| Repository | getamis / vishwakarma |
|---|---|
| Description | Terraform modules to create a self-hosting Kubernetes cluster on opinionated Cloud Platform. |
| Stars | 145 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:55:00,665 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-kubernetes//modules/extra-addons/aws-pod-identity-webhook?ref=v1.27.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,666 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/docker?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,666 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/locksmithd?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,666 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/update-ca-certificates?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,666 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/node-exporter?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,667 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/sshd?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,667 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-etcd?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,667 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-aws-asg-lifecycle//modules/kubernetes?ref=v1.19.16.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,667 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-kubernetes?ref=v1.27.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,667 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/locksmithd?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,668 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/update-ca-certificates?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,668 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/sshd?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,668 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/containerd?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,669 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/ecr-credential-provider?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,669 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/systemd-networkd?ref=v1.27.2.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,669 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-reinforcements//modules/systemd-networkd?ref=v1.23.10.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,669 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-kubernetes//modules/kubelet?ref=v1.27.4.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:00,669 [MainThread ] [WARNI] Failed to download module github.com/getamis/terraform-ignition-kubernetes//modules/extra-addons/aws-iam-authenticator?ref=v1.27.4.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 499, Failed checks: 125, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.etcd
File: /examples/etcd-cluster/network.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
27 | resource "aws_security_group" "etcd" {
28 | name_prefix = "${module.label.id}-etcd-"
29 | vpc_id = data.aws_vpc.etcd.id
30 |
31 | tags = merge(module.label.tags, map(
32 | "Name", "${module.label.id}-etcd",
33 | "Role", "etcd"
34 | ))
35 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.etcd_egress
File: /examples/etcd-cluster/network.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
37 | resource "aws_security_group_rule" "etcd_egress" {
38 | type = "egress"
39 | security_group_id = local.etcd_sg_id
40 |
41 | protocol = "-1"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | from_port = 0
44 | to_port = 0
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.etcd_ingress_icmp
File: /examples/etcd-cluster/network.tf:47-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
47 | resource "aws_security_group_rule" "etcd_ingress_icmp" {
48 | type = "ingress"
49 | security_group_id = local.etcd_sg_id
50 |
51 | protocol = "icmp"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | from_port = 0
54 | to_port = 0
55 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.etcd_ingress_icmp
File: /examples/etcd-cluster/network.tf:47-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
47 | resource "aws_security_group_rule" "etcd_ingress_icmp" {
48 | type = "ingress"
49 | security_group_id = local.etcd_sg_id
50 |
51 | protocol = "icmp"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | from_port = 0
54 | to_port = 0
55 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: aws_security_group_rule.etcd_ingress_icmp
File: /examples/etcd-cluster/network.tf:47-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
47 | resource "aws_security_group_rule" "etcd_ingress_icmp" {
48 | type = "ingress"
49 | security_group_id = local.etcd_sg_id
50 |
51 | protocol = "icmp"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | from_port = 0
54 | to_port = 0
55 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group_rule.etcd_ingress_icmp
File: /examples/etcd-cluster/network.tf:47-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
47 | resource "aws_security_group_rule" "etcd_ingress_icmp" {
48 | type = "ingress"
49 | security_group_id = local.etcd_sg_id
50 |
51 | protocol = "icmp"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | from_port = 0
54 | to_port = 0
55 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.etcd_ingress_etcd
File: /examples/etcd-cluster/network.tf:57-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
57 | resource "aws_security_group_rule" "etcd_ingress_etcd" {
58 | type = "ingress"
59 | security_group_id = local.etcd_sg_id
60 |
61 | protocol = "tcp"
62 | from_port = 2379
63 | to_port = 2380
64 | self = true
65 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.etcd_all_self
File: /examples/etcd-cluster/network.tf:67-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
67 | resource "aws_security_group_rule" "etcd_all_self" {
68 | type = "ingress"
69 | security_group_id = local.etcd_sg_id
70 |
71 | protocol = -1
72 | from_port = 0
73 | to_port = 0
74 | self = true
75 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.etcd_ssh
File: /examples/etcd-cluster/network.tf:77-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
77 | resource "aws_security_group_rule" "etcd_ssh" {
78 | type = "ingress"
79 | security_group_id = local.etcd_sg_id
80 |
81 | protocol = "tcp"
82 | cidr_blocks = [data.aws_vpc.etcd.cidr_block]
83 | from_port = 22
84 | to_port = 22
85 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.master_ingress_flannel_from_worker
File: /modules/aws/elastikube/sg-worker.tf:91-100
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
91 | resource "aws_security_group_rule" "master_ingress_flannel_from_worker" {
92 | count = var.network_plugin == "flannel" ? 1 : 0
93 | type = "ingress"
94 | security_group_id = module.master.master_sg_id
95 | source_security_group_id = aws_security_group.workers.id
96 |
97 | protocol = "udp"
98 | from_port = 4789
99 | to_port = 4789
100 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.master_ingress_cilium_vxlan_from_worker
File: /modules/aws/elastikube/sg-worker.tf:128-137
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
128 | resource "aws_security_group_rule" "master_ingress_cilium_vxlan_from_worker" {
129 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
130 | type = "ingress"
131 | security_group_id = module.master.master_sg_id
132 | source_security_group_id = aws_security_group.workers.id
133 |
134 | protocol = "udp"
135 | from_port = 8472
136 | to_port = 8472
137 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.master_ingress_cilium_tcp_healthcheck_from_worker
File: /modules/aws/elastikube/sg-worker.tf:139-148
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
139 | resource "aws_security_group_rule" "master_ingress_cilium_tcp_healthcheck_from_worker" {
140 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
141 | type = "ingress"
142 | security_group_id = module.master.master_sg_id
143 | source_security_group_id = aws_security_group.workers.id
144 |
145 | protocol = "tcp"
146 | from_port = 4240
147 | to_port = 4240
148 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.master_ingress_cilium_icmp_healthcheck_from_worker
File: /modules/aws/elastikube/sg-worker.tf:150-159
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
150 | resource "aws_security_group_rule" "master_ingress_cilium_icmp_healthcheck_from_worker" {
151 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
152 | type = "ingress"
153 | security_group_id = module.master.master_sg_id
154 | source_security_group_id = aws_security_group.workers.id
155 |
156 | protocol = "icmp"
157 | from_port = 8
158 | to_port = 0
159 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.master_ingress_cilium_hubble_relay_from_worker
File: /modules/aws/elastikube/sg-worker.tf:161-170
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
161 | resource "aws_security_group_rule" "master_ingress_cilium_hubble_relay_from_worker" {
162 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
163 | type = "ingress"
164 | security_group_id = module.master.master_sg_id
165 | source_security_group_id = aws_security_group.workers.id
166 |
167 | protocol = "tcp"
168 | from_port = 4244
169 | to_port = 4244
170 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.worker_ingress_cilium_vxlan_from_master
File: /modules/aws/elastikube/sg-worker.tf:172-181
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
172 | resource "aws_security_group_rule" "worker_ingress_cilium_vxlan_from_master" {
173 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
174 | type = "ingress"
175 | security_group_id = aws_security_group.workers.id
176 | source_security_group_id = module.master.master_sg_id
177 |
178 | protocol = "udp"
179 | from_port = 8472
180 | to_port = 8472
181 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.worker_ingress_cilium_tcp_healthcheck_from_master
File: /modules/aws/elastikube/sg-worker.tf:183-192
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
183 | resource "aws_security_group_rule" "worker_ingress_cilium_tcp_healthcheck_from_master" {
184 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
185 | type = "ingress"
186 | security_group_id = aws_security_group.workers.id
187 | source_security_group_id = module.master.master_sg_id
188 |
189 | protocol = "tcp"
190 | from_port = 4240
191 | to_port = 4240
192 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.aws_security_group_rule.worker_ingress_cilium_icmp_healthcheck_from_master
File: /modules/aws/elastikube/sg-worker.tf:194-203
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:38-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
194 | resource "aws_security_group_rule" "worker_ingress_cilium_icmp_healthcheck_from_master" {
195 | count = var.network_plugin == "cilium-vxlan" ? 1 : 0
196 | type = "ingress"
197 | security_group_id = aws_security_group.workers.id
198 | source_security_group_id = module.master.master_sg_id
199 |
200 | protocol = "icmp"
201 | from_port = 8
202 | to_port = 0
203 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: module.master.module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: module.master.module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.master.module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.master.module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.master.module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.master.module.etcd.aws_instance.etcd
File: /modules/aws/kube-etcd/main.tf:86-116
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
86 | resource "aws_instance" "etcd" {
87 | count = var.instance_config["count"]
88 |
89 | ami = var.instance_config["image_id"]
90 | instance_type = var.instance_config["ec2_type"]
91 | subnet_id = var.subnet_ids[count.index % length(var.subnet_ids)]
92 | key_name = var.debug_mode ? var.ssh_key : ""
93 | iam_instance_profile = aws_iam_instance_profile.etcd.id
94 |
95 | user_data = data.ignition_config.s3.rendered
96 | user_data_replace_on_change = true
97 |
98 | root_block_device {
99 | volume_size = var.instance_config["root_volume_size"]
100 | volume_type = var.instance_volume_config.root.type
101 | iops = lookup(local.iops_by_type.root, var.instance_volume_config.root.type, null)
102 | throughput = lookup(local.throughput_by_type.root, var.instance_volume_config.root.type, null)
103 | }
104 |
105 | volume_tags = merge(var.extra_tags, {
106 | "Name" = "${var.name}-etcd-${count.index}"
107 | "Role" = "etcd"
108 | "kubernetes.io/cluster/${var.name}" = "owned"
109 | })
110 |
111 | tags = merge(var.extra_tags, {
112 | "Name" = "${var.name}-etcd-${count.index}"
113 | "Role" = "etcd"
114 | "kubernetes.io/cluster/${var.name}" = "owned"
115 | })
116 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group.etcd
File: /modules/aws/kube-etcd/sg.tf:5-13
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "etcd" {
6 | name_prefix = "${var.name}-etcd-"
7 | vpc_id = local.vpc_id
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}-etcd"
11 | "Role" = "etcd"
12 | })
13 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.etcd_egress
File: /modules/aws/kube-etcd/sg.tf:15-23
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
15 | resource "aws_security_group_rule" "etcd_egress" {
16 | type = "egress"
17 | security_group_id = aws_security_group.etcd.id
18 |
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.etcd_ingress
File: /modules/aws/kube-etcd/sg.tf:25-33
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
25 | resource "aws_security_group_rule" "etcd_ingress" {
26 | type = "ingress"
27 | security_group_id = aws_security_group.etcd.id
28 |
29 | protocol = "tcp"
30 | from_port = min(local.peer_port, local.client_port)
31 | to_port = max(local.peer_port, local.client_port)
32 | self = true
33 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.etcd_ingress_from_master
File: /modules/aws/kube-etcd/sg.tf:35-43
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
35 | resource "aws_security_group_rule" "etcd_ingress_from_master" {
36 | type = "ingress"
37 | security_group_id = aws_security_group.etcd.id
38 | source_security_group_id = var.master_security_group_id
39 |
40 | protocol = "tcp"
41 | from_port = local.client_port
42 | to_port = local.client_port
43 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.etcd_ssh[0]
File: /modules/aws/kube-etcd/sg.tf:45-54
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
45 | resource "aws_security_group_rule" "etcd_ssh" {
46 | count = (var.debug_mode && length(var.allowed_ssh_cidr) != 0) ? 1 : 0
47 | type = "ingress"
48 | security_group_id = aws_security_group.etcd.id
49 |
50 | protocol = "tcp"
51 | cidr_blocks = var.allowed_ssh_cidr
52 | from_port = 22
53 | to_port = 22
54 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.etcd_management[0]
File: /modules/aws/kube-etcd/sg.tf:56-65
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group_rule" "etcd_management" {
57 | count = length(var.allowed_etcd_mgmt_cidr) != 0 ? 1 : 0
58 | type = "ingress"
59 | security_group_id = aws_security_group.etcd.id
60 |
61 | protocol = "tcp"
62 | cidr_blocks = var.allowed_etcd_mgmt_cidr
63 | from_port = local.client_port
64 | to_port = local.client_port
65 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.ingress_node_exporter_from_worker
File: /modules/aws/kube-etcd/sg.tf:67-75
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
67 | resource "aws_security_group_rule" "ingress_node_exporter_from_worker" {
68 | type = "ingress"
69 | security_group_id = aws_security_group.etcd.id
70 |
71 | protocol = "tcp"
72 | cidr_blocks = [data.aws_vpc.etcd.cidr_block]
73 | from_port = local.node_exporter_port
74 | to_port = local.node_exporter_port
75 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.etcd.aws_security_group_rule.ingress_etcd_metrics_exporter_from_worker
File: /modules/aws/kube-etcd/sg.tf:77-85
Calling File: /examples/etcd-cluster/main.tf:26-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
77 | resource "aws_security_group_rule" "ingress_etcd_metrics_exporter_from_worker" {
78 | type = "ingress"
79 | security_group_id = aws_security_group.etcd.id
80 |
81 | protocol = "tcp"
82 | cidr_blocks = [data.aws_vpc.etcd.cidr_block]
83 | from_port = local.proxy_port
84 | to_port = local.proxy_port
85 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group.etcd
File: /modules/aws/kube-etcd/sg.tf:5-13
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "etcd" {
6 | name_prefix = "${var.name}-etcd-"
7 | vpc_id = local.vpc_id
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}-etcd"
11 | "Role" = "etcd"
12 | })
13 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.etcd_egress
File: /modules/aws/kube-etcd/sg.tf:15-23
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
15 | resource "aws_security_group_rule" "etcd_egress" {
16 | type = "egress"
17 | security_group_id = aws_security_group.etcd.id
18 |
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.etcd_ingress
File: /modules/aws/kube-etcd/sg.tf:25-33
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
25 | resource "aws_security_group_rule" "etcd_ingress" {
26 | type = "ingress"
27 | security_group_id = aws_security_group.etcd.id
28 |
29 | protocol = "tcp"
30 | from_port = min(local.peer_port, local.client_port)
31 | to_port = max(local.peer_port, local.client_port)
32 | self = true
33 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.etcd_ingress_from_master
File: /modules/aws/kube-etcd/sg.tf:35-43
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
35 | resource "aws_security_group_rule" "etcd_ingress_from_master" {
36 | type = "ingress"
37 | security_group_id = aws_security_group.etcd.id
38 | source_security_group_id = var.master_security_group_id
39 |
40 | protocol = "tcp"
41 | from_port = local.client_port
42 | to_port = local.client_port
43 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.etcd_ssh[0]
File: /modules/aws/kube-etcd/sg.tf:45-54
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
45 | resource "aws_security_group_rule" "etcd_ssh" {
46 | count = (var.debug_mode && length(var.allowed_ssh_cidr) != 0) ? 1 : 0
47 | type = "ingress"
48 | security_group_id = aws_security_group.etcd.id
49 |
50 | protocol = "tcp"
51 | cidr_blocks = var.allowed_ssh_cidr
52 | from_port = 22
53 | to_port = 22
54 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.etcd_management[0]
File: /modules/aws/kube-etcd/sg.tf:56-65
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group_rule" "etcd_management" {
57 | count = length(var.allowed_etcd_mgmt_cidr) != 0 ? 1 : 0
58 | type = "ingress"
59 | security_group_id = aws_security_group.etcd.id
60 |
61 | protocol = "tcp"
62 | cidr_blocks = var.allowed_etcd_mgmt_cidr
63 | from_port = local.client_port
64 | to_port = local.client_port
65 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.ingress_node_exporter_from_worker
File: /modules/aws/kube-etcd/sg.tf:67-75
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
67 | resource "aws_security_group_rule" "ingress_node_exporter_from_worker" {
68 | type = "ingress"
69 | security_group_id = aws_security_group.etcd.id
70 |
71 | protocol = "tcp"
72 | cidr_blocks = [data.aws_vpc.etcd.cidr_block]
73 | from_port = local.node_exporter_port
74 | to_port = local.node_exporter_port
75 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.etcd.aws_security_group_rule.ingress_etcd_metrics_exporter_from_worker
File: /modules/aws/kube-etcd/sg.tf:77-85
Calling File: /modules/aws/elastikube/etcd.tf:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
77 | resource "aws_security_group_rule" "ingress_etcd_metrics_exporter_from_worker" {
78 | type = "ingress"
79 | security_group_id = aws_security_group.etcd.id
80 |
81 | protocol = "tcp"
82 | cidr_blocks = [data.aws_vpc.etcd.cidr_block]
83 | from_port = local.proxy_port
84 | to_port = local.proxy_port
85 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: module.master.module.master.aws_elb.master_internal
File: /modules/aws/kube-master/lb.tf:1-35
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
1 | resource "aws_elb" "master_internal" {
2 | name = "${var.name}-master"
3 | subnets = split(",", var.endpoint_public_access == true ? join(",", var.public_subnet_ids) : join(",", var.private_subnet_ids))
4 | internal = var.endpoint_public_access == true ? false : true
5 |
6 | security_groups = compact(concat(
7 | [aws_security_group.master_lb.id],
8 | var.lb_security_group_ids
9 | ))
10 |
11 | idle_timeout = 3600
12 | connection_draining = true
13 | connection_draining_timeout = 300
14 |
15 | listener {
16 | instance_port = var.apiserver_secure_port
17 | instance_protocol = "tcp"
18 | lb_port = 443
19 | lb_protocol = "tcp"
20 | }
21 |
22 | health_check {
23 | healthy_threshold = 2
24 | unhealthy_threshold = 2
25 | timeout = 3
26 | target = "SSL:${var.apiserver_secure_port}"
27 | interval = 5
28 | }
29 |
30 | tags = merge(var.extra_tags, {
31 | "Name" = "${var.name}-master"
32 | "Role" = "k8s-master"
33 | "kubernetes.io/cluster/${var.name}" = "owned"
34 | })
35 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: module.master.module.master.aws_elb.master_internal
File: /modules/aws/kube-master/lb.tf:1-35
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
1 | resource "aws_elb" "master_internal" {
2 | name = "${var.name}-master"
3 | subnets = split(",", var.endpoint_public_access == true ? join(",", var.public_subnet_ids) : join(",", var.private_subnet_ids))
4 | internal = var.endpoint_public_access == true ? false : true
5 |
6 | security_groups = compact(concat(
7 | [aws_security_group.master_lb.id],
8 | var.lb_security_group_ids
9 | ))
10 |
11 | idle_timeout = 3600
12 | connection_draining = true
13 | connection_draining_timeout = 300
14 |
15 | listener {
16 | instance_port = var.apiserver_secure_port
17 | instance_protocol = "tcp"
18 | lb_port = 443
19 | lb_protocol = "tcp"
20 | }
21 |
22 | health_check {
23 | healthy_threshold = 2
24 | unhealthy_threshold = 2
25 | timeout = 3
26 | target = "SSL:${var.apiserver_secure_port}"
27 | interval = 5
28 | }
29 |
30 | tags = merge(var.extra_tags, {
31 | "Name" = "${var.name}-master"
32 | "Role" = "k8s-master"
33 | "kubernetes.io/cluster/${var.name}" = "owned"
34 | })
35 | }
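One way to clear CKV_AWS_92 on the master ELB above, and to record why CKV_AWS_127 does not apply to it, written here as an added example rather than code from the vishwakarma repository. The listener is a TCP passthrough: kube-apiserver terminates TLS on the instance and authenticates clients by certificate, so moving termination to the ELB with an ACM certificate would break client-certificate auth and hide client identities from the apiserver audit log. The bucket variable `var.lb_access_logs_bucket` is an assumption; the bucket also needs a policy that lets the regional ELB log-delivery account write to the prefix.

```hcl
# Added example (not the project's code): classic ELB access logging plus an
# inline, justified suppression for the ACM-certificate check.
resource "aws_elb" "master_internal" {
  #checkov:skip=CKV_AWS_127: TCP passthrough on purpose; kube-apiserver terminates TLS and authenticates client certificates itself
  name = "${var.name}-master"

  # Same subnets and internal flag as the finding, without the split/join detour.
  subnets  = var.endpoint_public_access ? var.public_subnet_ids : var.private_subnet_ids
  internal = !var.endpoint_public_access

  security_groups = compact(concat(
    [aws_security_group.master_lb.id],
    var.lb_security_group_ids
  ))

  idle_timeout                = 3600
  connection_draining         = true
  connection_draining_timeout = 300

  # CKV_AWS_92: access logs are delivered to S3 every 5 or 60 minutes. For a
  # TCP listener each record has client IP/port, backend, timing and byte
  # counts but no HTTP fields, so this is a connection log, not a request log.
  access_logs {
    bucket        = var.lb_access_logs_bucket # assumption: bucket managed elsewhere
    bucket_prefix = "${var.name}-master"
    interval      = 5
    enabled       = true
  }

  listener {
    instance_port     = var.apiserver_secure_port
    instance_protocol = "tcp"
    lb_port           = 443
    lb_protocol       = "tcp"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "SSL:${var.apiserver_secure_port}"
    interval            = 5
  }

  tags = merge(var.extra_tags, {
    "Name"                              = "${var.name}-master"
    "Role"                              = "k8s-master"
    "kubernetes.io/cluster/${var.name}" = "owned"
  })
}
```

The `#checkov:skip=` comment must sit inside the resource block it suppresses, and the text after the second colon is what appears in the report as the justification; a skip with no reason is what auditors push back on, not the skip itself.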
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group.master_lb
File: /modules/aws/kube-master/lb.tf:37-46
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
37 | resource "aws_security_group" "master_lb" {
38 | name_prefix = "${var.name}-master-lb-"
39 | vpc_id = data.aws_vpc.master.id
40 |
41 | tags = merge(var.extra_tags, {
42 | "Name" = "${var.name}-master-lb"
43 | "Role" = "k8s-master"
44 | "kubernetes.io/cluster/${var.name}" = "owned"
45 | })
46 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_lb_egress
File: /modules/aws/kube-master/lb.tf:48-56
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
48 | resource "aws_security_group_rule" "master_lb_egress" {
49 | type = "egress"
50 | security_group_id = aws_security_group.master_lb.id
51 |
52 | protocol = "-1"
53 | cidr_blocks = ["0.0.0.0/0"]
54 | from_port = 0
55 | to_port = 0
56 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_lb_ingress_from_internal
File: /modules/aws/kube-master/lb.tf:58-66
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
58 | resource "aws_security_group_rule" "master_lb_ingress_from_internal" {
59 | type = "ingress"
60 | security_group_id = aws_security_group.master_lb.id
61 |
62 | protocol = "tcp"
63 | cidr_blocks = [var.endpoint_public_access == true ? "0.0.0.0/0" : data.aws_vpc.master.cidr_block]
64 | from_port = 443
65 | to_port = 443
66 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.master.module.master.aws_autoscaling_group.master
File: /modules/aws/kube-master/main.tf:22-82
Calling File: /modules/aws/elastikube/main.tf:1-74
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.master.module.master.aws_launch_template.master
File: /modules/aws/kube-master/main.tf:84-115
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
84 | resource "aws_launch_template" "master" {
85 | instance_type = var.instance_config["ec2_type"][0]
86 | image_id = var.instance_config["image_id"]
87 | name_prefix = "${var.name}-master-"
88 |
89 | vpc_security_group_ids = compact(concat(
90 | var.security_group_ids,
91 | [local.master_sg_id]
92 | ))
93 |
94 | iam_instance_profile {
95 | arn = aws_iam_instance_profile.master.arn
96 | }
97 |
98 | key_name = var.debug_mode ? var.ssh_key : ""
99 | user_data = base64encode(data.ignition_config.s3.rendered)
100 |
101 | block_device_mappings {
102 | device_name = "/dev/xvda"
103 |
104 | ebs {
105 | volume_type = var.instance_config["root_volume_type"]
106 | volume_size = var.instance_config["root_volume_size"]
107 | iops = lookup(local.iops_by_type.root, var.instance_config["root_volume_type"], null)
108 | throughput = lookup(local.throughput_by_type.root, var.instance_config["root_volume_type"], null)
109 | }
110 | }
111 |
112 | lifecycle {
113 | create_before_destroy = true
114 | }
115 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.master.module.master.aws_iam_policy_document.master
File: /modules/aws/kube-master/role.tf:27-90
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.master.module.master.aws_iam_policy_document.master
File: /modules/aws/kube-master/role.tf:27-90
Calling File: /modules/aws/elastikube/main.tf:1-74
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.master.module.master.aws_iam_policy_document.master_vpc_cni
File: /modules/aws/kube-master/role.tf:100-129
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
100 | data "aws_iam_policy_document" "master_vpc_cni" {
101 | statement {
102 | sid = "EC2General"
103 | actions = [
104 | "ec2:AssignPrivateIpAddresses",
105 | "ec2:AttachNetworkInterface",
106 | "ec2:CreateNetworkInterface",
107 | "ec2:DeleteNetworkInterface",
108 | "ec2:DescribeInstances",
109 | "ec2:DescribeInstanceTypes",
110 | "ec2:DescribeTags",
111 | "ec2:DescribeNetworkInterfaces",
112 | "ec2:DetachNetworkInterface",
113 | "ec2:ModifyNetworkInterfaceAttribute",
114 | "ec2:UnassignPrivateIpAddresses"
115 | ]
116 | resources = [
117 | "*"
118 | ]
119 | }
120 | statement {
121 | sid = "EC2Specific"
122 | actions = [
123 | "ec2:CreateTags"
124 | ]
125 | resources = [
126 | "arn:aws:ec2:*:*:network-interface/*"
127 | ]
128 | }
129 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.master.module.master.aws_iam_policy_document.master_vpc_cni
File: /modules/aws/kube-master/role.tf:100-129
Calling File: /modules/aws/elastikube/main.tf:1-74
100 | data "aws_iam_policy_document" "master_vpc_cni" {
101 | statement {
102 | sid = "EC2General"
103 | actions = [
104 | "ec2:AssignPrivateIpAddresses",
105 | "ec2:AttachNetworkInterface",
106 | "ec2:CreateNetworkInterface",
107 | "ec2:DeleteNetworkInterface",
108 | "ec2:DescribeInstances",
109 | "ec2:DescribeInstanceTypes",
110 | "ec2:DescribeTags",
111 | "ec2:DescribeNetworkInterfaces",
112 | "ec2:DetachNetworkInterface",
113 | "ec2:ModifyNetworkInterfaceAttribute",
114 | "ec2:UnassignPrivateIpAddresses"
115 | ]
116 | resources = [
117 | "*"
118 | ]
119 | }
120 | statement {
121 | sid = "EC2Specific"
122 | actions = [
123 | "ec2:CreateTags"
124 | ]
125 | resources = [
126 | "arn:aws:ec2:*:*:network-interface/*"
127 | ]
128 | }
129 | }
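The `master_vpc_cni` document above grants the same set of actions that the VPC CNI plugin needs on every ENI in the account. CKV_AWS_111 and CKV_AWS_356 fire because the mutating actions sit on `"*"`. The rewrite below, an added example and not code from the repository, keeps the `Describe*` calls on `"*"` (EC2 cannot scope those to a resource, and checkov treats them as non-restrictable) and pins the write actions to the current account and region. It assumes `data.aws_caller_identity.current` and `data.aws_region.current` exist in the module; `var.name` is the cluster name already used by the findings.

```hcl
# Added example (not the project's code): same CNI permissions, narrowed.
locals {
  cni_arn_prefix = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
}

data "aws_iam_policy_document" "master_vpc_cni" {
  # Read-only calls: no resource-level support in EC2, so "*" is the only option.
  statement {
    sid = "EC2Describe"
    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceTypes",
      "ec2:DescribeTags",
      "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }

  # Attach/detach/create are authorised against several resource types in one
  # call (instance + ENI, or subnet + security group + ENI), so every type the
  # call touches must be listed or the CNI gets AccessDenied at pod start-up.
  statement {
    sid = "EC2EniWrite"
    actions = [
      "ec2:AssignPrivateIpAddresses",
      "ec2:AttachNetworkInterface",
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:UnassignPrivateIpAddresses",
    ]
    resources = [
      "${local.cni_arn_prefix}:network-interface/*",
      "${local.cni_arn_prefix}:instance/*",
      "${local.cni_arn_prefix}:subnet/*",
      "${local.cni_arn_prefix}:security-group/*",
    ]
  }

  # Unchanged from the finding: tagging is already limited to ENIs.
  statement {
    sid       = "EC2Specific"
    actions   = ["ec2:CreateTags"]
    resources = ["${local.cni_arn_prefix}:network-interface/*"]
  }
}
```

The next step beyond this would be an `ec2:ResourceTag/kubernetes.io/cluster/${var.name}` condition on the delete, detach and modify actions, so a compromised node cannot touch ENIs belonging to another cluster in the same account. That only works if the CNI build in use tags ENIs before it mutates them; check the tags on a live ENI before adding the condition, because a wrong guess stops pods from scheduling.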
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group.master
File: /modules/aws/kube-master/sg.tf:5-16
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "master" {
6 | name_prefix = "${var.name}-master-"
7 | vpc_id = data.aws_vpc.master.id
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}-master"
11 | "Role" = "k8s-master"
12 | "kubernetes.io/cluster/${var.name}" = "owned"
13 | })
14 |
15 | count = var.master_security_group_id == "" ? 1 : 0
16 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_egress
File: /modules/aws/kube-master/sg.tf:22-30
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
22 | resource "aws_security_group_rule" "master_egress" {
23 | type = "egress"
24 | security_group_id = local.master_sg_id
25 |
26 | protocol = "-1"
27 | cidr_blocks = ["0.0.0.0/0"]
28 | from_port = 0
29 | to_port = 0
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress_icmp
File: /modules/aws/kube-master/sg.tf:32-40
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group_rule" "master_ingress_icmp" {
33 | type = "ingress"
34 | security_group_id = local.master_sg_id
35 |
36 | protocol = "icmp"
37 | cidr_blocks = [data.aws_vpc.master.cidr_block]
38 | from_port = 0
39 | to_port = 0
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress_etcd
File: /modules/aws/kube-master/sg.tf:42-50
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
42 | resource "aws_security_group_rule" "master_ingress_etcd" {
43 | type = "ingress"
44 | security_group_id = local.master_sg_id
45 |
46 | protocol = "tcp"
47 | from_port = 2379
48 | to_port = 2380
49 | self = true
50 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress_services
File: /modules/aws/kube-master/sg.tf:52-60
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group_rule" "master_ingress_services" {
53 | type = "ingress"
54 | security_group_id = local.master_sg_id
55 |
56 | protocol = "tcp"
57 | from_port = 30000
58 | to_port = 32767
59 | self = true
60 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_all_self
File: /modules/aws/kube-master/sg.tf:62-70
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
62 | resource "aws_security_group_rule" "master_all_self" {
63 | type = "ingress"
64 | security_group_id = local.master_sg_id
65 |
66 | protocol = -1
67 | from_port = 0
68 | to_port = 0
69 | self = true
70 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress
File: /modules/aws/kube-master/sg.tf:72-80
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
72 | resource "aws_security_group_rule" "master_ingress" {
73 | type = "ingress"
74 | security_group_id = local.master_sg_id
75 |
76 | protocol = "tcp"
77 | cidr_blocks = [data.aws_vpc.master.cidr_block]
78 | from_port = var.apiserver_secure_port
79 | to_port = var.apiserver_secure_port
80 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress_from_lb
File: /modules/aws/kube-master/sg.tf:82-90
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
82 | resource "aws_security_group_rule" "master_ingress_from_lb" {
83 | type = "ingress"
84 | security_group_id = local.master_sg_id
85 | source_security_group_id = aws_security_group.master_lb.id
86 |
87 | protocol = "tcp"
88 | from_port = var.apiserver_secure_port
89 | to_port = var.apiserver_secure_port
90 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ssh[0]
File: /modules/aws/kube-master/sg.tf:92-101
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
92 | resource "aws_security_group_rule" "master_ssh" {
93 | count = (var.debug_mode && length(var.allowed_ssh_cidr) != 0) ? 1 : 0
94 | type = "ingress"
95 | security_group_id = local.master_sg_id
96 |
97 | protocol = "tcp"
98 | cidr_blocks = var.allowed_ssh_cidr
99 | from_port = 22
100 | to_port = 22
101 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.master.module.master.aws_security_group_rule.master_ingress_kubelet_secure_from_worker
File: /modules/aws/kube-master/sg.tf:103-111
Calling File: /modules/aws/elastikube/main.tf:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
103 | resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
104 | type = "ingress"
105 | security_group_id = local.master_sg_id
106 |
107 | protocol = "tcp"
108 | cidr_blocks = [data.aws_vpc.master.cidr_block]
109 | from_port = 10255
110 | to_port = 10255
111 | }
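Every CKV_AWS_23 finding in the kube-etcd and kube-master modules above has the same fix: a `description` on the group and on each rule. The block below is an added example, not the repository's code; it reuses the resource names and locals from the findings and adds only the descriptions. Two things to know before applying it to a running cluster: `description` on `aws_security_group` forces replacement of the group, so plan the change (with `create_before_destroy` and the `name_prefix` already in use) rather than applying it blind; on `aws_security_group_rule` it is updated in place.

```hcl
# Added example (not the project's code): descriptions on the etcd group and a
# representative set of its rules, plus the master kubelet rule. The text of
# each description is the addition; ports and sources are from the findings.
resource "aws_security_group" "etcd" {
  name_prefix = "${var.name}-etcd-"
  description = "etcd members of ${var.name}: peer/client traffic, apiserver access, exporters"
  vpc_id      = local.vpc_id

  tags = merge(var.extra_tags, {
    "Name" = "${var.name}-etcd"
    "Role" = "etcd"
  })
}

resource "aws_security_group_rule" "etcd_egress" {
  type              = "egress"
  description       = "unrestricted egress: S3 ignition config, AWS APIs, image and package mirrors"
  security_group_id = aws_security_group.etcd.id

  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "etcd_ingress" {
  type              = "ingress"
  description       = "etcd peer and client ports between cluster members"
  security_group_id = aws_security_group.etcd.id

  protocol  = "tcp"
  from_port = min(local.peer_port, local.client_port)
  to_port   = max(local.peer_port, local.client_port)
  self      = true
}

resource "aws_security_group_rule" "etcd_ingress_from_master" {
  type                     = "ingress"
  description              = "kube-apiserver (master SG) to etcd client port"
  security_group_id        = aws_security_group.etcd.id
  source_security_group_id = var.master_security_group_id

  protocol  = "tcp"
  from_port = local.client_port
  to_port   = local.client_port
}

resource "aws_security_group_rule" "etcd_ssh" {
  count             = (var.debug_mode && length(var.allowed_ssh_cidr) != 0) ? 1 : 0
  type              = "ingress"
  description       = "SSH for debugging only; created when debug_mode is set"
  security_group_id = aws_security_group.etcd.id

  protocol    = "tcp"
  cidr_blocks = var.allowed_ssh_cidr
  from_port   = 22
  to_port     = 22
}

resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
  type              = "ingress"
  description       = "kubelet port 10255 from the VPC (read-only port; the authenticated kubelet API is 10250)"
  security_group_id = local.master_sg_id

  protocol    = "tcp"
  cidr_blocks = [data.aws_vpc.master.cidr_block]
  from_port   = 10255
  to_port     = 10255
}
```

Writing the descriptions tends to surface questions the rules themselves do not answer. `etcd_ingress` opens the whole range between `local.peer_port` and `local.client_port`; with the defaults 2379 and 2380 that is exactly two ports, but with non-adjacent custom ports it opens everything in between, and two single-port rules would be safer. The master rule named `kubelet_secure` allows 10255, which is the kubelet's unauthenticated read-only port, while the authenticated kubelet API listens on 10250; whichever the module intends, saying so in the description saves the next reviewer from guessing.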
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.worker_on_demand.aws_launch_template.worker
File: /modules/aws/kube-worker/main.tf:125-153
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:108-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
125 | resource "aws_launch_template" "worker" {
126 | instance_type = var.instance_config["ec2_type"][0]
127 | image_id = var.instance_config["image_id"]
128 | name_prefix = "${var.name}-worker-${var.instance_config["name"]}-"
129 |
130 | vpc_security_group_ids = local.vpc_security_group_ids
131 |
132 | iam_instance_profile {
133 | arn = aws_iam_instance_profile.worker.arn
134 | }
135 |
136 | key_name = var.debug_mode ? var.ssh_key : ""
137 | user_data = base64encode(data.ignition_config.s3.rendered)
138 |
139 | block_device_mappings {
140 | device_name = "/dev/xvda"
141 |
142 | ebs {
143 | volume_type = var.instance_config["root_volume_type"]
144 | volume_size = var.instance_config["root_volume_size"]
145 | iops = lookup(local.iops_by_type.root, var.instance_config["root_volume_type"], null)
146 | throughput = lookup(local.throughput_by_type.root, var.instance_config["root_volume_type"], null)
147 | }
148 | }
149 |
150 | lifecycle {
151 | create_before_destroy = true
152 | }
153 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.worker_spot.aws_launch_template.worker
File: /modules/aws/kube-worker/main.tf:125-153
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:174-227
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
125 | resource "aws_launch_template" "worker" {
126 | instance_type = var.instance_config["ec2_type"][0]
127 | image_id = var.instance_config["image_id"]
128 | name_prefix = "${var.name}-worker-${var.instance_config["name"]}-"
129 |
130 | vpc_security_group_ids = local.vpc_security_group_ids
131 |
132 | iam_instance_profile {
133 | arn = aws_iam_instance_profile.worker.arn
134 | }
135 |
136 | key_name = var.debug_mode ? var.ssh_key : ""
137 | user_data = base64encode(data.ignition_config.s3.rendered)
138 |
139 | block_device_mappings {
140 | device_name = "/dev/xvda"
141 |
142 | ebs {
143 | volume_type = var.instance_config["root_volume_type"]
144 | volume_size = var.instance_config["root_volume_size"]
145 | iops = lookup(local.iops_by_type.root, var.instance_config["root_volume_type"], null)
146 | throughput = lookup(local.throughput_by_type.root, var.instance_config["root_volume_type"], null)
147 | }
148 | }
149 |
150 | lifecycle {
151 | create_before_destroy = true
152 | }
153 | }
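Both CKV_AWS_79 findings above come from the one `aws_launch_template.worker` in `kube-worker/main.tf` (reported once per worker group), so a single change clears both. The following is an added example, not code from the repository: the same resource with a `metadata_options` block that requires IMDSv2 session tokens and caps the PUT response hop limit at 1. `encrypted = true` on the root volume is included as well; it is not among the findings on this resource, but it is the same control that CKV_AWS_8 raises against the bastion later in this report.

```hcl
resource "aws_launch_template" "worker" {
  instance_type = var.instance_config["ec2_type"][0]
  image_id      = var.instance_config["image_id"]
  name_prefix   = "${var.name}-worker-${var.instance_config["name"]}-"

  vpc_security_group_ids = local.vpc_security_group_ids

  iam_instance_profile {
    arn = aws_iam_instance_profile.worker.arn
  }

  key_name  = var.debug_mode ? var.ssh_key : ""
  user_data = base64encode(data.ignition_config.s3.rendered)

  # CKV_AWS_79. http_tokens = "required" rejects the plain v1 GET that SSRF
  # and similar bugs abuse to read node credentials; hop limit 1 additionally
  # drops any IMDS reply that would have to be forwarded, which is what a
  # request from a pod on the overlay network looks like from the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  block_device_mappings {
    device_name = "/dev/xvda"

    ebs {
      volume_type = var.instance_config["root_volume_type"]
      volume_size = var.instance_config["root_volume_size"]
      iops        = lookup(local.iops_by_type.root, var.instance_config["root_volume_type"], null)
      throughput  = lookup(local.throughput_by_type.root, var.instance_config["root_volume_type"], null)
      encrypted   = true # same control as the bastion's CKV_AWS_8 finding
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

Two things to confirm before rolling this out. First, Ignition on the host fetches the rendered config from S3 with the instance profile, so the Ignition build in the AMI must itself be able to request an IMDSv2 token; apply it to one worker group and check that a new node joins before applying to both. Second, with hop limit 1 any pod that still takes AWS credentials from the node role through 169.254.169.254 stops working; that is the intended outcome when pods get credentials through IRSA (the `irsa` module that appears later in this report), but workloads that have not been moved yet need to be found first. A new launch template version does not touch running nodes; after an instance refresh, `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].MetadataOptions'` should show `HttpTokens` as `required` and `HttpPutResponseHopLimit` as 1.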
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.worker_on_demand.aws_iam_policy_document.worker
File: /modules/aws/kube-worker/role.tf:27-67
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:108-168
27 | data "aws_iam_policy_document" "worker" {
28 | statement {
29 | sid = "EC2"
30 | actions = [
31 | "ec2:DescribeInstances",
32 | "ec2:DescribeRegions"
33 | ]
34 | resources = [
35 | "*"
36 | ]
37 | }
38 | statement {
39 | sid = "S3"
40 | actions = [
41 | "s3:GetObject",
42 | ]
43 | resources = [
44 | "arn:aws:s3:::${var.s3_bucket}/*"
45 | ]
46 | }
47 | statement {
48 | sid = "ECR"
49 | actions = [
50 | "ecr:GetAuthorizationToken",
51 | "ecr:BatchCheckLayerAvailability",
52 | "ecr:GetDownloadUrlForLayer",
53 | "ecr:GetRepositoryPolicy",
54 | "ecr:DescribeRepositories",
55 | "ecr:ListImages",
56 | "ecr:DescribeImages",
57 | "ecr:BatchGetImage",
58 | "ecr:GetLifecyclePolicy",
59 | "ecr:GetLifecyclePolicyPreview",
60 | "ecr:ListTagsForResource",
61 | "ecr:DescribeImageScanFindings"
62 | ]
63 | resources = [
64 | "*"
65 | ]
66 | }
67 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.worker_on_demand.aws_iam_policy_document.worker_vpc_cni
File: /modules/aws/kube-worker/role.tf:77-106
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:108-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
77 | data "aws_iam_policy_document" "worker_vpc_cni" {
78 | statement {
79 | sid = "EC2General"
80 | actions = [
81 | "ec2:AssignPrivateIpAddresses",
82 | "ec2:AttachNetworkInterface",
83 | "ec2:CreateNetworkInterface",
84 | "ec2:DeleteNetworkInterface",
85 | "ec2:DescribeInstances",
86 | "ec2:DescribeInstanceTypes",
87 | "ec2:DescribeTags",
88 | "ec2:DescribeNetworkInterfaces",
89 | "ec2:DetachNetworkInterface",
90 | "ec2:ModifyNetworkInterfaceAttribute",
91 | "ec2:UnassignPrivateIpAddresses"
92 | ]
93 | resources = [
94 | "*"
95 | ]
96 | }
97 | statement {
98 | sid = "EC2Specific"
99 | actions = [
100 | "ec2:CreateTags"
101 | ]
102 | resources = [
103 | "arn:aws:ec2:*:*:network-interface/*"
104 | ]
105 | }
106 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.worker_on_demand.aws_iam_policy_document.worker_vpc_cni
File: /modules/aws/kube-worker/role.tf:77-106
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:108-168
77 | data "aws_iam_policy_document" "worker_vpc_cni" {
78 | statement {
79 | sid = "EC2General"
80 | actions = [
81 | "ec2:AssignPrivateIpAddresses",
82 | "ec2:AttachNetworkInterface",
83 | "ec2:CreateNetworkInterface",
84 | "ec2:DeleteNetworkInterface",
85 | "ec2:DescribeInstances",
86 | "ec2:DescribeInstanceTypes",
87 | "ec2:DescribeTags",
88 | "ec2:DescribeNetworkInterfaces",
89 | "ec2:DetachNetworkInterface",
90 | "ec2:ModifyNetworkInterfaceAttribute",
91 | "ec2:UnassignPrivateIpAddresses"
92 | ]
93 | resources = [
94 | "*"
95 | ]
96 | }
97 | statement {
98 | sid = "EC2Specific"
99 | actions = [
100 | "ec2:CreateTags"
101 | ]
102 | resources = [
103 | "arn:aws:ec2:*:*:network-interface/*"
104 | ]
105 | }
106 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.worker_spot.aws_iam_policy_document.worker
File: /modules/aws/kube-worker/role.tf:27-67
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:174-227
27 | data "aws_iam_policy_document" "worker" {
28 | statement {
29 | sid = "EC2"
30 | actions = [
31 | "ec2:DescribeInstances",
32 | "ec2:DescribeRegions"
33 | ]
34 | resources = [
35 | "*"
36 | ]
37 | }
38 | statement {
39 | sid = "S3"
40 | actions = [
41 | "s3:GetObject",
42 | ]
43 | resources = [
44 | "arn:aws:s3:::${var.s3_bucket}/*"
45 | ]
46 | }
47 | statement {
48 | sid = "ECR"
49 | actions = [
50 | "ecr:GetAuthorizationToken",
51 | "ecr:BatchCheckLayerAvailability",
52 | "ecr:GetDownloadUrlForLayer",
53 | "ecr:GetRepositoryPolicy",
54 | "ecr:DescribeRepositories",
55 | "ecr:ListImages",
56 | "ecr:DescribeImages",
57 | "ecr:BatchGetImage",
58 | "ecr:GetLifecyclePolicy",
59 | "ecr:GetLifecyclePolicyPreview",
60 | "ecr:ListTagsForResource",
61 | "ecr:DescribeImageScanFindings"
62 | ]
63 | resources = [
64 | "*"
65 | ]
66 | }
67 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.worker_spot.aws_iam_policy_document.worker_vpc_cni
File: /modules/aws/kube-worker/role.tf:77-106
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:174-227
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
77 | data "aws_iam_policy_document" "worker_vpc_cni" {
78 | statement {
79 | sid = "EC2General"
80 | actions = [
81 | "ec2:AssignPrivateIpAddresses",
82 | "ec2:AttachNetworkInterface",
83 | "ec2:CreateNetworkInterface",
84 | "ec2:DeleteNetworkInterface",
85 | "ec2:DescribeInstances",
86 | "ec2:DescribeInstanceTypes",
87 | "ec2:DescribeTags",
88 | "ec2:DescribeNetworkInterfaces",
89 | "ec2:DetachNetworkInterface",
90 | "ec2:ModifyNetworkInterfaceAttribute",
91 | "ec2:UnassignPrivateIpAddresses"
92 | ]
93 | resources = [
94 | "*"
95 | ]
96 | }
97 | statement {
98 | sid = "EC2Specific"
99 | actions = [
100 | "ec2:CreateTags"
101 | ]
102 | resources = [
103 | "arn:aws:ec2:*:*:network-interface/*"
104 | ]
105 | }
106 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.worker_spot.aws_iam_policy_document.worker_vpc_cni
File: /modules/aws/kube-worker/role.tf:77-106
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:174-227
77 | data "aws_iam_policy_document" "worker_vpc_cni" {
78 | statement {
79 | sid = "EC2General"
80 | actions = [
81 | "ec2:AssignPrivateIpAddresses",
82 | "ec2:AttachNetworkInterface",
83 | "ec2:CreateNetworkInterface",
84 | "ec2:DeleteNetworkInterface",
85 | "ec2:DescribeInstances",
86 | "ec2:DescribeInstanceTypes",
87 | "ec2:DescribeTags",
88 | "ec2:DescribeNetworkInterfaces",
89 | "ec2:DetachNetworkInterface",
90 | "ec2:ModifyNetworkInterfaceAttribute",
91 | "ec2:UnassignPrivateIpAddresses"
92 | ]
93 | resources = [
94 | "*"
95 | ]
96 | }
97 | statement {
98 | sid = "EC2Specific"
99 | actions = [
100 | "ec2:CreateTags"
101 | ]
102 | resources = [
103 | "arn:aws:ec2:*:*:network-interface/*"
104 | ]
105 | }
106 | }
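The four CKV_AWS_356 and two CKV_AWS_111 findings above are two policy documents from `kube-worker/role.tf`, each reported once per worker group (on-demand and spot). In the `worker` document only the ECR statement can be narrowed: `ec2:DescribeInstances`, `ec2:DescribeRegions` and `ecr:GetAuthorizationToken` support no resource-level permissions and need `*`, while every other ECR action accepts a repository ARN. The `worker_vpc_cni` document is, statement for statement, the shape of AWS's managed VPC CNI policy, whose ENI actions also operate on `*`; what can be changed there is which principal holds it. The following is an added example, not the repository's code: the `worker` document with ECR split into an unrestrictable and a repository-scoped statement, and an IRSA role, trusting the OIDC provider the `irsa` module creates, that carries the unchanged `worker_vpc_cni` document instead of the node instance profile. `oidc_provider_arn` and `oidc_issuer_host` are assumed inputs, and `kube-system/aws-node` is the upstream VPC CNI service account, assumed here to be what the cluster runs.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "worker" {
  # ec2:Describe* has no resource-level permissions; "*" is the only valid
  # resource and checkov treats these actions as unrestrictable.
  statement {
    sid       = "EC2"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeRegions"]
    resources = ["*"]
  }

  statement {
    sid       = "S3"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.s3_bucket}/*"]
  }

  # ecr:GetAuthorizationToken is likewise unrestrictable: own statement, keeps "*".
  statement {
    sid       = "ECRAuth"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Every remaining ECR action accepts a repository ARN. Scoping them to this
  # account's repositories (or a shorter explicit list) is what clears CKV_AWS_356.
  statement {
    sid = "ECRPull"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:GetLifecyclePolicy",
      "ecr:GetLifecyclePolicyPreview",
      "ecr:ListTagsForResource",
      "ecr:DescribeImageScanFindings",
    ]
    resources = [
      "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*",
    ]
  }
}

# Take the ENI-management permissions off the node role and bind them to the
# CNI's service account, so a compromised pod cannot reach them through the
# node's IMDS credentials. Both variables are assumed names, not module inputs.
variable "oidc_provider_arn" { type = string } # IAM OIDC provider ARN from the irsa module
variable "oidc_issuer_host" { type = string }  # issuer URL without the "https://" prefix

data "aws_iam_policy_document" "vpc_cni_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    # Only the aws-node service account, and only tokens minted for STS.
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }
    condition {
      test     = "StringEquals"
      variable = "${var.oidc_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vpc_cni" {
  name_prefix        = "${var.name}-vpc-cni-"
  assume_role_policy = data.aws_iam_policy_document.vpc_cni_trust.json
}

resource "aws_iam_role_policy" "vpc_cni" {
  role   = aws_iam_role.vpc_cni.id
  policy = data.aws_iam_policy_document.worker_vpc_cni.json # the document shown above, unchanged
}
```

The CNI findings do not disappear with this move; they become an accepted finding (`checkov:skip` with a reason) on a role that exactly one service account can assume, which is a different risk from the same permissions sitting on every worker node. The service account then needs the `eks.amazonaws.com/role-arn` annotation that the pod identity webhook acts on. In a cluster running Cilium in VXLAN mode, as the name of the calling example suggests, the VPC CNI may not be deployed at all, in which case the simpler fix is to not attach `worker_vpc_cni` to the worker role in the first place; whether the module attaches it unconditionally is worth checking.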
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.network.aws_iam_policy_document.bastion
File: /modules/aws/network/bastion.tf:64-102
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
64 | data "aws_iam_policy_document" "bastion" {
65 | statement {
66 | sid = "IAM"
67 | actions = [
68 | "iam:*",
69 | "organizations:DescribeAccount",
70 | "organizations:DescribeOrganization",
71 | "organizations:DescribeOrganizationalUnit",
72 | "organizations:DescribePolicy",
73 | "organizations:ListChildren",
74 | "organizations:ListParents",
75 | "organizations:ListPoliciesForTarget",
76 | "organizations:ListRoots",
77 | "organizations:ListPolicies",
78 | "organizations:ListTargetsForPolicy"
79 | ]
80 | resources = [
81 | "*"
82 | ]
83 | }
84 | statement {
85 | sid = "S3"
86 | actions = [
87 | "s3:*"
88 | ]
89 | resources = [
90 | "*"
91 | ]
92 | }
93 | statement {
94 | sid = "STS"
95 | actions = [
96 | "sts:AssumeRole"
97 | ]
98 | resources = [
99 | "*"
100 | ]
101 | }
102 | }
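Six checks (CKV_AWS_107 through CKV_AWS_111 and CKV_AWS_356) fire on the same bastion policy document, and all six trace back to three statements: `iam:*`, `s3:*` and `sts:AssumeRole`, each on `*`. Taken together with the bastion's SSH rule reported below, that is a path from one leaked key or hijacked session to control of the account: `iam:*` on `*` alone allows creating access keys for any user or attaching AdministratorAccess to the bastion's own role. The module does not document what the bastion actually needs, so the rewrite below is an added example, not the repository's code, and its S3 and AssumeRole targets (`ignition_bucket`, `bastion_assumable_role_arns`) are assumptions to be replaced with the real ones. The shape is the point: no `iam:*`, read-only S3 on a named bucket, and AssumeRole limited to named roles whose trust policies name the bastion role in turn.

```hcl
variable "ignition_bucket" {
  description = "Assumed: the one bucket the bastion needs to read; not a current module input"
  type        = string
}

variable "bastion_assumable_role_arns" {
  description = "Assumed: the only roles operators may assume from the bastion"
  type        = list(string)
  # e.g. ["arn:aws:iam::123456789012:role/cluster-admin"]
}

data "aws_iam_policy_document" "bastion" {
  # The read-only Organizations calls from the original statement, without
  # iam:*. These actions have no resource-level permissions, so "*" stays.
  statement {
    sid = "OrganizationsReadOnly"
    actions = [
      "organizations:DescribeAccount",
      "organizations:DescribeOrganization",
      "organizations:DescribeOrganizationalUnit",
      "organizations:DescribePolicy",
      "organizations:ListChildren",
      "organizations:ListParents",
      "organizations:ListPoliciesForTarget",
      "organizations:ListRoots",
      "organizations:ListPolicies",
      "organizations:ListTargetsForPolicy",
    ]
    resources = ["*"]
  }

  # s3:* on * becomes read access to one named bucket (CKV_AWS_108/111).
  statement {
    sid     = "S3ReadIgnition"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.ignition_bucket}",
      "arn:aws:s3:::${var.ignition_bucket}/*",
    ]
  }

  # sts:AssumeRole on * becomes an explicit list (CKV_AWS_110). The target
  # roles' trust policies must name the bastion role as well; this side alone
  # is not a control, but it stops the bastion being a hop into every role in
  # the account whose trust policy happens to be loose.
  statement {
    sid       = "AssumeNamedRoles"
    actions   = ["sts:AssumeRole"]
    resources = var.bastion_assumable_role_arns
  }
}
```

Anything the bastion turns out to need from IAM goes in as named actions on named ARNs, never `iam:*`. The result can be checked against the attached role without logging in anywhere: `aws iam simulate-principal-policy --policy-source-arn <bastion-role-arn> --action-names iam:CreateAccessKey iam:AttachRolePolicy s3:PutObject` should report `implicitDeny` for each action.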
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.network.aws_security_group.bastion
File: /modules/aws/network/bastion.tf:1-8
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "bastion" {
2 | vpc_id = aws_vpc.new_vpc.id
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-bastion"
6 | "Role" = "bastion"
7 | })
8 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.network.aws_security_group_rule.bastion_egress
File: /modules/aws/network/bastion.tf:10-18
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
10 | resource "aws_security_group_rule" "bastion_egress" {
11 | type = "egress"
12 | security_group_id = aws_security_group.bastion.id
13 |
14 | from_port = 0
15 | to_port = 0
16 | protocol = "-1"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.network.aws_security_group_rule.bastion_ingress_ssh
File: /modules/aws/network/bastion.tf:20-28
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
20 | resource "aws_security_group_rule" "bastion_ingress_ssh" {
21 | type = "ingress"
22 | security_group_id = aws_security_group.bastion.id
23 |
24 | protocol = "tcp"
25 | cidr_blocks = ["0.0.0.0/0"]
26 | from_port = 22
27 | to_port = 22
28 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.network.aws_security_group_rule.bastion_ingress_ssh
File: /modules/aws/network/bastion.tf:20-28
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
20 | resource "aws_security_group_rule" "bastion_ingress_ssh" {
21 | type = "ingress"
22 | security_group_id = aws_security_group.bastion.id
23 |
24 | protocol = "tcp"
25 | cidr_blocks = ["0.0.0.0/0"]
26 | from_port = 22
27 | to_port = 22
28 | }
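Every CKV_AWS_23 hit in this report is the same omission, a missing `description` on a security group or rule, and CKV_AWS_24 on the bastion is the one rule among them that matters on its own: tcp/22 open to 0.0.0.0/0 on the host that, per the findings above, also holds `iam:*`. The following is an added example, not the repository's code. It shows the bastion group and rules from `network/bastion.tf` with descriptions and with the SSH rule keyed to an `allowed_ssh_cidr` input modelled on the one `kube-master` already uses for `master_ssh`; the network module has no such variable, so it is declared here as an assumption. The kubelet rule from `kube-master/sg.tf` is appended for the same description fix, with a note on its port.

```hcl
# Assumed: the network module gets the same input kube-master already has.
variable "allowed_ssh_cidr" {
  description = "CIDRs allowed to reach the bastion on tcp/22; empty disables the rule"
  type        = list(string)
  default     = []
}

# CKV_AWS_23 applies to the group itself as well as to each rule.
resource "aws_security_group" "bastion" {
  vpc_id      = aws_vpc.new_vpc.id
  description = "Bastion host: SSH entry point into the ${var.name} VPC"

  tags = merge(var.extra_tags, {
    "Name" = "${var.name}-bastion"
    "Role" = "bastion"
  })
}

resource "aws_security_group_rule" "bastion_egress" {
  type              = "egress"
  security_group_id = aws_security_group.bastion.id
  description       = "All egress: AWS APIs, package mirrors, nodes inside the VPC"

  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}

# CKV_AWS_24: the source is an operator allow-list, never 0.0.0.0/0, and the
# rule is not created at all when the list is empty (same pattern as master_ssh).
resource "aws_security_group_rule" "bastion_ingress_ssh" {
  count             = length(var.allowed_ssh_cidr) != 0 ? 1 : 0
  type              = "ingress"
  security_group_id = aws_security_group.bastion.id
  description       = "SSH from the operator networks listed in allowed_ssh_cidr"

  protocol    = "tcp"
  cidr_blocks = var.allowed_ssh_cidr
  from_port   = 22
  to_port     = 22
}

# From kube-master/sg.tf, description added. Note the port: tcp/10255 is the
# kubelet's read-only port, which serves pod and metrics data with no
# authentication when it is enabled; the authenticated kubelet API is
# tcp/10250. The rule's name suggests the latter was intended, but which one
# the masters actually rely on is not visible in this report, so the value is
# left as it was and the description records what it opens.
resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
  type              = "ingress"
  security_group_id = local.master_sg_id
  description       = "Kubelet read-only port 10255 on masters from the VPC CIDR"

  protocol    = "tcp"
  cidr_blocks = [data.aws_vpc.master.cidr_block]
  from_port   = 10255
  to_port     = 10255
}
```

Descriptions are not cosmetic on rules like the last one: they are what the next person reads in the console before deciding whether a 10255 rule can be closed. After applying, `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<bastion-sg-id> --query 'SecurityGroupRules[].[FromPort,CidrIpv4,Description]' --output table` shows in one screen whether any 0.0.0.0/0 entry on port 22 survives.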
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.network.aws_instance.bastion
File: /modules/aws/network/bastion.tf:116-139
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
116 | resource "aws_instance" "bastion" {
117 | ami = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
118 | associate_public_ip_address = true
119 | instance_type = var.bastion_instance_type
120 | iam_instance_profile = aws_iam_instance_profile.bastion.name
121 | key_name = var.bastion_key_name
122 | source_dest_check = true
123 | subnet_id = aws_subnet.public_subnet.*.id[0]
124 | user_data = data.template_file.user_data.rendered
125 |
126 | root_block_device {
127 | volume_type = "standard"
128 | volume_size = "40"
129 | }
130 |
131 | vpc_security_group_ids = [
132 | aws_security_group.bastion.id,
133 | ]
134 |
135 | tags = merge(var.extra_tags, {
136 | "Name" = "${var.name}-bastion"
137 | "Role" = "bastion"
138 | })
139 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.network.aws_instance.bastion
File: /modules/aws/network/bastion.tf:116-139
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
116 | resource "aws_instance" "bastion" {
117 | ami = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
118 | associate_public_ip_address = true
119 | instance_type = var.bastion_instance_type
120 | iam_instance_profile = aws_iam_instance_profile.bastion.name
121 | key_name = var.bastion_key_name
122 | source_dest_check = true
123 | subnet_id = aws_subnet.public_subnet.*.id[0]
124 | user_data = data.template_file.user_data.rendered
125 |
126 | root_block_device {
127 | volume_type = "standard"
128 | volume_size = "40"
129 | }
130 |
131 | vpc_security_group_ids = [
132 | aws_security_group.bastion.id,
133 | ]
134 |
135 | tags = merge(var.extra_tags, {
136 | "Name" = "${var.name}-bastion"
137 | "Role" = "bastion"
138 | })
139 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.network.aws_instance.bastion
File: /modules/aws/network/bastion.tf:116-139
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
116 | resource "aws_instance" "bastion" {
117 | ami = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
118 | associate_public_ip_address = true
119 | instance_type = var.bastion_instance_type
120 | iam_instance_profile = aws_iam_instance_profile.bastion.name
121 | key_name = var.bastion_key_name
122 | source_dest_check = true
123 | subnet_id = aws_subnet.public_subnet.*.id[0]
124 | user_data = data.template_file.user_data.rendered
125 |
126 | root_block_device {
127 | volume_type = "standard"
128 | volume_size = "40"
129 | }
130 |
131 | vpc_security_group_ids = [
132 | aws_security_group.bastion.id,
133 | ]
134 |
135 | tags = merge(var.extra_tags, {
136 | "Name" = "${var.name}-bastion"
137 | "Role" = "bastion"
138 | })
139 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: module.network.aws_instance.bastion
File: /modules/aws/network/bastion.tf:116-139
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
116 | resource "aws_instance" "bastion" {
117 | ami = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
118 | associate_public_ip_address = true
119 | instance_type = var.bastion_instance_type
120 | iam_instance_profile = aws_iam_instance_profile.bastion.name
121 | key_name = var.bastion_key_name
122 | source_dest_check = true
123 | subnet_id = aws_subnet.public_subnet.*.id[0]
124 | user_data = data.template_file.user_data.rendered
125 |
126 | root_block_device {
127 | volume_type = "standard"
128 | volume_size = "40"
129 | }
130 |
131 | vpc_security_group_ids = [
132 | aws_security_group.bastion.id,
133 | ]
134 |
135 | tags = merge(var.extra_tags, {
136 | "Name" = "${var.name}-bastion"
137 | "Role" = "bastion"
138 | })
139 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.network.aws_instance.bastion
File: /modules/aws/network/bastion.tf:116-139
Calling File: /examples/kubernetes-cluster-cilium-vxlan/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
116 | resource "aws_instance" "bastion" {
117 | ami = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
118 | associate_public_ip_address = true
119 | instance_type = var.bastion_instance_type
120 | iam_instance_profile = aws_iam_instance_profile.bastion.name
121 | key_name = var.bastion_key_name
122 | source_dest_check = true
123 | subnet_id = aws_subnet.public_subnet.*.id[0]
124 | user_data = data.template_file.user_data.rendered
125 |
126 | root_block_device {
127 | volume_type = "standard"
128 | volume_size = "40"
129 | }
130 |
131 | vpc_security_group_ids = [
132 | aws_security_group.bastion.id,
133 | ]
134 |
135 | tags = merge(var.extra_tags, {
136 | "Name" = "${var.name}-bastion"
137 | "Role" = "bastion"
138 | })
139 | }
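The five findings on `aws_instance.bastion` are all instance-level settings on one resource. The following is an added example, not the repository's code, of that resource with detailed monitoring, EBS optimisation, an encrypted root volume and IMDSv2 enforced. CKV_AWS_88 (public IP) is the one that cannot be fixed without changing what the bastion is: a jump host reached over the internet needs a public address, so the example records it as an accepted finding with checkov's inline skip syntax; the alternative that does clear it is noted after the block.

```hcl
resource "aws_instance" "bastion" {
  ami                  = var.bastion_ami_id == "" ? module.os_ami.image_id : var.bastion_ami_id
  instance_type        = var.bastion_instance_type
  iam_instance_profile = aws_iam_instance_profile.bastion.name
  key_name             = var.bastion_key_name
  source_dest_check    = true
  subnet_id            = aws_subnet.public_subnet.*.id[0]
  user_data            = data.template_file.user_data.rendered

  # CKV_AWS_88: an internet-facing jump host needs a public address. Recorded
  # as accepted; the SSH source is restricted in the security group instead.
  #checkov:skip=CKV_AWS_88:Internet-facing bastion by design; ingress limited to allowed_ssh_cidr
  associate_public_ip_address = true

  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics
  ebs_optimized = true # CKV_AWS_135: rejected only by old instance types without EBS-optimised support

  # CKV_AWS_79: IMDSv2 only. Hop limit 1 costs nothing on a host with no
  # containers; only the OS itself talks to the metadata service.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root volume. Without kms_key_id the account's
  # default aws/ebs key is used; gp3 replaces the magnetic "standard" type.
  root_block_device {
    volume_type = "gp3"
    volume_size = 40
    encrypted   = true
  }

  vpc_security_group_ids = [
    aws_security_group.bastion.id,
  ]

  tags = merge(var.extra_tags, {
    "Name" = "${var.name}-bastion"
    "Role" = "bastion"
  })
}
```

Turning on root-volume encryption for an existing instance forces a replacement, so plan for the bastion's public address to change. To clear CKV_AWS_88 rather than accept it: drop `associate_public_ip_address`, place the host in a private subnet, attach the AWS-managed `AmazonSSMManagedInstanceCore` policy to its role, and connect with `aws ssm start-session --target <instance-id>`; the SSH security group rule and the key pair then go away entirely, and every session is logged by SSM rather than by whatever sshd writes locally.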
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.master.aws_s3_bucket_ownership_controls.ignition
File: /modules/aws/elastikube/s3.tf:11-17
11 | resource "aws_s3_bucket_ownership_controls" "ignition" {
12 | bucket = aws_s3_bucket.ignition.id
13 |
14 | rule {
15 | object_ownership = "BucketOwnerPreferred"
16 | }
17 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.network.aws_vpc.new_vpc
File: /modules/aws/network/vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "new_vpc" {
2 | cidr_block = var.cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 |
6 | tags = merge(var.extra_tags, {
7 | "Name" = var.name
8 | "Role" = "network"
9 | })
10 | }
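CKV2_AWS_12 is about the security group AWS creates with every VPC: it allows all traffic between its own members and all egress, and any instance or ENI launched without an explicit group lands in it. Terraform does not need to create that group, only to adopt it. The following is an added example, not the repository's code, of the resource that does so in the network module; with no `ingress` or `egress` blocks declared, the provider removes every rule the default group has.

```hcl
resource "aws_vpc" "new_vpc" {
  cidr_block           = var.cidr_block
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = merge(var.extra_tags, {
    "Name" = var.name
    "Role" = "network"
  })
}

# CKV2_AWS_12: adopting the VPC's default group with no ingress/egress blocks
# makes the provider delete its built-in allow-all rules. Nothing in the module
# should be using this group; every instance in this report gets an explicit one.
resource "aws_default_security_group" "new_vpc" {
  vpc_id = aws_vpc.new_vpc.id

  tags = merge(var.extra_tags, {
    "Name" = "${var.name}-default-deny"
    "Role" = "network"
  })
}
```

Check before and after with `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> Name=group-name,Values=default --query 'SecurityGroups[].[IpPermissions,IpPermissionsEgress]'`; both lists should be empty afterwards. Any ENI that was silently relying on the default group, for example one created outside Terraform, loses connectivity at that point, which is precisely what the finding is asking for.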
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
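The S3 findings (CKV_AWS_144, CKV2_AWS_62, CKV2_AWS_65, CKV_AWS_21) cover three buckets with two different exposure requirements, and the checkov output does not tell them apart. The Ignition buckets hold node bootstrap configuration and should be private; the `irsa` OIDC bucket is the cluster's token issuer and has to serve its discovery document and JWKS anonymously to STS, so a blanket public-access block on it would break IRSA. The following is an added example, not the repository's code: the elastikube Ignition bucket with versioning, ACLs disabled, public access blocked, SSE-S3 encryption and inline skips for the two findings that are accepted rather than fixed, followed by the OIDC bucket with a bucket policy that exposes only the two discovery objects. The object keys in that policy are assumptions; the real ones are whatever the irsa module uploads.

```hcl
resource "aws_s3_bucket" "ignition" {
  bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"

  # Accepted findings, recorded where the scanner reads them so they stop
  # showing as failures: the bucket holds regenerable single-region bootstrap
  # config, and nothing consumes object events from it.
  #checkov:skip=CKV_AWS_144:Ignition config is regenerated by terraform; no cross-region copy needed
  #checkov:skip=CKV2_AWS_62:No consumer for object event notifications

  tags = merge(var.extra_tags, {
    "Name"                              = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
    "Role"                              = "k8s-master"
    "kubernetes.io/cluster/${var.name}" = "owned"
  })
}

# CKV_AWS_21: earlier Ignition renders stay recoverable after a bad apply.
resource "aws_s3_bucket_versioning" "ignition" {
  bucket = aws_s3_bucket.ignition.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_65: BucketOwnerEnforced disables ACLs outright; the original
# BucketOwnerPreferred still honours them.
resource "aws_s3_bucket_ownership_controls" "ignition" {
  bucket = aws_s3_bucket.ignition.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "ignition" {
  bucket                  = aws_s3_bucket.ignition.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# SSE-S3 rather than SSE-KMS: the worker role shown earlier has only
# s3:GetObject, and a KMS key would also require kms:Decrypt on that key.
resource "aws_s3_bucket_server_side_encryption_configuration" "ignition" {
  bucket = aws_s3_bucket.ignition.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# The IRSA bucket: STS fetches the discovery document and JWKS anonymously,
# so exactly these two keys are made public through a bucket policy and
# nothing else is. Keys are assumptions; use what the irsa module writes.
resource "aws_s3_bucket_ownership_controls" "oidc" {
  bucket = aws_s3_bucket.oidc.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "oidc" {
  bucket                  = aws_s3_bucket.oidc.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false # the policy below is deliberately public
  restrict_public_buckets = false
}

data "aws_iam_policy_document" "oidc_public_read" {
  statement {
    sid     = "OIDCDiscoveryRead"
    actions = ["s3:GetObject"]
    resources = [
      "${aws_s3_bucket.oidc.arn}/.well-known/openid-configuration",
      "${aws_s3_bucket.oidc.arn}/keys.json",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "oidc" {
  bucket     = aws_s3_bucket.oidc.id
  policy     = data.aws_iam_policy_document.oidc_public_read.json
  depends_on = [aws_s3_bucket_public_access_block.oidc]
}
```

One consequence of `BucketOwnerEnforced` on the OIDC bucket: if the irsa module uploads the discovery objects with `acl = "public-read"`, those uploads start failing, because a bucket with ACLs disabled rejects object ACLs; the bucket policy above takes over that job, so the `acl` argument on the objects has to go. The same versioning and public-access-block resources apply to the etcd example's Ignition bucket unchanged. A quick external check that IRSA still works after the change is `curl -s https://<oidc-bucket-host>/.well-known/openid-configuration`, which must return the issuer document without credentials, while a request for any other key in the bucket must return 403.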
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.master.aws_security_group.workers
File: /modules/aws/elastikube/sg-worker.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "workers" {
2 | name_prefix = "${var.name}-worker-"
3 | description = "Security group for all nodes in the cluster."
4 | vpc_id = local.vpc_id
5 |
6 | tags = merge(var.extra_tags, {
7 | "Name" = "${var.name}-worker"
8 | "Role" = "k8s-worker"
9 | "kubernetes.io/cluster/${var.name}" = "owned"
10 | })
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.master.module.master.aws_security_group.master
File: /modules/aws/kube-master/sg.tf:5-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
5 | resource "aws_security_group" "master" {
6 | name_prefix = "${var.name}-master-"
7 | vpc_id = data.aws_vpc.master.id
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}-master"
11 | "Role" = "k8s-master"
12 | "kubernetes.io/cluster/${var.name}" = "owned"
13 | })
14 |
15 | count = var.master_security_group_id == "" ? 1 : 0
16 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.worker_on_demand.aws_security_group.worker_group
File: /modules/aws/kube-worker/sg.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "worker_group" {
2 | count = var.enable_extra_sg ? 1 : 0
3 |
4 | name_prefix = "${var.name}-worker-${var.instance_config["name"]}-"
5 | description = "Security group for ${var.instance_config["name"]} workers."
6 | vpc_id = local.vpc_id
7 |
8 | tags = merge(var.extra_tags, tomap({
9 | "Name" = "${var.name}-worker-${var.instance_config["name"]}",
10 | "Role" = "k8s-worker"
11 | }
12 | ))
13 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.worker_spot.aws_security_group.worker_group
File: /modules/aws/kube-worker/sg.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "worker_group" {
2 | count = var.enable_extra_sg ? 1 : 0
3 |
4 | name_prefix = "${var.name}-worker-${var.instance_config["name"]}-"
5 | description = "Security group for ${var.instance_config["name"]} workers."
6 | vpc_id = local.vpc_id
7 |
8 | tags = merge(var.extra_tags, tomap({
9 | "Name" = "${var.name}-worker-${var.instance_config["name"]}",
10 | "Role" = "k8s-worker"
11 | }
12 | ))
13 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /examples/etcd-cluster/network.tf:14-25
14 | resource "aws_route53_zone" "private" {
15 | name = local.private_zone_name
16 |
17 | vpc {
18 | vpc_id = local.vpc_id
19 | }
20 |
21 | tags = merge(module.label.tags, map(
22 | "Name", local.private_zone_name,
23 | "Role", "etcd"
24 | ))
25 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.master.aws_route53_zone.private
File: /modules/aws/elastikube/zone.tf:10-21
10 | resource "aws_route53_zone" "private" {
11 | name = local.private_zone_name
12 |
13 | vpc {
14 | vpc_id = local.vpc_id
15 | }
16 |
17 | tags = merge(var.extra_tags, {
18 | "Name" = local.private_zone_name
19 | "kubernetes.io/cluster/${var.name}" = "shared"
20 | })
21 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.network.aws_route53_zone.zone
File: /modules/aws/network/zone.tf:1-13
1 | resource "aws_route53_zone" "zone" {
2 | count = var.private_zone ? 1 : 0
3 | name = "${var.name}.com"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.new_vpc.id
7 | }
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}.com"
11 | "Role" = "dns"
12 | })
13 | }
Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
FAILED for resource: module.etcd.aws_route53_record.etcd
File: /modules/aws/kube-etcd/dns.tf:48-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
48 | resource "aws_route53_record" "etcd" {
49 | count = var.instance_config["count"]
50 | zone_id = data.aws_route53_zone.etcd.zone_id
51 | name = "ip-${replace(local.etcd_private_ips[count.index], ".", "-")}.${local.discovery_service}"
52 | type = "A"
53 | ttl = "300"
54 | records = [local.etcd_private_ips[count.index]]
55 | }
Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
FAILED for resource: module.master.module.etcd.aws_route53_record.etcd
File: /modules/aws/kube-etcd/dns.tf:48-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
48 | resource "aws_route53_record" "etcd" {
49 | count = var.instance_config["count"]
50 | zone_id = data.aws_route53_zone.etcd.zone_id
51 | name = "ip-${replace(local.etcd_private_ips[count.index], ".", "-")}.${local.discovery_service}"
52 | type = "A"
53 | ttl = "300"
54 | records = [local.etcd_private_ips[count.index]]
55 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.network.aws_vpc.new_vpc
File: /modules/aws/network/vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "new_vpc" {
2 | cidr_block = var.cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 |
6 | tags = merge(var.extra_tags, {
7 | "Name" = var.name
8 | "Role" = "network"
9 | })
10 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ignition
File: /examples/etcd-cluster/s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(module.label.tags, map(
5 | "Name", "${module.label.id}-${md5(aws_route53_zone.private.zone_id)}",
6 | "Role", "etcd"
7 | ))
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.master.aws_s3_bucket.ignition
File: /modules/aws/elastikube/s3.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "ignition" {
2 | bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
3 |
4 | tags = merge(var.extra_tags, {
5 | "Name" = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
6 | "Role" = "k8s-master"
7 | "kubernetes.io/cluster/${var.name}" = "owned"
8 | })
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.irsa.aws_s3_bucket.oidc
File: /modules/aws/irsa/main.tf:64-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
64 | resource "aws_s3_bucket" "oidc" {
65 | bucket = var.oidc_s3_bucket
66 |
67 | tags = merge(
68 | { "Name" = "${var.name}-oidc-${md5("${var.name}-oidc")}" },
69 | var.extra_tags)
70 | }
Check: CKV2_AWS_2: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
FAILED for resource: module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV2_AWS_2: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
FAILED for resource: module.master.module.etcd.aws_ebs_volume.etcd
File: /modules/aws/kube-etcd/main.tf:63-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances.html
63 | resource "aws_ebs_volume" "etcd" {
64 | count = var.instance_config["count"]
65 | availability_zone = data.aws_subnet.etcd[count.index].availability_zone
66 | size = var.instance_config["data_volume_size"]
67 | type = var.instance_volume_config.data.type
68 | iops = lookup(local.iops_by_type.data, var.instance_volume_config.data.type, null)
69 | # aws_ebs_volume always checks the range of throughput.(125 ~ 1000)
70 | throughput = lookup(local.throughput_by_type.data, var.instance_volume_config.data.type, null)
71 |
72 | tags = merge(var.extra_tags, {
73 | "Name" = "${var.name}-etcd-${count.index}"
74 | "Role" = "etcd"
75 | "kubernetes.io/cluster/${var.name}" = "owned"
76 | })
77 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /examples/etcd-cluster/network.tf:14-25
14 | resource "aws_route53_zone" "private" {
15 | name = local.private_zone_name
16 |
17 | vpc {
18 | vpc_id = local.vpc_id
19 | }
20 |
21 | tags = merge(module.label.tags, map(
22 | "Name", local.private_zone_name,
23 | "Role", "etcd"
24 | ))
25 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.master.aws_route53_zone.private
File: /modules/aws/elastikube/zone.tf:10-21
10 | resource "aws_route53_zone" "private" {
11 | name = local.private_zone_name
12 |
13 | vpc {
14 | vpc_id = local.vpc_id
15 | }
16 |
17 | tags = merge(var.extra_tags, {
18 | "Name" = local.private_zone_name
19 | "kubernetes.io/cluster/${var.name}" = "shared"
20 | })
21 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.network.aws_route53_zone.zone
File: /modules/aws/network/zone.tf:1-13
1 | resource "aws_route53_zone" "zone" {
2 | count = var.private_zone ? 1 : 0
3 | name = "${var.name}.com"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.new_vpc.id
7 | }
8 |
9 | tags = merge(var.extra_tags, {
10 | "Name" = "${var.name}.com"
11 | "Role" = "dns"
12 | })
13 | }
circleci_pipelines scan results:
Passed checks: 17, Failed checks: 1, Skipped checks: 0
Check: CKV_CIRCLECIPIPELINES_2: "Ensure the pipeline image version is referenced via hash not arbitrary tag."
FAILED for resource: jobs
File: /.circleci/config.yml:29-31
29 | - image: cimg/go:1.18
30 | environment:
31 | GO111MODULE: "on"
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools