| Field | Value |
|---|---|
| Repository | garutilorenzo / k3s-aws-terraform-cluster |
| Description | Deploy a highly available K3s cluster on Amazon AWS |
| Stars | 130 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is included below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 140, Failed checks: 43, Skipped checks: 0
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.k3s_cluster.aws_autoscaling_group.k3s_servers_asg
File: /k3s_cluster/asg.tf:1-74
Calling File: /main.tf:15-28
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.k3s_cluster.aws_autoscaling_group.k3s_workers_asg
File: /k3s_cluster/asg.tf:76-148
Calling File: /main.tf:15-28
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: module.k3s_cluster.aws_efs_file_system.k3s_persistent_storage[0]
File: /k3s_cluster/efs.tf:1-12
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
1 | resource "aws_efs_file_system" "k3s_persistent_storage" {
2 | count = var.efs_persistent_storage ? 1 : 0
3 | creation_token = "${var.common_prefix}-efs-persistent-storage-${var.environment}"
4 | encrypted = true
5 |
6 | tags = merge(
7 | local.global_tags,
8 | {
9 | "Name" = lower("${var.common_prefix}-efs-persistent-storage-${var.environment}")
10 | }
11 | )
12 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.k3s_cluster.aws_lb.external_lb[0]
File: /k3s_cluster/extlb.tf:2-17
Calling File: /main.tf:15-28
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
2 | resource "aws_lb" "external_lb" {
3 | count = var.create_extlb ? 1 : 0
4 | name = "${var.common_prefix}-ext-lb-${var.environment}"
5 | load_balancer_type = "network"
6 | internal = "false"
7 | subnets = var.vpc_subnets
8 |
9 | enable_cross_zone_load_balancing = true
10 |
11 | tags = merge(
12 | local.global_tags,
13 | {
14 | "Name" = lower("${var.common_prefix}-ext-lb-${var.environment}")
15 | }
16 | )
17 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.k3s_cluster.aws_lb.external_lb[0]
File: /k3s_cluster/extlb.tf:2-17
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
2 | resource "aws_lb" "external_lb" {
3 | count = var.create_extlb ? 1 : 0
4 | name = "${var.common_prefix}-ext-lb-${var.environment}"
5 | load_balancer_type = "network"
6 | internal = "false"
7 | subnets = var.vpc_subnets
8 |
9 | enable_cross_zone_load_balancing = true
10 |
11 | tags = merge(
12 | local.global_tags,
13 | {
14 | "Name" = lower("${var.common_prefix}-ext-lb-${var.environment}")
15 | }
16 | )
17 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.k3s_cluster.aws_iam_policy.cluster_autoscaler
File: /k3s_cluster/iam.tf:39-71
Calling File: /main.tf:15-28
39 | resource "aws_iam_policy" "cluster_autoscaler" {
40 | name = "${var.common_prefix}-cluster-autoscaler-policy-${var.environment}"
41 | path = "/"
42 | description = "Cluster autoscaler policy"
43 |
44 | policy = jsonencode({
45 | Version = "2012-10-17"
46 | Statement = [
47 | {
48 | Effect = "Allow"
49 | Action = [
50 | "autoscaling:DescribeAutoScalingGroups",
51 | "autoscaling:DescribeAutoScalingInstances",
52 | "autoscaling:DescribeLaunchConfigurations",
53 | "autoscaling:SetDesiredCapacity",
54 | "autoscaling:TerminateInstanceInAutoScalingGroup",
55 | "autoscaling:DescribeTags",
56 | "ec2:DescribeLaunchTemplateVersions"
57 | ],
58 | Resource = [
59 | "*"
60 | ]
61 | }
62 | ]
63 | })
64 |
65 | tags = merge(
66 | local.global_tags,
67 | {
68 | "Name" = lower("${var.common_prefix}-cluster-autoscaler-policy-${var.environment}")
69 | }
70 | )
71 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.k3s_cluster.aws_iam_policy.cluster_autoscaler
File: /k3s_cluster/iam.tf:39-71
Calling File: /main.tf:15-28
39 | resource "aws_iam_policy" "cluster_autoscaler" {
40 | name = "${var.common_prefix}-cluster-autoscaler-policy-${var.environment}"
41 | path = "/"
42 | description = "Cluster autoscaler policy"
43 |
44 | policy = jsonencode({
45 | Version = "2012-10-17"
46 | Statement = [
47 | {
48 | Effect = "Allow"
49 | Action = [
50 | "autoscaling:DescribeAutoScalingGroups",
51 | "autoscaling:DescribeAutoScalingInstances",
52 | "autoscaling:DescribeLaunchConfigurations",
53 | "autoscaling:SetDesiredCapacity",
54 | "autoscaling:TerminateInstanceInAutoScalingGroup",
55 | "autoscaling:DescribeTags",
56 | "ec2:DescribeLaunchTemplateVersions"
57 | ],
58 | Resource = [
59 | "*"
60 | ]
61 | }
62 | ]
63 | })
64 |
65 | tags = merge(
66 | local.global_tags,
67 | {
68 | "Name" = lower("${var.common_prefix}-cluster-autoscaler-policy-${var.environment}")
69 | }
70 | )
71 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.k3s_cluster.aws_iam_policy.aws_efs_csi_driver_policy
File: /k3s_cluster/iam.tf:73-130
Calling File: /main.tf:15-28
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.k3s_cluster.aws_iam_policy.allow_secrets_manager
File: /k3s_cluster/iam.tf:133-165
Calling File: /main.tf:15-28
133 | resource "aws_iam_policy" "allow_secrets_manager" {
134 | name = "${var.common_prefix}-secrets-manager-policy-${var.environment}"
135 | path = "/"
136 | description = "Secrets Manager Policy"
137 |
138 | policy = jsonencode({
139 | Version = "2012-10-17"
140 | Statement = [
141 | {
142 | Effect = "Allow"
143 | Action = [
144 | "secretsmanager:GetSecretValue",
145 | "secretsmanager:UpdateSecret",
146 | "secretsmanager:DeleteSecret",
147 | "secretsmanager:DescribeSecret",
148 | "secretsmanager:ListSecrets",
149 | "secretsmanager:CreateSecret",
150 | "secretsmanager:PutSecretValue"
151 | ],
152 | Resource = [
153 | "*"
154 | ]
155 | }
156 | ]
157 | })
158 |
159 | tags = merge(
160 | local.global_tags,
161 | {
162 | "Name" = lower("${var.common_prefix}-secrets-manager-policy-${var.environment}")
163 | }
164 | )
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.k3s_cluster.aws_iam_policy.allow_secrets_manager
File: /k3s_cluster/iam.tf:133-165
Calling File: /main.tf:15-28
133 | resource "aws_iam_policy" "allow_secrets_manager" {
134 | name = "${var.common_prefix}-secrets-manager-policy-${var.environment}"
135 | path = "/"
136 | description = "Secrets Manager Policy"
137 |
138 | policy = jsonencode({
139 | Version = "2012-10-17"
140 | Statement = [
141 | {
142 | Effect = "Allow"
143 | Action = [
144 | "secretsmanager:GetSecretValue",
145 | "secretsmanager:UpdateSecret",
146 | "secretsmanager:DeleteSecret",
147 | "secretsmanager:DescribeSecret",
148 | "secretsmanager:ListSecrets",
149 | "secretsmanager:CreateSecret",
150 | "secretsmanager:PutSecretValue"
151 | ],
152 | Resource = [
153 | "*"
154 | ]
155 | }
156 | ]
157 | })
158 |
159 | tags = merge(
160 | local.global_tags,
161 | {
162 | "Name" = lower("${var.common_prefix}-secrets-manager-policy-${var.environment}")
163 | }
164 | )
165 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.k3s_cluster.aws_iam_policy.allow_secrets_manager
File: /k3s_cluster/iam.tf:133-165
Calling File: /main.tf:15-28
133 | resource "aws_iam_policy" "allow_secrets_manager" {
134 | name = "${var.common_prefix}-secrets-manager-policy-${var.environment}"
135 | path = "/"
136 | description = "Secrets Manager Policy"
137 |
138 | policy = jsonencode({
139 | Version = "2012-10-17"
140 | Statement = [
141 | {
142 | Effect = "Allow"
143 | Action = [
144 | "secretsmanager:GetSecretValue",
145 | "secretsmanager:UpdateSecret",
146 | "secretsmanager:DeleteSecret",
147 | "secretsmanager:DescribeSecret",
148 | "secretsmanager:ListSecrets",
149 | "secretsmanager:CreateSecret",
150 | "secretsmanager:PutSecretValue"
151 | ],
152 | Resource = [
153 | "*"
154 | ]
155 | }
156 | ]
157 | })
158 |
159 | tags = merge(
160 | local.global_tags,
161 | {
162 | "Name" = lower("${var.common_prefix}-secrets-manager-policy-${var.environment}")
163 | }
164 | )
165 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.k3s_cluster.aws_iam_policy.kube_cleaner_lambda_policy
File: /k3s_cluster/iam.tf:215-250
Calling File: /main.tf:15-28
215 | resource "aws_iam_policy" "kube_cleaner_lambda_policy" {
216 | name = "${var.common_prefix}-kube-cleaner-policy-${var.environment}"
217 | description = "Policy for kube_cleaner_lambda_policy"
218 |
219 | policy = jsonencode({
220 | Version = "2012-10-17"
221 | Statement = [
222 | {
223 | Effect = "Allow"
224 | Action = [
225 | "secretsmanager:GetSecretValue",
226 | "secretsmanager:UpdateSecret",
227 | "secretsmanager:DeleteSecret",
228 | "secretsmanager:DescribeSecret",
229 | "secretsmanager:ListSecrets",
230 | "secretsmanager:CreateSecret",
231 | "secretsmanager:PutSecretValue",
232 | "sqs:SendMessage",
233 | "sqs:ReceiveMessage",
234 | "sqs:DeleteMessage",
235 | "sqs:GetQueueAttributes"
236 | ],
237 | Resource = [
238 | "*"
239 | ]
240 | }
241 | ]
242 | })
243 |
244 | tags = merge(
245 | local.global_tags,
246 | {
247 | "Name" = lower("${var.common_prefix}-kube-cleaner-policy-${var.environment}")
248 | }
249 | )
250 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.k3s_cluster.aws_iam_policy.kube_cleaner_lambda_policy
File: /k3s_cluster/iam.tf:215-250
Calling File: /main.tf:15-28
215 | resource "aws_iam_policy" "kube_cleaner_lambda_policy" {
216 | name = "${var.common_prefix}-kube-cleaner-policy-${var.environment}"
217 | description = "Policy for kube_cleaner_lambda_policy"
218 |
219 | policy = jsonencode({
220 | Version = "2012-10-17"
221 | Statement = [
222 | {
223 | Effect = "Allow"
224 | Action = [
225 | "secretsmanager:GetSecretValue",
226 | "secretsmanager:UpdateSecret",
227 | "secretsmanager:DeleteSecret",
228 | "secretsmanager:DescribeSecret",
229 | "secretsmanager:ListSecrets",
230 | "secretsmanager:CreateSecret",
231 | "secretsmanager:PutSecretValue",
232 | "sqs:SendMessage",
233 | "sqs:ReceiveMessage",
234 | "sqs:DeleteMessage",
235 | "sqs:GetQueueAttributes"
236 | ],
237 | Resource = [
238 | "*"
239 | ]
240 | }
241 | ]
242 | })
243 |
244 | tags = merge(
245 | local.global_tags,
246 | {
247 | "Name" = lower("${var.common_prefix}-kube-cleaner-policy-${var.environment}")
248 | }
249 | )
250 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.k3s_cluster.aws_iam_policy.kube_cleaner_lambda_policy
File: /k3s_cluster/iam.tf:215-250
Calling File: /main.tf:15-28
215 | resource "aws_iam_policy" "kube_cleaner_lambda_policy" {
216 | name = "${var.common_prefix}-kube-cleaner-policy-${var.environment}"
217 | description = "Policy for kube_cleaner_lambda_policy"
218 |
219 | policy = jsonencode({
220 | Version = "2012-10-17"
221 | Statement = [
222 | {
223 | Effect = "Allow"
224 | Action = [
225 | "secretsmanager:GetSecretValue",
226 | "secretsmanager:UpdateSecret",
227 | "secretsmanager:DeleteSecret",
228 | "secretsmanager:DescribeSecret",
229 | "secretsmanager:ListSecrets",
230 | "secretsmanager:CreateSecret",
231 | "secretsmanager:PutSecretValue",
232 | "sqs:SendMessage",
233 | "sqs:ReceiveMessage",
234 | "sqs:DeleteMessage",
235 | "sqs:GetQueueAttributes"
236 | ],
237 | Resource = [
238 | "*"
239 | ]
240 | }
241 | ]
242 | })
243 |
244 | tags = merge(
245 | local.global_tags,
246 | {
247 | "Name" = lower("${var.common_prefix}-kube-cleaner-policy-${var.environment}")
248 | }
249 | )
250 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.k3s_cluster.aws_lb.k3s_server_lb
File: /k3s_cluster/k3slb.tf:1-15
Calling File: /main.tf:15-28
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
1 | resource "aws_lb" "k3s_server_lb" {
2 | name = "${var.common_prefix}-int-lb-${var.environment}"
3 | load_balancer_type = "network"
4 | internal = "true"
5 | subnets = var.vpc_subnets
6 |
7 | enable_cross_zone_load_balancing = true
8 |
9 | tags = merge(
10 | local.global_tags,
11 | {
12 | "Name" = lower("${var.common_prefix}-int-lb-${var.environment}")
13 | }
14 | )
15 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.k3s_cluster.aws_lb.k3s_server_lb
File: /k3s_cluster/k3slb.tf:1-15
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
1 | resource "aws_lb" "k3s_server_lb" {
2 | name = "${var.common_prefix}-int-lb-${var.environment}"
3 | load_balancer_type = "network"
4 | internal = "true"
5 | subnets = var.vpc_subnets
6 |
7 | enable_cross_zone_load_balancing = true
8 |
9 | tags = merge(
10 | local.global_tags,
11 | {
12 | "Name" = lower("${var.common_prefix}-int-lb-${var.environment}")
13 | }
14 | )
15 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: module.k3s_cluster.aws_lambda_function.kube_cleaner_lambda_function
File: /k3s_cluster/lambda.tf:1-31
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
1 | resource "aws_lambda_function" "kube_cleaner_lambda_function" {
2 | function_name = "${var.common_prefix}-kube-cleaner-${var.environment}"
3 | filename = "${path.module}/lambda/kube_cleaner.zip"
4 | source_code_hash = filebase64sha256("${path.module}/lambda/kube_cleaner.zip")
5 | handler = "lambda.lambda_handler"
6 | runtime = "python3.9"
7 | timeout = 5
8 | memory_size = 128
9 |
10 | vpc_config {
11 | subnet_ids = var.vpc_subnets
12 | security_group_ids = [aws_security_group.lambda_sg.id]
13 | }
14 |
15 | role = aws_iam_role.kube_cleaner_lambda_role.arn
16 |
17 | environment {
18 | variables = {
19 | KUBECONFIG_SECRET_NAME = local.kubeconfig_secret_name
20 | INFO_LOGGING = "false"
21 | DEBUG = "false"
22 | }
23 | }
24 |
25 | tags = merge(
26 | local.global_tags,
27 | {
28 | "Name" = lower("${var.common_prefix}-kube-cleaner-${var.environment}")
29 | }
30 | )
31 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.k3s_cluster.aws_lambda_function.kube_cleaner_lambda_function
File: /k3s_cluster/lambda.tf:1-31
Calling File: /main.tf:15-28
1 | resource "aws_lambda_function" "kube_cleaner_lambda_function" {
2 | function_name = "${var.common_prefix}-kube-cleaner-${var.environment}"
3 | filename = "${path.module}/lambda/kube_cleaner.zip"
4 | source_code_hash = filebase64sha256("${path.module}/lambda/kube_cleaner.zip")
5 | handler = "lambda.lambda_handler"
6 | runtime = "python3.9"
7 | timeout = 5
8 | memory_size = 128
9 |
10 | vpc_config {
11 | subnet_ids = var.vpc_subnets
12 | security_group_ids = [aws_security_group.lambda_sg.id]
13 | }
14 |
15 | role = aws_iam_role.kube_cleaner_lambda_role.arn
16 |
17 | environment {
18 | variables = {
19 | KUBECONFIG_SECRET_NAME = local.kubeconfig_secret_name
20 | INFO_LOGGING = "false"
21 | DEBUG = "false"
22 | }
23 | }
24 |
25 | tags = merge(
26 | local.global_tags,
27 | {
28 | "Name" = lower("${var.common_prefix}-kube-cleaner-${var.environment}")
29 | }
30 | )
31 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.k3s_cluster.aws_lambda_function.kube_cleaner_lambda_function
File: /k3s_cluster/lambda.tf:1-31
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "kube_cleaner_lambda_function" {
2 | function_name = "${var.common_prefix}-kube-cleaner-${var.environment}"
3 | filename = "${path.module}/lambda/kube_cleaner.zip"
4 | source_code_hash = filebase64sha256("${path.module}/lambda/kube_cleaner.zip")
5 | handler = "lambda.lambda_handler"
6 | runtime = "python3.9"
7 | timeout = 5
8 | memory_size = 128
9 |
10 | vpc_config {
11 | subnet_ids = var.vpc_subnets
12 | security_group_ids = [aws_security_group.lambda_sg.id]
13 | }
14 |
15 | role = aws_iam_role.kube_cleaner_lambda_role.arn
16 |
17 | environment {
18 | variables = {
19 | KUBECONFIG_SECRET_NAME = local.kubeconfig_secret_name
20 | INFO_LOGGING = "false"
21 | DEBUG = "false"
22 | }
23 | }
24 |
25 | tags = merge(
26 | local.global_tags,
27 | {
28 | "Name" = lower("${var.common_prefix}-kube-cleaner-${var.environment}")
29 | }
30 | )
31 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.k3s_cluster.aws_lambda_function.kube_cleaner_lambda_function
File: /k3s_cluster/lambda.tf:1-31
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "kube_cleaner_lambda_function" {
2 | function_name = "${var.common_prefix}-kube-cleaner-${var.environment}"
3 | filename = "${path.module}/lambda/kube_cleaner.zip"
4 | source_code_hash = filebase64sha256("${path.module}/lambda/kube_cleaner.zip")
5 | handler = "lambda.lambda_handler"
6 | runtime = "python3.9"
7 | timeout = 5
8 | memory_size = 128
9 |
10 | vpc_config {
11 | subnet_ids = var.vpc_subnets
12 | security_group_ids = [aws_security_group.lambda_sg.id]
13 | }
14 |
15 | role = aws_iam_role.kube_cleaner_lambda_role.arn
16 |
17 | environment {
18 | variables = {
19 | KUBECONFIG_SECRET_NAME = local.kubeconfig_secret_name
20 | INFO_LOGGING = "false"
21 | DEBUG = "false"
22 | }
23 | }
24 |
25 | tags = merge(
26 | local.global_tags,
27 | {
28 | "Name" = lower("${var.common_prefix}-kube-cleaner-${var.environment}")
29 | }
30 | )
31 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.k3s_cluster.aws_lambda_function.kube_cleaner_lambda_function
File: /k3s_cluster/lambda.tf:1-31
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "kube_cleaner_lambda_function" {
2 | function_name = "${var.common_prefix}-kube-cleaner-${var.environment}"
3 | filename = "${path.module}/lambda/kube_cleaner.zip"
4 | source_code_hash = filebase64sha256("${path.module}/lambda/kube_cleaner.zip")
5 | handler = "lambda.lambda_handler"
6 | runtime = "python3.9"
7 | timeout = 5
8 | memory_size = 128
9 |
10 | vpc_config {
11 | subnet_ids = var.vpc_subnets
12 | security_group_ids = [aws_security_group.lambda_sg.id]
13 | }
14 |
15 | role = aws_iam_role.kube_cleaner_lambda_role.arn
16 |
17 | environment {
18 | variables = {
19 | KUBECONFIG_SECRET_NAME = local.kubeconfig_secret_name
20 | INFO_LOGGING = "false"
21 | DEBUG = "false"
22 | }
23 | }
24 |
25 | tags = merge(
26 | local.global_tags,
27 | {
28 | "Name" = lower("${var.common_prefix}-kube-cleaner-${var.environment}")
29 | }
30 | )
31 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.k3s_cluster.aws_launch_template.k3s_server
File: /k3s_cluster/launchtemplate.tf:1-38
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_launch_template" "k3s_server" {
2 | name_prefix = "${var.common_prefix}-k3s-server-tpl-${var.environment}"
3 | image_id = var.AMIS[var.AWS_REGION]
4 | instance_type = var.default_instance_type
5 | user_data = data.cloudinit_config.k3s_server.rendered
6 |
7 | iam_instance_profile {
8 | name = aws_iam_instance_profile.ec2_instance_profile.name
9 | }
10 |
11 | block_device_mappings {
12 | device_name = "/dev/sda1"
13 |
14 | ebs {
15 | volume_size = 20
16 | encrypted = true
17 | }
18 | }
19 |
20 | key_name = aws_key_pair.my_ssh_public_key.key_name
21 |
22 | network_interfaces {
23 | associate_public_ip_address = true
24 | security_groups = [aws_security_group.allow_strict.id]
25 | }
26 |
27 | private_dns_name_options {
28 | hostname_type = "resource-name"
29 | }
30 |
31 | tags = merge(
32 | local.global_tags,
33 | {
34 | "Name" = lower("${var.common_prefix}-k3s-server-tpl-${var.environment}")
35 | }
36 | )
37 |
38 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: module.k3s_cluster.aws_launch_template.k3s_server
File: /k3s_cluster/launchtemplate.tf:1-38
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
1 | resource "aws_launch_template" "k3s_server" {
2 | name_prefix = "${var.common_prefix}-k3s-server-tpl-${var.environment}"
3 | image_id = var.AMIS[var.AWS_REGION]
4 | instance_type = var.default_instance_type
5 | user_data = data.cloudinit_config.k3s_server.rendered
6 |
7 | iam_instance_profile {
8 | name = aws_iam_instance_profile.ec2_instance_profile.name
9 | }
10 |
11 | block_device_mappings {
12 | device_name = "/dev/sda1"
13 |
14 | ebs {
15 | volume_size = 20
16 | encrypted = true
17 | }
18 | }
19 |
20 | key_name = aws_key_pair.my_ssh_public_key.key_name
21 |
22 | network_interfaces {
23 | associate_public_ip_address = true
24 | security_groups = [aws_security_group.allow_strict.id]
25 | }
26 |
27 | private_dns_name_options {
28 | hostname_type = "resource-name"
29 | }
30 |
31 | tags = merge(
32 | local.global_tags,
33 | {
34 | "Name" = lower("${var.common_prefix}-k3s-server-tpl-${var.environment}")
35 | }
36 | )
37 |
38 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.k3s_cluster.aws_launch_template.k3s_worker
File: /k3s_cluster/launchtemplate.tf:40-76
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
40 | resource "aws_launch_template" "k3s_worker" {
41 | name_prefix = "${var.common_prefix}-k3s-worker-tpl-${var.environment}"
42 | image_id = var.AMIS[var.AWS_REGION]
43 | instance_type = var.default_instance_type
44 | user_data = data.cloudinit_config.k3s_worker.rendered
45 |
46 | iam_instance_profile {
47 | name = aws_iam_instance_profile.ec2_instance_profile.name
48 | }
49 |
50 | block_device_mappings {
51 | device_name = "/dev/sda1"
52 |
53 | ebs {
54 | volume_size = 20
55 | encrypted = true
56 | }
57 | }
58 |
59 | key_name = aws_key_pair.my_ssh_public_key.key_name
60 |
61 | network_interfaces {
62 | associate_public_ip_address = true
63 | security_groups = [aws_security_group.allow_strict.id]
64 | }
65 |
66 | private_dns_name_options {
67 | hostname_type = "resource-name"
68 | }
69 |
70 | tags = merge(
71 | local.global_tags,
72 | {
73 | "Name" = lower("${var.common_prefix}-k3s-worker-tpl-${var.environment}")
74 | }
75 | )
76 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: module.k3s_cluster.aws_launch_template.k3s_worker
File: /k3s_cluster/launchtemplate.tf:40-76
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
40 | resource "aws_launch_template" "k3s_worker" {
41 | name_prefix = "${var.common_prefix}-k3s-worker-tpl-${var.environment}"
42 | image_id = var.AMIS[var.AWS_REGION]
43 | instance_type = var.default_instance_type
44 | user_data = data.cloudinit_config.k3s_worker.rendered
45 |
46 | iam_instance_profile {
47 | name = aws_iam_instance_profile.ec2_instance_profile.name
48 | }
49 |
50 | block_device_mappings {
51 | device_name = "/dev/sda1"
52 |
53 | ebs {
54 | volume_size = 20
55 | encrypted = true
56 | }
57 | }
58 |
59 | key_name = aws_key_pair.my_ssh_public_key.key_name
60 |
61 | network_interfaces {
62 | associate_public_ip_address = true
63 | security_groups = [aws_security_group.allow_strict.id]
64 | }
65 |
66 | private_dns_name_options {
67 | hostname_type = "resource-name"
68 | }
69 |
70 | tags = merge(
71 | local.global_tags,
72 | {
73 | "Name" = lower("${var.common_prefix}-k3s-worker-tpl-${var.environment}")
74 | }
75 | )
76 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.k3s_cluster.aws_secretsmanager_secret.kubeconfig_secret
File: /k3s_cluster/secrets.tf:1-11
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
1 | resource "aws_secretsmanager_secret" "kubeconfig_secret" {
2 | name = local.kubeconfig_secret_name
3 | description = "Kubeconfig k3s. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
4 |
5 | tags = merge(
6 | local.global_tags,
7 | {
8 | "Name" = lower("${local.kubeconfig_secret_name}")
9 | }
10 | )
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.ingress_self
File: /k3s_cluster/securitygroup.tf:14-21
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
14 | resource "aws_security_group_rule" "ingress_self" {
15 | type = "ingress"
16 | from_port = 0
17 | to_port = 0
18 | protocol = "-1"
19 | self = true
20 | security_group_id = aws_security_group.allow_strict.id
21 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.ingress_kubeapi
File: /k3s_cluster/securitygroup.tf:23-30
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
23 | resource "aws_security_group_rule" "ingress_kubeapi" {
24 | type = "ingress"
25 | from_port = var.kube_api_port
26 | to_port = var.kube_api_port
27 | protocol = "tcp"
28 | cidr_blocks = [var.vpc_subnet_cidr]
29 | security_group_id = aws_security_group.allow_strict.id
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.ingress_ssh
File: /k3s_cluster/securitygroup.tf:32-39
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group_rule" "ingress_ssh" {
33 | type = "ingress"
34 | from_port = 22
35 | to_port = 22
36 | protocol = "tcp"
37 | cidr_blocks = [var.my_public_ip_cidr]
38 | security_group_id = aws_security_group.allow_strict.id
39 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.egress_all
File: /k3s_cluster/securitygroup.tf:41-48
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
41 | resource "aws_security_group_rule" "egress_all" {
42 | type = "egress"
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | security_group_id = aws_security_group.allow_strict.id
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.allow_lb_http_traffic[0]
File: /k3s_cluster/securitygroup.tf:50-58
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group_rule" "allow_lb_http_traffic" {
51 | count = var.create_extlb ? 1 : 0
52 | type = "ingress"
53 | from_port = var.extlb_http_port
54 | to_port = var.extlb_http_port
55 | protocol = "tcp"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | security_group_id = aws_security_group.allow_strict.id
58 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.allow_lb_http_traffic[0]
File: /k3s_cluster/securitygroup.tf:50-58
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
50 | resource "aws_security_group_rule" "allow_lb_http_traffic" {
51 | count = var.create_extlb ? 1 : 0
52 | type = "ingress"
53 | from_port = var.extlb_http_port
54 | to_port = var.extlb_http_port
55 | protocol = "tcp"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | security_group_id = aws_security_group.allow_strict.id
58 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.allow_lb_https_traffic[0]
File: /k3s_cluster/securitygroup.tf:60-68
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
60 | resource "aws_security_group_rule" "allow_lb_https_traffic" {
61 | count = var.create_extlb ? 1 : 0
62 | type = "ingress"
63 | from_port = var.extlb_https_port
64 | to_port = var.extlb_https_port
65 | protocol = "tcp"
66 | cidr_blocks = ["0.0.0.0/0"]
67 | security_group_id = aws_security_group.allow_strict.id
68 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group_rule.allow_lb_kubeapi_traffic[0]
File: /k3s_cluster/securitygroup.tf:70-78
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
70 | resource "aws_security_group_rule" "allow_lb_kubeapi_traffic" {
71 | count = var.create_extlb && var.expose_kubeapi ? 1 : 0
72 | type = "ingress"
73 | from_port = var.kube_api_port
74 | to_port = var.kube_api_port
75 | protocol = "tcp"
76 | cidr_blocks = [var.my_public_ip_cidr]
77 | security_group_id = aws_security_group.allow_strict.id
78 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group.efs_sg[0]
File: /k3s_cluster/securitygroup.tf:80-106
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
80 | resource "aws_security_group" "efs_sg" {
81 | count = var.efs_persistent_storage ? 1 : 0
82 | vpc_id = var.vpc_id
83 | name = "${var.common_prefix}-efs-sg-${var.environment}"
84 | description = "Allow EFS access from VPC subnets"
85 |
86 | egress {
87 | from_port = 0
88 | to_port = 0
89 | protocol = "-1"
90 | cidr_blocks = ["0.0.0.0/0"]
91 | }
92 |
93 | ingress {
94 | from_port = 2049
95 | to_port = 2049
96 | protocol = "tcp"
97 | cidr_blocks = [var.vpc_subnet_cidr]
98 | }
99 |
100 | tags = merge(
101 | local.global_tags,
102 | {
103 | "Name" = lower("${var.common_prefix}-efs-sg-${var.environment}")
104 | }
105 | )
106 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group.lambda_sg
File: /k3s_cluster/securitygroup.tf:108-140
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
108 | resource "aws_security_group" "lambda_sg" {
109 | vpc_id = var.vpc_id
110 | name = "${var.common_prefix}-lambda-sg-${var.environment}"
111 | description = "Allow lambda function to access kubeapi"
112 |
113 | egress {
114 | from_port = 0
115 | to_port = 0
116 | protocol = "-1"
117 | cidr_blocks = ["0.0.0.0/0"]
118 | }
119 |
120 | ingress {
121 | from_port = var.kube_api_port
122 | to_port = var.kube_api_port
123 | protocol = "tcp"
124 | cidr_blocks = [var.vpc_subnet_cidr]
125 | }
126 |
127 | ingress {
128 | protocol = "-1"
129 | self = true
130 | from_port = 0
131 | to_port = 0
132 | }
133 |
134 | tags = merge(
135 | local.global_tags,
136 | {
137 | "Name" = lower("${var.common_prefix}-lambda-sg-${var.environment}")
138 | }
139 | )
140 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.k3s_cluster.aws_security_group.internal_vpce_sg
File: /k3s_cluster/securitygroup.tf:142-174
Calling File: /main.tf:15-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
142 | resource "aws_security_group" "internal_vpce_sg" {
143 | vpc_id = var.vpc_id
144 | name = "${var.common_prefix}-int-vpce-sg-${var.environment}"
145 | description = "Allow all traffic trought vpce"
146 |
147 | egress {
148 | from_port = 0
149 | to_port = 0
150 | protocol = "-1"
151 | cidr_blocks = [var.vpc_subnet_cidr]
152 | }
153 |
154 | ingress {
155 | from_port = 0
156 | to_port = 0
157 | protocol = "-1"
158 | cidr_blocks = [var.vpc_subnet_cidr]
159 | }
160 |
161 | ingress {
162 | protocol = "-1"
163 | self = true
164 | from_port = 0
165 | to_port = 0
166 | }
167 |
168 | tags = merge(
169 | local.global_tags,
170 | {
171 | "Name" = lower("${var.common_prefix}-int-vpce-sg-${var.environment}")
172 | }
173 | )
174 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.k3s_cluster.aws_secretsmanager_secret.kubeconfig_secret
File: /k3s_cluster/secrets.tf:1-11
1 | resource "aws_secretsmanager_secret" "kubeconfig_secret" {
2 | name = local.kubeconfig_secret_name
3 | description = "Kubeconfig k3s. Cluster name: ${var.cluster_name}, environment: ${var.environment}"
4 |
5 | tags = merge(
6 | local.global_tags,
7 | {
8 | "Name" = lower("${local.kubeconfig_secret_name}")
9 | }
10 | )
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.k3s_cluster.aws_security_group.efs_sg[0]
File: /k3s_cluster/securitygroup.tf:80-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
80 | resource "aws_security_group" "efs_sg" {
81 | count = var.efs_persistent_storage ? 1 : 0
82 | vpc_id = var.vpc_id
83 | name = "${var.common_prefix}-efs-sg-${var.environment}"
84 | description = "Allow EFS access from VPC subnets"
85 |
86 | egress {
87 | from_port = 0
88 | to_port = 0
89 | protocol = "-1"
90 | cidr_blocks = ["0.0.0.0/0"]
91 | }
92 |
93 | ingress {
94 | from_port = 2049
95 | to_port = 2049
96 | protocol = "tcp"
97 | cidr_blocks = [var.vpc_subnet_cidr]
98 | }
99 |
100 | tags = merge(
101 | local.global_tags,
102 | {
103 | "Name" = lower("${var.common_prefix}-efs-sg-${var.environment}")
104 | }
105 | )
106 | }
Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
FAILED for resource: module.k3s_cluster.aws_autoscaling_attachment.target_http[0]
File: /k3s_cluster/extlb.tf:66-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
66 | resource "aws_autoscaling_attachment" "target_http" {
67 | count = var.create_extlb ? 1 : 0
68 | depends_on = [
69 | aws_autoscaling_group.k3s_workers_asg,
70 | aws_lb_target_group.external_lb_tg_http
71 | ]
72 |
73 | autoscaling_group_name = aws_autoscaling_group.k3s_workers_asg.name
74 | lb_target_group_arn = aws_lb_target_group.external_lb_tg_http[count.index].arn
75 | }
Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
FAILED for resource: module.k3s_cluster.aws_autoscaling_attachment.target_https[0]
File: /k3s_cluster/extlb.tf:126-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
126 | resource "aws_autoscaling_attachment" "target_https" {
127 | count = var.create_extlb ? 1 : 0
128 | depends_on = [
129 | aws_autoscaling_group.k3s_workers_asg,
130 | aws_lb_target_group.external_lb_tg_https
131 | ]
132 |
133 | autoscaling_group_name = aws_autoscaling_group.k3s_workers_asg.name
134 | lb_target_group_arn = aws_lb_target_group.external_lb_tg_https[count.index].arn
135 | }
Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
FAILED for resource: module.k3s_cluster.aws_autoscaling_attachment.target_kubeapi[0]
File: /k3s_cluster/extlb.tf:185-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
185 | resource "aws_autoscaling_attachment" "target_kubeapi" {
186 | count = var.expose_kubeapi ? 1 : 0
187 | depends_on = [
188 | aws_autoscaling_group.k3s_servers_asg,
189 | aws_lb_target_group.external_lb_tg_kubeapi
190 | ]
191 |
192 | autoscaling_group_name = aws_autoscaling_group.k3s_servers_asg.name
193 | lb_target_group_arn = aws_lb_target_group.external_lb_tg_kubeapi[count.index].arn
194 | }
Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
FAILED for resource: module.k3s_cluster.aws_autoscaling_attachment.k3s_server_target_kubeapi
File: /k3s_cluster/k3slb.tf:62-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
62 | resource "aws_autoscaling_attachment" "k3s_server_target_kubeapi" {
63 |
64 | depends_on = [
65 | aws_autoscaling_group.k3s_servers_asg,
66 | aws_lb_target_group.k3s_server_tg
67 | ]
68 |
69 | autoscaling_group_name = aws_autoscaling_group.k3s_servers_asg.name
70 | lb_target_group_arn = aws_lb_target_group.k3s_server_tg.arn
71 | }
github_actions scan results:
Passed checks: 35, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform CI)
File: /.github/workflows/ci.yml:0-1