Experience Builder


Terraform

Repository
cloudposse / terraform-aws-tfstate-backend
Description

Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table used to lock the state file, preventing concurrent modifications and state corruption.

Stars

 357

Failed Checks
  •  Security Scanning
  •  Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:49:47,928 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 38, Failed checks: 7, Skipped checks: 1
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: module.tfstate_backend.aws_dynamodb_table.with_server_side_encryption
    	File: /main.tf:241-265
    	Calling File: /examples/complete/main.tf:13-31
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		241 | resource "aws_dynamodb_table" "with_server_side_encryption" {
    		242 |   count          = local.dynamodb_enabled ? 1 : 0
    		243 |   name           = local.dynamodb_table_name
    		244 |   billing_mode   = var.billing_mode
    		245 |   read_capacity  = var.billing_mode == "PROVISIONED" ? var.read_capacity : null
    		246 |   write_capacity = var.billing_mode == "PROVISIONED" ? var.write_capacity : null
    		247 | 
    		248 |   # https://www.terraform.io/docs/backends/types/s3.html#dynamodb_table
    		249 |   hash_key = "LockID"
    		250 | 
    		251 |   server_side_encryption { #tfsec:ignore:aws-dynamodb-table-customer-key
    		252 |     enabled = true
    		253 |   }
    		254 | 
    		255 |   point_in_time_recovery {
    		256 |     enabled = var.enable_point_in_time_recovery
    		257 |   }
    		258 | 
    		259 |   attribute {
    		260 |     name = "LockID"
    		261 |     type = "S"
    		262 |   }
    		263 | 
    		264 |   tags = module.dynamodb_table_label.tags
    		265 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.default
    	File: /examples/complete/main.tf:7-11
    
    		7  | resource "aws_s3_bucket" "default" {
    		8  |   count = module.this.enabled ? 1 : 0
    		9  | 
    		10 |   bucket = "${module.this.id}-logs"
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    	File: /main.tf:151-160
    
    		151 | resource "aws_s3_bucket" "default" {
    		152 |   count = local.bucket_enabled ? 1 : 0
    		153 | 
    		154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
    		155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
    		156 |   bucket        = substr(local.bucket_name, 0, 63)
    		157 |   force_destroy = var.force_destroy
    		158 | 
    		159 |   tags = module.this.tags
    		160 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.default
    	File: /examples/complete/main.tf:7-11
    
    		7  | resource "aws_s3_bucket" "default" {
    		8  |   count = module.this.enabled ? 1 : 0
    		9  | 
    		10 |   bucket = "${module.this.id}-logs"
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    	File: /main.tf:151-160
    
    		151 | resource "aws_s3_bucket" "default" {
    		152 |   count = local.bucket_enabled ? 1 : 0
    		153 | 
    		154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
    		155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
    		156 |   bucket        = substr(local.bucket_name, 0, 63)
    		157 |   force_destroy = var.force_destroy
    		158 | 
    		159 |   tags = module.this.tags
    		160 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.default
    	File: /examples/complete/main.tf:7-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		7  | resource "aws_s3_bucket" "default" {
    		8  |   count = module.this.enabled ? 1 : 0
    		9  | 
    		10 |   bucket = "${module.this.id}-logs"
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.tfstate_backend.aws_s3_bucket.default
    	File: /main.tf:151-160
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		151 | resource "aws_s3_bucket" "default" {
    		152 |   count = local.bucket_enabled ? 1 : 0
    		153 | 
    		154 |   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
    		155 |   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
    		156 |   bucket        = substr(local.bucket_name, 0, 63)
    		157 |   force_destroy = var.force_destroy
    		158 | 
    		159 |   tags = module.this.tags
    		160 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: