| Repository | dumrauf / openvpn-terraform-install |
|---|---|
| Description | A one-stop Terraform module that creates an OpenVPN server in AWS readily provisioned with access by the users defined in the input |
| Stars | 108 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 17, Failed checks: 10, Skipped checks: 0
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
32 | resource "aws_instance" "openvpn" {
33 | ami = data.aws_ami.amazon_linux_2.id
34 | associate_public_ip_address = true
35 | instance_type = var.instance_type
36 | key_name = aws_key_pair.openvpn.key_name
37 | subnet_id = aws_subnet.openvpn.id
38 |
39 | vpc_security_group_ids = [
40 | aws_security_group.openvpn.id,
41 | aws_security_group.ssh_from_local.id,
42 | ]
43 |
44 | root_block_device {
45 | volume_type = "gp2"
46 | volume_size = var.instance_root_block_device_volume_size
47 | delete_on_termination = true
48 | }
49 |
50 | tags = {
51 | Name = var.tag_name
52 | Provisioner = "Terraform"
53 | }
54 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.openvpn
File: /vpc.tf:45-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
45 | resource "aws_security_group" "openvpn" {
46 | name = "openvpn"
47 | description = "Allow inbound UDP access to OpenVPN and unrestricted egress"
48 |
49 | vpc_id = aws_vpc.openvpn.id
50 |
51 | tags = {
52 | Name = var.tag_name
53 | Provisioner = "Terraform"
54 | }
55 |
56 | ingress {
57 | from_port = 1194
58 | to_port = 1194
59 | protocol = "udp"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | }
62 |
63 | egress {
64 | from_port = 0
65 | to_port = 0
66 | protocol = -1
67 | cidr_blocks = ["0.0.0.0/0"]
68 | }
69 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ssh_from_local
File: /vpc.tf:71-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
71 | resource "aws_security_group" "ssh_from_local" {
72 | name = "ssh-from-local"
73 | description = "Allow SSH access only from local machine"
74 |
75 | vpc_id = aws_vpc.openvpn.id
76 |
77 | tags = {
78 | Name = var.tag_name
79 | Provisioner = "Terraform"
80 | }
81 |
82 | ingress {
83 | from_port = 22
84 | to_port = 22
85 | protocol = "tcp"
86 | cidr_blocks = [local.local_ip_address]
87 | }
88 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.openvpn
File: /vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "openvpn" {
2 | cidr_block = var.cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 |
6 | tags = {
7 | Name = var.tag_name
8 | Provisioner = "Terraform"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.openvpn
File: /vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.openvpn
File: /ec2.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools