Experience Builder


Terraform


Repository
collabnix / terraform
Description

Terraform - Beginners | Intermediate | Advanced

Stars

 251

Failed Checks
  • Security Scanning
  • Linting

Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:50:52,770 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:2.6.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:52,770 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:50:52,913 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch:latest failed to load via 
    2023-10-05 14:50:52,913 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch
    2023-10-05 14:50:52,926 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch:latest failed to load via 
    2023-10-05 14:50:52,926 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/beginners/aws/modules/API_Gateway & Cloudwatch
    terraform scan results:
    
    Passed checks: 112, Failed checks: 125, Skipped checks: 0, Parsing errors: 1
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.worker_group_mgmt_one
    	File: /beginners/aws/eks/security-groups.tf:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "worker_group_mgmt_one" {
    		2  |   name_prefix = "worker_group_mgmt_one"
    		3  |   vpc_id      = module.vpc.vpc_id
    		4  | 
    		5  |   ingress {
    		6  |     from_port = 22
    		7  |     to_port   = 22
    		8  |     protocol  = "tcp"
    		9  | 
    		10 |     cidr_blocks = [
    		11 |       "10.0.0.0/8",
    		12 |     ]
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.worker_group_mgmt_two
    	File: /beginners/aws/eks/security-groups.tf:16-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		16 | resource "aws_security_group" "worker_group_mgmt_two" {
    		17 |   name_prefix = "worker_group_mgmt_two"
    		18 |   vpc_id      = module.vpc.vpc_id
    		19 | 
    		20 |   ingress {
    		21 |     from_port = 22
    		22 |     to_port   = 22
    		23 |     protocol  = "tcp"
    		24 | 
    		25 |     cidr_blocks = [
    		26 |       "192.168.0.0/16",
    		27 |     ]
    		28 |   }
    		29 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.all_worker_mgmt
    	File: /beginners/aws/eks/security-groups.tf:31-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		31 | resource "aws_security_group" "all_worker_mgmt" {
    		32 |   name_prefix = "all_worker_management"
    		33 |   vpc_id      = module.vpc.vpc_id
    		34 | 
    		35 |   ingress {
    		36 |     from_port = 22
    		37 |     to_port   = 22
    		38 |     protocol  = "tcp"
    		39 | 
    		40 |     cidr_blocks = [
    		41 |       "10.0.0.0/8",
    		42 |       "172.16.0.0/12",
    		43 |       "192.168.0.0/16",
    		44 |     ]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_237: "Ensure Create before destroy for API GATEWAY"
    	FAILED for resource: aws_api_gateway_rest_api.panda
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy.html
    
    		1 | resource "aws_api_gateway_rest_api" "panda" {
    		2 |   name = "panda"
    		3 | }
    
    Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
    	FAILED for resource: aws_api_gateway_method.panda1
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:11-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html
    
    		11 | resource "aws_api_gateway_method" "panda1" {
    		12 |   rest_api_id          = aws_api_gateway_rest_api.panda.id
    		13 |   resource_id          = aws_api_gateway_resource.healthcheck.id
    		14 |   http_method          = "POST"
    		15 |   authorization        = "NONE"
    		16 | }
    
    Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
    	FAILED for resource: aws_api_gateway_method.panda
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:88-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html
    
    		88 | resource "aws_api_gateway_method" "panda" {
    		89 |   authorization = "NONE"
    		90 |   http_method   = "GET"
    		91 |   resource_id   = aws_api_gateway_resource.panda.id
    		92 |   rest_api_id   = aws_api_gateway_rest_api.panda.id
    		93 | }
    
    Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
    	FAILED for resource: aws_api_gateway_stage.panda
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:120-125
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled.html
    
    		120 | resource "aws_api_gateway_stage" "panda" {
    		121 |   depends_on = [aws_api_gateway_deployment.panda1, aws_api_gateway_stage.panda]
    		122 |   deployment_id = aws_api_gateway_deployment.panda.id
    		123 |   rest_api_id   = aws_api_gateway_rest_api.panda.id
    		124 |   stage_name    = "panda"
    		125 | }
    
    Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
    	FAILED for resource: aws_api_gateway_stage.panda
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:120-125
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-15.html
    
    		120 | resource "aws_api_gateway_stage" "panda" {
    		121 |   depends_on = [aws_api_gateway_deployment.panda1, aws_api_gateway_stage.panda]
    		122 |   deployment_id = aws_api_gateway_deployment.panda.id
    		123 |   rest_api_id   = aws_api_gateway_rest_api.panda.id
    		124 |   stage_name    = "panda"
    		125 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_api_gateway_stage.panda
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/api_gateway.tf:120-125
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		120 | resource "aws_api_gateway_stage" "panda" {
    		121 |   depends_on = [aws_api_gateway_deployment.panda1, aws_api_gateway_stage.panda]
    		122 |   deployment_id = aws_api_gateway_deployment.panda.id
    		123 |   rest_api_id   = aws_api_gateway_rest_api.panda.id
    		124 |   stage_name    = "panda"
    		125 | }
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.sns
    	File: /beginners/aws/modules/API_Gateway & CloudWatch/route53_health_check.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		1 | resource "aws_sns_topic" "sns" {
    		2 |   name = "user-updates-topic"
    		3 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web1
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:1-22
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1  | resource "aws_instance" "web1" {
    		2  |   ami           = "enter-ami-id"
    		3  |   instance_type = "t2.micro"
    		4  |   subnet_id   = "enter-subnet-id"
    		5  |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		6  |   key_name = "enter-key-name"
    		7  |   provisioner "remote-exec" {
    		8  |     inline = [
    		9  |       "sudo yum install httpd -y",
    		10 |       "sudo service httpd start",
    		11 |       "sudo chkconfig httpd on"
    		12 |     ]
    		13 | 
    		14 |     connection {
    		15 |     type     = "ssh"
    		16 |     user     = "ec2-user"
    		17 |     host     = aws_instance.web.public_ip
    		18 |     private_key = file("${path.module}/key-name.pem")
    		19 |   }  
    		20 |     
    		21 | }
    		22 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web1
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:1-22
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1  | resource "aws_instance" "web1" {
    		2  |   ami           = "enter-ami-id"
    		3  |   instance_type = "t2.micro"
    		4  |   subnet_id   = "enter-subnet-id"
    		5  |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		6  |   key_name = "enter-key-name"
    		7  |   provisioner "remote-exec" {
    		8  |     inline = [
    		9  |       "sudo yum install httpd -y",
    		10 |       "sudo service httpd start",
    		11 |       "sudo chkconfig httpd on"
    		12 |     ]
    		13 | 
    		14 |     connection {
    		15 |     type     = "ssh"
    		16 |     user     = "ec2-user"
    		17 |     host     = aws_instance.web.public_ip
    		18 |     private_key = file("${path.module}/key-name.pem")
    		19 |   }  
    		20 |     
    		21 | }
    		22 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web1
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:1-22
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1  | resource "aws_instance" "web1" {
    		2  |   ami           = "enter-ami-id"
    		3  |   instance_type = "t2.micro"
    		4  |   subnet_id   = "enter-subnet-id"
    		5  |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		6  |   key_name = "enter-key-name"
    		7  |   provisioner "remote-exec" {
    		8  |     inline = [
    		9  |       "sudo yum install httpd -y",
    		10 |       "sudo service httpd start",
    		11 |       "sudo chkconfig httpd on"
    		12 |     ]
    		13 | 
    		14 |     connection {
    		15 |     type     = "ssh"
    		16 |     user     = "ec2-user"
    		17 |     host     = aws_instance.web.public_ip
    		18 |     private_key = file("${path.module}/key-name.pem")
    		19 |   }  
    		20 |     
    		21 | }
    		22 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web1
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:1-22
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1  | resource "aws_instance" "web1" {
    		2  |   ami           = "enter-ami-id"
    		3  |   instance_type = "t2.micro"
    		4  |   subnet_id   = "enter-subnet-id"
    		5  |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		6  |   key_name = "enter-key-name"
    		7  |   provisioner "remote-exec" {
    		8  |     inline = [
    		9  |       "sudo yum install httpd -y",
    		10 |       "sudo service httpd start",
    		11 |       "sudo chkconfig httpd on"
    		12 |     ]
    		13 | 
    		14 |     connection {
    		15 |     type     = "ssh"
    		16 |     user     = "ec2-user"
    		17 |     host     = aws_instance.web.public_ip
    		18 |     private_key = file("${path.module}/key-name.pem")
    		19 |   }  
    		20 |     
    		21 | }
    		22 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web2
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:24-45
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		24 | resource "aws_instance" "web2" {
    		25 |   ami           = "enter-ami-id"
    		26 |   instance_type = "t2.micro"
    		27 |   subnet_id   = "enter-your-subnet-id"
    		28 |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		29 |   key_name = "enter-key-name"
    		30 |   provisioner "remote-exec" {
    		31 |     inline = [
    		32 |       "sudo yum install https -y",
    		33 |       "sudo service httpd start",
    		34 |       "sudo chkconfig httpd on"
    		35 |     ]
    		36 | 
    		37 |     connection {
    		38 |     type     = "ssh"
    		39 |     user     = "ec2-user"
    		40 |     host     = aws_instance.web2.public_ip
    		41 |     private_key = file("${path.module}/kay-name.pem")
    		42 |   }  
    		43 |     
    		44 | }
    		45 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web2
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:24-45
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		24 | resource "aws_instance" "web2" {
    		25 |   ami           = "enter-ami-id"
    		26 |   instance_type = "t2.micro"
    		27 |   subnet_id   = "enter-your-subnet-id"
    		28 |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		29 |   key_name = "enter-key-name"
    		30 |   provisioner "remote-exec" {
    		31 |     inline = [
    		32 |       "sudo yum install https -y",
    		33 |       "sudo service httpd start",
    		34 |       "sudo chkconfig httpd on"
    		35 |     ]
    		36 | 
    		37 |     connection {
    		38 |     type     = "ssh"
    		39 |     user     = "ec2-user"
    		40 |     host     = aws_instance.web2.public_ip
    		41 |     private_key = file("${path.module}/kay-name.pem")
    		42 |   }  
    		43 |     
    		44 | }
    		45 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web2
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:24-45
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		24 | resource "aws_instance" "web2" {
    		25 |   ami           = "enter-ami-id"
    		26 |   instance_type = "t2.micro"
    		27 |   subnet_id   = "enter-your-subnet-id"
    		28 |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		29 |   key_name = "enter-key-name"
    		30 |   provisioner "remote-exec" {
    		31 |     inline = [
    		32 |       "sudo yum install https -y",
    		33 |       "sudo service httpd start",
    		34 |       "sudo chkconfig httpd on"
    		35 |     ]
    		36 | 
    		37 |     connection {
    		38 |     type     = "ssh"
    		39 |     user     = "ec2-user"
    		40 |     host     = aws_instance.web2.public_ip
    		41 |     private_key = file("${path.module}/kay-name.pem")
    		42 |   }  
    		43 |     
    		44 | }
    		45 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_instance.web2
    	File: /beginners/aws/modules/application_load_balancer/instances.tf:24-45
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		24 | resource "aws_instance" "web2" {
    		25 |   ami           = "enter-ami-id"
    		26 |   instance_type = "t2.micro"
    		27 |   subnet_id   = "enter-your-subnet-id"
    		28 |   vpc_security_group_ids = [aws_security_group.allow_http_instances.id]
    		29 |   key_name = "enter-key-name"
    		30 |   provisioner "remote-exec" {
    		31 |     inline = [
    		32 |       "sudo yum install https -y",
    		33 |       "sudo service httpd start",
    		34 |       "sudo chkconfig httpd on"
    		35 |     ]
    		36 | 
    		37 |     connection {
    		38 |     type     = "ssh"
    		39 |     user     = "ec2-user"
    		40 |     host     = aws_instance.web2.public_ip
    		41 |     private_key = file("${path.module}/kay-name.pem")
    		42 |   }  
    		43 |     
    		44 | }
    		45 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_lb.my-lb
    	File: /beginners/aws/modules/application_load_balancer/loadbalancer.tf:1-16
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		1  | resource "aws_lb" "my-lb" {
    		2  |   name               = "lb-tf"
    		3  |   internal           = false
    		4  |   load_balancer_type = "application"
    		5  |   security_groups    = [aws_security_group.allow_http.id]
    		6  |   # Enter you subnet ids under vpc below
    		7  |   subnets            = ["subnet-id1","subnet-id2","subnet-id3","subnet-id4"]
    		8  | 
    		9  |   enable_deletion_protection = false
    		10 | 
    		11 | 
    		12 | 
    		13 |   tags = {
    		14 |     name = "my-first-load-balancer"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_lb.my-lb
    	File: /beginners/aws/modules/application_load_balancer/loadbalancer.tf:1-16
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		1  | resource "aws_lb" "my-lb" {
    		2  |   name               = "lb-tf"
    		3  |   internal           = false
    		4  |   load_balancer_type = "application"
    		5  |   security_groups    = [aws_security_group.allow_http.id]
    		6  |   # Enter you subnet ids under vpc below
    		7  |   subnets            = ["subnet-id1","subnet-id2","subnet-id3","subnet-id4"]
    		8  | 
    		9  |   enable_deletion_protection = false
    		10 | 
    		11 | 
    		12 | 
    		13 |   tags = {
    		14 |     name = "my-first-load-balancer"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_lb.my-lb
    	File: /beginners/aws/modules/application_load_balancer/loadbalancer.tf:1-16
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		1  | resource "aws_lb" "my-lb" {
    		2  |   name               = "lb-tf"
    		3  |   internal           = false
    		4  |   load_balancer_type = "application"
    		5  |   security_groups    = [aws_security_group.allow_http.id]
    		6  |   # Enter you subnet ids under vpc below
    		7  |   subnets            = ["subnet-id1","subnet-id2","subnet-id3","subnet-id4"]
    		8  | 
    		9  |   enable_deletion_protection = false
    		10 | 
    		11 | 
    		12 | 
    		13 |   tags = {
    		14 |     name = "my-first-load-balancer"
    		15 |   }
    		16 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_lb_listener.front_end
    	File: /beginners/aws/modules/application_load_balancer/loadbalancer.tf:18-27
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		18 | resource "aws_lb_listener" "front_end" {
    		19 |   load_balancer_arn = aws_lb.my-lb.arn
    		20 |   port              = "80"
    		21 |   protocol          = "HTTP"
    		22 |   
    		23 |   default_action {
    		24 |     type             = "forward"
    		25 |     target_group_arn = aws_lb_target_group.target-lb.arn
    		26 |   }
    		27 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_security_group.allow_http
    	File: /beginners/aws/modules/application_load_balancer/security_group.tf:1-24
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "allow_http" {
    		2  |   name        = "alb_http"
    		3  |   description = "Allow http traffic to alb"
    		4  |   vpc_id      = "enter_vpc_id"
    		5  | 
    		6  |   ingress {
    		7  |     description = "http for alb"
    		8  |     from_port   = 80
    		9  |     to_port     = 80
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = ["0.0.0.0/0"]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "allow_http_alb"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_security_group.allow_http
    	File: /beginners/aws/modules/application_load_balancer/security_group.tf:1-24
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		1  | resource "aws_security_group" "allow_http" {
    		2  |   name        = "alb_http"
    		3  |   description = "Allow http traffic to alb"
    		4  |   vpc_id      = "enter_vpc_id"
    		5  | 
    		6  |   ingress {
    		7  |     description = "http for alb"
    		8  |     from_port   = 80
    		9  |     to_port     = 80
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = ["0.0.0.0/0"]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | 
    		21 |   tags = {
    		22 |     Name = "allow_http_alb"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_security_group.allow_http_instances
    	File: /beginners/aws/modules/application_load_balancer/security_group.tf:26-56
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		26 | resource "aws_security_group" "allow_http_instances" {
    		27 |   name        = "instances_http"
    		28 |   description = "Allow http traffic to instances"
    		29 |   vpc_id      = "enter_vpc_id"
    		30 | 
    		31 |   ingress {
    		32 |     description = "http for instances"
    		33 |     from_port   = 80
    		34 |     to_port     = 80
    		35 |     protocol    = "tcp"
    		36 |     security_groups = [aws_security_group.allow_http.id]
    		37 |   }
    		38 | 
    		39 | ingress {
    		40 |     description = "ssh for instances"
    		41 |     from_port   = 22
    		42 |     to_port     = 22
    		43 |     protocol    = "tcp"
    		44 |     cidr_blocks = ["0.0.0.0/0"]
    		45 |   }
    		46 |   egress {
    		47 |     from_port   = 0
    		48 |     to_port     = 0
    		49 |     protocol    = "-1"
    		50 |     cidr_blocks = ["0.0.0.0/0"]
    		51 |   }
    		52 | 
    		53 |   tags = {
    		54 |     Name = "allow_http_instaces"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_security_group.allow_http_instances
    	File: /beginners/aws/modules/application_load_balancer/security_group.tf:26-56
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		26 | resource "aws_security_group" "allow_http_instances" {
    		27 |   name        = "instances_http"
    		28 |   description = "Allow http traffic to instances"
    		29 |   vpc_id      = "enter_vpc_id"
    		30 | 
    		31 |   ingress {
    		32 |     description = "http for instances"
    		33 |     from_port   = 80
    		34 |     to_port     = 80
    		35 |     protocol    = "tcp"
    		36 |     security_groups = [aws_security_group.allow_http.id]
    		37 |   }
    		38 | 
    		39 | ingress {
    		40 |     description = "ssh for instances"
    		41 |     from_port   = 22
    		42 |     to_port     = 22
    		43 |     protocol    = "tcp"
    		44 |     cidr_blocks = ["0.0.0.0/0"]
    		45 |   }
    		46 |   egress {
    		47 |     from_port   = 0
    		48 |     to_port     = 0
    		49 |     protocol    = "-1"
    		50 |     cidr_blocks = ["0.0.0.0/0"]
    		51 |   }
    		52 | 
    		53 |   tags = {
    		54 |     Name = "allow_http_instaces"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
    	FAILED for resource: module.collabnix_application_load_balancer.aws_lb_target_group.target-lb
    	File: /beginners/aws/modules/application_load_balancer/target_group_attach.tf:1-6
    	Calling File: /beginners/aws/main.tf:22-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
    
    		1 | resource "aws_lb_target_group" "target-lb" {
    		2 |   name     = "lb-tg"
    		3 |   port     = 80
    		4 |   protocol = "HTTP"
    		5 |   vpc_id   = "enter_vpc_id"
    		6 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.collabnix_ec2.aws_instance.instance
    	File: /beginners/aws/modules/ec2/ec2.tf:17-31
    	Calling File: /beginners/aws/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		17 | resource "aws_instance" "instance" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.defaultNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     project = "Collabnix"
    		29 |     department = "Automation"
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.collabnix_ec2.aws_instance.instance
    	File: /beginners/aws/modules/ec2/ec2.tf:17-31
    	Calling File: /beginners/aws/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		17 | resource "aws_instance" "instance" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.defaultNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     project = "Collabnix"
    		29 |     department = "Automation"
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.collabnix_ec2.aws_instance.instance
    	File: /beginners/aws/modules/ec2/ec2.tf:17-31
    	Calling File: /beginners/aws/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		17 | resource "aws_instance" "instance" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.defaultNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     project = "Collabnix"
    		29 |     department = "Automation"
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.collabnix_ec2.aws_instance.instance
    	File: /beginners/aws/modules/ec2/ec2.tf:17-31
    	Calling File: /beginners/aws/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		17 | resource "aws_instance" "instance" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.defaultNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     project = "Collabnix"
    		29 |     department = "Automation"
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.collabnix_ec2_webserver.aws_instance.webserver
    	File: /beginners/aws/modules/ec2_apache_webserver/ec2.tf:17-58
    	Calling File: /beginners/aws/main.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		17 | resource "aws_instance" "webserver" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.webserverNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   provisioner "file" {
    		28 | 
    		29 |     connection {
    		30 |       host = self.public_ip
    		31 |       type     = "ssh"
    		32 |       user     = "ubuntu"
    		33 |       private_key = file("${path.module}/key.pem")
    		34 |     }
    		35 | 
    		36 |     source      = var.bootscript_file_path
    		37 |     destination = "/tmp/bootscript.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 | 
    		42 |     connection {
    		43 |       host = self.public_ip
    		44 |       type     = "ssh"
    		45 |       user     = "ubuntu"
    		46 |       private_key = file("${path.module}/key.pem")
    		47 |     }
    		48 |     inline = [
    		49 |       "chmod +x /tmp/bootscript.sh",
    		50 |       "/tmp/bootscript.sh",
    		51 |     ]
    		52 |   }
    		53 | 
    		54 |   tags = {
    		55 |     project = "Collabnix"
    		56 |     department = "Automation"
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.collabnix_ec2_webserver.aws_instance.webserver
    	File: /beginners/aws/modules/ec2_apache_webserver/ec2.tf:17-58
    	Calling File: /beginners/aws/main.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		17 | resource "aws_instance" "webserver" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.webserverNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   provisioner "file" {
    		28 | 
    		29 |     connection {
    		30 |       host = self.public_ip
    		31 |       type     = "ssh"
    		32 |       user     = "ubuntu"
    		33 |       private_key = file("${path.module}/key.pem")
    		34 |     }
    		35 | 
    		36 |     source      = var.bootscript_file_path
    		37 |     destination = "/tmp/bootscript.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 | 
    		42 |     connection {
    		43 |       host = self.public_ip
    		44 |       type     = "ssh"
    		45 |       user     = "ubuntu"
    		46 |       private_key = file("${path.module}/key.pem")
    		47 |     }
    		48 |     inline = [
    		49 |       "chmod +x /tmp/bootscript.sh",
    		50 |       "/tmp/bootscript.sh",
    		51 |     ]
    		52 |   }
    		53 | 
    		54 |   tags = {
    		55 |     project = "Collabnix"
    		56 |     department = "Automation"
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.collabnix_ec2_webserver.aws_instance.webserver
    	File: /beginners/aws/modules/ec2_apache_webserver/ec2.tf:17-58
    	Calling File: /beginners/aws/main.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		17 | resource "aws_instance" "webserver" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.webserverNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   provisioner "file" {
    		28 | 
    		29 |     connection {
    		30 |       host = self.public_ip
    		31 |       type     = "ssh"
    		32 |       user     = "ubuntu"
    		33 |       private_key = file("${path.module}/key.pem")
    		34 |     }
    		35 | 
    		36 |     source      = var.bootscript_file_path
    		37 |     destination = "/tmp/bootscript.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 | 
    		42 |     connection {
    		43 |       host = self.public_ip
    		44 |       type     = "ssh"
    		45 |       user     = "ubuntu"
    		46 |       private_key = file("${path.module}/key.pem")
    		47 |     }
    		48 |     inline = [
    		49 |       "chmod +x /tmp/bootscript.sh",
    		50 |       "/tmp/bootscript.sh",
    		51 |     ]
    		52 |   }
    		53 | 
    		54 |   tags = {
    		55 |     project = "Collabnix"
    		56 |     department = "Automation"
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.collabnix_ec2_webserver.aws_instance.webserver
    	File: /beginners/aws/modules/ec2_apache_webserver/ec2.tf:17-58
    	Calling File: /beginners/aws/main.tf:10-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		17 | resource "aws_instance" "webserver" {
    		18 |   ami           = data.aws_ami.ubuntu.id
    		19 |   instance_type = "t2.micro"
    		20 |   key_name = var.key_pair_name
    		21 | 
    		22 |   network_interface {
    		23 |     network_interface_id = aws_network_interface.webserverNIC.id
    		24 |     device_index         = 0
    		25 |   }
    		26 | 
    		27 |   provisioner "file" {
    		28 | 
    		29 |     connection {
    		30 |       host = self.public_ip
    		31 |       type     = "ssh"
    		32 |       user     = "ubuntu"
    		33 |       private_key = file("${path.module}/key.pem")
    		34 |     }
    		35 | 
    		36 |     source      = var.bootscript_file_path
    		37 |     destination = "/tmp/bootscript.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 | 
    		42 |     connection {
    		43 |       host = self.public_ip
    		44 |       type     = "ssh"
    		45 |       user     = "ubuntu"
    		46 |       private_key = file("${path.module}/key.pem")
    		47 |     }
    		48 |     inline = [
    		49 |       "chmod +x /tmp/bootscript.sh",
    		50 |       "/tmp/bootscript.sh",
    		51 |     ]
    		52 |   }
    		53 | 
    		54 |   tags = {
    		55 |     project = "Collabnix"
    		56 |     department = "Automation"
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.collabnix_vpc.aws_subnet.publicsubnet
    	File: /beginners/aws/modules/vpc/subnet.tf:1-10
    	Calling File: /beginners/aws/main.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		1  | resource "aws_subnet" "publicsubnet" {
    		2  |   vpc_id     = aws_vpc.collabnix_vpc.id
    		3  |   cidr_block = var.public_subnet_cidr
    		4  |   map_public_ip_on_launch = "true"
    		5  | 
    		6  |   tags = {
    		7  |     project = "Collabnix"
    		8  |     department = "Automation"
    		9  |   }
    		10 | }
    
    Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_117: "Ensure that AKS uses disk encryption set"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-uses-disk-encryption-set.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_7: "Ensure AKS cluster has Network Policy configured"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-4.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_116: "Ensure that AKS uses Azure Policies Add-on"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-uses-azure-policies-add-on.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_6: "Ensure AKS has an API Server Authorized IP Ranges enabled"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-3.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_170: "Ensure that AKS use the Paid Sku for its SLA"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_141: "Ensure AKS local admin account is disabled"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-kubernetes-service-aks-local-admin-account-is-disabled.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_171: "Ensure AKS cluster upgrade channel is chosen"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_115: "Ensure that AKS enables private clusters"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/ensure-that-aks-enables-private-clusters.html
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /beginners/azure/linuxVM/linuxvm.tf:121-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		121 | resource "azurerm_linux_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-linuxvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 |     disable_password_authentication   =   false
    		131 | 
    		132 |     os_disk  {
    		133 |         name                          =   "${var.prefix}-linuxvm-os-disk"
    		134 |         caching                       =   var.os_disk_caching
    		135 |         storage_account_type          =   var.os_disk_storage_account_type
    		136 |         disk_size_gb                  =   var.os_disk_size_gb
    		137 |     }
    		138 | 
    		139 |     source_image_reference {
    		140 |         publisher                     =   var.publisher
    		141 |         offer                         =   var.offer
    		142 |         sku                           =   var.sku
    		143 |         version                       =   var.vm_image_version
    		144 |     }
    		145 | 
    		146 |     tags                              =   var.tags
    		147 | 
    		148 | }
    
    Check: CKV_AZURE_178: "Ensure linux VM enables SSH with keys for secure communication"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /beginners/azure/linuxVM/linuxvm.tf:121-148
    
    		121 | resource "azurerm_linux_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-linuxvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 |     disable_password_authentication   =   false
    		131 | 
    		132 |     os_disk  {
    		133 |         name                          =   "${var.prefix}-linuxvm-os-disk"
    		134 |         caching                       =   var.os_disk_caching
    		135 |         storage_account_type          =   var.os_disk_storage_account_type
    		136 |         disk_size_gb                  =   var.os_disk_size_gb
    		137 |     }
    		138 | 
    		139 |     source_image_reference {
    		140 |         publisher                     =   var.publisher
    		141 |         offer                         =   var.offer
    		142 |         sku                           =   var.sku
    		143 |         version                       =   var.vm_image_version
    		144 |     }
    		145 | 
    		146 |     tags                              =   var.tags
    		147 | 
    		148 | }
    
    Check: CKV_AZURE_1: "Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /beginners/azure/linuxVM/linuxvm.tf:121-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-1.html
    
    		121 | resource "azurerm_linux_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-linuxvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 |     disable_password_authentication   =   false
    		131 | 
    		132 |     os_disk  {
    		133 |         name                          =   "${var.prefix}-linuxvm-os-disk"
    		134 |         caching                       =   var.os_disk_caching
    		135 |         storage_account_type          =   var.os_disk_storage_account_type
    		136 |         disk_size_gb                  =   var.os_disk_size_gb
    		137 |     }
    		138 | 
    		139 |     source_image_reference {
    		140 |         publisher                     =   var.publisher
    		141 |         offer                         =   var.offer
    		142 |         sku                           =   var.sku
    		143 |         version                       =   var.vm_image_version
    		144 |     }
    		145 | 
    		146 |     tags                              =   var.tags
    		147 | 
    		148 | }
    
    Check: CKV_AZURE_149: "Ensure that Virtual machine does not enable password authentication"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /beginners/azure/linuxVM/linuxvm.tf:121-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-virtual-machine-does-not-enable-password-authentication.html
    
    		121 | resource "azurerm_linux_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-linuxvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 |     disable_password_authentication   =   false
    		131 | 
    		132 |     os_disk  {
    		133 |         name                          =   "${var.prefix}-linuxvm-os-disk"
    		134 |         caching                       =   var.os_disk_caching
    		135 |         storage_account_type          =   var.os_disk_storage_account_type
    		136 |         disk_size_gb                  =   var.os_disk_size_gb
    		137 |     }
    		138 | 
    		139 |     source_image_reference {
    		140 |         publisher                     =   var.publisher
    		141 |         offer                         =   var.offer
    		142 |         sku                           =   var.sku
    		143 |         version                       =   var.vm_image_version
    		144 |     }
    		145 | 
    		146 |     tags                              =   var.tags
    		147 | 
    		148 | }
    
    Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: azurerm_windows_virtual_machine.vm
    	File: /beginners/azure/windowsVM/windowsvm.tf:121-147
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		121 | resource "azurerm_windows_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-winvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 | 
    		131 |     os_disk  {
    		132 |         name                          =   "${var.prefix}-winvm-os-disk"
    		133 |         caching                       =   var.os_disk_caching
    		134 |         storage_account_type          =   var.os_disk_storage_account_type
    		135 |         disk_size_gb                  =   var.os_disk_size_gb
    		136 |     }
    		137 | 
    		138 |     source_image_reference {
    		139 |         publisher                     =   var.publisher
    		140 |         offer                         =   var.offer
    		141 |         sku                           =   var.sku
    		142 |         version                       =   var.vm_image_version
    		143 |     }
    		144 | 
    		145 |     tags                              =   var.tags
    		146 | 
    		147 | }
    
    Check: CKV_AZURE_151: "Ensure Windows VM enables encryption"
    	FAILED for resource: azurerm_windows_virtual_machine.vm
    	File: /beginners/azure/windowsVM/windowsvm.tf:121-147
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption.html
    
    		121 | resource "azurerm_windows_virtual_machine" "vm" {
    		122 |     name                              =   "${var.prefix}-winvm"
    		123 |     resource_group_name               =   azurerm_resource_group.rg.name
    		124 |     location                          =   azurerm_resource_group.rg.location
    		125 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		126 |     size                              =   var.virtual_machine_size
    		127 |     computer_name                     =   var.computer_name
    		128 |     admin_username                    =   var.admin_username
    		129 |     admin_password                    =   var.admin_password
    		130 | 
    		131 |     os_disk  {
    		132 |         name                          =   "${var.prefix}-winvm-os-disk"
    		133 |         caching                       =   var.os_disk_caching
    		134 |         storage_account_type          =   var.os_disk_storage_account_type
    		135 |         disk_size_gb                  =   var.os_disk_size_gb
    		136 |     }
    		137 | 
    		138 |     source_image_reference {
    		139 |         publisher                     =   var.publisher
    		140 |         offer                         =   var.offer
    		141 |         sku                           =   var.sku
    		142 |         version                       =   var.vm_image_version
    		143 |     }
    		144 | 
    		145 |     tags                              =   var.tags
    		146 | 
    		147 | }
    
    Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_disk.default
    	File: /beginners/gcp/virtual-machine/compute-disk.tf:2-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
    
    		2 | resource "google_compute_disk" "default" {
    		3 |   name     = "disk-${random_id.top_level_resource_suffix.hex}"
    		4 |   type     = "pd-ssd"
    		5 |   size     = 20
    		6 |   zone     = var.gcp_compute_zone
    		7 |   image    = data.google_compute_image.ubuntu_image.self_link
    		8 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.nginx
    	File: /beginners/gcp/virtual-machine/compute-instance.tf:7-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		7  | resource "google_compute_instance" "nginx" {
    		8  |   name         = "vm-${random_id.top_level_resource_suffix.hex}"
    		9  |   machine_type = var.machine_type
    		10 |   zone         = var.gcp_compute_zone
    		11 | 
    		12 |   allow_stopping_for_update = true
    		13 | 
    		14 |   boot_disk {
    		15 |     source = google_compute_disk.default.self_link
    		16 |   }
    		17 | 
    		18 |   # A startup script that will run on our os and setup a nginx server for us
    		19 |   metadata_startup_script = "sudo apt-get update; sudo apt-get install nginx-light -y"
    		20 | 
    		21 |   # Allows traffic @ PORT 80. It is recommended to use custom vpc and subnets with firewalls rules
    		22 |   tags = ["http-server"]
    		23 | 
    		24 |   # Block where you can configure your vpc and subnets
    		25 |   network_interface {
    		26 |     network = "default"
    		27 |     access_config {
    		28 |       nat_ip = google_compute_address.static.address
    		29 |     }
    		30 |   }
    		31 | 
    		32 |   # Adding a service account
    		33 |   service_account {
    		34 |     scopes = ["https://www.googleapis.com/auth/monitoring"]
    		35 |   }
    		36 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.nginx
    	File: /beginners/gcp/virtual-machine/compute-instance.tf:7-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		7  | resource "google_compute_instance" "nginx" {
    		8  |   name         = "vm-${random_id.top_level_resource_suffix.hex}"
    		9  |   machine_type = var.machine_type
    		10 |   zone         = var.gcp_compute_zone
    		11 | 
    		12 |   allow_stopping_for_update = true
    		13 | 
    		14 |   boot_disk {
    		15 |     source = google_compute_disk.default.self_link
    		16 |   }
    		17 | 
    		18 |   # A startup script that will run on our os and setup a nginx server for us
    		19 |   metadata_startup_script = "sudo apt-get update; sudo apt-get install nginx-light -y"
    		20 | 
    		21 |   # Allows traffic @ PORT 80. It is recommended to use custom vpc and subnets with firewalls rules
    		22 |   tags = ["http-server"]
    		23 | 
    		24 |   # Block where you can configure your vpc and subnets
    		25 |   network_interface {
    		26 |     network = "default"
    		27 |     access_config {
    		28 |       nat_ip = google_compute_address.static.address
    		29 |     }
    		30 |   }
    		31 | 
    		32 |   # Adding a service account
    		33 |   service_account {
    		34 |     scopes = ["https://www.googleapis.com/auth/monitoring"]
    		35 |   }
    		36 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.nginx
    	File: /beginners/gcp/virtual-machine/compute-instance.tf:7-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		7  | resource "google_compute_instance" "nginx" {
    		8  |   name         = "vm-${random_id.top_level_resource_suffix.hex}"
    		9  |   machine_type = var.machine_type
    		10 |   zone         = var.gcp_compute_zone
    		11 | 
    		12 |   allow_stopping_for_update = true
    		13 | 
    		14 |   boot_disk {
    		15 |     source = google_compute_disk.default.self_link
    		16 |   }
    		17 | 
    		18 |   # A startup script that will run on our os and setup a nginx server for us
    		19 |   metadata_startup_script = "sudo apt-get update; sudo apt-get install nginx-light -y"
    		20 | 
    		21 |   # Allows traffic @ PORT 80. It is recommended to use custom vpc and subnets with firewalls rules
    		22 |   tags = ["http-server"]
    		23 | 
    		24 |   # Block where you can configure your vpc and subnets
    		25 |   network_interface {
    		26 |     network = "default"
    		27 |     access_config {
    		28 |       nat_ip = google_compute_address.static.address
    		29 |     }
    		30 |   }
    		31 | 
    		32 |   # Adding a service account
    		33 |   service_account {
    		34 |     scopes = ["https://www.googleapis.com/auth/monitoring"]
    		35 |   }
    		36 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.nginx
    	File: /beginners/gcp/virtual-machine/compute-instance.tf:7-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		7  | resource "google_compute_instance" "nginx" {
    		8  |   name         = "vm-${random_id.top_level_resource_suffix.hex}"
    		9  |   machine_type = var.machine_type
    		10 |   zone         = var.gcp_compute_zone
    		11 | 
    		12 |   allow_stopping_for_update = true
    		13 | 
    		14 |   boot_disk {
    		15 |     source = google_compute_disk.default.self_link
    		16 |   }
    		17 | 
    		18 |   # A startup script that will run on our os and setup a nginx server for us
    		19 |   metadata_startup_script = "sudo apt-get update; sudo apt-get install nginx-light -y"
    		20 | 
    		21 |   # Allows traffic @ PORT 80. It is recommended to use custom vpc and subnets with firewalls rules
    		22 |   tags = ["http-server"]
    		23 | 
    		24 |   # Block where you can configure your vpc and subnets
    		25 |   network_interface {
    		26 |     network = "default"
    		27 |     access_config {
    		28 |       nat_ip = google_compute_address.static.address
    		29 |     }
    		30 |   }
    		31 | 
    		32 |   # Adding a service account
    		33 |   service_account {
    		34 |     scopes = ["https://www.googleapis.com/auth/monitoring"]
    		35 |   }
    		36 | }
    
    Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
    	FAILED for resource: google_compute_instance.nginx
    	File: /beginners/gcp/virtual-machine/compute-instance.tf:7-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
    
    		7  | resource "google_compute_instance" "nginx" {
    		8  |   name         = "vm-${random_id.top_level_resource_suffix.hex}"
    		9  |   machine_type = var.machine_type
    		10 |   zone         = var.gcp_compute_zone
    		11 | 
    		12 |   allow_stopping_for_update = true
    		13 | 
    		14 |   boot_disk {
    		15 |     source = google_compute_disk.default.self_link
    		16 |   }
    		17 | 
    		18 |   # A startup script that will run on our os and setup a nginx server for us
    		19 |   metadata_startup_script = "sudo apt-get update; sudo apt-get install nginx-light -y"
    		20 | 
    		21 |   # Allows traffic @ PORT 80. It is recommended to use custom vpc and subnets with firewalls rules
    		22 |   tags = ["http-server"]
    		23 | 
    		24 |   # Block where you can configure your vpc and subnets
    		25 |   network_interface {
    		26 |     network = "default"
    		27 |     access_config {
    		28 |       nat_ip = google_compute_address.static.address
    		29 |     }
    		30 |   }
    		31 | 
    		32 |   # Adding a service account
    		33 |   service_account {
    		34 |     scopes = ["https://www.googleapis.com/auth/monitoring"]
    		35 |   }
    		36 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: google_compute_subnetwork.this
    	File: /beginners/gcp/vpc/vpc.tf:6-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		6  | resource "google_compute_subnetwork" "this" {
    		7  |   name                     = var.subnet_name
    		8  |   ip_cidr_range            = var.ip_cidr_range
    		9  |   region                   = var.gcp_project_location
    		10 |   network                  = google_compute_network.this.self_link
    		11 |   private_ip_google_access = true
    		12 | }
    
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: google_compute_subnetwork.this
    	File: /beginners/gcp/vpc/vpc.tf:6-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		6  | resource "google_compute_subnetwork" "this" {
    		7  |   name                     = var.subnet_name
    		8  |   ip_cidr_range            = var.ip_cidr_range
    		9  |   region                   = var.gcp_project_location
    		10 |   network                  = google_compute_network.this.self_link
    		11 |   private_ip_google_access = true
    		12 | }
    
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: aws_db_instance.example
    	File: /beginners/rds-restore/main.tf:9-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		9  | resource "aws_db_instance" "example" {
    		10 |   engine               = "mysql"
    		11 |   instance_class       = "db.t3.micro"
    		12 |   allocated_storage    = 20
    		13 |   storage_type         = "gp2"
    		14 |   identifier           = "my-rds-instance"
    		15 |   username             = "admin"
    		16 |   password             = "password"
    		17 |   publicly_accessible = false
    		18 | 
    		19 |   # Other RDS configuration settings...
    		20 | 
    		21 |   # Enable automatic backups and set the retention period
    		22 |   backup_retention_period = 7
    		23 |   backup_window           = "03:00-04:00"
    		24 |   maintenance_window      = "sun:05:00-sun:06:00"
    		25 | }
    
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: aws_db_instance.restored_example
    	File: /beginners/rds-restore/restore.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		4  | resource "aws_db_instance" "restored_example" {
    		5  |   engine               = "mysql"
    		6  |   instance_class       = "db.t3.micro"
    		7  |   allocated_storage    = 20
    		8  |   storage_type         = "gp2"
    		9  |   identifier           = "restored-rds-instance"
    		10 |   username             = "admin"
    		11 |   password             = "password"
    		12 |   publicly_accessible = false
    		13 | 
    		14 |   # Other RDS configuration settings...
    		15 | 
    		16 |   # Specify the snapshot ID to restore from
    		17 |   snapshot_identifier = ""
    		18 | }
    
    Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /intermediate/azure/Terraform-Provisioners/linuxvm.tf:119-162
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
    
    		119 | resource "azurerm_linux_virtual_machine" "vm" {
    		120 |     name                              =   "${var.prefix}-linuxvm"
    		121 |     resource_group_name               =   azurerm_resource_group.rg.name
    		122 |     location                          =   azurerm_resource_group.rg.location
    		123 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		124 |     size                              =   var.virtual_machine_size
    		125 |     computer_name                     =   var.computer_name
    		126 |     admin_username                    =   var.admin_username
    		127 |     admin_password                    =   var.admin_password
    		128 |     disable_password_authentication   =   false
    		129 | 
    		130 |     os_disk  {
    		131 |         name                          =   "${var.prefix}-${var.os_disk.name}"
    		132 |         caching                       =   var.os_disk.caching
    		133 |         storage_account_type          =   var.os_disk.storage_account_type
    		134 |         disk_size_gb                  =   var.os_disk.size
    		135 |     }
    		136 | 
    		137 |     source_image_reference {
    		138 |         publisher                     =   var.os_image.publisher
    		139 |         offer                         =   var.os_image.offer
    		140 |         sku                           =   var.os_image.sku
    		141 |         version                       =   var.os_image.version
    		142 |     }
    		143 | 
    		144 |     provisioner "local-exec" {
    		145 |         command = "echo 'Hello, This is the output of Local-Exec Provisioner'"
    		146 |   }
    		147 | 
    		148 |     provisioner "remote-exec" {
    		149 |     inline = [
    		150 |       "echo 'Hello, This is the output of Remote-Exec Provisioner'"
    		151 |     ]
    		152 |     connection {
    		153 |       type     =    "ssh"
    		154 |       user     =    var.admin_username
    		155 |       password =    var.admin_password
    		156 |       host     =    azurerm_public_ip.pip.ip_address
    		157 |     }
    		158 |   }
    		159 | 
    		160 |     tags                              =   var.tags
    		161 | 
    		162 | }
    
    Check: CKV_AZURE_178: "Ensure linux VM enables SSH with keys for secure communication"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /intermediate/azure/Terraform-Provisioners/linuxvm.tf:119-162
    
    		119 | resource "azurerm_linux_virtual_machine" "vm" {
    		120 |     name                              =   "${var.prefix}-linuxvm"
    		121 |     resource_group_name               =   azurerm_resource_group.rg.name
    		122 |     location                          =   azurerm_resource_group.rg.location
    		123 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		124 |     size                              =   var.virtual_machine_size
    		125 |     computer_name                     =   var.computer_name
    		126 |     admin_username                    =   var.admin_username
    		127 |     admin_password                    =   var.admin_password
    		128 |     disable_password_authentication   =   false
    		129 | 
    		130 |     os_disk  {
    		131 |         name                          =   "${var.prefix}-${var.os_disk.name}"
    		132 |         caching                       =   var.os_disk.caching
    		133 |         storage_account_type          =   var.os_disk.storage_account_type
    		134 |         disk_size_gb                  =   var.os_disk.size
    		135 |     }
    		136 | 
    		137 |     source_image_reference {
    		138 |         publisher                     =   var.os_image.publisher
    		139 |         offer                         =   var.os_image.offer
    		140 |         sku                           =   var.os_image.sku
    		141 |         version                       =   var.os_image.version
    		142 |     }
    		143 | 
    		144 |     provisioner "local-exec" {
    		145 |         command = "echo 'Hello, This is the output of Local-Exec Provisioner'"
    		146 |   }
    		147 | 
    		148 |     provisioner "remote-exec" {
    		149 |     inline = [
    		150 |       "echo 'Hello, This is the output of Remote-Exec Provisioner'"
    		151 |     ]
    		152 |     connection {
    		153 |       type     =    "ssh"
    		154 |       user     =    var.admin_username
    		155 |       password =    var.admin_password
    		156 |       host     =    azurerm_public_ip.pip.ip_address
    		157 |     }
    		158 |   }
    		159 | 
    		160 |     tags                              =   var.tags
    		161 | 
    		162 | }
    
    Check: CKV_AZURE_1: "Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /intermediate/azure/Terraform-Provisioners/linuxvm.tf:119-162
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-1.html
    
    		119 | resource "azurerm_linux_virtual_machine" "vm" {
    		120 |     name                              =   "${var.prefix}-linuxvm"
    		121 |     resource_group_name               =   azurerm_resource_group.rg.name
    		122 |     location                          =   azurerm_resource_group.rg.location
    		123 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		124 |     size                              =   var.virtual_machine_size
    		125 |     computer_name                     =   var.computer_name
    		126 |     admin_username                    =   var.admin_username
    		127 |     admin_password                    =   var.admin_password
    		128 |     disable_password_authentication   =   false
    		129 | 
    		130 |     os_disk  {
    		131 |         name                          =   "${var.prefix}-${var.os_disk.name}"
    		132 |         caching                       =   var.os_disk.caching
    		133 |         storage_account_type          =   var.os_disk.storage_account_type
    		134 |         disk_size_gb                  =   var.os_disk.size
    		135 |     }
    		136 | 
    		137 |     source_image_reference {
    		138 |         publisher                     =   var.os_image.publisher
    		139 |         offer                         =   var.os_image.offer
    		140 |         sku                           =   var.os_image.sku
    		141 |         version                       =   var.os_image.version
    		142 |     }
    		143 | 
    		144 |     provisioner "local-exec" {
    		145 |         command = "echo 'Hello, This is the output of Local-Exec Provisioner'"
    		146 |   }
    		147 | 
    		148 |     provisioner "remote-exec" {
    		149 |     inline = [
    		150 |       "echo 'Hello, This is the output of Remote-Exec Provisioner'"
    		151 |     ]
    		152 |     connection {
    		153 |       type     =    "ssh"
    		154 |       user     =    var.admin_username
    		155 |       password =    var.admin_password
    		156 |       host     =    azurerm_public_ip.pip.ip_address
    		157 |     }
    		158 |   }
    		159 | 
    		160 |     tags                              =   var.tags
    		161 | 
    		162 | }
    
    Check: CKV_AZURE_149: "Ensure that Virtual machine does not enable password authentication"
    	FAILED for resource: azurerm_linux_virtual_machine.vm
    	File: /intermediate/azure/Terraform-Provisioners/linuxvm.tf:119-162
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-virtual-machine-does-not-enable-password-authentication.html
    
    		119 | resource "azurerm_linux_virtual_machine" "vm" {
    		120 |     name                              =   "${var.prefix}-linuxvm"
    		121 |     resource_group_name               =   azurerm_resource_group.rg.name
    		122 |     location                          =   azurerm_resource_group.rg.location
    		123 |     network_interface_ids             =   [azurerm_network_interface.nic.id]
    		124 |     size                              =   var.virtual_machine_size
    		125 |     computer_name                     =   var.computer_name
    		126 |     admin_username                    =   var.admin_username
    		127 |     admin_password                    =   var.admin_password
    		128 |     disable_password_authentication   =   false
    		129 | 
    		130 |     os_disk  {
    		131 |         name                          =   "${var.prefix}-${var.os_disk.name}"
    		132 |         caching                       =   var.os_disk.caching
    		133 |         storage_account_type          =   var.os_disk.storage_account_type
    		134 |         disk_size_gb                  =   var.os_disk.size
    		135 |     }
    		136 | 
    		137 |     source_image_reference {
    		138 |         publisher                     =   var.os_image.publisher
    		139 |         offer                         =   var.os_image.offer
    		140 |         sku                           =   var.os_image.sku
    		141 |         version                       =   var.os_image.version
    		142 |     }
    		143 | 
    		144 |     provisioner "local-exec" {
    		145 |         command = "echo 'Hello, This is the output of Local-Exec Provisioner'"
    		146 |   }
    		147 | 
    		148 |     provisioner "remote-exec" {
    		149 |     inline = [
    		150 |       "echo 'Hello, This is the output of Remote-Exec Provisioner'"
    		151 |     ]
    		152 |     connection {
    		153 |       type     =    "ssh"
    		154 |       user     =    var.admin_username
    		155 |       password =    var.admin_password
    		156 |       host     =    azurerm_public_ip.pip.ip_address
    		157 |     }
    		158 |   }
    		159 | 
    		160 |     tags                              =   var.tags
    		161 | 
    		162 | }
    
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
    	FAILED for resource: azurerm_network_interface.nic
    	File: /beginners/azure/linuxVM/linuxvm.tf:103-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
    
    		103 | resource "azurerm_network_interface" "nic" {
    		104 |     name                              =   "${var.prefix}-linuxvm-nic"
    		105 |     resource_group_name               =   azurerm_resource_group.rg.name
    		106 |     location                          =   azurerm_resource_group.rg.location
    		107 |     tags                              =   var.tags
    		108 |     ip_configuration                  {
    		109 |         name                          =  "${var.prefix}-nic-ipconfig"
    		110 |         subnet_id                     =   azurerm_subnet.web.id
    		111 |         public_ip_address_id          =   azurerm_public_ip.pip.id
    		112 |         private_ip_address_allocation =   var.allocation_method[1]
    		113 |     }
    		114 | }
    
    Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
    	FAILED for resource: azurerm_network_interface.nic
    	File: /beginners/azure/windowsVM/windowsvm.tf:103-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
    
    		103 | resource "azurerm_network_interface" "nic" {
    		104 |     name                              =   "${var.prefix}-winvm-nic"
    		105 |     resource_group_name               =   azurerm_resource_group.rg.name
    		106 |     location                          =   azurerm_resource_group.rg.location
    		107 |     tags                              =   var.tags
    		108 |     ip_configuration                  {
    		109 |         name                          =  "${var.prefix}-nic-ipconfig"
    		110 |         subnet_id                     =   azurerm_subnet.web.id
    		111 |         public_ip_address_id          =   azurerm_public_ip.pip.id
    		112 |         private_ip_address_allocation =   var.allocation_method[1]
    		113 |     }
    		114 | }
    
    Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
    	FAILED for resource: azurerm_network_interface.nic
    	File: /intermediate/azure/Terraform-Provisioners/linuxvm.tf:101-112
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
    
    		101 | resource "azurerm_network_interface" "nic" {
    		102 |     name                              =   "${var.prefix}-linuxvm-nic"
    		103 |     resource_group_name               =   azurerm_resource_group.rg.name
    		104 |     location                          =   azurerm_resource_group.rg.location
    		105 |     tags                              =   var.tags
    		106 |     ip_configuration                  {
    		107 |         name                          =  "linuxvm-nic-ipconfig"
    		108 |         subnet_id                     =   azurerm_subnet.web.id
    		109 |         public_ip_address_id          =   azurerm_public_ip.pip.id
    		110 |         private_ip_address_allocation =   var.allocation_method[1]
    		111 |     }
    		112 | }
    
    Check: CKV2_AZURE_29: "Ensure AKS cluster has Azure CNI networking enabled"
    	FAILED for resource: azurerm_kubernetes_cluster.k8cluster
    	File: /beginners/azure/aks_cluster/main.tf:54-81
    
    		54 | resource "azurerm_kubernetes_cluster" "k8cluster" {
    		55 |     name = var.cluster_name
    		56 |     location = azurerm_resource_group.k8terraform.location
    		57 |     resource_group_name = azurerm_resource_group.k8terraform.name
    		58 |     dns_prefix = var.dns_prifix
    		59 | 
    		60 |     default_node_pool {
    		61 |         name = "infrapool"
    		62 |         vm_size = "Standard_D2_v2"
    		63 |         max_pods = 50
    		64 |         node_count = 3
    		65 |     }
    		66 | 
    		67 |     addon_profile{
    		68 |         oms_agent{
    		69 |             enabled = true
    		70 |             log_analytics_workspace_id = azurerm_log_analytics_workspace.aksterraform.id
    		71 |         }
    		72 |     }
    		73 | 
    		74 |     identity {
    		75 |         type = "SystemAssigned"
    		76 |     }
    		77 | 
    		78 |     tags ={
    		79 |         Enviornment = "Development"
    		80 |     }
    		81 | }
    
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
    	FAILED for resource: azurerm_storage_account.sa
    	File: /beginners/azure/storageAccount/storageaccount.tf:43-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
    
    		43 | resource "azurerm_storage_account" "sa" {
    		44 |     name                          =    "${var.saVars["name"]}${random_integer.sa_name.result}" 
    		45 |     resource_group_name           =    azurerm_resource_group.rg.name
    		46 |     location                      =    azurerm_resource_group.rg.location
    		47 |     account_kind                  =    var.saVars["account_kind"]
    		48 |     account_tier                  =    var.saVars["account_tier"]
    		49 |     access_tier                   =    var.saVars["access_tier"]
    		50 |     account_replication_type      =    var.saVars["account_replication_type"]
    		51 | 
    		52 |     static_website {
    		53 |         index_document              = "index.html"
    		54 |         error_404_document          = "404.html"
    		55 |     }
    		56 | 
    		57 |     tags                          =   var.tags
    		58 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.vnet.azurerm_subnet.sn
    	File: /beginners/azure/module_example/child_module/main.tf:37-42
    
    		37 | resource "azurerm_subnet" "sn" {
    		38 |    name                 =   var.subnet_name
    		39 |    resource_group_name  =   azurerm_resource_group.rg.name
    		40 |    virtual_network_name =   azurerm_virtual_network.vnet.name
    		41 |    address_prefixes     =   [var.subnet_address_range]
    		42 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.sn["App-Subnet"]
    	File: /beginners/azure/multiple_resources/main.tf:48-54
    
    		48 | resource "azurerm_subnet" "sn" {
    		49 |    for_each             =   var.subnet
    		50 |    name                 =   each.key
    		51 |    resource_group_name  =   azurerm_resource_group.rg["Dev-RG"].name
    		52 |    virtual_network_name =   azurerm_virtual_network.vnet.name
    		53 |    address_prefixes     =   [each.value]
    		54 | }
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.sn
    	File: /beginners/azure/virtualnetwork/main.tf:51-56
    
    		51 | resource "azurerm_subnet" "sn" {
    		52 |    name                 =   var.subnet_name
    		53 |    resource_group_name  =   azurerm_resource_group.rg.name
    		54 |    virtual_network_name =   azurerm_virtual_network.vnet.name
    		55 |    address_prefixes     =   [var.subnet_address_range]
    		56 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.sn["DB-Subnet"]
    	File: /beginners/azure/multiple_resources/main.tf:48-54
    
    		48 | resource "azurerm_subnet" "sn" {
    		49 |    for_each             =   var.subnet
    		50 |    name                 =   each.key
    		51 |    resource_group_name  =   azurerm_resource_group.rg["Dev-RG"].name
    		52 |    virtual_network_name =   azurerm_virtual_network.vnet.name
    		53 |    address_prefixes     =   [each.value]
    		54 | }
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.sn["Web-Subnet"]
    	File: /beginners/azure/multiple_resources/main.tf:48-54
    
    		48 | resource "azurerm_subnet" "sn" {
    		49 |    for_each             =   var.subnet
    		50 |    name                 =   each.key
    		51 |    resource_group_name  =   azurerm_resource_group.rg["Dev-RG"].name
    		52 |    virtual_network_name =   azurerm_virtual_network.vnet.name
    		53 |    address_prefixes     =   [each.value]
    		54 | }
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.collabnix_static_s3_website.aws_s3_bucket.my_static_website_bucket
    	File: /beginners/aws/modules/s3/s3.tf:1-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1  | resource "aws_s3_bucket" "my_static_website_bucket" {
    		2  |   bucket = var.s3_bucket_name
    		3  |   acl    = "public-read"
    		4  |   force_destroy = true
    		5  | 
    		6  |   tags = {
    		7  |     project = "Collabnix"
    		8  |     department = "Automation"
    		9  |   }
    		10 | 
    		11 |   website {
    		12 |     index_document = "index.html"
    		13 |     error_document = "error.html"
    		14 | 
    		15 |     routing_rules = <
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the repository's CI/CD tool configuration files.

    There is an opportunity to: