| Repository | cogini / multi-env-deploy |
|---|---|
| Description | Complete example of deploying complex web apps to AWS using Terraform, Ansible, and Packer |
| Stars | 335 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:50:18,811 [MainThread ] [WARNI] Failed to download module github.com/cloudposse/terraform-aws-ecs-container-definition?ref=0.58.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:18,811 [MainThread ] [WARNI] Failed to download module int128/nat-instance/aws:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:18,811 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpn-gateway/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:18,811 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/rds/aws:~>3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:18,811 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>3.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 823, Failed checks: 90, Skipped checks: 0
Check: CKV_AWS_68: "CloudFront Distribution should have WAF enabled"
FAILED for resource: aws_cloudfront_distribution.this
File: /terraform/modules/cloudfront/main.tf:83-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_174: "Verify CloudFront Distribution Viewer Certificate is using TLS v1.2"
FAILED for resource: aws_cloudfront_distribution.this
File: /terraform/modules/cloudfront/main.tf:83-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.this
File: /terraform/modules/cloudfront/main.tf:83-203
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: aws_codebuild_project.this
File: /terraform/modules/codebuild-github-action/main.tf:74-150
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
FAILED for resource: aws_codebuild_project.this
File: /terraform/modules/codepipeline/main.tf:103-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: aws_codebuild_project.this
File: /terraform/modules/codepipeline/main.tf:103-201
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-private/main.tf:57-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
57 | resource "aws_instance" "this" {
58 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
59 |
60 | ami = var.ami
61 | instance_type = var.instance_type
62 | user_data = var.user_data
63 | key_name = var.keypair_name
64 | monitoring = var.monitoring
65 | subnet_id = element(distinct(compact(var.subnet_ids)), count.index)
66 | vpc_security_group_ids = var.security_group_ids
67 | iam_instance_profile = var.instance_profile_name
68 | # availability_zone = var.availability_zones[count.index]
69 | associate_public_ip_address = false
70 | disable_api_termination = var.disable_api_termination
71 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
72 | ebs_optimized = var.ebs_optimized
73 | root_block_device {
74 | volume_size = var.root_volume_size
75 | delete_on_termination = var.root_volume_delete_on_termination
76 | }
77 |
78 | tags = merge(
79 | {
80 | "Name" = local.name
81 | "org" = var.org
82 | "app" = var.app_name
83 | "env" = var.env
84 | "comp" = var.comp
85 | "owner" = var.owner
86 | "index" = count.index
87 | },
88 | var.extra_tags,
89 | )
90 |
91 | volume_tags = merge(
92 | {
93 | "Name" = local.name
94 | "org" = var.org
95 | "app" = var.app_name
96 | "env" = var.env
97 | "comp" = var.comp
98 | "owner" = var.owner
99 | "index" = count.index
100 | },
101 | var.extra_tags,
102 | )
103 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-private/main.tf:57-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
57 | resource "aws_instance" "this" {
58 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
59 |
60 | ami = var.ami
61 | instance_type = var.instance_type
62 | user_data = var.user_data
63 | key_name = var.keypair_name
64 | monitoring = var.monitoring
65 | subnet_id = element(distinct(compact(var.subnet_ids)), count.index)
66 | vpc_security_group_ids = var.security_group_ids
67 | iam_instance_profile = var.instance_profile_name
68 | # availability_zone = var.availability_zones[count.index]
69 | associate_public_ip_address = false
70 | disable_api_termination = var.disable_api_termination
71 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
72 | ebs_optimized = var.ebs_optimized
73 | root_block_device {
74 | volume_size = var.root_volume_size
75 | delete_on_termination = var.root_volume_delete_on_termination
76 | }
77 |
78 | tags = merge(
79 | {
80 | "Name" = local.name
81 | "org" = var.org
82 | "app" = var.app_name
83 | "env" = var.env
84 | "comp" = var.comp
85 | "owner" = var.owner
86 | "index" = count.index
87 | },
88 | var.extra_tags,
89 | )
90 |
91 | volume_tags = merge(
92 | {
93 | "Name" = local.name
94 | "org" = var.org
95 | "app" = var.app_name
96 | "env" = var.env
97 | "comp" = var.comp
98 | "owner" = var.owner
99 | "index" = count.index
100 | },
101 | var.extra_tags,
102 | )
103 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-private/main.tf:57-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
57 | resource "aws_instance" "this" {
58 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
59 |
60 | ami = var.ami
61 | instance_type = var.instance_type
62 | user_data = var.user_data
63 | key_name = var.keypair_name
64 | monitoring = var.monitoring
65 | subnet_id = element(distinct(compact(var.subnet_ids)), count.index)
66 | vpc_security_group_ids = var.security_group_ids
67 | iam_instance_profile = var.instance_profile_name
68 | # availability_zone = var.availability_zones[count.index]
69 | associate_public_ip_address = false
70 | disable_api_termination = var.disable_api_termination
71 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
72 | ebs_optimized = var.ebs_optimized
73 | root_block_device {
74 | volume_size = var.root_volume_size
75 | delete_on_termination = var.root_volume_delete_on_termination
76 | }
77 |
78 | tags = merge(
79 | {
80 | "Name" = local.name
81 | "org" = var.org
82 | "app" = var.app_name
83 | "env" = var.env
84 | "comp" = var.comp
85 | "owner" = var.owner
86 | "index" = count.index
87 | },
88 | var.extra_tags,
89 | )
90 |
91 | volume_tags = merge(
92 | {
93 | "Name" = local.name
94 | "org" = var.org
95 | "app" = var.app_name
96 | "env" = var.env
97 | "comp" = var.comp
98 | "owner" = var.owner
99 | "index" = count.index
100 | },
101 | var.extra_tags,
102 | )
103 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-private/main.tf:57-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
57 | resource "aws_instance" "this" {
58 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
59 |
60 | ami = var.ami
61 | instance_type = var.instance_type
62 | user_data = var.user_data
63 | key_name = var.keypair_name
64 | monitoring = var.monitoring
65 | subnet_id = element(distinct(compact(var.subnet_ids)), count.index)
66 | vpc_security_group_ids = var.security_group_ids
67 | iam_instance_profile = var.instance_profile_name
68 | # availability_zone = var.availability_zones[count.index]
69 | associate_public_ip_address = false
70 | disable_api_termination = var.disable_api_termination
71 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
72 | ebs_optimized = var.ebs_optimized
73 | root_block_device {
74 | volume_size = var.root_volume_size
75 | delete_on_termination = var.root_volume_delete_on_termination
76 | }
77 |
78 | tags = merge(
79 | {
80 | "Name" = local.name
81 | "org" = var.org
82 | "app" = var.app_name
83 | "env" = var.env
84 | "comp" = var.comp
85 | "owner" = var.owner
86 | "index" = count.index
87 | },
88 | var.extra_tags,
89 | )
90 |
91 | volume_tags = merge(
92 | {
93 | "Name" = local.name
94 | "org" = var.org
95 | "app" = var.app_name
96 | "env" = var.env
97 | "comp" = var.comp
98 | "owner" = var.owner
99 | "index" = count.index
100 | },
101 | var.extra_tags,
102 | )
103 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-public/main.tf:63-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
63 | resource "aws_instance" "this" {
64 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
65 |
66 | ami = var.ami
67 | instance_type = var.instance_type
68 | user_data = var.user_data
69 | key_name = var.keypair_name
70 | monitoring = var.monitoring
71 | subnet_id = var.subnet_ids[count.index]
72 | vpc_security_group_ids = var.security_group_ids
73 | iam_instance_profile = var.instance_profile_name
74 | availability_zone = var.availability_zones[count.index]
75 | associate_public_ip_address = true
76 | disable_api_termination = var.disable_api_termination
77 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
78 |
79 | root_block_device {
80 | volume_size = var.root_volume_size
81 | delete_on_termination = var.root_volume_delete_on_termination
82 | }
83 |
84 | tags = merge(
85 | {
86 | "Name" = local.name
87 | "org" = var.org
88 | "app" = var.app_name
89 | "env" = var.env
90 | "comp" = var.comp
91 | "owner" = var.owner
92 | "index" = count.index
93 | },
94 | var.extra_tags,
95 | )
96 |
97 | volume_tags = merge(
98 | {
99 | "Name" = local.name
100 | "org" = var.org
101 | "app" = var.app_name
102 | "env" = var.env
103 | "comp" = var.comp
104 | "owner" = var.owner
105 | "index" = count.index
106 | },
107 | var.extra_tags,
108 | )
109 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-public/main.tf:63-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
63 | resource "aws_instance" "this" {
64 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
65 |
66 | ami = var.ami
67 | instance_type = var.instance_type
68 | user_data = var.user_data
69 | key_name = var.keypair_name
70 | monitoring = var.monitoring
71 | subnet_id = var.subnet_ids[count.index]
72 | vpc_security_group_ids = var.security_group_ids
73 | iam_instance_profile = var.instance_profile_name
74 | availability_zone = var.availability_zones[count.index]
75 | associate_public_ip_address = true
76 | disable_api_termination = var.disable_api_termination
77 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
78 |
79 | root_block_device {
80 | volume_size = var.root_volume_size
81 | delete_on_termination = var.root_volume_delete_on_termination
82 | }
83 |
84 | tags = merge(
85 | {
86 | "Name" = local.name
87 | "org" = var.org
88 | "app" = var.app_name
89 | "env" = var.env
90 | "comp" = var.comp
91 | "owner" = var.owner
92 | "index" = count.index
93 | },
94 | var.extra_tags,
95 | )
96 |
97 | volume_tags = merge(
98 | {
99 | "Name" = local.name
100 | "org" = var.org
101 | "app" = var.app_name
102 | "env" = var.env
103 | "comp" = var.comp
104 | "owner" = var.owner
105 | "index" = count.index
106 | },
107 | var.extra_tags,
108 | )
109 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-public/main.tf:63-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
63 | resource "aws_instance" "this" {
64 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
65 |
66 | ami = var.ami
67 | instance_type = var.instance_type
68 | user_data = var.user_data
69 | key_name = var.keypair_name
70 | monitoring = var.monitoring
71 | subnet_id = var.subnet_ids[count.index]
72 | vpc_security_group_ids = var.security_group_ids
73 | iam_instance_profile = var.instance_profile_name
74 | availability_zone = var.availability_zones[count.index]
75 | associate_public_ip_address = true
76 | disable_api_termination = var.disable_api_termination
77 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
78 |
79 | root_block_device {
80 | volume_size = var.root_volume_size
81 | delete_on_termination = var.root_volume_delete_on_termination
82 | }
83 |
84 | tags = merge(
85 | {
86 | "Name" = local.name
87 | "org" = var.org
88 | "app" = var.app_name
89 | "env" = var.env
90 | "comp" = var.comp
91 | "owner" = var.owner
92 | "index" = count.index
93 | },
94 | var.extra_tags,
95 | )
96 |
97 | volume_tags = merge(
98 | {
99 | "Name" = local.name
100 | "org" = var.org
101 | "app" = var.app_name
102 | "env" = var.env
103 | "comp" = var.comp
104 | "owner" = var.owner
105 | "index" = count.index
106 | },
107 | var.extra_tags,
108 | )
109 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-public/main.tf:63-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
63 | resource "aws_instance" "this" {
64 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
65 |
66 | ami = var.ami
67 | instance_type = var.instance_type
68 | user_data = var.user_data
69 | key_name = var.keypair_name
70 | monitoring = var.monitoring
71 | subnet_id = var.subnet_ids[count.index]
72 | vpc_security_group_ids = var.security_group_ids
73 | iam_instance_profile = var.instance_profile_name
74 | availability_zone = var.availability_zones[count.index]
75 | associate_public_ip_address = true
76 | disable_api_termination = var.disable_api_termination
77 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
78 |
79 | root_block_device {
80 | volume_size = var.root_volume_size
81 | delete_on_termination = var.root_volume_delete_on_termination
82 | }
83 |
84 | tags = merge(
85 | {
86 | "Name" = local.name
87 | "org" = var.org
88 | "app" = var.app_name
89 | "env" = var.env
90 | "comp" = var.comp
91 | "owner" = var.owner
92 | "index" = count.index
93 | },
94 | var.extra_tags,
95 | )
96 |
97 | volume_tags = merge(
98 | {
99 | "Name" = local.name
100 | "org" = var.org
101 | "app" = var.app_name
102 | "env" = var.env
103 | "comp" = var.comp
104 | "owner" = var.owner
105 | "index" = count.index
106 | },
107 | var.extra_tags,
108 | )
109 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.this[0]
File: /terraform/modules/ec2-public/main.tf:63-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
63 | resource "aws_instance" "this" {
64 | count = var.instance_count > 0 ? var.instance_count : length(var.subnet_ids)
65 |
66 | ami = var.ami
67 | instance_type = var.instance_type
68 | user_data = var.user_data
69 | key_name = var.keypair_name
70 | monitoring = var.monitoring
71 | subnet_id = var.subnet_ids[count.index]
72 | vpc_security_group_ids = var.security_group_ids
73 | iam_instance_profile = var.instance_profile_name
74 | availability_zone = var.availability_zones[count.index]
75 | associate_public_ip_address = true
76 | disable_api_termination = var.disable_api_termination
77 | instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
78 |
79 | root_block_device {
80 | volume_size = var.root_volume_size
81 | delete_on_termination = var.root_volume_delete_on_termination
82 | }
83 |
84 | tags = merge(
85 | {
86 | "Name" = local.name
87 | "org" = var.org
88 | "app" = var.app_name
89 | "env" = var.env
90 | "comp" = var.comp
91 | "owner" = var.owner
92 | "index" = count.index
93 | },
94 | var.extra_tags,
95 | )
96 |
97 | volume_tags = merge(
98 | {
99 | "Name" = local.name
100 | "org" = var.org
101 | "app" = var.app_name
102 | "env" = var.env
103 | "comp" = var.comp
104 | "owner" = var.owner
105 | "index" = count.index
106 | },
107 | var.extra_tags,
108 | )
109 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: aws_ecr_repository.this
File: /terraform/modules/ecr-build/main.tf:9-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
9 | resource "aws_ecr_repository" "this" {
10 | name = local.name
11 |
12 | image_scanning_configuration {
13 | scan_on_push = var.scan_on_push
14 | }
15 |
16 | tags = merge(
17 | {
18 | "Name" = local.name
19 | "org" = var.org
20 | "app" = var.app_name
21 | "env" = var.env
22 | "comp" = var.comp
23 | "owner" = var.owner
24 | },
25 | var.extra_tags,
26 | )
27 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: aws_ecr_repository.this
File: /terraform/modules/ecr-build/main.tf:9-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
9 | resource "aws_ecr_repository" "this" {
10 | name = local.name
11 |
12 | image_scanning_configuration {
13 | scan_on_push = var.scan_on_push
14 | }
15 |
16 | tags = merge(
17 | {
18 | "Name" = local.name
19 | "org" = var.org
20 | "app" = var.app_name
21 | "env" = var.env
22 | "comp" = var.comp
23 | "owner" = var.owner
24 | },
25 | var.extra_tags,
26 | )
27 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: aws_ecr_repository.this
File: /terraform/modules/ecr-build/main.tf:9-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
9 | resource "aws_ecr_repository" "this" {
10 | name = local.name
11 |
12 | image_scanning_configuration {
13 | scan_on_push = var.scan_on_push
14 | }
15 |
16 | tags = merge(
17 | {
18 | "Name" = local.name
19 | "org" = var.org
20 | "app" = var.app_name
21 | "env" = var.env
22 | "comp" = var.comp
23 | "owner" = var.owner
24 | },
25 | var.extra_tags,
26 | )
27 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.this
File: /terraform/modules/ecs-cluster/main.tf:38-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
38 | resource "aws_ecs_cluster" "this" {
39 | name = local.name
40 |
41 | capacity_providers = var.capacity_providers
42 |
43 | dynamic "default_capacity_provider_strategy" {
44 | for_each = var.default_capacity_provider_strategy
45 | iterator = strategy
46 | content {
47 | capacity_provider = lookup(strategy.value, "capacity_provider", null)
48 | weight = lookup(strategy.value, "weight", null)
49 | base = lookup(strategy.value, "base", null)
50 | }
51 | }
52 |
53 | dynamic "setting" {
54 | for_each = var.container_insights == null ? [] : tolist([1])
55 | content {
56 | name = "containerInsights"
57 | value = var.container_insights
58 | }
59 | }
60 |
61 | tags = merge(
62 | {
63 | "Name" = local.name
64 | "org" = var.org
65 | "app" = var.app_name
66 | "env" = var.env
67 | "owner" = var.owner
68 | },
69 | var.extra_tags
70 | )
71 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.this
File: /terraform/modules/elasticache-memcached/main.tf:30-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
30 | resource "aws_sns_topic" "this" {
31 | name = var.sns_topic_name != "" ? var.sns_topic_name : "${local.name}-${var.engine}"
32 | }
Check: CKV_AWS_134: "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on"
FAILED for resource: aws_elasticache_cluster.this
File: /terraform/modules/elasticache-memcached/main.tf:35-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on.html
35 | resource "aws_elasticache_cluster" "this" {
36 | cluster_id = local.name
37 | engine = var.engine
38 | engine_version = var.engine_version
39 | maintenance_window = var.maintenance_window
40 | node_type = var.instance_type
41 | num_cache_nodes = var.num_cache_nodes
42 | parameter_group_name = var.parameter_group_name
43 |
44 | subnet_group_name = var.subnet_group_name
45 | security_group_ids = var.security_group_ids
46 |
47 | apply_immediately = var.apply_immediately
48 |
49 | az_mode = var.az_mode
50 |
51 | notification_topic_arn = aws_sns_topic.this.arn
52 |
53 | tags = merge(
54 | {
55 | "Name" = local.name
56 | "org" = var.org
57 | "app" = var.app_name
58 | "env" = var.env
59 | "comp" = var.comp
60 | "owner" = var.owner
61 | },
62 | var.extra_tags,
63 | )
64 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.this
File: /terraform/modules/elasticache-redis/main.tf:30-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
30 | resource "aws_sns_topic" "this" {
31 | name = var.sns_topic_name != "" ? var.sns_topic_name : "${local.name}-${var.engine}"
32 | }
Check: CKV_AWS_134: "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on"
FAILED for resource: aws_elasticache_cluster.this
File: /terraform/modules/elasticache-redis/main.tf:35-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on.html
35 | resource "aws_elasticache_cluster" "this" {
36 | cluster_id = local.name
37 | engine = var.engine
38 | engine_version = var.engine_version
39 | maintenance_window = var.maintenance_window
40 | node_type = var.instance_type
41 | num_cache_nodes = var.num_cache_nodes
42 | parameter_group_name = var.parameter_group_name
43 |
44 | subnet_group_name = var.subnet_group_name
45 | security_group_ids = var.security_group_ids
46 |
47 | apply_immediately = var.apply_immediately
48 |
49 | notification_topic_arn = aws_sns_topic.this.arn
50 |
51 | tags = merge(
52 | {
53 | "Name" = local.name
54 | "org" = var.org
55 | "app" = var.app_name
56 | "env" = var.env
57 | "comp" = var.comp
58 | "owner" = var.owner
59 | },
60 | var.extra_tags,
61 | )
62 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.this
File: /terraform/modules/elasticsearch/main.tf:42-44
42 | resource "aws_cloudwatch_log_group" "this" {
43 | name = local.cloudwatch_log_group
44 | }
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: aws_cloudwatch_log_group.this
File: /terraform/modules/elasticsearch/main.tf:42-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
42 | resource "aws_cloudwatch_log_group" "this" {
43 | name = local.cloudwatch_log_group
44 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.this
File: /terraform/modules/elasticsearch/main.tf:42-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
42 | resource "aws_cloudwatch_log_group" "this" {
43 | name = local.cloudwatch_log_group
44 | }
Check: CKV_AWS_318: "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA"
FAILED for resource: aws_elasticsearch_domain.this
File: /terraform/modules/elasticsearch/main.tf:75-135
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_228: "Verify Elasticsearch domain is using an up to date TLS policy"
FAILED for resource: aws_elasticsearch_domain.this
File: /terraform/modules/elasticsearch/main.tf:75-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticsearch-domain-uses-an-updated-tls-policy.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_248: "Ensure that Elasticsearch is not using the default Security Group"
FAILED for resource: aws_elasticsearch_domain.this
File: /terraform/modules/elasticsearch/main.tf:75-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-elasticsearch-does-not-use-the-default-security-group.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_317: "Ensure Elasticsearch Domain Audit Logging is enabled"
FAILED for resource: aws_elasticsearch_domain.this
File: /terraform/modules/elasticsearch/main.tf:75-135
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.this
File: /terraform/modules/iam-codecommit-user-mirror/main.tf:22-35
22 | resource "aws_iam_user" "this" {
23 | name = local.name
24 | tags = merge(
25 | {
26 | "Name" = local.name
27 | "org" = var.org
28 | "app" = var.app_name
29 | "env" = var.env
30 | "comp" = var.comp
31 | "owner" = var.owner
32 | },
33 | var.extra_tags
34 | )
35 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.codebuild-codedeploy
File: /terraform/modules/iam-codepipeline/main.tf:88-137
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.codebuild-codedeploy
File: /terraform/modules/iam-codepipeline/main.tf:88-137
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.codebuild-codedeploy
File: /terraform/modules/iam-codepipeline/main.tf:88-137
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.codebuild-logs
File: /terraform/modules/iam-codepipeline/main.tf:174-204
174 | resource "aws_iam_role_policy" "codebuild-logs" {
175 | name = "${var.app_name}-codebuild-logs"
176 | role = aws_iam_role.codebuild-service-role.id
177 | policy = <= 7
38 | #
39 | #- name: Install SELinux module for nginx
40 | # command: semodule -i /tmp/nginx_custom.pp
41 | # when: ("selinuxmodules.stdout.find('nginx_custom') == -1") and (ansible_os_family == 'RedHat') and ansible_distribution_major_version|int >= 7
42 |
43 | - block:
44 | - name: Set SELinux httpd_can_network_connect
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/roles/nginx/tasks/main.yml:43-62
43 | - block:
44 |     - name: Set SELinux httpd_can_network_connect
45 |       seboolean: name=httpd_can_network_connect state={{ selinux_httpd_can_network_connect }} persistent=yes
46 |
47 |     - name: Set SELinux httpd_can_network_relay
48 |       seboolean: name=httpd_can_network_relay state={{ selinux_httpd_can_network_relay }} persistent=yes
49 |
50 |     - name: Set SELinux selinux_httpd_setrlimit
51 |       seboolean: name=httpd_setrlimit state={{ selinux_httpd_setrlimit }} persistent=yes
52 |
53 |     # Default root directory is /usr/share/nginx/html
54 |     # - name: Create /var/www
55 |     #   file: path=/var/www state=directory owner=root group=root mode=0755 recurse=false
56 |
57 |     # - name: Set SELinux context for /var/www
58 |     #   file: path=/var/www setype=httpd_sys_content_t state=directory recurse=yes
59 |   when: ansible_os_family == 'RedHat' and ansible_selinux['status'] != 'disabled'
60 |
61 | - name: Start and enable service
62 |   service: name=nginx state=started enabled=yes
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/roles.galaxy/cogini.users/tasks/main.yml:117-155
117 | - block:
118 |
119 |     - name: Add deploy group
120 |       group: name={{ users_deploy_group }} state=present
121 |
122 |     - name: Create deploy groups
123 |       group: name={{ item }} state=present
124 |       with_items: "{{ users_deploy_groups }}"
125 |
126 |     - name: Add deploy user
127 |       user:
128 |         name: "{{ users_deploy_user }}"
129 |         group: "{{ users_deploy_group }}"
130 |         groups: "{{ users_deploy_groups | join(',') }}"
131 |         shell: /bin/bash
132 |
133 |     - name: Remove deploy user ssh keys
134 |       file:
135 |         path: "/home/{{ users_deploy_user }}/.ssh/authorized_keys"
136 |         state: absent
137 |
138 |     - name: Add ssh keys for deploy users from files
139 |       authorized_key:
140 |         user: "{{ users_deploy_user }}"
141 |         key: "{{ lookup('file', item.key) }}"
142 |       with_items: "{{ users_users }}"
143 |       when: item.key is defined and item.user in users_deploy_users
144 |
145 |     - name: Add ssh keys for deploy users from GitHub
146 |       authorized_key:
147 |         user: "{{ users_deploy_user }}"
148 |         key: "https://github.com/{{ item.github }}.keys"
149 |       with_items: "{{ users_users }}"
150 |       when: item.github is defined and item.user in users_deploy_users and not ansible_check_mode
151 |
152 |   when: users_deploy_user is defined
153 |
154 | - block:
155 |
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/roles.galaxy/cogini.users/tasks/main.yml:154-192
154 | - block:
155 |
156 |     - name: Add app group
157 |       group: name={{ users_app_group }} state=present
158 |
159 |     - name: Create app groups
160 |       group: name={{ item }} state=present
161 |       with_items: "{{ users_app_groups }}"
162 |
163 |     - name: Add app user
164 |       user:
165 |         name: "{{ users_app_user }}"
166 |         group: "{{ users_app_group }}"
167 |         groups: "{{ users_app_groups | join(',') }}"
168 |         shell: /bin/bash
169 |
170 |     - name: Remove app user ssh keys
171 |       file:
172 |         path: "/home/{{ users_app_user }}/.ssh/authorized_keys"
173 |         state: absent
174 |
175 |     - name: Add ssh keys for app users from files
176 |       authorized_key:
177 |         user: "{{ users_app_user }}"
178 |         key: "{{ lookup('file', item.key) }}"
179 |       with_items: "{{ users_users }}"
180 |       when: item.key is defined and item.user in users_app_users
181 |
182 |     - name: Add ssh keys for app users from GitHub
183 |       authorized_key:
184 |         user: "{{ users_app_user }}"
185 |         key: "https://github.com/{{ item.github }}.keys"
186 |       with_items: "{{ users_users }}"
187 |       when: item.github is defined and item.user in users_app_users and not ansible_check_mode
188 |
189 |   when: users_app_user is defined
190 |
191 | - name: Remove authorized_keys for system accounts
192 |   file:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/playbooks/foo/config-app-https.yml:19-48
19 | - block:
20 |     - name: Create key tempfile
21 |       tempfile:
22 |         state: file
23 |       register: key_temp
24 |
25 |     # - debug: var=key_temp.path
26 |
27 |     - name: Write key data
28 |       copy:
29 |         content: "{{ https_key }}"
30 |         dest: "{{ key_temp.path }}"
31 |       no_log: true
32 |
33 |     - name: Put key file to S3
34 |       aws_s3:
35 |         bucket: "{{ config_bucket }}"
36 |         object: "{{ config_bucket_prefix }}/ssl/{{ filename }}.key"
37 |         src: "{{ key_temp.path }}"
38 |         mode: put
39 |
40 |     - name: Delete key tempfile
41 |       file:
42 |         state: absent
43 |         path: "{{ key_temp.path }}"
44 |
45 |   when: https_key is defined
46 |
47 | - block:
48 |     - name: Create cert tempfile
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/playbooks/foo/config-app-https.yml:47-76
47 | - block:
48 |     - name: Create cert tempfile
49 |       tempfile:
50 |         state: file
51 |       register: cert_temp
52 |
53 |     # - debug: var=cert_temp.path
54 |
55 |     - name: Write cert data
56 |       copy:
57 |         content: "{{ https_cert }}"
58 |         dest: "{{ cert_temp.path }}"
59 |       no_log: true
60 |
61 |     - name: Put cert file to S3
62 |       aws_s3:
63 |         bucket: "{{ config_bucket }}"
64 |         object: "{{ config_bucket_prefix }}/ssl/{{ filename }}.cert.pem"
65 |         src: "{{ cert_temp.path }}"
66 |         mode: put
67 |
68 |     - name: Delete cert tempfile
69 |       file:
70 |         state: absent
71 |         path: "{{ cert_temp.path }}"
72 |
73 |   when: https_cert is defined
74 |
75 | - block:
76 |     - name: Create cacert tempfile
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/playbooks/foo/config-app-https.yml:75-104
75 | - block:
76 |     - name: Create cacert tempfile
77 |       tempfile:
78 |         state: file
79 |       register: cacert_temp
80 |
81 |     # - debug: var=cacert_temp.path
82 |
83 |     - name: Write cacert data
84 |       copy:
85 |         content: "{{ https_cacert }}"
86 |         dest: "{{ cacert_temp.path }}"
87 |       no_log: true
88 |
89 |     - name: Put cacert file to S3
90 |       aws_s3:
91 |         bucket: "{{ config_bucket }}"
92 |         object: "{{ config_bucket_prefix }}/ssl/{{ filename }}.cacert.pem"
93 |         src: "{{ cacert_temp.path }}"
94 |         mode: put
95 |
96 |     - name: Delete cacert tempfile
97 |       file:
98 |         state: absent
99 |         path: "{{ cacert_temp.path }}"
100 |
101 |   when: https_cacert is defined
102 |
103 | - block:
104 |     - name: Create dh tempfile
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /ansible/playbooks/foo/config-app-https.yml:103-131
103 | - block:
104 |     - name: Create dh tempfile
105 |       tempfile:
106 |         state: file
107 |       register: dh_temp
108 |
109 |     # - debug: var=dh_temp.path
110 |
111 |     - name: Write dh data
112 |       copy:
113 |         content: "{{ https_dh }}"
114 |         dest: "{{ dh_temp.path }}"
115 |       no_log: true
116 |
117 |     - name: Put dh file to S3
118 |       aws_s3:
119 |         bucket: "{{ config_bucket }}"
120 |         object: "{{ config_bucket_prefix }}/ssl/{{ filename }}.dh.pem"
121 |         src: "{{ dh_temp.path }}"
122 |         mode: put
123 |
124 |     - name: Delete dh tempfile
125 |       file:
126 |         state: absent
127 |         path: "{{ dh_temp.path }}"
128 |
129 |   when: https_dh is defined
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools