| Repository | cloudposse / terraform-aws-tfstate-backend |
|---|---|
| Description | Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file, preventing concurrent modifications and state corruption. |
| Stars | 357 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
```text
2023-10-05 14:49:47,928 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)

terraform scan results:

Passed checks: 38, Failed checks: 7, Skipped checks: 1

Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    FAILED for resource: module.tfstate_backend.aws_dynamodb_table.with_server_side_encryption
    File: /main.tf:241-265
    Calling File: /examples/complete/main.tf:13-31
    Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted

        241 | resource "aws_dynamodb_table" "with_server_side_encryption" {
        242 |   count          = local.dynamodb_enabled ? 1 : 0
        243 |   name           = local.dynamodb_table_name
        244 |   billing_mode   = var.billing_mode
        245 |   read_capacity  = var.billing_mode == "PROVISIONED" ? var.read_capacity : null
        246 |   write_capacity = var.billing_mode == "PROVISIONED" ? var.write_capacity : null
        247 |
        248 |   # https://www.terraform.io/docs/backends/types/s3.html#dynamodb_table
        249 |   hash_key = "LockID"
        250 |
        251 |   server_side_encryption { #tfsec:ignore:aws-dynamodb-table-customer-key
        252 |     enabled = true
        253 |   }
        254 |
        255 |   point_in_time_recovery {
        256 |     enabled = var.enable_point_in_time_recovery
        257 |   }
        258 |
        259 |   attribute {
        260 |     name = "LockID"
        261 |     type = "S"
        262 |   }
        263 |
        264 |   tags = module.dynamodb_table_label.tags
        265 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    FAILED for resource: aws_s3_bucket.default
    File: /examples/complete/main.tf:7-11

        7  | resource "aws_s3_bucket" "default" {
        8  |   count = module.this.enabled ? 1 : 0
        9  |
        10 |   bucket = "${module.this.id}-logs"
        11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    File: /main.tf:151-160

        151 | resource "aws_s3_bucket" "default" {
        152 |   count = local.bucket_enabled ? 1 : 0
        153 |
        154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
        155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
        156 |   bucket        = substr(local.bucket_name, 0, 63)
        157 |   force_destroy = var.force_destroy
        158 |
        159 |   tags = module.this.tags
        160 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    FAILED for resource: aws_s3_bucket.default
    File: /examples/complete/main.tf:7-11

        7  | resource "aws_s3_bucket" "default" {
        8  |   count = module.this.enabled ? 1 : 0
        9  |
        10 |   bucket = "${module.this.id}-logs"
        11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    File: /main.tf:151-160

        151 | resource "aws_s3_bucket" "default" {
        152 |   count = local.bucket_enabled ? 1 : 0
        153 |
        154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
        155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
        156 |   bucket        = substr(local.bucket_name, 0, 63)
        157 |   force_destroy = var.force_destroy
        158 |
        159 |   tags = module.this.tags
        160 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    FAILED for resource: aws_s3_bucket.default
    File: /examples/complete/main.tf:7-11
    Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html

        7  | resource "aws_s3_bucket" "default" {
        8  |   count = module.this.enabled ? 1 : 0
        9  |
        10 |   bucket = "${module.this.id}-logs"
        11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    File: /main.tf:151-160
    Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html

        151 | resource "aws_s3_bucket" "default" {
        152 |   count = local.bucket_enabled ? 1 : 0
        153 |
        154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
        155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
        156 |   bucket        = substr(local.bucket_name, 0, 63)
        157 |   force_destroy = var.force_destroy
        158 |
        159 |   tags = module.this.tags
        160 | }

github_actions scan results:

Passed checks: 40, Failed checks: 0, Skipped checks: 0
```
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools