Terraform

Repository
futurice / terraform-examples
Description

Terraform samples for all the major clouds you can copy and paste. The future, co-created.

Stars

 625

Failed Checks
  • Security Scanning
  • Linting

Scan Date
  2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool (Checkov or a comparable IaC scanner) was found in any of the repository's CI/CD configuration files, so nothing gates merges on findings like the ones below. The Checkov output that follows is the result of running such a scan against the repository.

    There is an opportunity to:

    Checkov Output
                    
                      2023-10-05 14:45:00,608 [MainThread  ] [WARNI]  Failed to download module github.com/neomantra/terraform-docker-mirror:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:00,608 [MainThread  ] [WARNI]  Failed to download module github.com/claranet/terraform-path-hash?ref=v0.1.0:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:00,608 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/acm/aws:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:00,609 [MainThread  ] [WARNI]  Failed to download module git::ssh://git@github.com/futurice/terraform-utils.git//aws_reverse_proxy?ref=v11.0:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:00,609 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:~>5.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:00,609 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 277, Failed checks: 251, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.this
    	File: /aws/aws_ec2_ebs_docker_host/main.tf:3-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		3  | resource "aws_instance" "this" {
    		4  |   instance_type          = "${var.instance_type}"
    		5  |   ami                    = "${var.instance_ami}"
    		6  |   availability_zone      = "${local.availability_zone}"
    		7  |   key_name               = "${aws_key_pair.this.id}"                            # the name of the SSH keypair to use for provisioning
    		8  |   vpc_security_group_ids = ["${aws_security_group.this.id}"]
    		9  |   subnet_id              = "${data.aws_subnet.this.id}"
    		10 |   user_data              = "${sha1(local.reprovision_trigger)}"                 # this value isn't used by the EC2 instance, but its change will trigger re-creation of the resource
    		11 |   tags                   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		12 |   volume_tags            = "${merge(var.tags, map("Name", "${var.hostname}"))}" # give the root EBS volume a name (+ other possible tags) that makes it easier to identify as belonging to this host
    		13 | 
    		14 |   root_block_device {
    		15 |     volume_size = "${var.root_volume_size}"
    		16 |   }
    		17 | 
    		18 |   connection {
    		19 |     user        = "${var.ssh_username}"
    		20 |     private_key = "${file("${var.ssh_private_key_path}")}"
    		21 |     agent       = false                                    # don't use SSH agent because we have the private key right here
    		22 |   }
    		23 | 
    		24 |   provisioner "remote-exec" {
    		25 |     inline = [
    		26 |       "sudo hostnamectl set-hostname ${var.hostname}",
    		27 |       "echo 127.0.0.1 ${var.hostname} | sudo tee -a /etc/hosts", # https://askubuntu.com/a/59517
    		28 |     ]
    		29 |   }
    		30 | 
    		31 |   provisioner "remote-exec" {
    		32 |     script = "${path.module}/provision-docker.sh"
    		33 |   }
    		34 | 
    		35 |   provisioner "file" {
    		36 |     source      = "${path.module}/provision-swap.sh"
    		37 |     destination = "/home/${var.ssh_username}/provision-swap.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 |     inline = [
    		42 |       "sh /home/${var.ssh_username}/provision-swap.sh ${var.swap_file_size} ${var.swap_swappiness}",
    		43 |       "rm /home/${var.ssh_username}/provision-swap.sh",
    		44 |     ]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.this
    	File: /aws/aws_ec2_ebs_docker_host/main.tf:3-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		3  | resource "aws_instance" "this" {
    		4  |   instance_type          = "${var.instance_type}"
    		5  |   ami                    = "${var.instance_ami}"
    		6  |   availability_zone      = "${local.availability_zone}"
    		7  |   key_name               = "${aws_key_pair.this.id}"                            # the name of the SSH keypair to use for provisioning
    		8  |   vpc_security_group_ids = ["${aws_security_group.this.id}"]
    		9  |   subnet_id              = "${data.aws_subnet.this.id}"
    		10 |   user_data              = "${sha1(local.reprovision_trigger)}"                 # this value isn't used by the EC2 instance, but its change will trigger re-creation of the resource
    		11 |   tags                   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		12 |   volume_tags            = "${merge(var.tags, map("Name", "${var.hostname}"))}" # give the root EBS volume a name (+ other possible tags) that makes it easier to identify as belonging to this host
    		13 | 
    		14 |   root_block_device {
    		15 |     volume_size = "${var.root_volume_size}"
    		16 |   }
    		17 | 
    		18 |   connection {
    		19 |     user        = "${var.ssh_username}"
    		20 |     private_key = "${file("${var.ssh_private_key_path}")}"
    		21 |     agent       = false                                    # don't use SSH agent because we have the private key right here
    		22 |   }
    		23 | 
    		24 |   provisioner "remote-exec" {
    		25 |     inline = [
    		26 |       "sudo hostnamectl set-hostname ${var.hostname}",
    		27 |       "echo 127.0.0.1 ${var.hostname} | sudo tee -a /etc/hosts", # https://askubuntu.com/a/59517
    		28 |     ]
    		29 |   }
    		30 | 
    		31 |   provisioner "remote-exec" {
    		32 |     script = "${path.module}/provision-docker.sh"
    		33 |   }
    		34 | 
    		35 |   provisioner "file" {
    		36 |     source      = "${path.module}/provision-swap.sh"
    		37 |     destination = "/home/${var.ssh_username}/provision-swap.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 |     inline = [
    		42 |       "sh /home/${var.ssh_username}/provision-swap.sh ${var.swap_file_size} ${var.swap_swappiness}",
    		43 |       "rm /home/${var.ssh_username}/provision-swap.sh",
    		44 |     ]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.this
    	File: /aws/aws_ec2_ebs_docker_host/main.tf:3-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		3  | resource "aws_instance" "this" {
    		4  |   instance_type          = "${var.instance_type}"
    		5  |   ami                    = "${var.instance_ami}"
    		6  |   availability_zone      = "${local.availability_zone}"
    		7  |   key_name               = "${aws_key_pair.this.id}"                            # the name of the SSH keypair to use for provisioning
    		8  |   vpc_security_group_ids = ["${aws_security_group.this.id}"]
    		9  |   subnet_id              = "${data.aws_subnet.this.id}"
    		10 |   user_data              = "${sha1(local.reprovision_trigger)}"                 # this value isn't used by the EC2 instance, but its change will trigger re-creation of the resource
    		11 |   tags                   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		12 |   volume_tags            = "${merge(var.tags, map("Name", "${var.hostname}"))}" # give the root EBS volume a name (+ other possible tags) that makes it easier to identify as belonging to this host
    		13 | 
    		14 |   root_block_device {
    		15 |     volume_size = "${var.root_volume_size}"
    		16 |   }
    		17 | 
    		18 |   connection {
    		19 |     user        = "${var.ssh_username}"
    		20 |     private_key = "${file("${var.ssh_private_key_path}")}"
    		21 |     agent       = false                                    # don't use SSH agent because we have the private key right here
    		22 |   }
    		23 | 
    		24 |   provisioner "remote-exec" {
    		25 |     inline = [
    		26 |       "sudo hostnamectl set-hostname ${var.hostname}",
    		27 |       "echo 127.0.0.1 ${var.hostname} | sudo tee -a /etc/hosts", # https://askubuntu.com/a/59517
    		28 |     ]
    		29 |   }
    		30 | 
    		31 |   provisioner "remote-exec" {
    		32 |     script = "${path.module}/provision-docker.sh"
    		33 |   }
    		34 | 
    		35 |   provisioner "file" {
    		36 |     source      = "${path.module}/provision-swap.sh"
    		37 |     destination = "/home/${var.ssh_username}/provision-swap.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 |     inline = [
    		42 |       "sh /home/${var.ssh_username}/provision-swap.sh ${var.swap_file_size} ${var.swap_swappiness}",
    		43 |       "rm /home/${var.ssh_username}/provision-swap.sh",
    		44 |     ]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.this
    	File: /aws/aws_ec2_ebs_docker_host/main.tf:3-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		3  | resource "aws_instance" "this" {
    		4  |   instance_type          = "${var.instance_type}"
    		5  |   ami                    = "${var.instance_ami}"
    		6  |   availability_zone      = "${local.availability_zone}"
    		7  |   key_name               = "${aws_key_pair.this.id}"                            # the name of the SSH keypair to use for provisioning
    		8  |   vpc_security_group_ids = ["${aws_security_group.this.id}"]
    		9  |   subnet_id              = "${data.aws_subnet.this.id}"
    		10 |   user_data              = "${sha1(local.reprovision_trigger)}"                 # this value isn't used by the EC2 instance, but its change will trigger re-creation of the resource
    		11 |   tags                   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		12 |   volume_tags            = "${merge(var.tags, map("Name", "${var.hostname}"))}" # give the root EBS volume a name (+ other possible tags) that makes it easier to identify as belonging to this host
    		13 | 
    		14 |   root_block_device {
    		15 |     volume_size = "${var.root_volume_size}"
    		16 |   }
    		17 | 
    		18 |   connection {
    		19 |     user        = "${var.ssh_username}"
    		20 |     private_key = "${file("${var.ssh_private_key_path}")}"
    		21 |     agent       = false                                    # don't use SSH agent because we have the private key right here
    		22 |   }
    		23 | 
    		24 |   provisioner "remote-exec" {
    		25 |     inline = [
    		26 |       "sudo hostnamectl set-hostname ${var.hostname}",
    		27 |       "echo 127.0.0.1 ${var.hostname} | sudo tee -a /etc/hosts", # https://askubuntu.com/a/59517
    		28 |     ]
    		29 |   }
    		30 | 
    		31 |   provisioner "remote-exec" {
    		32 |     script = "${path.module}/provision-docker.sh"
    		33 |   }
    		34 | 
    		35 |   provisioner "file" {
    		36 |     source      = "${path.module}/provision-swap.sh"
    		37 |     destination = "/home/${var.ssh_username}/provision-swap.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 |     inline = [
    		42 |       "sh /home/${var.ssh_username}/provision-swap.sh ${var.swap_file_size} ${var.swap_swappiness}",
    		43 |       "rm /home/${var.ssh_username}/provision-swap.sh",
    		44 |     ]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.this
    	File: /aws/aws_ec2_ebs_docker_host/security.tf:7-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		7  | resource "aws_security_group" "this" {
    		8  |   vpc_id = "${data.aws_vpc.this.id}"
    		9  |   tags   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		10 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.outgoing_any
    	File: /aws/aws_ec2_ebs_docker_host/security.tf:14-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		14 | resource "aws_security_group_rule" "outgoing_any" {
    		15 |   security_group_id = "${aws_security_group.this.id}"
    		16 |   type              = "egress"
    		17 |   from_port         = 0
    		18 |   to_port           = 0
    		19 |   protocol          = "-1"
    		20 |   cidr_blocks       = ["0.0.0.0/0"]
    		21 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.incoming_ssh
    	File: /aws/aws_ec2_ebs_docker_host/security.tf:23-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		23 | resource "aws_security_group_rule" "incoming_ssh" {
    		24 |   security_group_id = "${aws_security_group.this.id}"
    		25 |   type              = "ingress"
    		26 |   from_port         = 22
    		27 |   to_port           = 22
    		28 |   protocol          = "tcp"
    		29 |   cidr_blocks       = ["0.0.0.0/0"]
    		30 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group_rule.incoming_ssh
    	File: /aws/aws_ec2_ebs_docker_host/security.tf:23-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		23 | resource "aws_security_group_rule" "incoming_ssh" {
    		24 |   security_group_id = "${aws_security_group.this.id}"
    		25 |   type              = "ingress"
    		26 |   from_port         = 22
    		27 |   to_port           = 22
    		28 |   protocol          = "tcp"
    		29 |   cidr_blocks       = ["0.0.0.0/0"]
    		30 | }
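
    The six findings above all come from the aws_ec2_ebs_docker_host module. The block below is an added example, not code from futurice/terraform-examples: it rewrites the same aws_instance and security group resources (in Terraform 0.12+ syntax, the original is 0.11-style) with the attributes that CKV_AWS_8, CKV_AWS_79, CKV_AWS_126, CKV_AWS_135, CKV_AWS_23 and CKV_AWS_24 look for. The variable admin_cidr_blocks is an assumption that does not exist in the original module; the provisioner and connection blocks are left out because the checks do not touch them.

```hcl
# Added example, not code from futurice/terraform-examples: the
# aws_ec2_ebs_docker_host resources with the attributes that Checkov's
# CKV_AWS_8/79/126/135 (instance) and CKV_AWS_23/24 (security group) check for.
# Terraform 0.12+ syntax. var.admin_cidr_blocks is an assumed new variable.

variable "admin_cidr_blocks" {
  description = "Assumed: CIDR ranges allowed to reach SSH (bastion, VPN, CI runner egress)"
  type        = list(string)
}

resource "aws_instance" "this" {
  instance_type          = var.instance_type
  ami                    = var.instance_ami
  availability_zone      = local.availability_zone
  key_name               = aws_key_pair.this.id
  vpc_security_group_ids = [aws_security_group.this.id]
  subnet_id              = data.aws_subnet.this.id
  user_data              = sha1(local.reprovision_trigger) # unchanged: only a re-creation trigger
  tags                   = merge(var.tags, { Name = var.hostname })
  volume_tags            = merge(var.tags, { Name = var.hostname })

  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics
  ebs_optimized = true # CKV_AWS_135: the instance type must support it

  # CKV_AWS_79: IMDSv2 only. A GET to 169.254.169.254 without a session token
  # then returns 401, so an SSRF in a service on this host cannot read the
  # instance role's credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # raise to 2 if containers on the Docker bridge need the IMDS
  }

  root_block_device {
    volume_size = var.root_volume_size
    encrypted   = true # CKV_AWS_8: at-rest encryption of the root volume (add kms_key_id for a CMK)
  }

  # connection and provisioner blocks of the original module go here unchanged
}

resource "aws_security_group" "this" {
  vpc_id      = data.aws_vpc.this.id
  description = "Docker host ${var.hostname}: SSH from admin ranges, unrestricted egress" # CKV_AWS_23
  tags        = merge(var.tags, { Name = var.hostname })
}

resource "aws_security_group_rule" "outgoing_any" {
  security_group_id = aws_security_group.this.id
  description       = "All egress: package installs and Docker image pulls" # CKV_AWS_23
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "incoming_ssh" {
  security_group_id = aws_security_group.this.id
  description       = "SSH for the remote-exec provisioners and administrators" # CKV_AWS_23
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.admin_cidr_blocks # CKV_AWS_24: never 0.0.0.0/0 on port 22
}
```

    Two caveats. The module's remote-exec provisioners open an SSH connection from wherever `terraform apply` runs, so admin_cidr_blocks must include that machine's egress address or the apply will hang at the connection step. And the "Failed to download module" warnings at the top of the output mean the six external modules were never scanned; rerunning as `checkov -d . --download-external-modules true` fetches and scans them, which will change the pass/fail totals.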
    
    Check: CKV_AWS_237: "Ensure Create before destroy for API GATEWAY"
    	FAILED for resource: aws_api_gateway_rest_api.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy.html
    
    		1 | resource "aws_api_gateway_rest_api" "this" {
    		2 |   name        = "${local.prefix_with_domain}"
    		3 |   description = "${var.comment_prefix}${var.api_domain}"
    		4 | }
    
    Check: CKV_AWS_217: "Ensure Create before destroy for API deployments"
    	FAILED for resource: aws_api_gateway_deployment.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:6-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-deployments-enable-create-before-destroy.html
    
    		6  | resource "aws_api_gateway_deployment" "this" {
    		7  |   rest_api_id = "${aws_api_gateway_rest_api.this.id}"
    		8  | 
    		9  |   depends_on = [
    		10 |     "aws_api_gateway_integration.proxy_root",
    		11 |     "aws_api_gateway_integration.proxy_other",
    		12 |   ]
    		13 | }
    
    Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled.html
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-15.html
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV_AWS_225: "Ensure API Gateway method setting caching is enabled"
    	FAILED for resource: aws_api_gateway_method_settings.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:23-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-method-settings-enable-caching.html
    
    		23 | resource "aws_api_gateway_method_settings" "this" {
    		24 |   rest_api_id = "${aws_api_gateway_rest_api.this.id}"
    		25 |   stage_name  = "${aws_api_gateway_stage.this.stage_name}"
    		26 |   method_path = "*/*"
    		27 | 
    		28 |   settings {
    		29 |     metrics_enabled        = "${var.api_gateway_cloudwatch_metrics}"
    		30 |     logging_level          = "${var.api_gateway_logging_level}"
    		31 |     data_trace_enabled     = "${var.api_gateway_logging_level == "OFF" ? false : true}"
    		32 |     throttling_rate_limit  = "${var.throttling_rate_limit}"
    		33 |     throttling_burst_limit = "${var.throttling_burst_limit}"
    		34 |   }
    		35 | }
    
    Check: CKV_AWS_308: "Ensure API Gateway method setting caching is set to encrypted"
    	FAILED for resource: aws_api_gateway_method_settings.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:23-35
    
    		23 | resource "aws_api_gateway_method_settings" "this" {
    		24 |   rest_api_id = "${aws_api_gateway_rest_api.this.id}"
    		25 |   stage_name  = "${aws_api_gateway_stage.this.stage_name}"
    		26 |   method_path = "*/*"
    		27 | 
    		28 |   settings {
    		29 |     metrics_enabled        = "${var.api_gateway_cloudwatch_metrics}"
    		30 |     logging_level          = "${var.api_gateway_logging_level}"
    		31 |     data_trace_enabled     = "${var.api_gateway_logging_level == "OFF" ? false : true}"
    		32 |     throttling_rate_limit  = "${var.throttling_rate_limit}"
    		33 |     throttling_burst_limit = "${var.throttling_burst_limit}"
    		34 |   }
    		35 | }
    
    Check: CKV_AWS_206: "Ensure API Gateway Domain uses a modern security Policy"
    	FAILED for resource: aws_api_gateway_domain_name.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:37-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-domain-uses-a-modern-security-policy.html
    
    		37 | resource "aws_api_gateway_domain_name" "this" {
    		38 |   domain_name              = "${var.api_domain}"
    		39 |   regional_certificate_arn = "${aws_acm_certificate_validation.this.certificate_arn}"
    		40 | 
    		41 |   endpoint_configuration {
    		42 |     types = ["REGIONAL"]
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
    	FAILED for resource: aws_api_gateway_method.proxy_root
    	File: /aws/aws_lambda_api/api_gateway_resources.tf:3-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html
    
    		3 | resource "aws_api_gateway_method" "proxy_root" {
    		4 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		5 |   resource_id   = "${aws_api_gateway_rest_api.this.root_resource_id}"
    		6 |   http_method   = "ANY"
    		7 |   authorization = "NONE"
    		8 | }
    
    Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
    	FAILED for resource: aws_api_gateway_method.proxy_other
    	File: /aws/aws_lambda_api/api_gateway_resources.tf:27-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html
    
    		27 | resource "aws_api_gateway_method" "proxy_other" {
    		28 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		29 |   resource_id   = "${aws_api_gateway_resource.proxy_other.id}"
    		30 |   http_method   = "ANY"
    		31 |   authorization = "NONE"
    		32 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.this
    	File: /aws/aws_lambda_api/certificate.tf:3-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		3 | resource "aws_acm_certificate" "this" {
    		4 |   domain_name       = "${var.api_domain}"
    		5 |   validation_method = "DNS"                                                                       # the required records are created below
    		6 |   tags              = "${merge(var.tags, map("Name", "${var.comment_prefix}${var.api_domain}"))}"
    		7 | }
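
    The ten findings above belong to the aws_lambda_api module. The block below is an added example, not code from futurice/terraform-examples: the same API Gateway and ACM resources, in Terraform 0.12+ syntax, carrying the settings that CKV_AWS_237, 217, 120, 73, 76, 225, 308, 206, 59 and 233 check for. The CloudWatch log group aws_cloudwatch_log_group.api_access and the deployment `triggers` map are assumptions added here; everything else keeps the original resource and variable names. Only proxy_root is shown, proxy_other takes the identical authorization change.

```hcl
# Added example, not code from futurice/terraform-examples: aws_lambda_api's
# API Gateway and ACM resources with the settings Checkov's CKV_AWS_237/217/
# 120/73/76/225/308/206/59/233 check for. aws_cloudwatch_log_group.api_access is assumed.

resource "aws_api_gateway_rest_api" "this" {
  name        = local.prefix_with_domain
  description = "${var.comment_prefix}${var.api_domain}"

  lifecycle {
    create_before_destroy = true # CKV_AWS_237
  }
}

resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id

  # Redeploy when the integrations change; depends_on alone never redeploys.
  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_integration.proxy_root,
      aws_api_gateway_integration.proxy_other,
    ]))
  }

  lifecycle {
    create_before_destroy = true # CKV_AWS_217
  }
}

resource "aws_cloudwatch_log_group" "api_access" {
  name              = "/aws/apigateway/${local.prefix_with_domain}/access"
  retention_in_days = 90
}

resource "aws_api_gateway_stage" "this" {
  stage_name    = var.stage_name
  rest_api_id   = aws_api_gateway_rest_api.this.id
  deployment_id = aws_api_gateway_deployment.this.id
  tags          = var.tags

  xray_tracing_enabled  = true  # CKV_AWS_73
  cache_cluster_enabled = true  # CKV_AWS_120 (a billed cache instance; size in GB)
  cache_cluster_size    = "0.5"

  access_log_settings { # CKV_AWS_76: one line per request, no bodies
    destination_arn = aws_cloudwatch_log_group.api_access.arn
    format = jsonencode({
      requestId    = "$context.requestId"
      sourceIp     = "$context.identity.sourceIp"
      httpMethod   = "$context.httpMethod"
      resourcePath = "$context.resourcePath"
      status       = "$context.status"
    })
  }
}

resource "aws_api_gateway_method_settings" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  stage_name  = aws_api_gateway_stage.this.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled        = var.api_gateway_cloudwatch_metrics
    logging_level          = var.api_gateway_logging_level
    data_trace_enabled     = false # true writes full request/response bodies (tokens, PII) to CloudWatch
    throttling_rate_limit  = var.throttling_rate_limit
    throttling_burst_limit = var.throttling_burst_limit
    caching_enabled        = true # CKV_AWS_225
    cache_data_encrypted   = true # CKV_AWS_308
    cache_ttl_in_seconds   = 300
  }
}

resource "aws_api_gateway_domain_name" "this" {
  domain_name              = var.api_domain
  regional_certificate_arn = aws_acm_certificate_validation.this.certificate_arn
  security_policy          = "TLS_1_2" # CKV_AWS_206: refuse TLS 1.0/1.1 clients

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

resource "aws_api_gateway_method" "proxy_root" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_rest_api.this.root_resource_id
  http_method   = "ANY"
  authorization = "AWS_IAM" # CKV_AWS_59; CUSTOM or COGNITO_USER_POOLS with authorizer_id also satisfy it
}

resource "aws_acm_certificate" "this" {
  domain_name       = var.api_domain
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true # CKV_AWS_233: issue the replacement before the old cert is removed
  }
}
```

    Not every one of these findings is a security defect. The two caching checks (CKV_AWS_120, CKV_AWS_225) are a cost and availability preference, and with a `*/*` proxy integration a cache keyed only on path and query string can hand one caller's response to another; either add the Authorization header to `cache_key_parameters` on the integration or leave caching off and suppress the check with an inline `#checkov:skip=CKV_AWS_225:<reason>` comment on the resource. The same skip mechanism is the honest answer for CKV_AWS_59 when an endpoint is public by design. By contrast `data_trace_enabled`, which the original turns on whenever logging is not OFF, is worth switching off regardless of Checkov: it logs complete request and response payloads.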
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_api/main.tf:6-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		6  | resource "aws_lambda_function" "local_zipfile" {
    		7  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		8  | 
    		9  |   # These are SPECIFIC to the deployment method:
    		10 |   filename         = "${var.function_zipfile}"
    		11 |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		12 | 
    		13 |   # These are the SAME for both:
    		14 |   description   = "${var.comment_prefix}${var.api_domain}"
    		15 |   function_name = "${local.prefix_with_domain}"
    		16 |   handler       = "${var.function_handler}"
    		17 |   runtime       = "${var.function_runtime}"
    		18 |   timeout       = "${var.function_timeout}"
    		19 |   memory_size   = "${var.memory_size}"
    		20 |   role          = "${aws_iam_role.this.arn}"
    		21 |   tags          = "${var.tags}"
    		22 | 
    		23 |   environment {
    		24 |     variables = "${var.function_env_vars}"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_api/main.tf:29-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		29 | resource "aws_lambda_function" "s3_zipfile" {
    		30 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		31 | 
    		32 |   # These are SPECIFIC to the deployment method:
    		33 |   s3_bucket = "${var.function_s3_bucket}"
    		34 |   s3_key    = "${var.function_zipfile}"
    		35 | 
    		36 |   # These are the SAME for both:
    		37 |   description   = "${var.comment_prefix}${var.api_domain}"
    		38 |   function_name = "${local.prefix_with_domain}"
    		39 |   handler       = "${var.function_handler}"
    		40 |   runtime       = "${var.function_runtime}"
    		41 |   timeout       = "${var.function_timeout}"
    		42 |   memory_size   = "${var.memory_size}"
    		43 |   role          = "${aws_iam_role.this.arn}"
    		44 |   tags          = "${var.tags}"
    		45 | 
    		46 |   environment {
    		47 |     variables = "${var.function_env_vars}"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.local_zipfile
    	File: /aws/aws_lambda_cronjob/main.tf:2-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		2  | resource "aws_lambda_function" "local_zipfile" {
    		3  |   count = "${var.function_s3_bucket == "" ? 1 : 0}"
    		4  | 
    		5  |   # These are SPECIFIC to the deployment method:
    		6  |   filename         = "${var.function_zipfile}"
    		7  |   source_code_hash = "${var.function_s3_bucket == "" ? "${base64sha256(file("${var.function_zipfile}"))}" : ""}"
    		8  | 
    		9  |   # These are the SAME for both:
    		10 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		11 |   function_name = "${local.prefix_with_name}"
    		12 |   handler       = "${var.function_handler}"
    		13 |   runtime       = "${var.function_runtime}"
    		14 |   timeout       = "${var.function_timeout}"
    		15 |   memory_size   = "${var.memory_size}"
    		16 |   role          = "${aws_iam_role.this.arn}"
    		17 |   tags          = "${var.tags}"
    		18 | 
    		19 |   environment {
    		20 |     variables = "${var.function_env_vars}"
    		21 |   }
    		22 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.s3_zipfile[0]
    	File: /aws/aws_lambda_cronjob/main.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		25 | resource "aws_lambda_function" "s3_zipfile" {
    		26 |   count = "${var.function_s3_bucket == "" ? 0 : 1}"
    		27 | 
    		28 |   # These are SPECIFIC to the deployment method:
    		29 |   s3_bucket = "${var.function_s3_bucket}"
    		30 |   s3_key    = "${var.function_zipfile}"
    		31 | 
    		32 |   # These are the SAME for both:
    		33 |   description   = "${var.comment_prefix}${var.cronjob_name}"
    		34 |   function_name = "${local.prefix_with_name}"
    		35 |   handler       = "${var.function_handler}"
    		36 |   runtime       = "${var.function_runtime}"
    		37 |   timeout       = "${var.function_timeout}"
    		38 |   memory_size   = "${var.memory_size}"
    		39 |   role          = "${aws_iam_role.this.arn}"
    		40 |   tags          = "${var.tags}"
    		41 | 
    		42 |   environment {
    		43 |     variables = "${var.function_env_vars}"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.this
    	File: /aws/aws_reverse_proxy/certificate.tf:3-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		3 | resource "aws_acm_certificate" "this" {
    		4 |   provider          = "aws.us_east_1"                                                              # because ACM is only available in the "us-east-1" region
    		5 |   domain_name       = "${var.site_domain}"
    		6 |   validation_method = "DNS"                                                                        # the required records are created below
    		7 |   tags              = "${merge(var.tags, map("Name", "${var.comment_prefix}${var.site_domain}"))}"
    		8 | }
    
    Check: CKV_AWS_305: "Ensure Cloudfront distribution has a default root object configured"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_86: "Ensure Cloudfront distribution has Access Logging enabled"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_68: "CloudFront Distribution should have WAF enabled"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_174: "Verify CloudFront Distribution Viewer Certificate is using TLS v1.2"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
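
The five CloudFront findings above (CKV_AWS_305, CKV_AWS_86, CKV_AWS_68, CKV_AWS_174, CKV_AWS_310) all land on the same aws_cloudfront_distribution.this in aws/aws_reverse_proxy/cloudfront.tf, whose body checkov refuses to print. The block below is an added example, not the module's own code: a skeletal distribution written in Terraform 0.12+ syntax (the module itself is in 0.11 style) that carries exactly the attributes each of those checks looks for. The origin hostnames, the log bucket, the WAFv2 web ACL and the ACM certificate reference are placeholders.

```hcl
# Added example: the attributes the five failed CloudFront checks look for, on a
# skeletal distribution. Origin hostnames, the log bucket, the WAFv2 ACL and the
# ACM certificate are placeholders, not the module's resources.
resource "aws_cloudfront_distribution" "hardened" {
  enabled             = true
  default_root_object = "index.html" # CKV_AWS_305

  # CKV_AWS_86: ship access logs to a dedicated bucket, without cookies
  logging_config {
    bucket          = "example-cf-logs.s3.amazonaws.com" # assumed bucket
    include_cookies = false
    prefix          = "cloudfront/"
  }

  # CKV_AWS_68: a WAFv2 web ACL with scope = "CLOUDFRONT", created in us-east-1
  web_acl_id = aws_wafv2_web_acl.edge.arn # assumed resource

  origin {
    origin_id   = "primary"
    domain_name = "origin-a.example.com" # assumed
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  origin {
    origin_id   = "secondary"
    domain_name = "origin-b.example.com" # assumed
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # CKV_AWS_310: failover group; the cache behaviour must target the group, not one origin
  origin_group {
    origin_id = "failover-group"
    failover_criteria {
      status_codes = [500, 502, 503, 504]
    }
    member {
      origin_id = "primary"
    }
    member {
      origin_id = "secondary"
    }
  }

  default_cache_behavior {
    target_origin_id       = "failover-group"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = true
      cookies {
        forward = "all"
      }
    }
  }

  # CKV_AWS_174: minimum_protocol_version is only honoured together with an ACM
  # certificate and sni-only; with cloudfront_default_certificate = true CloudFront
  # still accepts TLSv1 whatever is written here.
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.this.arn # assumed; must be in us-east-1
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
```

Two of these deserve a judgement call rather than a blind fix. A default_root_object changes what "/" means for a reverse proxy (it rewrites the request to /index.html at the edge), so for this module CKV_AWS_305 may be a deliberate exception, recorded with a `#checkov:skip=CKV_AWS_305:<reason>` comment inside the resource. Origin failover only makes sense if a second origin actually exists; pointing both members at the same host satisfies the scanner and protects nothing.
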
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.viewer_request
    	File: /aws/aws_reverse_proxy/lambda.tf:35-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		35 | resource "aws_lambda_function" "viewer_request" {
    		36 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		37 | 
    		38 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		39 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		40 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		41 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		42 | 
    		43 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		44 |   function_name    = "${local.prefix_with_domain}---viewer_request"
    		45 |   role             = "${aws_iam_role.this.arn}"
    		46 |   description      = "${var.comment_prefix}${var.site_domain} (request handler)"
    		47 |   handler          = "lambda.viewer_request"
    		48 |   runtime          = "nodejs8.10"
    		49 |   publish          = true                                                        # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		50 |   tags             = "${var.tags}"
    		51 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
    
    Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.viewer_response
    	File: /aws/aws_reverse_proxy/lambda.tf:53-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		53 | resource "aws_lambda_function" "viewer_response" {
    		54 |   provider = "aws.us_east_1" # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function must be in region 'us-east-1'
    		55 | 
    		56 |   # lambda_zip.output_path will be absolute, i.e. different on different machines.
    		57 |   # This can cause Terraform to notice differences that aren't actually there, so let's convert it to a relative one.
    		58 |   # https://github.com/hashicorp/terraform/issues/7613#issuecomment-332238441
    		59 |   filename = "${substr(data.archive_file.lambda_zip.output_path, length(path.cwd) + 1, -1)}"
    		60 | 
    		61 |   source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
    		62 |   function_name    = "${local.prefix_with_domain}---viewer_response"
    		63 |   role             = "${aws_iam_role.this.arn}"
    		64 |   description      = "${var.comment_prefix}${var.site_domain} (response handler)"
    		65 |   handler          = "lambda.viewer_response"
    		66 |   runtime          = "nodejs8.10"
    		67 |   publish          = true                                                         # because: error creating CloudFront Distribution: InvalidLambdaFunctionAssociation: The function ARN must reference a specific function version. (The ARN must end with the version number.)
    		68 |   tags             = "${var.tags}"
    		69 | }
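
The twelve Lambda findings above are the same six checks (CKV_AWS_50, CKV_AWS_272, CKV_AWS_363, CKV_AWS_115, CKV_AWS_116, CKV_AWS_117) applied to the two Lambda@Edge functions in aws/aws_reverse_proxy/lambda.tf. They are not all equal: the deprecated runtime, X-Ray tracing and code signing are configuration changes, whereas a dead-letter queue or a VPC attachment is documented as unsupported for functions associated with a CloudFront distribution, so the honest fix there is a recorded exception rather than a setting CloudFront would reject. The block below is an added example of the viewer_request function with those changes, not the module's code; the same edits apply to viewer_response. Names taken from the module's listing are aws.us_east_1, data.archive_file.lambda_zip, aws_iam_role.this and local.prefix_with_domain; the signing profile, the code-signing config, the concurrency value and the simplified filename handling are assumptions. Whether CloudFront accepts a function that carries a code-signing config and reserved concurrency should be confirmed against the current Lambda@Edge restrictions before relying on it.

```hcl
# Added example: hardened form of aws_lambda_function.viewer_request (the same edits
# apply to viewer_response). Names taken from the module's listing: aws.us_east_1,
# data.archive_file.lambda_zip, aws_iam_role.this, local.prefix_with_domain.
# The signing profile, signing config and concurrency value are assumptions.
resource "aws_lambda_function" "viewer_request" {
  provider = aws.us_east_1 # CloudFront only associates functions in us-east-1

  # CKV_AWS_116 / CKV_AWS_117: Lambda@Edge functions cannot have a dead-letter queue,
  # a VPC configuration or environment variables; CloudFront rejects the association.
  # Record the exception where the scanner reads it instead of leaving it to reappear.
  #checkov:skip=CKV_AWS_116:Lambda@Edge does not support dead-letter queues
  #checkov:skip=CKV_AWS_117:Lambda@Edge does not support VPC configuration

  filename         = data.archive_file.lambda_zip.output_path
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
  function_name    = "${local.prefix_with_domain}---viewer_request"
  role             = aws_iam_role.this.arn
  handler          = "lambda.viewer_request"
  publish          = true # CloudFront needs a versioned function ARN

  # CKV_AWS_363: nodejs8.10 has been deprecated for years; use a runtime Lambda@Edge supports
  runtime = "nodejs18.x"

  # CKV_AWS_50: X-Ray tracing
  tracing_config {
    mode = "Active"
  }

  # CKV_AWS_115: a per-function ceiling so an edge traffic spike cannot drain the
  # account's shared concurrency pool (value assumed for the example)
  reserved_concurrent_executions = 100

  # CKV_AWS_272: deploy only packages signed by the trusted profile below
  code_signing_config_arn = aws_lambda_code_signing_config.edge.arn
}

# Assumed supporting resources for code signing; not part of the module.
resource "aws_signer_signing_profile" "edge" {
  provider    = aws.us_east_1
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "edge_"
}

resource "aws_lambda_code_signing_config" "edge" {
  provider = aws.us_east_1
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.edge.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
```

With untrusted_artifact_on_deployment set to "Enforce", Lambda refuses a deployment package whose signature does not match an allowed signing profile, which is the supply-chain property CKV_AWS_272 is after; "Warn" only logs. The runtime change is the one item on this list that is not optional: Lambda no longer accepts updates to functions on nodejs8.10, so the module as shown cannot even be re-deployed until it moves.
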
    
    Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal"
    	FAILED for resource: aws_s3_bucket_policy.this
    	File: /aws/aws_static_site/s3.tf:30-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-23.html
    
    		30 | resource "aws_s3_bucket_policy" "this" {
    		31 |   depends_on = ["aws_s3_bucket.this"]                      # because we refer to the bucket indirectly, we need to explicitly define the dependency
    		32 |   count      = "${var.bucket_override_name == "" ? 1 : 0}"
    		33 |   bucket     = "${local.bucket_name}"
    		34 | 
    		35 |   # https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2
    		36 |   policy = <" to make someone an operator (admin)
    		93  |   # Use 'sudo journalctl -u google-startup-scripts.service' to retrieve the startup script output
    		94  |   metadata_startup_script = "docker run -d -p 25565:25565 -e EULA=TRUE -e VERSION=1.12.2 -v /var/minecraft:/data --name mc -e TYPE=FORGE -e FORGEVERSION=14.23.0.2552 -e MEMORY=2G --rm=true itzg/minecraft-server:latest;"
    		95  | 
    		96  |   metadata = {
    		97  |     enable-oslogin = "TRUE"
    		98  |   }
    		99  |       
    		100 |   boot_disk {
    		101 |     auto_delete = false # Keep disk after shutdown (game data)
    		102 |     source      = google_compute_disk.minecraft.self_link
    		103 |   }
    		104 | 
    		105 |   network_interface {
    		106 |     network = google_compute_network.minecraft.name
    		107 |     access_config {
    		108 |       nat_ip = google_compute_address.minecraft.address
    		109 |     }
    		110 |   }
    		111 | 
    		112 |   service_account {
    		113 |     email  = google_service_account.minecraft.email
    		114 |     scopes = ["userinfo-email"]
    		115 |   }
    		116 | 
    		117 |   scheduling {
    		118 |     preemptible       = true # Closes within 24 hours (sometimes sooner)
    		119 |     automatic_restart = false
    		120 |   }
    		121 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.minecraft
    	File: /google_cloud/minecraft/main.tf:81-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		81  | resource "google_compute_instance" "minecraft" {
    		82  |   name         = "minecraft"
    		83  |   machine_type = "n1-standard-1"
    		84  |   zone         = local.zone
    		85  |   tags         = ["minecraft"]
    		86  | 
    		87  |   # Run itzg/minecraft-server docker image on startup
    		88  |   # The instructions of https://hub.docker.com/r/itzg/minecraft-server/ are applicable
    		89  |   # For instance, Ssh into the instance and you can run
    		90  |   #  docker logs mc
    		91  |   #  docker exec -i mc rcon-cli
    		92  |   # Once in rcon-cli you can "op " to make someone an operator (admin)
    		93  |   # Use 'sudo journalctl -u google-startup-scripts.service' to retrieve the startup script output
    		94  |   metadata_startup_script = "docker run -d -p 25565:25565 -e EULA=TRUE -e VERSION=1.12.2 -v /var/minecraft:/data --name mc -e TYPE=FORGE -e FORGEVERSION=14.23.0.2552 -e MEMORY=2G --rm=true itzg/minecraft-server:latest;"
    		95  | 
    		96  |   metadata = {
    		97  |     enable-oslogin = "TRUE"
    		98  |   }
    		99  |       
    		100 |   boot_disk {
    		101 |     auto_delete = false # Keep disk after shutdown (game data)
    		102 |     source      = google_compute_disk.minecraft.self_link
    		103 |   }
    		104 | 
    		105 |   network_interface {
    		106 |     network = google_compute_network.minecraft.name
    		107 |     access_config {
    		108 |       nat_ip = google_compute_address.minecraft.address
    		109 |     }
    		110 |   }
    		111 | 
    		112 |   service_account {
    		113 |     email  = google_service_account.minecraft.email
    		114 |     scopes = ["userinfo-email"]
    		115 |   }
    		116 | 
    		117 |   scheduling {
    		118 |     preemptible       = true # Closes within 24 hours (sometimes sooner)
    		119 |     automatic_restart = false
    		120 |   }
    		121 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.minecraft
    	File: /google_cloud/minecraft/main.tf:81-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		81  | resource "google_compute_instance" "minecraft" {
    		82  |   name         = "minecraft"
    		83  |   machine_type = "n1-standard-1"
    		84  |   zone         = local.zone
    		85  |   tags         = ["minecraft"]
    		86  | 
    		87  |   # Run itzg/minecraft-server docker image on startup
    		88  |   # The instructions of https://hub.docker.com/r/itzg/minecraft-server/ are applicable
    		89  |   # For instance, Ssh into the instance and you can run
    		90  |   #  docker logs mc
    		91  |   #  docker exec -i mc rcon-cli
    		92  |   # Once in rcon-cli you can "op " to make someone an operator (admin)
    		93  |   # Use 'sudo journalctl -u google-startup-scripts.service' to retrieve the startup script output
    		94  |   metadata_startup_script = "docker run -d -p 25565:25565 -e EULA=TRUE -e VERSION=1.12.2 -v /var/minecraft:/data --name mc -e TYPE=FORGE -e FORGEVERSION=14.23.0.2552 -e MEMORY=2G --rm=true itzg/minecraft-server:latest;"
    		95  | 
    		96  |   metadata = {
    		97  |     enable-oslogin = "TRUE"
    		98  |   }
    		99  |       
    		100 |   boot_disk {
    		101 |     auto_delete = false # Keep disk after shutdown (game data)
    		102 |     source      = google_compute_disk.minecraft.self_link
    		103 |   }
    		104 | 
    		105 |   network_interface {
    		106 |     network = google_compute_network.minecraft.name
    		107 |     access_config {
    		108 |       nat_ip = google_compute_address.minecraft.address
    		109 |     }
    		110 |   }
    		111 | 
    		112 |   service_account {
    		113 |     email  = google_service_account.minecraft.email
    		114 |     scopes = ["userinfo-email"]
    		115 |   }
    		116 | 
    		117 |   scheduling {
    		118 |     preemptible       = true # Closes within 24 hours (sometimes sooner)
    		119 |     automatic_restart = false
    		120 |   }
    		121 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.minecraft
    	File: /google_cloud/minecraft/main.tf:81-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		81  | resource "google_compute_instance" "minecraft" {
    		82  |   name         = "minecraft"
    		83  |   machine_type = "n1-standard-1"
    		84  |   zone         = local.zone
    		85  |   tags         = ["minecraft"]
    		86  | 
    		87  |   # Run itzg/minecraft-server docker image on startup
    		88  |   # The instructions of https://hub.docker.com/r/itzg/minecraft-server/ are applicable
    		89  |   # For instance, Ssh into the instance and you can run
    		90  |   #  docker logs mc
    		91  |   #  docker exec -i mc rcon-cli
    		92  |   # Once in rcon-cli you can "op " to make someone an operator (admin)
    		93  |   # Use 'sudo journalctl -u google-startup-scripts.service' to retrieve the startup script output
    		94  |   metadata_startup_script = "docker run -d -p 25565:25565 -e EULA=TRUE -e VERSION=1.12.2 -v /var/minecraft:/data --name mc -e TYPE=FORGE -e FORGEVERSION=14.23.0.2552 -e MEMORY=2G --rm=true itzg/minecraft-server:latest;"
    		95  | 
    		96  |   metadata = {
    		97  |     enable-oslogin = "TRUE"
    		98  |   }
    		99  |       
    		100 |   boot_disk {
    		101 |     auto_delete = false # Keep disk after shutdown (game data)
    		102 |     source      = google_compute_disk.minecraft.self_link
    		103 |   }
    		104 | 
    		105 |   network_interface {
    		106 |     network = google_compute_network.minecraft.name
    		107 |     access_config {
    		108 |       nat_ip = google_compute_address.minecraft.address
    		109 |     }
    		110 |   }
    		111 | 
    		112 |   service_account {
    		113 |     email  = google_service_account.minecraft.email
    		114 |     scopes = ["userinfo-email"]
    		115 |   }
    		116 | 
    		117 |   scheduling {
    		118 |     preemptible       = true # Closes within 24 hours (sometimes sooner)
    		119 |     automatic_restart = false
    		120 |   }
    		121 | }
    
    Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
    	FAILED for resource: google_compute_firewall.minecraft
    	File: /google_cloud/minecraft/main.tf:130-149
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
    
    		130 | resource "google_compute_firewall" "minecraft" {
    		131 |   name    = "minecraft"
    		132 |   network = google_compute_network.minecraft.name
    		133 |   # Minecraft client port
    		134 |   allow {
    		135 |     protocol = "tcp"
    		136 |     ports    = ["25565"]
    		137 |   }
    		138 |   # ICMP (ping)
    		139 |   allow {
    		140 |     protocol = "icmp"
    		141 |   }
    		142 |   # SSH (for RCON-CLI access)
    		143 |   allow {
    		144 |     protocol = "tcp"
    		145 |     ports    = ["22"]
    		146 |   }
    		147 |   source_ranges = ["0.0.0.0/0"]
    		148 |   target_tags   = ["minecraft"]
    		149 | }
    
    Check: CKV_GCP_113: "Ensure IAM policy should not define public access"
    	FAILED for resource: google_iam_policy.noauth
    	File: /google_cloud/oathkeeper/main.tf:30-35
    
    		30 | data "google_iam_policy" "noauth" {
    		31 |   binding {
    		32 |     role    = "roles/run.invoker"
    		33 |     members = ["allUsers"]
    		34 |   }
    		35 | }
    
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: google_storage_bucket.config
    	File: /google_cloud/oathkeeper/main.tf:46-50
    
    		46 | resource "google_storage_bucket" "config" {
    		47 |   name               = "${local.project}_${local.region}_oathkeeper"
    		48 |   location           = local.location
    		49 |   bucket_policy_only = true
    		50 | }
    
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: google_storage_bucket.config
    	File: /google_cloud/oathkeeper/main.tf:46-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		46 | resource "google_storage_bucket" "config" {
    		47 |   name               = "${local.project}_${local.region}_oathkeeper"
    		48 |   location           = local.location
    		49 |   bucket_policy_only = true
    		50 | }
    
    Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
    	FAILED for resource: google_storage_bucket.config
    	File: /google_cloud/oathkeeper/main.tf:46-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
    
    		46 | resource "google_storage_bucket" "config" {
    		47 |   name               = "${local.project}_${local.region}_oathkeeper"
    		48 |   location           = local.location
    		49 |   bucket_policy_only = true
    		50 | }
    
    Check: CKV_GCP_62: "Bucket should log access"
    	FAILED for resource: google_storage_bucket.config
    	File: /google_cloud/oathkeeper/main.tf:46-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
    
    		46 | resource "google_storage_bucket" "config" {
    		47 |   name               = "${local.project}_${local.region}_oathkeeper"
    		48 |   location           = local.location
    		49 |   bucket_policy_only = true
    		50 | }
    
    Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
    	FAILED for resource: google_storage_bucket_iam_member.oathkeeper-viewer
    	File: /google_cloud/oathkeeper/main.tf:66-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1.html
    
    		66 | resource "google_storage_bucket_iam_member" "oathkeeper-viewer" {
    		67 |   bucket = google_storage_bucket.config.name
    		68 |   role   = "roles/storage.objectViewer"
    		69 |   # member = "serviceAccount:${google_service_account.oathkeeper.email}"
    		70 |   member = "allUsers" # work around until we can use the cloud API https://github.com/ory/oathkeeper/issues/425
    		71 | }
    
    Check: CKV_GCP_113: "Ensure IAM policy should not define public access"
    	FAILED for resource: google_iam_policy.noauth
    	File: /google_cloud/openresty-beyondcorp/main.tf:54-59
    
    		54 | data "google_iam_policy" "noauth" {
    		55 |   binding {
    		56 |     role    = "roles/run.invoker"
    		57 |     members = ["allUsers"]
    		58 |   }
    		59 | }
    
    Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_pubsub_topic.httpwal
    	File: /google_cloud/openresty-beyondcorp/main.tf:123-125
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
    
    		123 | resource "google_pubsub_topic" "httpwal" {
    		124 |   name = "openresty_wal"
    		125 | }
    
    Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
    	FAILED for resource: google_project_iam_member.pubsub_token_creator
    	File: /google_cloud/openresty-beyondcorp/main.tf:128-132
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
    
    		128 | resource "google_project_iam_member" "pubsub_token_creator" {
    		129 |   project = local.project
    		130 |   role    = "roles/iam.serviceAccountTokenCreator"
    		131 |   member  = "serviceAccount:service-${local.project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
    		132 | }
    
    Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
    	FAILED for resource: google_project_iam_member.pubsub_token_creator
    	File: /google_cloud/openresty-beyondcorp/main.tf:128-132
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3.html
    
    		128 | resource "google_project_iam_member" "pubsub_token_creator" {
    		129 |   project = local.project
    		130 |   role    = "roles/iam.serviceAccountTokenCreator"
    		131 |   member  = "serviceAccount:service-${local.project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
    		132 | }
    
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: azurerm_storage_account.storage
    	File: /azure/layers/main.tf:45-52
    
    		45 | resource "azurerm_storage_account" "storage" {
    		46 |   name                      = "${var.resource_name_prefix}storage"
    		47 |   resource_group_name       = azurerm_resource_group.storage.name
    		48 |   location                  = var.location
    		49 |   account_tier              = "Standard"
    		50 |   account_replication_type  = "LRS"
    		51 |   enable_https_traffic_only = true
    		52 | }
    
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: azurerm_storage_container.storage
    	File: /azure/layers/main.tf:54-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		54 | resource "azurerm_storage_container" "storage" {
    		55 |   name                  = "${var.resource_name_prefix}container"
    		56 |   storage_account_name  = azurerm_storage_account.storage.name
    		57 |   container_access_type = "private"
    		58 | }
    
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: azurerm_storage_account.storage
    	File: /azure/layers/main.tf:45-52
    
    		45 | resource "azurerm_storage_account" "storage" {
    		46 |   name                      = "${var.resource_name_prefix}storage"
    		47 |   resource_group_name       = azurerm_resource_group.storage.name
    		48 |   location                  = var.location
    		49 |   account_tier              = "Standard"
    		50 |   account_replication_type  = "LRS"
    		51 |   enable_https_traffic_only = true
    		52 | }
    
    Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
    	FAILED for resource: azurerm_storage_account.storage
    	File: /azure/layers/main.tf:45-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
    
    		45 | resource "azurerm_storage_account" "storage" {
    		46 |   name                      = "${var.resource_name_prefix}storage"
    		47 |   resource_group_name       = azurerm_resource_group.storage.name
    		48 |   location                  = var.location
    		49 |   account_tier              = "Standard"
    		50 |   account_replication_type  = "LRS"
    		51 |   enable_https_traffic_only = true
    		52 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: azurerm_subnet.subnet
    	File: /azure/layers/main.tf:25-38
    
    		25 | resource "azurerm_subnet" "subnet" {
    		26 |   name                 = "${var.resource_name_prefix}-subnet"
    		27 |   virtual_network_name = azurerm_virtual_network.network.name
    		28 |   resource_group_name  = azurerm_resource_group.network.name
    		29 |   address_prefix       = "10.137.1.0/24"
    		30 |   service_endpoints    = ["Microsoft.KeyVault"]
    		31 | 
    		32 |   lifecycle {
    		33 |     ignore_changes = [
    		34 |       network_security_group_id,
    		35 |       route_table_id
    		36 |     ]
    		37 |   }
    		38 | }
    
    Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
    	FAILED for resource: azurerm_key_vault.current
    	File: /azure/azure_linux_docker_app_service/shared.tf:18-29
    
    		18 | resource "azurerm_key_vault" "current" {
    		19 |   name                = local.key_vault_name
    		20 |   location            = data.azurerm_resource_group.current.location
    		21 |   resource_group_name = data.azurerm_resource_group.current.name
    		22 |   tenant_id           = data.azurerm_client_config.current.tenant_id
    		23 | 
    		24 |   soft_delete_enabled        = true
    		25 |   soft_delete_retention_days = 7
    		26 |   purge_protection_enabled   = false
    		27 | 
    		28 |   sku_name = "standard"
    		29 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.functions.google_cloudfunctions_function.memorystoreloader
    	File: /google_cloud/CQRS_bigquery_memorystore/functions/function_memorystoreloader.tf:5-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		5  | resource "google_cloudfunctions_function" "memorystoreloader" {
    		6  |   name    = "memorystoreloader"
    		7  |   runtime = "nodejs10"
    		8  |   /* Testing has minimal resource requirements */
    		9  |   max_instances       = 2
    		10 |   available_memory_mb = 2048 // Cache loading speed is improved with better instance type, linearly
    		11 |   timeout             = 60
    		12 |   entry_point         = "memorystoreload"
    		13 |   region              = var.config.region
    		14 | 
    		15 |   source_archive_bucket = var.config.code_bucket.name
    		16 |   source_archive_object = google_storage_bucket_object.memorystoreload_code.name
    		17 | 
    		18 |   // Function triggered by mutations in the upload bucket
    		19 |   event_trigger {
    		20 |     event_type = "providers/cloud.storage/eventTypes/object.change"
    		21 |     resource   = google_storage_bucket.memorystore_uploads.name
    		22 |     failure_policy {
    		23 |       retry = false
    		24 |     }
    		25 |   }
    		26 | 
    		27 |   provider      = "google-beta"
    		28 |   vpc_connector = google_vpc_access_connector.serverless_vpc_connector.name
    		29 | 
    		30 |   environment_variables = {
    		31 |     REDIS_HOST = var.memorystore_host
    		32 |     REDIS_PORT = 6379
    		33 |     EXPIRY     = 60 * 60 * 24 * 30 // 30d expiry for keys
    		34 |   }
    		35 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.functions.google_cloudfunctions_function.prober
    	File: /google_cloud/CQRS_bigquery_memorystore/functions/function_prober.tf:5-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		5  | resource "google_cloudfunctions_function" "prober" {
    		6  |   name    = "prober"
    		7  |   runtime = "nodejs10"
    		8  |   /* Probing has minimal resource requirements */
    		9  |   max_instances       = 1
    		10 |   available_memory_mb = 128
    		11 |   timeout             = 30
    		12 |   entry_point         = "probe"
    		13 |   region              = var.config.region
    		14 | 
    		15 |   source_archive_bucket = var.config.code_bucket.name
    		16 |   source_archive_object = google_storage_bucket_object.probe_code.name
    		17 | 
    		18 |   event_trigger {
    		19 |     event_type = "providers/cloud.pubsub/eventTypes/topic.publish"
    		20 |     resource   = google_pubsub_topic.version_every_minute.name
    		21 |     failure_policy {
    		22 |       retry = false
    		23 |     }
    		24 |   }
    		25 | 
    		26 |   environment_variables = {
    		27 |     PROBE_DATASET   = var.prober_ingress_table.dataset_id
    		28 |     PROBE_TABLE     = var.prober_ingress_table.table_id
    		29 |     CONTROLS_DATASET = var.control_dataset.dataset_id
    		30 |   }
    		31 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.functions.google_cloudfunctions_function.test
    	File: /google_cloud/CQRS_bigquery_memorystore/functions/function_test.tf:5-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		5  | resource "google_cloudfunctions_function" "test" {
    		6  |   name                  = "test"
    		7  |   runtime               = "nodejs10"
    		8  |   /* Testing has minimal resource requirements */
    		9  |   max_instances         = 1   
    		10 |   available_memory_mb   = 128
    		11 |   timeout               = 30
    		12 |   entry_point           = "test"
    		13 |   region                = var.config.region
    		14 | 
    		15 |   source_archive_bucket = var.config.code_bucket.name
    		16 |   source_archive_object = google_storage_bucket_object.test_code.name
    		17 | 
    		18 |   trigger_http = true
    		19 | 
    		20 |   provider      = "google-beta"
    		21 |   vpc_connector = google_vpc_access_connector.serverless_vpc_connector.name
    		22 | 
    		23 |   environment_variables = {
    		24 |     CONFIG_BUCKET = var.config.code_bucket.name
    		25 |     PROBER_DATASET = var.prober_ingress_table.dataset_id
    		26 |     PROBER_TABLE = var.prober_ingress_table.table_id
    		27 |     UNIFIED_VALUES_DATASET = var.unified_values_table.dataset_id
    		28 |     UNIFIED_VALUES_TABLE = var.unified_values_table.table_id
    		29 |     /*
    		30 |     UNIFIED_METABOLICS_DATASET = var.unified_metabolics_table.dataset_id
    		31 |     UNIFIED_METABOLICS_TABLE = var.unified_metabolics_table.table_id
    		32 |     */
    		33 |     CURRENT_TOTALS_DATASET = var.current_totals_table.dataset_id
    		34 |     CURRENT_TOTALS_TABLE = var.current_totals_table.table_id
    		35 |     /*
    		36 |     DAILY_METABOLICS_PRECOMPUTE_DATASET = var.daily_metabolics_precompute_table.dataset_id
    		37 |     DAILY_METABOLICS_PRECOMPUTE_TABLE = var.daily_metabolics_precompute_table.table_id
    		38 |     */
    		39 |     MEMORYSTORE_UPLOADS_BUCKET = google_storage_bucket.memorystore_uploads.name
    		40 |     REDIS_HOST = var.memorystore_host
    		41 |     REDIS_PORT = 6379
    		42 |   }
    		43 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.functions.google_cloudfunctions_function.update_current
    	File: /google_cloud/CQRS_bigquery_memorystore/functions/function_update_current.tf:5-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		5  | resource "google_cloudfunctions_function" "update_current" {
    		6  |   name    = "update_current"
    		7  |   runtime = "nodejs10"
    		8  |   /* Running BQ client has minimal resource requirements */
    		9  |   max_instances       = 1
    		10 |   available_memory_mb = 128
    		11 |   timeout             = 30
    		12 |   entry_point         = "materialize"
    		13 |   region              = var.config.region
    		14 | 
    		15 |   source_archive_bucket = var.config.code_bucket.name
    		16 |   source_archive_object = google_storage_bucket_object.materialize_code.name
    		17 | 
    		18 |   // Function triggered by mutations in the upload bucket
    		19 |   event_trigger {
    		20 |     event_type = "providers/cloud.pubsub/eventTypes/topic.publish"
    		21 |     resource   = google_pubsub_topic.version_every_two_minutes.name
    		22 |     failure_policy {
    		23 |       retry = false
    		24 |     }
    		25 |   }
    		26 | 
    		27 |   environment_variables = {
    		28 |     PROJECT        = var.config.project
    		29 |     DATASET        = var.current_totals_table.dataset_id
    		30 |     TABLE          = var.current_totals_table.table_id
    		31 |     SOURCE_DATASET = var.current_totals_latest_table.dataset_id
    		32 |     SOURCE_TABLE   = var.current_totals_latest_table.table_id
    		33 |     BUCKET         = google_storage_bucket.memorystore_uploads.name
    		34 |     FILE           = "current_totals.json"
    		35 |   }
    		36 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.functions.google_cloudfunctions_function.update_historical
    	File: /google_cloud/CQRS_bigquery_memorystore/functions/function_update_historical.tf:1-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		1  | resource "google_cloudfunctions_function" "update_historical" {
    		2  |   name    = "update_historical"
    		3  |   runtime = "nodejs10"
    		4  |   /* Running BQ client has minimal resource requirements */
    		5  |   max_instances       = 1
    		6  |   available_memory_mb = 128
    		7  |   timeout             = 30
    		8  |   entry_point         = "materialize"
    		9  |   region              = var.config.region
    		10 | 
    		11 |   source_archive_bucket = var.config.code_bucket.name
    		12 |   // Note we reuse source code setup in function_update_current.tf
    		13 |   source_archive_object = google_storage_bucket_object.materialize_code.name
    		14 | 
    		15 |   // Function triggered by mutations in the upload bucket
    		16 |   event_trigger {
    		17 |     event_type = "providers/cloud.pubsub/eventTypes/topic.publish"
    		18 |     resource   = google_pubsub_topic.version_every_hour.name
    		19 |     failure_policy {
    		20 |       retry = false
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   environment_variables = {
    		25 |     PROJECT        = var.config.project
    		26 |     DATASET        = var.historical_totals_table.dataset_id
    		27 |     TABLE          = var.historical_totals_table.table_id
    		28 |     SOURCE_DATASET = var.historical_totals_latest_table.dataset_id
    		29 |     SOURCE_TABLE   = var.historical_totals_latest_table.table_id
    		30 |     N_DAYS         = var.config.retention_days
    		31 |     BUCKET         = google_storage_bucket.memorystore_uploads.name
    		32 |     FILE           = "historical_totals.json"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
    	FAILED for resource: aws_eip.nat
    	File: /aws/aws_vpc_msk/network-routing.tf:14-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
    
    		14 | resource "aws_eip" "nat" {
    		15 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.msk_vpc
    	File: /aws/aws_vpc_msk/vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "msk_vpc" {
    		2  |   cidr_block = var.vpc_cidr
    		3  |   tags = merge(
    		4  |     local.common-tags,
    		5  |     map(
    		6  |       "Name", "msk-${lower(var.environment)}-vpc",
    		7  |       "Description", "VPC for creating MSK resources",
    		8  |     )
    		9  |   )
    		10 | }
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:65-139
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/wordpress_fargate/cloudfront.tf:15-141
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_29: "Ensure public API gateway are protected by WAF"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-api-gateway-are-protected-by-waf.html
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_8: "Ensure that RDS clusters has backup plan of AWS Backup"
    	FAILED for resource: aws_rds_cluster.this
    	File: /aws/wordpress_fargate/db.tf:6-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-clusters-has-backup-plan-of-aws-backup.html
    
    		6  | resource "aws_rds_cluster" "this" {
    		7  |   cluster_identifier      = "${var.prefix}-${var.environment}"
    		8  |   engine                  = "aurora"
    		9  |   engine_mode             = "serverless"
    		10 |   vpc_security_group_ids  = [aws_security_group.db.id]
    		11 |   db_subnet_group_name    = aws_db_subnet_group.this.name
    		12 |   engine_version          = var.db_engine_version
    		13 |   availability_zones      = data.aws_availability_zones.this.names
    		14 |   database_name           = "wordpress"
    		15 |   master_username         = var.db_master_username
    		16 |   master_password         = var.db_master_password
    		17 |   backup_retention_period = var.db_backup_retention_days
    		18 |   preferred_backup_window = var.db_backup_window
    		19 |   scaling_configuration {
    		20 |     auto_pause               = var.db_auto_pause
    		21 |     seconds_until_auto_pause = var.db_seconds_until_auto_pause
    		22 |     max_capacity             = var.db_max_capacity
    		23 |     min_capacity             = var.db_min_capacity
    		24 |   }
    		25 |   final_snapshot_identifier = "${var.prefix}-${var.environment}-${random_string.snapshot_suffix.result}"
    		26 |   tags                      = var.tags
    		27 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.wordpress
    	File: /aws/wordpress_fargate/fargate.tf:104-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		104 | resource "aws_security_group" "wordpress" {
    		105 |   name        = "${var.prefix}-wordpress-${var.environment}"
    		106 |   description = "Fargate wordpress"
    		107 |   vpc_id      = module.vpc.vpc_id
    		108 | 
    		109 |   egress {
    		110 |     from_port   = 0
    		111 |     to_port     = 0
    		112 |     protocol    = "-1"
    		113 |     cidr_blocks = ["0.0.0.0/0"]
    		114 |   }
    		115 | 
    		116 |   ingress {
    		117 |     from_port       = 0
    		118 |     to_port         = 0
    		119 |     protocol        = "tcp"
    		120 |     security_groups = [aws_security_group.alb.id, aws_security_group.efs.id]
    		121 |   }
    		122 | 
    		123 |   tags = var.tags
    		124 | }
    
    Check: CKV2_AWS_27: "Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled"
    	FAILED for resource: aws_rds_cluster.this
    	File: /aws/wordpress_fargate/db.tf:6-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-logging-32.html
    
    		6  | resource "aws_rds_cluster" "this" {
    		7  |   cluster_identifier      = "${var.prefix}-${var.environment}"
    		8  |   engine                  = "aurora"
    		9  |   engine_mode             = "serverless"
    		10 |   vpc_security_group_ids  = [aws_security_group.db.id]
    		11 |   db_subnet_group_name    = aws_db_subnet_group.this.name
    		12 |   engine_version          = var.db_engine_version
    		13 |   availability_zones      = data.aws_availability_zones.this.names
    		14 |   database_name           = "wordpress"
    		15 |   master_username         = var.db_master_username
    		16 |   master_password         = var.db_master_password
    		17 |   backup_retention_period = var.db_backup_retention_days
    		18 |   preferred_backup_window = var.db_backup_window
    		19 |   scaling_configuration {
    		20 |     auto_pause               = var.db_auto_pause
    		21 |     seconds_until_auto_pause = var.db_seconds_until_auto_pause
    		22 |     max_capacity             = var.db_max_capacity
    		23 |     min_capacity             = var.db_min_capacity
    		24 |   }
    		25 |   final_snapshot_identifier = "${var.prefix}-${var.environment}-${random_string.snapshot_suffix.result}"
    		26 |   tags                      = var.tags
    		27 | }
    
    Check: CKV2_AWS_51: "Ensure AWS API Gateway endpoints uses client certificate authentication"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV2_AWS_4: "Ensure API Gateway stage have logging level defined as appropriate"
    	FAILED for resource: aws_api_gateway_stage.this
    	File: /aws/aws_lambda_api/api_gateway_config.tf:15-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-api-gateway-stage-have-logging-level-defined-as-appropiate.html
    
    		15 | resource "aws_api_gateway_stage" "this" {
    		16 |   stage_name    = "${var.stage_name}"
    		17 |   description   = "${var.comment_prefix}${var.api_domain}"
    		18 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		19 |   deployment_id = "${aws_api_gateway_deployment.this.id}"
    		20 |   tags          = "${var.tags}"
    		21 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_53: "Ensure AWS API gateway request is validated"
    	FAILED for resource: aws_api_gateway_method.proxy_root
    	File: /aws/aws_lambda_api/api_gateway_resources.tf:3-8
    
    		3 | resource "aws_api_gateway_method" "proxy_root" {
    		4 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		5 |   resource_id   = "${aws_api_gateway_rest_api.this.root_resource_id}"
    		6 |   http_method   = "ANY"
    		7 |   authorization = "NONE"
    		8 | }
    
    Check: CKV2_AWS_53: "Ensure AWS API gateway request is validated"
    	FAILED for resource: aws_api_gateway_method.proxy_other
    	File: /aws/aws_lambda_api/api_gateway_resources.tf:27-32
    
    		27 | resource "aws_api_gateway_method" "proxy_other" {
    		28 |   rest_api_id   = "${aws_api_gateway_rest_api.this.id}"
    		29 |   resource_id   = "${aws_api_gateway_resource.proxy_other.id}"
    		30 |   http_method   = "ANY"
    		31 |   authorization = "NONE"
    		32 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.msk_vpc
    	File: /aws/aws_vpc_msk/vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "msk_vpc" {
    		2  |   cidr_block = var.vpc_cidr
    		3  |   tags = merge(
    		4  |     local.common-tags,
    		5  |     map(
    		6  |       "Name", "msk-${lower(var.environment)}-vpc",
    		7  |       "Description", "VPC for creating MSK resources",
    		8  |     )
    		9  |   )
    		10 | }
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/aws_static_site/s3.tf:5-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		5  | resource "aws_s3_bucket" "this" {
    		6  |   count  = "${var.bucket_override_name == "" ? 1 : 0}"
    		7  |   bucket = "${local.bucket_name}"
    		8  |   tags   = "${var.tags}"
    		9  | 
    		10 |   # Add a CORS configuration, so that we don't have issues with webfont loading
    		11 |   # http://www.holovaty.com/writing/cors-ie-cloudfront/
    		12 |   cors_rule {
    		13 |     allowed_headers = ["*"]
    		14 |     allowed_methods = ["GET"]
    		15 |     allowed_origins = ["*"]
    		16 |     max_age_seconds = 3000
    		17 |   }
    		18 | 
    		19 |   # Enable website hosting
    		20 |   # Note, though, that when accessing the bucket over its SSL endpoint, the index_document will not be used
    		21 |   website {
    		22 |     index_document = "index.html"
    		23 |     error_document = "error.html"
    		24 |   }
    		25 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:19-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		19 | resource "aws_s3_bucket" "this" {
    		20 |   bucket = var.bucket_name
    		21 |   tags   = var.tags
    		22 | }
    
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/aws_reverse_proxy/cloudfront.tf:3-139
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/static_website_ssl_cloudfront_private_s3/main.tf:65-139
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /aws/wordpress_fargate/cloudfront.tf:15-141
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
    	FAILED for resource: google_sql_database_instance.camunda-db
    	File: /google_cloud/camunda-secure/cloudsql.tf:1-13
    
    		1  | resource "google_sql_database_instance" "camunda-db" {
    		2  |   name             = "camunda-db-postgres"
    		3  |   database_version = "POSTGRES_11"
    		4  |   region           = local.config.region
    		5  | 
    		6  |   settings {
    		7  |     # Very small instance for testing.
    		8  |     tier = "db-f1-micro"
    		9  |     ip_configuration {
    		10 |         ipv4_enabled = true
    		11 |     }
    		12 |   }
    		13 | }
    
    Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
    	FAILED for resource: google_sql_database_instance.camunda-db
    	File: /google_cloud/camunda/cloudsql.tf:1-13
    
    		1  | resource "google_sql_database_instance" "camunda-db" {
    		2  |   name             = "camunda-db-postgres"
    		3  |   database_version = "POSTGRES_11"
    		4  |   region           = local.config.region
    		5  | 
    		6  |   settings {
    		7  |     # Very small instance for testing.
    		8  |     tier = "db-f1-micro"
    		9  |     ip_configuration {
    		10 |         ipv4_enabled = true
    		11 |     }
    		12 |   }
    		13 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.this
    	File: /aws/aws_ec2_ebs_docker_host/main.tf:3-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		3  | resource "aws_instance" "this" {
    		4  |   instance_type          = "${var.instance_type}"
    		5  |   ami                    = "${var.instance_ami}"
    		6  |   availability_zone      = "${local.availability_zone}"
    		7  |   key_name               = "${aws_key_pair.this.id}"                            # the name of the SSH keypair to use for provisioning
    		8  |   vpc_security_group_ids = ["${aws_security_group.this.id}"]
    		9  |   subnet_id              = "${data.aws_subnet.this.id}"
    		10 |   user_data              = "${sha1(local.reprovision_trigger)}"                 # this value isn't used by the EC2 instance, but its change will trigger re-creation of the resource
    		11 |   tags                   = "${merge(var.tags, map("Name", "${var.hostname}"))}"
    		12 |   volume_tags            = "${merge(var.tags, map("Name", "${var.hostname}"))}" # give the root EBS volume a name (+ other possible tags) that makes it easier to identify as belonging to this host
    		13 | 
    		14 |   root_block_device {
    		15 |     volume_size = "${var.root_volume_size}"
    		16 |   }
    		17 | 
    		18 |   connection {
    		19 |     user        = "${var.ssh_username}"
    		20 |     private_key = "${file("${var.ssh_private_key_path}")}"
    		21 |     agent       = false                                    # don't use SSH agent because we have the private key right here
    		22 |   }
    		23 | 
    		24 |   provisioner "remote-exec" {
    		25 |     inline = [
    		26 |       "sudo hostnamectl set-hostname ${var.hostname}",
    		27 |       "echo 127.0.0.1 ${var.hostname} | sudo tee -a /etc/hosts", # https://askubuntu.com/a/59517
    		28 |     ]
    		29 |   }
    		30 | 
    		31 |   provisioner "remote-exec" {
    		32 |     script = "${path.module}/provision-docker.sh"
    		33 |   }
    		34 | 
    		35 |   provisioner "file" {
    		36 |     source      = "${path.module}/provision-swap.sh"
    		37 |     destination = "/home/${var.ssh_username}/provision-swap.sh"
    		38 |   }
    		39 | 
    		40 |   provisioner "remote-exec" {
    		41 |     inline = [
    		42 |       "sh /home/${var.ssh_username}/provision-swap.sh ${var.swap_file_size} ${var.swap_swappiness}",
    		43 |       "rm /home/${var.ssh_username}/provision-swap.sh",
    		44 |     ]
    		45 |   }
    		46 | }
    
    dockerfile scan results:
    
    Passed checks: 315, Failed checks: 12, Skipped checks: 0
    
    Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
    	FAILED for resource: /google_cloud/oathkeeper/Dockerfile.template.ADD
    	File: /google_cloud/oathkeeper/Dockerfile.template:2-2
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
    
    		2 | ADD config.yml /config.yaml
    
    Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    	FAILED for resource: /google_cloud/oathkeeper/Dockerfile.template.
    	File: /google_cloud/oathkeeper/Dockerfile.template:1-2
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
    
    		1 | FROM eu.gcr.io/${project}/${image}:${tag}
    		2 | ADD config.yml /config.yaml
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /google_cloud/oathkeeper/Dockerfile.template.
    	File: /google_cloud/oathkeeper/Dockerfile.template:1-2
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1 | FROM eu.gcr.io/${project}/${image}:${tag}
    		2 | ADD config.yml /config.yaml
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /google_cloud/camunda-secure/Dockerfile.template.
    	File: /google_cloud/camunda-secure/Dockerfile.template:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1  | FROM eu.gcr.io/${project}/${image}:${tag}
    		2  | # https://forum.camunda.org/t/apt-get-is-missing-on-camunda-bpm-platform-7-9-0-image/7789
    		3  | USER root 
    		4  | RUN apk add --no-cache wget
    		5  | USER camunda
    		6  | RUN rm /camunda/lib/postgresql-*.jar 
    		7  | RUN wget --directory-prefix=/camunda/lib https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/releases/download/v1.0.15/postgres-socket-factory-1.0.15-jar-with-driver-and-dependencies.jar
    		8  | 
    		9  | # json-path and deps
    		10 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/com/jayway/jsonpath/json-path/2.4.0/json-path-2.4.0.jar
    		11 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/net/minidev/json-smart/2.3/json-smart-2.3.jar
    		12 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/net/minidev/accessors-smart/1.2/accessors-smart-1.2.jar
    		13 | 
    		14 | COPY bpm-platform.xml /camunda/conf/
    		15 | # COPY server.xml /camunda/conf/
    
    Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    	FAILED for resource: /azure/azure_linux_docker_app_service/example-app/Dockerfile.
    	File: /azure/azure_linux_docker_app_service/example-app/Dockerfile:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
    
    		1 | FROM node:14-slim
    		2 | 
    		3 | WORKDIR /app
    		4 | COPY package.json package-lock.json ./
    		5 | RUN npm ci
    		6 | COPY index.js ./
    		7 | 
    		8 | EXPOSE 4000
    		9 | CMD ["node", "index.js"]
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /azure/azure_linux_docker_app_service/example-app/Dockerfile.
    	File: /azure/azure_linux_docker_app_service/example-app/Dockerfile:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1 | FROM node:14-slim
    		2 | 
    		3 | WORKDIR /app
    		4 | COPY package.json package-lock.json ./
    		5 | RUN npm ci
    		6 | COPY index.js ./
    		7 | 
    		8 | EXPOSE 4000
    		9 | CMD ["node", "index.js"]
    
    Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
    	FAILED for resource: /google_cloud/openresty-beyondcorp/Dockerfile.template.ADD
    	File: /google_cloud/openresty-beyondcorp/Dockerfile.template:7-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
    
    		7 | ADD default.conf /etc/nginx/conf.d/default.conf
    
    Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
    	FAILED for resource: /google_cloud/openresty-beyondcorp/Dockerfile.template.ADD
    	File: /google_cloud/openresty-beyondcorp/Dockerfile.template:8-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
    
    		8 | ADD login /assets/login
    
    Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
    	FAILED for resource: /google_cloud/openresty-beyondcorp/Dockerfile.template.ADD
    	File: /google_cloud/openresty-beyondcorp/Dockerfile.template:9-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
    
    		9 | ADD swiss/ /usr/local/openresty/lualib/swiss/
    
    Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    	FAILED for resource: /google_cloud/openresty-beyondcorp/Dockerfile.template.
    	File: /google_cloud/openresty-beyondcorp/Dockerfile.template:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
    
    		1  | FROM eu.gcr.io/${project}/${image}:${tag}
    		2  | RUN apk add --no-cache curl perl
    		3  | RUN opm get ledgetech/lua-resty-http
    		4  | RUN opm get bungle/lua-resty-reqargs
    		5  | RUN opm get jkeys089/lua-resty-hmac
    		6  | 
    		7  | ADD default.conf /etc/nginx/conf.d/default.conf
    		8  | ADD login /assets/login
    		9  | ADD swiss/ /usr/local/openresty/lualib/swiss/
    		10 | 
    		11 | 
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /google_cloud/openresty-beyondcorp/Dockerfile.template.
    	File: /google_cloud/openresty-beyondcorp/Dockerfile.template:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1  | FROM eu.gcr.io/${project}/${image}:${tag}
    		2  | RUN apk add --no-cache curl perl
    		3  | RUN opm get ledgetech/lua-resty-http
    		4  | RUN opm get bungle/lua-resty-reqargs
    		5  | RUN opm get jkeys089/lua-resty-hmac
    		6  | 
    		7  | ADD default.conf /etc/nginx/conf.d/default.conf
    		8  | ADD login /assets/login
    		9  | ADD swiss/ /usr/local/openresty/lualib/swiss/
    		10 | 
    		11 | 
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /google_cloud/camunda/Dockerfile.template.
    	File: /google_cloud/camunda/Dockerfile.template:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1  | FROM eu.gcr.io/${project}/${image}:${tag}
    		2  | # https://forum.camunda.org/t/apt-get-is-missing-on-camunda-bpm-platform-7-9-0-image/7789
    		3  | USER root 
    		4  | RUN apk add --no-cache wget
    		5  | USER camunda
    		6  | RUN rm /camunda/lib/postgresql-*.jar 
    		7  | RUN wget --directory-prefix=/camunda/lib https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/releases/download/v1.0.15/postgres-socket-factory-1.0.15-jar-with-driver-and-dependencies.jar
    		8  | 
    		9  | # json-path and deps
    		10 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/com/jayway/jsonpath/json-path/2.4.0/json-path-2.4.0.jar
    		11 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/net/minidev/json-smart/2.3/json-smart-2.3.jar
    		12 | RUN wget --directory-prefix=/camunda/lib https://repo1.maven.org/maven2/net/minidev/accessors-smart/1.2/accessors-smart-1.2.jar
    		13 | 
    		14 | COPY bpm-platform.xml /camunda/conf/
    
    secrets scan results:
    
    Passed checks: 0, Failed checks: 1, Skipped checks: 0
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: ef36e488ad3b81642c5554f9b9442bdcda150c08
    	File: /google_cloud/openresty-beyondcorp/main.tf:76-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		76 |     SLACK_SIGNING_SECRET = "projec**********************************************************"

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: