
164 | protocol = "-1"
165 | cidr_blocks = ["0.0.0.0/0"]
166 | }
167 |
168 | tags = module.label_slaves.tags
169 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.jenkins.aws_security_group.slaves
File: /main.tf:140-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
140 | resource "aws_security_group" "slaves" {
141 | name = module.label_slaves.id
142 | description = "Security Group for Jenkins EC2 slaves"
143 | vpc_id = var.vpc_id
144 |
145 | # Allow the provided Security Groups to connect to Jenkins slave instances
146 | ingress {
147 | from_port = 0
148 | to_port = 0
149 | protocol = -1
150 | security_groups = var.associated_security_group_ids
151 | }
152 |
153 | # Allow Jenkins master instance to communicate with Jenkins slave instances on SSH port 22
154 | ingress {
155 | from_port = 22
156 | to_port = 22
157 | protocol = "tcp"
158 | security_groups = [module.elastic_beanstalk_environment.security_group_id]
159 | }
160 |
161 | egress {
162 | from_port = 0
163 | to_port = 0
164 | protocol = "-1"
165 | cidr_blocks = ["0.0.0.0/0"]
166 | }
167 |
168 | tags = module.label_slaves.tags
169 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools