| Repository | GoogleCloudPlatform / cloud-foundation-fabric |
|---|---|
| Description | End-to-end modular samples and landing zones toolkit for Terraform on GCP. |
| Stars | 1120 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository

When reading the output below, note that checkov reports 7 parsing errors and a series of "Unable to load module" warnings for local module sources it resolved to paths under blueprints/modules/. Resources declared inside a module that failed to load were not evaluated through that call site, so the pass/fail totals cover only the configuration checkov could parse; a re-run from a checkout where those module paths resolve may report additional findings.
Checkov Output
2023-10-05 14:42:19,323 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc:latest failed to load via
2023-10-05 14:42:19,323 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc
2023-10-05 14:42:19,330 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/folder:latest failed to load via
2023-10-05 14:42:19,330 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/folder, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/folder
2023-10-05 14:42:19,330 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project:latest failed to load via
2023-10-05 14:42:19,330 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project
2023-10-05 14:42:19,331 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project:latest failed to load via
2023-10-05 14:42:19,331 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project
2023-10-05 14:42:19,331 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project:latest failed to load via
2023-10-05 14:42:19,331 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc:latest failed to load via
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall:latest failed to load via
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic:latest failed to load via
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic:latest failed to load via
2023-10-05 14:42:20,505 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpn-dynamic
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/dns
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm:latest failed to load via
2023-10-05 14:42:20,506 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm:latest failed to load via
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/onprem:latest failed to load via
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/onprem, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/onprem
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account:latest failed to load via
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm:latest failed to load via
2023-10-05 14:42:20,507 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project:latest failed to load via
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/project
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc:latest failed to load via
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall:latest failed to load via
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-vpc-firewall
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat:latest failed to load via
2023-10-05 14:42:20,532 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-cloudnat
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/iam-service-account
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx-tls:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx-tls, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/cloud-config-container/nginx-tls
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-mig:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-mig, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-mig
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/compute-vm
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-lb-app-ext:latest failed to load via
2023-10-05 14:42:20,533 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-lb-app-ext, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/modules/net-lb-app-ext
2023-10-05 14:42:21,163 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/networking/onprem-google-access-dns:latest failed to load via
2023-10-05 14:42:21,163 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/networking/onprem-google-access-dns, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/cloud-foundation-fabric/blueprints/networking/onprem-google-access-dns
terraform scan results:
Passed checks: 4923, Failed checks: 715, Skipped checks: 0, Parsing errors: 7
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.iam_bindings
File: /blueprints/cloud-operations/iam-delegated-role-grants/main.tf:65-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
65 | resource "google_project_iam_binding" "iam_bindings" {
66 |   for_each = local.delegated_binding_pairs
67 |   project  = var.project_id
68 |   role     = var.restricted_role_grant
69 |   members  = var.project_administrators
70 |   condition {
71 |     title       = "delegated_role_grant_${each.value.index}"
72 |     description = "Delegated role grants (${each.value.index}/${length(local.expressions)})."
73 |     expression  = each.value.expression
74 |   }
75 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.test-bucket
File: /blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/main.tf:20-25
20 | resource "google_storage_bucket" "test-bucket" {
21 |   project       = var.project_id
22 |   name          = "${var.project_id}-test"
23 |   location      = "US"
24 |   force_destroy = true
25 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.test-bucket
File: /blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/main.tf:20-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
20 | resource "google_storage_bucket" "test-bucket" {
21 |   project       = var.project_id
22 |   name          = "${var.project_id}-test"
23 |   location      = "US"
24 |   force_destroy = true
25 | }
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
FAILED for resource: google_storage_bucket.test-bucket
File: /blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/main.tf:20-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
20 | resource "google_storage_bucket" "test-bucket" {
21 |   project       = var.project_id
22 |   name          = "${var.project_id}-test"
23 |   location      = "US"
24 |   force_destroy = true
25 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.test-bucket
File: /blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/main.tf:20-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
20 | resource "google_storage_bucket" "test-bucket" {
21 |   project       = var.project_id
22 |   name          = "${var.project_id}-test"
23 |   location      = "US"
24 |   force_destroy = true
25 | }
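The four findings above (CKV_GCP_114, CKV_GCP_78, CKV_GCP_29 and CKV_GCP_62) all come from arguments the test bucket leaves at provider defaults. The following is an added example of the same resource with those arguments set; it is not code from the cloud-foundation-fabric blueprint. The log bucket name ${var.project_id}-access-logs is assumed to exist; var.project_id is the blueprint's own variable.

```hcl
# Added example, not the blueprint's code: the test bucket from
# tfc-workflow-using-wif/main.tf with the settings the four storage checks look for.
resource "google_storage_bucket" "test-bucket" {
  project       = var.project_id
  name          = "${var.project_id}-test"
  location      = "US"
  force_destroy = true

  # CKV_GCP_114: refuse allUsers / allAuthenticatedUsers grants, including ones
  # added later through IAM, regardless of who holds storage.buckets.setIamPolicy.
  public_access_prevention = "enforced"

  # CKV_GCP_29: IAM only. Disables per-object ACLs so there is a single place
  # to audit who can read what.
  uniform_bucket_level_access = true

  # CKV_GCP_78: keep prior object generations so an overwrite or delete is recoverable.
  versioning {
    enabled = true
  }

  # CKV_GCP_62: Cloud Storage usage/access logs written to a separate bucket.
  # The log bucket name is an assumption; it must exist and grant the
  # cloud-storage-analytics@google.com writer the objectCreator role.
  logging {
    log_bucket        = "${var.project_id}-access-logs"
    log_object_prefix = "test-bucket"
  }
}
```

checkov's CKV_GCP_62 looks for the logging block (usage logs delivered hourly to another bucket). If the organization relies on Cloud Audit Logs Data Access logs for Cloud Storage instead, that is a project-level audit config (google_project_iam_audit_config), not a bucket argument, and the finding would need an inline skip carrying that justification. Note also that force_destroy combined with versioning deletes every retained generation on terraform destroy, which is acceptable only for a throwaway test bucket like this one.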
Check: CKV_GCP_118: "Ensure IAM workload identity pool provider is restricted"
FAILED for resource: google_iam_workload_identity_pool_provider.provider
File: /blueprints/cloud-operations/workload-identity-federation/google-cloud.tf:49-61
49 | resource "google_iam_workload_identity_pool_provider" "provider" {
50 |   provider                           = google-beta
51 |   project                            = module.prj.project_id
52 |   workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
53 |   workload_identity_pool_provider_id = "test-provider"
54 |   attribute_mapping = {
55 |     "google.subject" = "assertion.sub"
56 |   }
57 |   oidc {
58 |     allowed_audiences = ["api://${local.app_name}"]
59 |     issuer_uri        = "https://sts.windows.net/${data.azuread_client_config.config.tenant_id}"
60 |   }
61 | }
Check: CKV_GCP_118: "Ensure IAM workload identity pool provider is restricted"
FAILED for resource: google_iam_workload_identity_pool_provider.github_provider[0]
File: /blueprints/data-solutions/vertex-mlops/ci-cd.tf:25-39
25 | resource "google_iam_workload_identity_pool_provider" "github_provider" {
26 |   count                              = var.identity_pool_claims == null ? 0 : 1
27 |   project                            = module.project.project_id
28 |   workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool[0].workload_identity_pool_id
29 |   workload_identity_pool_provider_id = "gh-provider"
30 |   display_name                       = "Github Actions provider"
31 |   description                        = "OIDC provider for Github Actions"
32 |   attribute_mapping = {
33 |     "google.subject"       = "assertion.sub"
34 |     "attribute.repository" = "assertion.repository"
35 |   }
36 |   oidc {
37 |     issuer_uri = "https://token.actions.githubusercontent.com"
38 |   }
39 | }
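CKV_GCP_118 fires on both providers above because neither sets attribute_condition, so the pool will exchange any token from the configured issuer whose claims map to a subject. This matters most for GitHub, where every repository on github.com shares the same issuer. Below is an added example of both providers with a condition; it is not the blueprints' code. var.github_repository (an "org/repo" string) and var.azure_allowed_oid (the object id of the Azure identity allowed to federate) are assumed variables; everything else is taken from the snippets above.

```hcl
# Added example, not the blueprints' code: both providers flagged by CKV_GCP_118
# with an attribute_condition limiting which external identities are accepted.

# GitHub Actions provider (vertex-mlops/ci-cd.tf). The condition pins the provider
# to one repository and its main branch; "ref" is a claim GitHub signs into the token.
resource "google_iam_workload_identity_pool_provider" "github_provider" {
  count                              = var.identity_pool_claims == null ? 0 : 1
  project                            = module.project.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool[0].workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  display_name                       = "Github Actions provider"
  description                        = "OIDC provider for Github Actions"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }
  # var.github_repository is an assumed variable, e.g. "example-org/example-repo".
  attribute_condition = "attribute.repository == '${var.github_repository}' && attribute.ref == 'refs/heads/main'"
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Azure AD provider (workload-identity-federation/google-cloud.tf). allowed_audiences
# already pins the audience; the condition additionally pins the caller's object id,
# so another app or managed identity in the same tenant cannot use this provider.
resource "google_iam_workload_identity_pool_provider" "provider" {
  provider                           = google-beta
  project                            = module.prj.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "test-provider"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
    "attribute.oid"  = "assertion.oid"
  }
  # var.azure_allowed_oid is an assumed variable holding the Azure object id.
  attribute_condition = "attribute.oid == '${var.azure_allowed_oid}'"
  oidc {
    allowed_audiences = ["api://${local.app_name}"]
    issuer_uri        = "https://sts.windows.net/${data.azuread_client_config.config.tenant_id}"
  }
}
```

The condition is a CEL expression over the mapped attribute.* values and the raw assertion.* claims. A token that fails it is rejected at the STS exchange, before any service-account impersonation binding is consulted, so it acts as a second gate in front of the principal:// or principalSet:// member on the service account rather than replacing it. Keep conditions on claims the identity provider signs (repository, ref, oid), never on free-form display names.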
Check: CKV_GCP_89: "Ensure Vertex AI instances are private"
FAILED for resource: google_notebooks_instance.playground
File: /blueprints/data-solutions/vertex-mlops/vertex.tf:82-126
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-vertex-ai-workbench-does-not-have-public-ips.html
82 | resource "google_notebooks_instance" "playground" {
83 |   for_each     = { for k, v in var.notebooks : k => v if v.type == "USER_MANAGED" }
84 |   name         = "${var.prefix}-${each.key}"
85 |   location     = "${var.region}-b"
86 |   machine_type = var.notebooks[each.key].machine_type
87 |   project      = module.project.project_id
88 |
89 |   container_image {
90 |     repository = "gcr.io/deeplearning-platform-release/base-cpu"
91 |     tag        = "latest"
92 |   }
93 |
94 |   install_gpu_driver = true
95 |   boot_disk_type     = "PD_SSD"
96 |   boot_disk_size_gb  = 110
97 |   disk_encryption    = var.service_encryption_keys.notebooks != null ? "CMEK" : null
98 |   kms_key            = var.service_encryption_keys.notebooks
99 |
100 |   no_public_ip    = var.notebooks[each.key].internal_ip_only
101 |   no_proxy_access = false
102 |
103 |   network = local.vpc
104 |   subnet  = local.subnet
105 |
106 |   instance_owners = try(tolist(var.notebooks[each.key].owner), null)
107 |   service_account = module.service-account-notebook.email
108 |
109 |   metadata = {
110 |     notebook-disable-nbconvert = "false"
111 |     notebook-disable-downloads = "false"
112 |     notebook-disable-terminal  = "false"
113 |     notebook-disable-root      = "true"
114 |   }
115 |
116 |   # Remove once terraform-provider-google/issues/9164 is fixed
117 |   lifecycle {
118 |     ignore_changes = [disk_encryption, kms_key]
119 |   }
120 |
121 |   #TODO Uncomment once terraform-provider-google/issues/9273 is fixed
122 |   # tags = ["ssh"]
123 |   depends_on = [
124 |     google_project_iam_member.shared_vpc,
125 |   ]
126 | }
Check: CKV_GCP_73: "Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: google_compute_security_policy.policy[0]
File: /blueprints/networking/glb-and-armor/main.tf:210-236
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-cloud-armor-prevents-message-lookup-in-log4j2.html
210 | resource "google_compute_security_policy" "policy" {
211 |   count   = var.enforce_security_policy ? 1 : 0
212 |   name    = "${var.prefix}-denylist-siege"
213 |   project = module.project.project_id
214 |   rule {
215 |     action   = "deny(403)"
216 |     priority = "1000"
217 |     match {
218 |       versioned_expr = "SRC_IPS_V1"
219 |       config {
220 |         src_ip_ranges = [module.vm_siege.external_ip]
221 |       }
222 |     }
223 |     description = "Deny access to siege VM IP"
224 |   }
225 |   rule {
226 |     action   = "allow"
227 |     priority = "2147483647"
228 |     match {
229 |       versioned_expr = "SRC_IPS_V1"
230 |       config {
231 |         src_ip_ranges = ["*"]
232 |       }
233 |     }
234 |     description = "default rule"
235 |   }
236 | }
Check: CKV_GCP_73: "Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: google_compute_security_policy.policy
File: /blueprints/networking/psc-glb-and-armor/consumer.tf:75-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-cloud-armor-prevents-message-lookup-in-log4j2.html
75 | resource "google_compute_security_policy" "policy" {
76 |   provider = google-beta
77 |   project  = module.consumer_project.project_id
78 |   name     = "ddos-protection"
79 |   adaptive_protection_config {
80 |     layer_7_ddos_defense_config {
81 |       enable = true
82 |     }
83 |   }
84 | }
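CKV_GCP_73 expects a rule that denies requests matching Cloud Armor's preconfigured cve-canary expression, which carries the Log4j2 JNDI lookup signatures. The glb-and-armor policy only denies one source IP and then allows everything; the psc-glb-and-armor policy enables adaptive protection but has no rules at all, which is an implicit allow-all. The following added example is the consumer.tf policy with such a rule; it is not the blueprint's code. The same rule block can be placed in the glb-and-armor policy ahead of its default allow. The priority values are choices, not values from the blueprints.

```hcl
# Added example, not the blueprint's code: the psc-glb-and-armor consumer policy with
# a Log4Shell (CVE-2021-44228) deny rule added, which is what CKV_GCP_73 looks for.
resource "google_compute_security_policy" "policy" {
  provider = google-beta
  project  = module.consumer_project.project_id
  name     = "ddos-protection"

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }

  # Lower priority number = evaluated first. The deny sits ahead of any allow rule
  # so a broad allow (as in glb-and-armor/main.tf) cannot shadow it.
  rule {
    action      = "deny(403)"
    priority    = "100"
    description = "Block JNDI/Log4j2 lookup attempts (CVE-2021-44228)"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('cve-canary')"
      }
    }
  }

  # Explicit default rule at the lowest priority. A policy with no rules
  # behaves the same way, but stating it keeps the plan free of surprises.
  rule {
    action      = "allow"
    priority    = "2147483647"
    description = "default rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

Set preview = true on the new rule for a soak period first: Cloud Armor then logs what the rule would have blocked without enforcing it, which is how to confirm the signature does not match legitimate traffic before switching to deny. The policy also has to be attached to the backend service (security_policy on the google_compute_backend_service) for any of this to take effect; the check only inspects the policy resource.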
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.psc_private_subnetwork
File: /blueprints/networking/psc-glb-and-armor/producer.tf:164-173
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
164 | resource "google_compute_subnetwork" "psc_private_subnetwork" {
165 |   name    = "psc-private-subnetwork"
166 |   region  = var.region
167 |   project = module.producer_project.project_id
168 |
169 |   network       = google_compute_network.psc_ilb_network.id
170 |   ip_cidr_range = "10.3.0.0/16"
171 |   purpose       = "PRIVATE"
172 |   role          = "ACTIVE"
173 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.psc_private_subnetwork
File: /blueprints/networking/psc-glb-and-armor/producer.tf:164-173
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
164 | resource "google_compute_subnetwork" "psc_private_subnetwork" {
165 |   name    = "psc-private-subnetwork"
166 |   region  = var.region
167 |   project = module.producer_project.project_id
168 |
169 |   network       = google_compute_network.psc_ilb_network.id
170 |   ip_cidr_range = "10.3.0.0/16"
171 |   purpose       = "PRIVATE"
172 |   role          = "ACTIVE"
173 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.psc_private_subnetwork
File: /blueprints/networking/psc-glb-and-armor/producer.tf:164-173
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
164 | resource "google_compute_subnetwork" "psc_private_subnetwork" {
165 |   name    = "psc-private-subnetwork"
166 |   region  = var.region
167 |   project = module.producer_project.project_id
168 |
169 |   network       = google_compute_network.psc_ilb_network.id
170 |   ip_cidr_range = "10.3.0.0/16"
171 |   purpose       = "PRIVATE"
172 |   role          = "ACTIVE"
173 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.psc_ilb_nat
File: /blueprints/networking/psc-glb-and-armor/producer.tf:175-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
175 | resource "google_compute_subnetwork" "psc_ilb_nat" {
176 |   name    = "psc-ilb-nat"
177 |   region  = var.region
178 |   project = module.producer_project.project_id
179 |
180 |   network       = google_compute_network.psc_ilb_network.id
181 |   purpose       = "PRIVATE_SERVICE_CONNECT"
182 |   ip_cidr_range = "10.1.0.0/16"
183 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.psc_ilb_nat
File: /blueprints/networking/psc-glb-and-armor/producer.tf:175-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
175 | resource "google_compute_subnetwork" "psc_ilb_nat" {
176 |   name    = "psc-ilb-nat"
177 |   region  = var.region
178 |   project = module.producer_project.project_id
179 |
180 |   network       = google_compute_network.psc_ilb_network.id
181 |   purpose       = "PRIVATE_SERVICE_CONNECT"
182 |   ip_cidr_range = "10.1.0.0/16"
183 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.psc_ilb_nat
File: /blueprints/networking/psc-glb-and-armor/producer.tf:175-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
175 | resource "google_compute_subnetwork" "psc_ilb_nat" {
176 |   name    = "psc-ilb-nat"
177 |   region  = var.region
178 |   project = module.producer_project.project_id
179 |
180 |   network       = google_compute_network.psc_ilb_network.id
181 |   purpose       = "PRIVATE_SERVICE_CONNECT"
182 |   ip_cidr_range = "10.1.0.0/16"
183 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.vms
File: /blueprints/networking/psc-glb-and-armor/producer.tf:185-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
185 | resource "google_compute_subnetwork" "vms" {
186 |   name    = "vms"
187 |   region  = var.region
188 |   project = module.producer_project.project_id
189 |
190 |   network       = google_compute_network.psc_ilb_network.id
191 |   ip_cidr_range = "10.4.0.0/16"
192 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.vms
File: /blueprints/networking/psc-glb-and-armor/producer.tf:185-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
185 | resource "google_compute_subnetwork" "vms" {
186 |   name    = "vms"
187 |   region  = var.region
188 |   project = module.producer_project.project_id
189 |
190 |   network       = google_compute_network.psc_ilb_network.id
191 |   ip_cidr_range = "10.4.0.0/16"
192 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.vms
File: /blueprints/networking/psc-glb-and-armor/producer.tf:185-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
185 | resource "google_compute_subnetwork" "vms" {
186 |   name    = "vms"
187 |   region  = var.region
188 |   project = module.producer_project.project_id
189 |
190 |   network       = google_compute_network.psc_ilb_network.id
191 |   ip_cidr_range = "10.4.0.0/16"
192 | }
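The nine subnet findings (CKV_GCP_26, CKV_GCP_74 and CKV_GCP_76 on each of psc_private_subnetwork, psc_ilb_nat and vms) are the same three missing arguments reported three times. The added example below, which is not the blueprint's code, shows the vms subnet with the arguments set and the psc_ilb_nat subnet with inline checkov suppressions, since a PRIVATE_SERVICE_CONNECT subnet is a NAT range for Private Service Connect and hosts no VM interfaces. psc_private_subnetwork gets the same treatment as vms. The flow-log sampling and aggregation values are choices, not values from the blueprint.

```hcl
# Added example, not the blueprint's code: the "vms" subnet from
# psc-glb-and-armor/producer.tf with the settings the three subnet checks look for.
resource "google_compute_subnetwork" "vms" {
  name    = "vms"
  region  = var.region
  project = module.producer_project.project_id

  network       = google_compute_network.psc_ilb_network.id
  ip_cidr_range = "10.4.0.0/16"

  # CKV_GCP_74: VMs without an external IP can reach Google APIs (Cloud Logging,
  # GCS, KMS) over the internal path instead of needing Cloud NAT or a public address.
  private_ip_google_access = true

  # CKV_GCP_76: the IPv6 counterpart. This subnet is IPv4-only as written (no
  # stack_type), so the value is inert until IPv6 is enabled; setting it makes the
  # check pass for the right reason rather than through a skip.
  private_ipv6_google_access = "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE"

  # CKV_GCP_26: VPC Flow Logs. 50% sampling at 5-minute aggregation keeps volume
  # manageable for a demo; incident response usually wants a higher sampling rate.
  log_config {
    aggregation_interval = "INTERVAL_5_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# The PSC NAT subnet hosts no VM NICs, so the same settings may not apply to it.
# If terraform plan/apply rejects them here, record the reason where the scanner
# can see it instead of leaving the finding to be ignored; checkov honours this
# inline skip syntax and reports the check as skipped with the comment.
resource "google_compute_subnetwork" "psc_ilb_nat" {
  #checkov:skip=CKV_GCP_26:PSC NAT subnet, no VM interfaces, flow logs not applicable
  #checkov:skip=CKV_GCP_74:PSC NAT subnet, no workloads need Private Google Access
  #checkov:skip=CKV_GCP_76:IPv4-only PSC NAT subnet
  name    = "psc-ilb-nat"
  region  = var.region
  project = module.producer_project.project_id

  network       = google_compute_network.psc_ilb_network.id
  purpose       = "PRIVATE_SERVICE_CONNECT"
  ip_cidr_range = "10.1.0.0/16"
}
```

Flow logs are the one change here with a cost line: they bill per logged record, and the producer subnet fronts an internal load balancer, so confirm the sampling rate against expected traffic before copying it into a production VPC. A skip without a reason string still silences the check, which is why the justification belongs in the comment rather than in a ticket nobody will cross-reference.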
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.noop-vm
File: /blueprints/networking/psc-glb-and-armor/producer.tf:212-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
212 | resource "google_compute_instance" "noop-vm" {
213 |   project      = module.producer_project.project_id
214 |   name         = "noop-ilb-vm"
215 |   machine_type = "e2-medium"
216 |   zone         = var.zone
217 |   boot_disk {
218 |     initialize_params {
219 |       image = "debian-cloud/debian-11"
220 |     }
221 |   }
222 |
223 |   network_interface {
224 |     network    = google_compute_network.psc_ilb_network.id
225 |     subnetwork = google_compute_subnetwork.vms.id
226 |   }
227 |   service_account {
228 |     email  = google_service_account.noop.email
229 |     scopes = []
230 |   }
231 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.noop-vm
File: /blueprints/networking/psc-glb-and-armor/producer.tf:212-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
212 | resource "google_compute_instance" "noop-vm" {
213 | project = module.producer_project.project_id
214 | name = "noop-ilb-vm"
215 | machine_type = "e2-medium"
216 | zone = var.zone
217 | boot_disk {
218 | initialize_params {
219 | image = "debian-cloud/debian-11"
220 | }
221 | }
222 |
223 | network_interface {
224 | network = google_compute_network.psc_ilb_network.id
225 | subnetwork = google_compute_subnetwork.vms.id
226 | }
227 | service_account {
228 | email = google_service_account.noop.email
229 | scopes = []
230 | }
231 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.noop-vm
File: /blueprints/networking/psc-glb-and-armor/producer.tf:212-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
212 | resource "google_compute_instance" "noop-vm" {
213 | project = module.producer_project.project_id
214 | name = "noop-ilb-vm"
215 | machine_type = "e2-medium"
216 | zone = var.zone
217 | boot_disk {
218 | initialize_params {
219 | image = "debian-cloud/debian-11"
220 | }
221 | }
222 |
223 | network_interface {
224 | network = google_compute_network.psc_ilb_network.id
225 | subnetwork = google_compute_subnetwork.vms.id
226 | }
227 | service_account {
228 | email = google_service_account.noop.email
229 | scopes = []
230 | }
231 | }
Check: CKV_GCP_73: "Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: google_compute_security_policy.policy
File: /blueprints/serverless/cloud-run-explore/main.tf:112-148
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-cloud-armor-prevents-message-lookup-in-log4j2.html
112 | resource "google_compute_security_policy" "policy" {
113 | count = local.gclb_create && var.security_policy.enabled ? 1 : 0
114 | name = "cloud-run-policy"
115 | project = module.project.project_id
116 | rule {
117 | action = "deny(403)"
118 | priority = 1000
119 | match {
120 | versioned_expr = "SRC_IPS_V1"
121 | config {
122 | src_ip_ranges = var.security_policy.ip_blacklist
123 | }
124 | }
125 | description = "Deny access to list of IPs"
126 | }
127 | rule {
128 | action = "deny(403)"
129 | priority = 900
130 | match {
131 | expr {
132 | expression = "request.path.matches(\"${var.security_policy.path_blocked}\")"
133 | }
134 | }
135 | description = "Deny access to specific URL paths"
136 | }
137 | rule {
138 | action = "allow"
139 | priority = "2147483647"
140 | match {
141 | versioned_expr = "SRC_IPS_V1"
142 | config {
143 | src_ip_ranges = ["*"]
144 | }
145 | }
146 | description = "Default rule"
147 | }
148 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.bootstrap-ignition
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:17-22
17 | resource "google_storage_bucket" "bootstrap-ignition" {
18 | project = var.service_project.project_id
19 | name = local.infra_id
20 | location = var.region
21 | force_destroy = true
22 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.bootstrap-ignition
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
17 | resource "google_storage_bucket" "bootstrap-ignition" {
18 | project = var.service_project.project_id
19 | name = local.infra_id
20 | location = var.region
21 | force_destroy = true
22 | }
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
FAILED for resource: google_storage_bucket.bootstrap-ignition
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
17 | resource "google_storage_bucket" "bootstrap-ignition" {
18 | project = var.service_project.project_id
19 | name = local.infra_id
20 | location = var.region
21 | force_destroy = true
22 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.bootstrap-ignition
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
17 | resource "google_storage_bucket" "bootstrap-ignition" {
18 | project = var.service_project.project_id
19 | name = local.infra_id
20 | location = var.region
21 | force_destroy = true
22 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.bootstrap
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:38-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
38 | resource "google_compute_instance" "bootstrap" {
39 | count = local.bootstrapping ? 1 : 0
40 | project = var.service_project.project_id
41 | name = "${local.infra_id}-b"
42 | hostname = "${local.infra_id}-bootstrap.${local.subdomain}"
43 | machine_type = "n1-standard-4"
44 | zone = "${var.region}-${element(var.zones, 0)}"
45 | network_interface {
46 | subnetwork = var.host_project.masters_subnet_name
47 | subnetwork_project = var.host_project.project_id
48 | }
49 | boot_disk {
50 | initialize_params {
51 | image = var.rhcos_gcp_image
52 | size = 16
53 | type = "pd-balanced"
54 | }
55 | kms_key_self_link = local.disk_encryption_key
56 | }
57 | service_account {
58 | email = google_service_account.default["m"].email
59 | scopes = ["cloud-platform", "userinfo-email"]
60 | }
61 | tags = concat(
62 | [local.tags.bootstrap, local.tags.master, "ocp-master"],
63 | var.tags == null ? [] : var.tags
64 | )
65 | metadata = {
66 | user-data = jsonencode({
67 | ignition = {
68 | config = {
69 | replace = !local.bootstrapping ? {} : {
70 | source = data.google_storage_object_signed_url.bootstrap-ignition.0.signed_url
71 | }
72 | }
73 | version = "3.1.0"
74 | }
75 | })
76 | VmDnsSetting = "GlobalDefault"
77 | }
78 | labels = var.install_config_params.labels
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.bootstrap
File: /blueprints/third-party-solutions/openshift/tf/bootstrap.tf:38-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
38 | resource "google_compute_instance" "bootstrap" {
39 | count = local.bootstrapping ? 1 : 0
40 | project = var.service_project.project_id
41 | name = "${local.infra_id}-b"
42 | hostname = "${local.infra_id}-bootstrap.${local.subdomain}"
43 | machine_type = "n1-standard-4"
44 | zone = "${var.region}-${element(var.zones, 0)}"
45 | network_interface {
46 | subnetwork = var.host_project.masters_subnet_name
47 | subnetwork_project = var.host_project.project_id
48 | }
49 | boot_disk {
50 | initialize_params {
51 | image = var.rhcos_gcp_image
52 | size = 16
53 | type = "pd-balanced"
54 | }
55 | kms_key_self_link = local.disk_encryption_key
56 | }
57 | service_account {
58 | email = google_service_account.default["m"].email
59 | scopes = ["cloud-platform", "userinfo-email"]
60 | }
61 | tags = concat(
62 | [local.tags.bootstrap, local.tags.master, "ocp-master"],
63 | var.tags == null ? [] : var.tags
64 | )
65 | metadata = {
66 | user-data = jsonencode({
67 | ignition = {
68 | config = {
69 | replace = !local.bootstrapping ? {} : {
70 | source = data.google_storage_object_signed_url.bootstrap-ignition.0.signed_url
71 | }
72 | }
73 | version = "3.1.0"
74 | }
75 | })
76 | VmDnsSetting = "GlobalDefault"
77 | }
78 | labels = var.install_config_params.labels
79 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_member.service-master["roles/iam.serviceAccountUser"]
File: /blueprints/third-party-solutions/openshift/tf/iam.tf:55-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
55 | resource "google_project_iam_member" "service-master" {
56 | for_each = toset(concat(local.minimal_sa_roles, [
57 | "roles/compute.instanceAdmin",
58 | "roles/compute.networkAdmin",
59 | "roles/compute.securityAdmin",
60 | "roles/iam.serviceAccountUser",
61 | "roles/storage.admin"
62 | ]))
63 | project = var.service_project.project_id
64 | role = each.key
65 | member = "serviceAccount:${google_service_account.default["m"].email}"
66 | }
Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
FAILED for resource: google_project_iam_member.service-master["roles/iam.serviceAccountUser"]
File: /blueprints/third-party-solutions/openshift/tf/iam.tf:55-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3.html
55 | resource "google_project_iam_member" "service-master" {
56 | for_each = toset(concat(local.minimal_sa_roles, [
57 | "roles/compute.instanceAdmin",
58 | "roles/compute.networkAdmin",
59 | "roles/compute.securityAdmin",
60 | "roles/iam.serviceAccountUser",
61 | "roles/storage.admin"
62 | ]))
63 | project = var.service_project.project_id
64 | role = each.key
65 | member = "serviceAccount:${google_service_account.default["m"].email}"
66 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.master["c"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.master["c"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.master["d"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.master["d"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.master["b"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.master["b"]
File: /blueprints/third-party-solutions/openshift/tf/masters.tf:17-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
17 | resource "google_compute_instance" "master" {
18 | for_each = toset(var.zones)
19 | project = var.service_project.project_id
20 | name = "${local.infra_id}-master-${each.key}"
21 | hostname = "${local.infra_id}-master-${each.key}.${local.subdomain}"
22 | machine_type = "n1-standard-4"
23 | zone = "${var.region}-${each.key}"
24 | network_interface {
25 | subnetwork = var.host_project.masters_subnet_name
26 | subnetwork_project = var.host_project.project_id
27 | }
28 | boot_disk {
29 | initialize_params {
30 | image = var.rhcos_gcp_image
31 | size = var.install_config_params.disk_size
32 | type = "pd-ssd"
33 | }
34 | kms_key_self_link = local.disk_encryption_key
35 | }
36 | service_account {
37 | email = google_service_account.default["m"].email
38 | scopes = ["cloud-platform", "userinfo-email"]
39 | }
40 | tags = concat(
41 | [local.tags.master, "ocp-master"],
42 | var.tags == null ? [] : var.tags
43 | )
44 | metadata = {
45 | user-data = file("${local.fs_paths.config_dir}/master.ign"),
46 | VmDnsSetting = "GlobalDefault"
47 | }
48 | labels = var.install_config_params.labels
49 | }
Check: CKV_GCP_73: "Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: google_compute_security_policy.policy
File: /blueprints/third-party-solutions/phpipam/glb.tf:75-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-cloud-armor-prevents-message-lookup-in-log4j2.html
75 | resource "google_compute_security_policy" "policy" {
76 | count = local.glb_create && var.security_policy.enabled ? 1 : 0
77 | project = module.project.project_id
78 | name = "cloud-run-policy"
79 |
80 | rule {
81 | action = "deny(403)"
82 | priority = 1000
83 | match {
84 | versioned_expr = "SRC_IPS_V1"
85 | config {
86 | src_ip_ranges = var.security_policy.ip_blacklist
87 | }
88 | }
89 | description = "Deny access to list of IPs"
90 | }
91 | rule {
92 | action = "deny(403)"
93 | priority = 900
94 | match {
95 | expr {
96 | expression = "request.path.matches(\"${var.security_policy.path_blocked}\")"
97 | }
98 | }
99 | description = "Deny access to specific URL paths"
100 | }
101 | rule {
102 | action = "allow"
103 | priority = "2147483647"
104 | match {
105 | versioned_expr = "SRC_IPS_V1"
106 | config {
107 | src_ip_ranges = ["*"]
108 | }
109 | }
110 | description = "Default rule"
111 | }
112 | }
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
FAILED for resource: github_repository.default
File: /fast/extras/0-cicd-github/main.tf:73-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/ensure-repository-is-private.html
73 | resource "github_repository" "default" {
74 | for_each = {
75 | for k, v in var.repositories : k => v if v.create_options != null
76 | }
77 | name = each.key
78 | description = (
79 | each.value.create_options.description != null
80 | ? each.value.create_options.description
81 | : "FAST stage ${each.key}."
82 | )
83 | visibility = each.value.create_options.visibility
84 | auto_init = each.value.create_options.auto_init
85 | allow_auto_merge = try(each.value.create_options.allow.auto_merge, null)
86 | allow_merge_commit = try(each.value.create_options.allow.merge_commit, null)
87 | allow_rebase_merge = try(each.value.create_options.allow.rebase_merge, null)
88 | allow_squash_merge = try(each.value.create_options.allow.squash_merge, null)
89 | has_issues = try(each.value.create_options.features.issues, null)
90 | has_projects = try(each.value.create_options.features.projects, null)
91 | has_wiki = try(each.value.create_options.features.wiki, null)
92 | gitignore_template = try(each.value.create_options.templates.gitignore, null)
93 | license_template = try(each.value.create_options.templates.license, null)
94 |
95 | dynamic "template" {
96 | for_each = (
97 | try(each.value.create_options.templates.repository, null) != null
98 | ? [""]
99 | : []
100 | )
101 | content {
102 | owner = each.value.create_options.templates.repository.owner
103 | repository = each.value.create_options.templates.repository.name
104 | }
105 | }
106 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.dev_spoke_project_iam_delegated
File: /fast/stages/2-networking-a-peering/spoke-dev.tf:89-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
89 | resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
90 | project = module.dev-spoke-project.project_id
91 | role = "roles/resourcemanager.projectIamAdmin"
92 | members = compact([
93 | try(local.service_accounts.data-platform-dev, null),
94 | try(local.service_accounts.project-factory-dev, null),
95 | try(local.service_accounts.project-factory-prod, null),
96 | try(local.service_accounts.gke-dev, null),
97 | ])
98 | condition {
99 | title = "dev_stage3_sa_delegated_grants"
100 | description = "Development host project delegated grants."
101 | expression = format(
102 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
103 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
104 | )
105 | }
106 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.prod_spoke_project_iam_delegated
File: /fast/stages/2-networking-a-peering/spoke-prod.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
88 | resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
89 | project = module.prod-spoke-project.project_id
90 | role = "roles/resourcemanager.projectIamAdmin"
91 | members = compact([
92 | try(local.service_accounts.data-platform-prod, null),
93 | try(local.service_accounts.project-factory-prod, null),
94 | try(local.service_accounts.gke-prod, null),
95 | ])
96 | condition {
97 | title = "prod_stage3_sa_delegated_grants"
98 | description = "Production host project delegated grants."
99 | expression = format(
100 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
101 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
102 | )
103 | }
104 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.dev_spoke_project_iam_delegated
File: /fast/stages/2-networking-b-vpn/spoke-dev.tf:89-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
89 | resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
90 | project = module.dev-spoke-project.project_id
91 | role = "roles/resourcemanager.projectIamAdmin"
92 | members = compact([
93 | try(local.service_accounts.data-platform-dev, null),
94 | try(local.service_accounts.project-factory-dev, null),
95 | try(local.service_accounts.project-factory-prod, null),
96 | try(local.service_accounts.gke-dev, null),
97 | ])
98 | condition {
99 | title = "dev_stage3_sa_delegated_grants"
100 | description = "Development host project delegated grants."
101 | expression = format(
102 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
103 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
104 | )
105 | }
106 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.prod_spoke_project_iam_delegated
File: /fast/stages/2-networking-b-vpn/spoke-prod.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
88 | resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
89 | project = module.prod-spoke-project.project_id
90 | role = "roles/resourcemanager.projectIamAdmin"
91 | members = compact([
92 | try(local.service_accounts.data-platform-prod, null),
93 | try(local.service_accounts.project-factory-prod, null),
94 | try(local.service_accounts.gke-prod, null),
95 | ])
96 | condition {
97 | title = "prod_stage3_sa_delegated_grants"
98 | description = "Production host project delegated grants."
99 | expression = format(
100 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
101 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
102 | )
103 | }
104 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.dev_spoke_project_iam_delegated
File: /fast/stages/2-networking-c-nva/spoke-dev.tf:115-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
115 | resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
116 | project = module.dev-spoke-project.project_id
117 | role = "roles/resourcemanager.projectIamAdmin"
118 | members = compact([
119 | try(local.service_accounts.data-platform-dev, null),
120 | try(local.service_accounts.project-factory-dev, null),
121 | try(local.service_accounts.project-factory-prod, null),
122 | try(local.service_accounts.gke-dev, null),
123 | ])
124 | condition {
125 | title = "dev_stage3_sa_delegated_grants"
126 | description = "Development host project delegated grants."
127 | expression = format(
128 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
129 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
130 | )
131 | }
132 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.prod_spoke_project_iam_delegated
File: /fast/stages/2-networking-c-nva/spoke-prod.tf:114-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
114 | resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
115 | project = module.prod-spoke-project.project_id
116 | role = "roles/resourcemanager.projectIamAdmin"
117 | members = compact([
118 | try(local.service_accounts.data-platform-prod, null),
119 | try(local.service_accounts.project-factory-prod, null),
120 | try(local.service_accounts.gke-prod, null),
121 | ])
122 | condition {
123 | title = "prod_stage3_sa_delegated_grants"
124 | description = "Production host project delegated grants."
125 | expression = format(
126 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
127 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
128 | )
129 | }
130 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.dev_spoke_project_iam_delegated
File: /fast/stages/2-networking-d-separate-envs/spoke-dev.tf:89-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
89 | resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
90 | project = module.dev-spoke-project.project_id
91 | role = "roles/resourcemanager.projectIamAdmin"
92 | members = compact([
93 | try(local.service_accounts.data-platform-dev, null),
94 | try(local.service_accounts.gke-dev, null),
95 | try(local.service_accounts.project-factory-dev, null),
96 | try(local.service_accounts.project-factory-prod, null),
97 | ])
98 | condition {
99 | title = "dev_stage3_sa_delegated_grants"
100 | description = "Development host project delegated grants."
101 | expression = format(
102 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
103 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
104 | )
105 | }
106 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.prod_spoke_project_iam_delegated
File: /fast/stages/2-networking-d-separate-envs/spoke-prod.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
88 | resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
89 | project = module.prod-spoke-project.project_id
90 | role = "roles/resourcemanager.projectIamAdmin"
91 | members = compact([
92 | try(local.service_accounts.data-platform-prod, null),
93 | try(local.service_accounts.gke-platform-prod, null),
94 | try(local.service_accounts.project-factory-prod, null),
95 | ])
96 | condition {
97 | title = "prod_stage3_sa_delegated_grants"
98 | description = "Production host project delegated grants."
99 | expression = format(
100 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
101 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
102 | )
103 | }
104 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.dev_spoke_project_iam_delegated
File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:85-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
85 | resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
86 | project = module.dev-spoke-project.project_id
87 | role = "roles/resourcemanager.projectIamAdmin"
88 | members = compact([
89 | try(local.service_accounts.data-platform-dev, null),
90 | try(local.service_accounts.project-factory-dev, null),
91 | try(local.service_accounts.project-factory-prod, null),
92 | try(local.service_accounts.gke-dev, null),
93 | ])
94 | condition {
95 | title = "dev_stage3_sa_delegated_grants"
96 | description = "Development host project delegated grants."
97 | expression = format(
98 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
99 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
100 | )
101 | }
102 | }
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
FAILED for resource: google_project_iam_binding.prod_spoke_project_iam_delegated
File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:84-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10.html
84 | resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
85 | project = module.prod-spoke-project.project_id
86 | role = "roles/resourcemanager.projectIamAdmin"
87 | members = compact([
88 | try(local.service_accounts.data-platform-prod, null),
89 | try(local.service_accounts.project-factory-prod, null),
90 | try(local.service_accounts.gke-prod, null),
91 | ])
92 | condition {
93 | title = "prod_stage3_sa_delegated_grants"
94 | description = "Production host project delegated grants."
95 | expression = format(
96 | "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
97 | join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
98 | )
99 | }
100 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bigquery_dataset.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:226-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bigquery_dataset.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:226-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bq.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/factories/bigquery-factory/main.tf:64-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bq.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/factories/bigquery-factory/main.tf:64-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.dataset.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-playground/main.tf:169-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.dataset.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-playground/main.tf:169-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.drop-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-foundations/01-dropoff.tf:132-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.drop-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-foundations/01-dropoff.tf:132-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-conf-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:143-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-conf-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:143-149
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-cur-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:135-141
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-cur-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:135-141
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-lnd-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:127-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-lnd-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:127-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.land-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-minimal/01-landing.tf:106-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.land-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-minimal/01-landing.tf:106-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.cur-bq-0.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/data-platform-minimal/03-curated.tf:124-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.cur-bq-0.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/data-platform-minimal/03-curated.tf:124-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bigquery-dataset.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:37-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bigquery-dataset.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:37-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gke-multitenant.module.gke-dataset-resource-usage.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /blueprints/gke/multitenant-fleet/main.tf:79-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gke-multitenant.module.gke-dataset-resource-usage.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /blueprints/gke/multitenant-fleet/main.tf:79-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.log-export-dataset.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /fast/stages/0-bootstrap/log-export.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.log-export-dataset.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /fast/stages/0-bootstrap/log-export.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.billing-export-dataset.google_bigquery_table.views
File: /modules/bigquery-dataset/main.tf:255-270
Calling File: /fast/stages/0-bootstrap/billing.tf:58-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
255 | resource "google_bigquery_table" "views" {
256 | depends_on = [google_bigquery_table.default]
257 | for_each = var.views
258 | project = var.project_id
259 | dataset_id = google_bigquery_dataset.default.dataset_id
260 | table_id = each.key
261 | friendly_name = each.value.friendly_name
262 | description = each.value.description
263 | labels = each.value.labels
264 | deletion_protection = each.value.deletion_protection
265 |
266 | view {
267 | query = each.value.query
268 | use_legacy_sql = each.value.use_legacy_sql
269 | }
270 | }
Check: CKV_GCP_80: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.billing-export-dataset.google_bigquery_table.materialized_view
File: /modules/bigquery-dataset/main.tf:272-313
Calling File: /fast/stages/0-bootstrap/billing.tf:58-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek.html
272 | resource "google_bigquery_table" "materialized_view" {
273 | depends_on = [google_bigquery_table.default]
274 | for_each = var.materialized_views
275 | project = var.project_id
276 | dataset_id = google_bigquery_dataset.default.dataset_id
277 | table_id = each.key
278 | friendly_name = each.value.friendly_name
279 | description = each.value.description
280 | labels = each.value.labels
281 | clustering = each.value.options.clustering
282 | expiration_time = each.value.options.expiration_time
283 | deletion_protection = each.value.deletion_protection
284 |
285 | dynamic "range_partitioning" {
286 | for_each = try(each.value.partitioning.range, null) != null ? [""] : []
287 | content {
288 | field = each.value.partitioning.field
289 | range {
290 | start = each.value.partitioning.range.start
291 | end = each.value.partitioning.range.end
292 | interval = each.value.partitioning.range.interval
293 | }
294 | }
295 | }
296 |
297 | dynamic "time_partitioning" {
298 | for_each = try(each.value.partitioning.time, null) != null ? [""] : []
299 | content {
300 | expiration_ms = each.value.partitioning.time.expiration_ms
301 | field = each.value.partitioning.time.field
302 | type = each.value.partitioning.time.type
303 | require_partition_filter = each.value.partitioning.time.require_partition_filter
304 | }
305 | }
306 |
307 | materialized_view {
308 | query = each.value.query
309 | enable_refresh = each.value.enable_refresh
310 | refresh_interval_ms = each.value.refresh_interval_ms
311 | allow_non_incremental_definition = each.value.allow_non_incremental_definition
312 | }
313 | }
Check: CKV_GCP_85: "Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_bigtable_instance.default
File: /modules/bigtable-instance/main.tf:38-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-table-instances-are-encrypted-with-customer-supplied-encryption-keys-cseks.html
38 | resource "google_bigtable_instance" "default" {
39 | project = var.project_id
40 | name = var.name
41 |
42 | instance_type = var.instance_type
43 | display_name = var.display_name == null ? var.display_name : var.name
44 | deletion_protection = var.deletion_protection
45 |
46 | dynamic "cluster" {
47 | for_each = local.clusters_autoscaling
48 | content {
49 | cluster_id = cluster.key
50 | zone = cluster.value.zone
51 | storage_type = cluster.value.storage_type
52 | num_nodes = cluster.value.num_nodes
53 |
54 | dynamic "autoscaling_config" {
55 | for_each = cluster.value.autoscaling == null ? [] : [""]
56 | content {
57 | min_nodes = cluster.value.autoscaling.min_nodes
58 | max_nodes = cluster.value.autoscaling.max_nodes
59 | cpu_target = cluster.value.autoscaling.cpu_target
60 | storage_target = cluster.value.autoscaling.storage_target
61 | }
62 | }
63 | }
64 | }
65 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.function_export.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:154-188
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.function_export.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:154-188
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.function_gcs2bq.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:190-224
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.function_gcs2bq.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:190-224
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cf.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf:87-105
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.cf.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf:87-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cloud-function.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf:53-91
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.cloud-function.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf:53-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cffile.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf:107-129
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.cffile.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf:107-129
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cf-healthchecker.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf:141-184
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.cf-healthchecker.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf:141-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cf-restarter.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf:110-139
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.cf-restarter.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf:110-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.function-hello.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:179-195
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: module.function-hello.google_storage_bucket.bucket[0]
File: /modules/cloud-function-v1/main.tf:131-160
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:179-195
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
131 | resource "google_storage_bucket" "bucket" {
132 | count = var.bucket_config == null ? 0 : 1
133 | project = var.project_id
134 | name = "${local.prefix}${var.bucket_name}"
135 | uniform_bucket_level_access = true
136 | location = (
137 | var.bucket_config.location == null
138 | ? var.region
139 | : var.bucket_config.location
140 | )
141 | labels = var.labels
142 |
143 | dynamic "lifecycle_rule" {
144 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
145 | content {
146 | action { type = "Delete" }
147 | condition {
148 | age = var.bucket_config.lifecycle_delete_age_days
149 | with_state = "ARCHIVED"
150 | }
151 | }
152 | }
153 |
154 | dynamic "versioning" {
155 | for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
156 | content {
157 | enabled = true
158 | }
159 | }
160 | }
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
FAILED for resource: module.db.google_sql_database_instance.replicas
File: /modules/cloudsql-instance/main.tf:126-170
Calling File: /blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf:15-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
126 | resource "google_sql_database_instance" "replicas" {
127 | provider = google-beta
128 | for_each = local.has_replicas ? var.replicas : {}
129 | project = var.project_id
130 | name = "${local.prefix}${each.key}"
131 | region = each.value.region
132 | database_version = var.database_version
133 | encryption_key_name = each.value.encryption_key_name
134 | master_instance_name = google_sql_database_instance.primary.name
135 |
136 | settings {
137 | tier = var.tier
138 | deletion_protection_enabled = var.deletion_protection_enabled
139 | disk_autoresize = var.disk_size == null
140 | disk_size = var.disk_size
141 | disk_type = var.disk_type
142 | # availability_type = var.availability_type
143 | user_labels = var.labels
144 | activation_policy = var.activation_policy
145 |
146 | ip_configuration {
147 | ipv4_enabled = var.ipv4_enabled
148 | private_network = var.network
149 | allocated_ip_range = var.allocated_ip_ranges.replica
150 | dynamic "authorized_networks" {
151 | for_each = var.authorized_networks != null ? var.authorized_networks : {}
152 | iterator = network
153 | content {
154 | name = network.key
155 | value = network.value
156 | }
157 | }
158 | }
159 |
160 | dynamic "database_flags" {
161 | for_each = var.flags != null ? var.flags : {}
162 | iterator = flag
163 | content {
164 | name = flag.key
165 | value = flag.value
166 | }
167 | }
168 | }
169 | deletion_protection = var.deletion_protection
170 | }
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
FAILED for resource: module.cloudsql.google_sql_database_instance.replicas
File: /modules/cloudsql-instance/main.tf:126-170
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:54-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
126 | resource "google_sql_database_instance" "replicas" {
127 | provider = google-beta
128 | for_each = local.has_replicas ? var.replicas : {}
129 | project = var.project_id
130 | name = "${local.prefix}${each.key}"
131 | region = each.value.region
132 | database_version = var.database_version
133 | encryption_key_name = each.value.encryption_key_name
134 | master_instance_name = google_sql_database_instance.primary.name
135 |
136 | settings {
137 | tier = var.tier
138 | deletion_protection_enabled = var.deletion_protection_enabled
139 | disk_autoresize = var.disk_size == null
140 | disk_size = var.disk_size
141 | disk_type = var.disk_type
142 | # availability_type = var.availability_type
143 | user_labels = var.labels
144 | activation_policy = var.activation_policy
145 |
146 | ip_configuration {
147 | ipv4_enabled = var.ipv4_enabled
148 | private_network = var.network
149 | allocated_ip_range = var.allocated_ip_ranges.replica
150 | dynamic "authorized_networks" {
151 | for_each = var.authorized_networks != null ? var.authorized_networks : {}
152 | iterator = network
153 | content {
154 | name = network.key
155 | value = network.value
156 | }
157 | }
158 | }
159 |
160 | dynamic "database_flags" {
161 | for_each = var.flags != null ? var.flags : {}
162 | iterator = flag
163 | content {
164 | name = flag.key
165 | value = flag.value
166 | }
167 | }
168 | }
169 | deletion_protection = var.deletion_protection
170 | }
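CKV_GCP_6 looks for `require_ssl = true` inside `settings.ip_configuration`; the module's replica resource above copies `ipv4_enabled`, `private_network` and `authorized_networks` from its variables but never sets it. The following is an added example, not code from the cloudsql-instance module, showing a primary and a cross-region read replica that both refuse plaintext connections. Project, network self link, instance names, regions, tier and engine version are placeholders, and the private-IP configuration assumes a Service Networking connection already exists on the VPC.

```hcl
# Added example, not the cloudsql-instance module's code. Project, network,
# names, regions, tier and engine version are placeholders.
variable "project_id" {
  type = string
}

variable "network" {
  description = "Self link of the VPC used for private IP (placeholder)."
  type        = string
}

resource "google_sql_database_instance" "primary" {
  project          = var.project_id
  name             = "example-primary"
  region           = "europe-west1"
  database_version = "POSTGRES_14"

  settings {
    tier              = "db-custom-2-7680"
    availability_type = "REGIONAL"

    ip_configuration {
      ipv4_enabled    = false
      private_network = var.network
      # CKV_GCP_6: refuse plaintext connections. Private IP limits who can
      # reach the instance; this limits what they can do without TLS.
      require_ssl = true
    }

    # Replicas need automated backups on the primary.
    backup_configuration {
      enabled                        = true
      point_in_time_recovery_enabled = true
    }
  }

  deletion_protection = true
}

# A read replica carries its own settings block, so the flag is not inherited
# from the primary and has to be repeated on every replica.
resource "google_sql_database_instance" "replica" {
  project              = var.project_id
  name                 = "example-replica"
  region               = "europe-west4"
  database_version     = "POSTGRES_14"
  master_instance_name = google_sql_database_instance.primary.name

  settings {
    tier = "db-custom-2-7680"

    ip_configuration {
      ipv4_enabled    = false
      private_network = var.network
      require_ssl     = true
    }
  }

  deletion_protection = true
}
```

`require_ssl` only forces the connection to be encrypted; the server does not verify a client certificate with this setting alone. Newer releases of the google provider expose `ssl_mode`, whose `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` value adds that check; confirm the provider version pinned by the module before relying on it, since the scanner above keys on `require_ssl`.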
Check: CKV_GCP_104: "Ensure Datafusion has stack driver logging enabled"
FAILED for resource: google_data_fusion_instance.default
File: /modules/datafusion/main.tf:63-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-datafusion-has-stack-driver-logging-enabled.html
63 | resource "google_data_fusion_instance" "default" {
64 | provider = google-beta
65 | project = var.project_id
66 | name = var.name
67 | type = var.type
68 | description = var.description
69 | labels = var.labels
70 | region = var.region
71 | private_instance = var.private_instance
72 | enable_stackdriver_logging = var.enable_stackdriver_logging
73 | enable_stackdriver_monitoring = var.enable_stackdriver_monitoring
74 | network_config {
75 | network = var.network
76 | ip_allocation = local.ip_allocation
77 | }
78 | }
Check: CKV_GCP_105: "Ensure Datafusion has stack driver monitoring enabled"
FAILED for resource: google_data_fusion_instance.default
File: /modules/datafusion/main.tf:63-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-datafusion-has-stack-driver-monitoring-enabled.html
63 | resource "google_data_fusion_instance" "default" {
64 | provider = google-beta
65 | project = var.project_id
66 | name = var.name
67 | type = var.type
68 | description = var.description
69 | labels = var.labels
70 | region = var.region
71 | private_instance = var.private_instance
72 | enable_stackdriver_logging = var.enable_stackdriver_logging
73 | enable_stackdriver_monitoring = var.enable_stackdriver_monitoring
74 | network_config {
75 | network = var.network
76 | ip_allocation = local.ip_allocation
77 | }
78 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.bucket_export.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:135-152
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.bucket_export.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:135-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
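The cloud-function-v1 bucket shown in full further up fails CKV_GCP_114 and CKV_GCP_62 because it sets neither `public_access_prevention` nor a `logging` block, and the gcs-module buckets in this part of the output fail CKV_GCP_78 because the scanner does not see an unconditional `versioning` block. The following is an added example, not code from cloud-foundation-fabric, of one bucket that satisfies all three checks. The project variable, bucket names, location and the `example-access-logs` log bucket are placeholders.

```hcl
# Added example, not cloud-foundation-fabric code. Project, names and location
# are placeholders.
variable "project_id" {
  type = string
}

variable "lifecycle_delete_age_days" {
  type    = number
  default = 30
}

# Destination for usage logs. In a real deployment this sits in a separate
# logging project with its own retention and access controls.
resource "google_storage_bucket" "access_logs" {
  project                     = var.project_id
  name                        = "example-access-logs"
  location                    = "EU"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

# Cloud Storage writes usage logs as this Google-managed group, which needs
# object creation on the log bucket or no log objects ever appear.
resource "google_storage_bucket_iam_member" "log_writer" {
  bucket = google_storage_bucket.access_logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

resource "google_storage_bucket" "bucket" {
  project  = var.project_id
  name     = "example-function-source"
  location = "EU"

  # CKV_GCP_114: reject allUsers / allAuthenticatedUsers bindings on this
  # bucket even if the org policy is later relaxed.
  public_access_prevention    = "enforced"
  uniform_bucket_level_access = true

  # CKV_GCP_78: keep previous object generations so a replaced function
  # source archive can be compared with what was deployed before it.
  versioning {
    enabled = true
  }

  # CKV_GCP_62: usage logs go to the dedicated bucket above.
  logging {
    log_bucket        = google_storage_bucket.access_logs.name
    log_object_prefix = "function-source"
  }

  # Versioning with no retention rule grows storage without bound. Unlike
  # the module's `age`, days_since_noncurrent_time counts from the moment a
  # generation was superseded, so a generation replaced today is kept for
  # the full period even when the object itself is old.
  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      days_since_noncurrent_time = var.lifecycle_delete_age_days
      with_state                 = "ARCHIVED"
    }
  }
}
```

`public_access_prevention = "enforced"` is redundant where the `storage.publicAccessPrevention` organization policy is already enforced on the parent folder, but checkov reads only the resource, so setting it explicitly is what keeps the scan clean and also protects the bucket if the policy is later relaxed. Usage logs are delivered hourly as objects; teams that already route Cloud Audit Logs data-access events for Cloud Storage to a sink get finer-grained records, but CKV_GCP_62 does not recognise that and still wants the `logging` block. For module resources whose attributes come from variables, as the gcs module and the Data Fusion instance above do, checkov evaluates the source graph, so a value only known at plan time shows up as a failure; running checkov against the plan JSON (`terraform show -json` of a saved plan) evaluates the values that would actually be applied.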
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bucket_export.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/apigee/bigquery-analytics/main.tf:135-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
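CKV_GCP_83 is titled "Customer Supplied Encryption Keys (CSEK)", but what it actually checks is `kms_key_name`, a Cloud KMS customer-managed key (CMEK); Pub/Sub has no customer-supplied key option. The topic the gcs module creates for bucket notifications sets only `project` and `name`. The following is an added example, not the module's code, of a CMEK-protected notification topic together with the two IAM bindings without which it does not work: the Pub/Sub service agent must be able to use the key, and the project's Cloud Storage service agent must be allowed to publish. Project, bucket, topic and key ids are placeholders, and the key ring and key are assumed to already exist in the same region the topic stores messages in.

```hcl
# Added example, not the gcs module's code. Project, bucket, topic and key
# ids are placeholders; the key ring and key must already exist.
variable "project_id" {
  type = string
}

variable "bucket_name" {
  description = "Bucket whose object events are published (placeholder)."
  type        = string
}

variable "kms_key_id" {
  description = "projects/<p>/locations/europe-west1/keyRings/<r>/cryptoKeys/<k> (placeholder)"
  type        = string
}

data "google_project" "project" {
  project_id = var.project_id
}

data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

# The Pub/Sub service agent encrypts stored messages with the key, so it needs
# encrypter/decrypter on it before the topic exists; creation fails otherwise.
resource "google_kms_crypto_key_iam_member" "pubsub" {
  crypto_key_id = var.kms_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_pubsub_topic" "topic" {
  project      = var.project_id
  name         = "example-bucket-events"
  kms_key_name = var.kms_key_id # CKV_GCP_83

  # A regional key can only protect messages persisted in its own region.
  message_storage_policy {
    allowed_persistence_regions = ["europe-west1"]
  }

  depends_on = [google_kms_crypto_key_iam_member.pubsub]
}

# Cloud Storage publishes notifications as the project's GCS service agent.
resource "google_pubsub_topic_iam_member" "gcs_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.topic.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_notification" "events" {
  bucket         = var.bucket_name
  payload_format = "JSON_API_V1"
  topic          = google_pubsub_topic.topic.id
  event_types    = ["OBJECT_FINALIZE", "OBJECT_DELETE"]
  depends_on     = [google_pubsub_topic_iam_member.gcs_publisher]
}
```

Disabling or destroying the key version makes every message still in the topic unreadable and causes publishes to fail, so key rotation should add versions rather than disable the current one, and the key's IAM policy becomes part of the topic's availability surface.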
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.bucket.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-playground/main.tf:159-167
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.bucket.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-playground/main.tf:159-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bucket.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-playground/main.tf:159-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/cloudsql-multiregion/main.tf:136-145
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/cloudsql-multiregion/main.tf:136-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/cloudsql-multiregion/main.tf:136-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.kms-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:158-167
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.kms-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:158-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.kms-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:158-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.drop-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/01-dropoff.tf:86-99
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.drop-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/01-dropoff.tf:86-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.drop-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/01-dropoff.tf:86-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.load-cs-df-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:93-102
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.load-cs-df-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:93-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.load-cs-df-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:93-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.orch-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:104-113
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.orch-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:104-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.orch-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:104-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.orch-cs-build-staging.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:171-180
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.orch-cs-build-staging.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:171-180
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.orch-cs-build-staging.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:171-180
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.orch-cs-df-template.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:160-169
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.orch-cs-df-template.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:160-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.orch-cs-df-template.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:160-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.transf-cs-df-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:92-101
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.transf-cs-df-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:92-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.transf-cs-df-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:92-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.dwh-conf-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:173-182
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.dwh-conf-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:173-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-conf-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:173-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.dwh-cur-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:162-171
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.dwh-cur-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:162-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-cur-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:162-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.data-platform.module.dwh-lnd-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:151-160
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.data-platform.module.dwh-lnd-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:151-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.data-platform.module.dwh-lnd-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf:151-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.land-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/01-landing.tf:95-104
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.land-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/01-landing.tf:95-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.land-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/01-landing.tf:95-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.processing-dp-history.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:17-27
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.processing-dp-history.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.processing-dp-history.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.processing-log-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:68-77
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.processing-log-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:68-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.processing-log-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:68-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.processing-staging-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:46-55
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.processing-staging-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:46-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.processing-staging-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:46-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.processing-temp-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:57-66
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.processing-temp-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:57-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.processing-temp-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/02-dataproc.tf:57-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.processing-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:152-161
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.processing-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:152-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.processing-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:152-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.cur-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/03-curated.tf:134-143
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.cur-cs-0.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/data-platform-minimal/03-curated.tf:134-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.cur-cs-0.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/data-platform-minimal/03-curated.tf:134-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.gcs-data.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:15-24
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.gcs-data.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gcs-data.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.gcs-df-tmp.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:26-35
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.gcs-df-tmp.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:26-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gcs-df-tmp.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf:26-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.gcs-bucket-cloudbuild.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /blueprints/data-solutions/vertex-mlops/main.tf:117-126
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.gcs-bucket-cloudbuild.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /blueprints/data-solutions/vertex-mlops/main.tf:117-126
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.automation-tf-output-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/0-bootstrap/automation.tf:93-102
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.automation-tf-output-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/0-bootstrap/automation.tf:93-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.automation-tf-resman-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/0-bootstrap/automation.tf:136-148
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.automation-tf-resman-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/0-bootstrap/automation.tf:136-148
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.log-export-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/0-bootstrap/log-export.tf:65-73
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: module.log-export-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/0-bootstrap/log-export.tf:65-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.log-export-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/0-bootstrap/log-export.tf:65-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-dp-dev-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-data-platform.tf:113-125
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-dp-dev-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-data-platform.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-dp-prod-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-data-platform.tf:127-139
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-dp-prod-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-data-platform.tf:127-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-gke-dev-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-gke.tf:119-131
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-gke-dev-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-gke.tf:119-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-gke-prod-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-gke.tf:133-145
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-gke-prod-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-gke.tf:133-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-network-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-networking.tf:104-115
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-network-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-networking.tf:104-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-pf-dev-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-project-factory.tf:55-67
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-pf-dev-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-project-factory.tf:55-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-pf-prod-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-project-factory.tf:69-81
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-pf-prod-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-project-factory.tf:69-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-sandbox-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-sandbox.tf:41-53
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-sandbox-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-sandbox.tf:41-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-security-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-security.tf:72-83
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-security-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-security.tf:72-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-teams-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-teams.tf:54-66
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-teams-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-teams.tf:54-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.branch-teams-team-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-teams.tf:104-116
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.branch-teams-team-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-teams.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/0-bootstrap/automation.tf:106-115
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.automation-tf-bootstrap-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/0-bootstrap/automation.tf:106-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.tenant-core-gcs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-tenants.tf:140-152
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.tenant-core-gcs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-tenants.tf:140-152
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.tenant-self-iac-gcs-outputs.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-tenants.tf:202-214
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.tenant-self-iac-gcs-outputs.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-tenants.tf:202-214
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: module.tenant-self-iac-gcs-state.google_storage_bucket.bucket
File: /modules/gcs/main.tf:22-100
Calling File: /fast/stages/1-resman/branch-tenants.tf:216-225
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.tenant-self-iac-gcs-state.google_pubsub_topic.topic
File: /modules/gcs/main.tf:147-151
Calling File: /fast/stages/1-resman/branch-tenants.tf:216-225
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
147 | resource "google_pubsub_topic" "topic" {
148 | count = local.notification ? 1 : 0
149 | project = var.project_id
150 | name = var.notification_config.topic_name
151 | }
Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
FAILED for resource: module.cluster.google_container_cluster.cluster
File: /modules/gke-cluster-autopilot/main.tf:17-300
Calling File: /blueprints/gke/autopilot/cluster.tf:17-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: module.cluster.google_container_cluster.cluster
File: /modules/gke-cluster-autopilot/main.tf:17-300
Calling File: /blueprints/gke/autopilot/cluster.tf:17-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: module.cluster.google_container_cluster.cluster
File: /modules/gke-cluster-autopilot/main.tf:17-300
Calling File: /blueprints/gke/autopilot/cluster.tf:17-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: module.cluster.google_container_cluster.cluster
File: /modules/gke-cluster-autopilot/main.tf:17-300
Calling File: /blueprints/gke/autopilot/cluster.tf:17-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.cluster.google_pubsub_topic.notifications[0]
File: /modules/gke-cluster-autopilot/main.tf:352-362
Calling File: /blueprints/gke/autopilot/cluster.tf:17-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
352 | resource "google_pubsub_topic" "notifications" {
353 | count = (
354 | try(var.enable_features.upgrade_notifications, null) != null &&
355 | try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 1 : 0
356 | )
357 | project = var.project_id
358 | name = "gke-pubsub-notifications"
359 | labels = {
360 | content = "gke-notifications"
361 | }
362 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.kms.google_kms_crypto_key.default["key-gce"]
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:102-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.kms.google_kms_crypto_key.default["key-gce"]
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:102-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.kms.google_kms_crypto_key.default["key-gcs"]
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:102-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.kms.google_kms_crypto_key.default["key-gcs"]
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/cmek-via-centralized-kms/main.tf:102-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/gke/binauthz/main.tf:114-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/gke/binauthz/main.tf:114-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.log-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/shielded-folder/kms.tf:96-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.log-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/shielded-folder/kms.tf:96-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/shielded-folder/kms.tf:81-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /blueprints/data-solutions/shielded-folder/kms.tf:81-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.dev-sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /fast/stages/2-security/core-dev.tf:46-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.dev-sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /fast/stages/2-security/core-dev.tf:46-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_43: "Ensure KMS encryption keys are rotated within a period of 90 days"
FAILED for resource: module.prod-sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /fast/stages/2-security/core-prod.tf:45-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-4.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: module.prod-sec-kms.google_kms_crypto_key.default
File: /modules/kms/main.tf:39-55
Calling File: /fast/stages/2-security/core-prod.tf:45-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
39 | resource "google_kms_crypto_key" "default" {
40 | for_each = var.keys
41 | key_ring = local.keyring.id
42 | name = each.key
43 | rotation_period = each.value.rotation_period
44 | labels = each.value.labels
45 | purpose = each.value.purpose
46 | skip_initial_version_creation = each.value.skip_initial_version_creation
47 |
48 | dynamic "version_template" {
49 | for_each = each.value.version_template == null ? [] : [""]
50 | content {
51 | algorithm = each.value.version_template.algorithm
52 | protection_level = each.value.version_template.protection_level
53 | }
54 | }
55 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf:23-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.apigee_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee.tf:34-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.onprem_vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/onprem.tf:27-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/cloud-operations/dns-shared-vpc/main.tf:34-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-b-vpn/landing.tf:45-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
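The three checks above recur for every VPC the repository builds through modules/net-vpc, and they split into two cases. CKV_GCP_74 and CKV_GCP_26 on google_compute_subnetwork.subnetwork are driven entirely by the caller's inputs: the excerpt maps enable_private_access to private_ip_google_access and emits log_config only when flow_logs_config is non-null, so a stage that leaves them unset fails both checks. CKV_GCP_76 cannot be satisfied through this module version at all: line 155 of subnets.tf leaves private_ipv6_google_access commented out, so an ipv6.enable_private_access value is accepted in the input but never reaches the provider. The findings on the proxy_only and psc resources are different again: those resources set only purpose and role, and proxy-only (load-balancer Envoy) and PSC NAT subnets carry no VMs for Private Google Access or flow logs to apply to, so they are candidates for a reasoned suppression rather than a code change. The configuration below is an added example written for this page, not code from cloud-foundation-fabric or the FAST stages; the module path, VPC and subnet names, region, CIDRs and the module output name are placeholders, and the input names subnets, subnets_proxy_only and subnets_psc are inferred from the locals the excerpt iterates over.

```hcl
# Added example (not cloud-foundation-fabric code). Placeholders: module path,
# names, region, CIDRs, and the module "name" output. Input names are inferred
# from local.subnets / local.subnets_proxy_only / local.subnets_psc in the excerpt.

module "landing-vpc" {
  source     = "../../modules/net-vpc" # assumed relative path
  project_id = var.project_id
  name       = "landing-vpc"

  subnets = [
    {
      name          = "landing-default-ew1"
      region        = "europe-west1"
      ip_cidr_range = "10.128.0.0/24"
      # CKV_GCP_74: the module passes this straight to private_ip_google_access.
      enable_private_access = true
      # CKV_GCP_26: the module emits log_config only when this object is non-null;
      # field names match the flow_logs_config references in subnets.tf.
      flow_logs_config = {
        aggregation_interval = "INTERVAL_5_SEC"
        filter_expression    = "true"
        flow_sampling        = 0.5
        metadata             = "INCLUDE_ALL_METADATA"
        metadata_fields      = null
      }
    }
  ]

  # Proxy-only and PSC subnets: the module sets only purpose/role for these and
  # neither flow logs nor Private Google Access apply, so the CKV_GCP_26/74/76
  # findings on .proxy_only and .psc are suppressed with a reason, not "fixed".
  subnets_proxy_only = [
    {
      name          = "landing-proxy-ew1"
      region        = "europe-west1"
      ip_cidr_range = "10.128.254.0/24"
      active        = true
      global        = false
    }
  ]
  subnets_psc = [
    {
      name          = "landing-psc-ew1"
      region        = "europe-west1"
      ip_cidr_range = "10.128.255.0/24"
    }
  ]
}

# CKV_GCP_76: the module excerpt never sets private_ipv6_google_access, so a
# dual-stack subnet that must pass the check is declared directly on the
# provider resource until the module passes ipv6.enable_private_access through.
resource "google_compute_subnetwork" "dual_stack" {
  project       = var.project_id
  network       = module.landing-vpc.name # module output name assumed
  name          = "landing-dual-ew1"
  region        = "europe-west1"
  ip_cidr_range = "10.129.0.0/24"

  private_ip_google_access = true # CKV_GCP_74

  stack_type       = "IPV4_IPV6"
  ipv6_access_type = "INTERNAL" # needs enable_ula_internal_ipv6 on the network
  # CKV_GCP_76: outbound-only is the least-privilege choice; the BIDIRECTIONAL
  # value also lets Google-hosted services open connections to the VMs.
  private_ipv6_google_access = "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE"

  log_config { # CKV_GCP_26
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

For the proxy_only and psc findings, the suppression belongs where the resource is declared: a `#checkov:skip=CKV_GCP_26:<reason>` comment inside the resource block in modules/net-vpc/subnets.tf (one per check ID), or a `skip-check` entry in the repository's `.checkov.yaml` if the module is not to be edited. Either way the reason should state that the subnet purpose excludes the setting, so the next reviewer does not mistake the skip for an accepted risk on a workload subnet. Flow-log sampling and aggregation values above are a starting point; for a landing VPC that fronts on-prem traffic, raise flow_sampling toward 1.0 on the subnets the detection team actually queries rather than globally.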
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/02-load.tf:104-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/03-orchestration.tf:115-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-foundations/04-transformation.tf:120-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.processing-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/data-solutions/data-platform-minimal/02-processing.tf:165-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.svpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.svpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.svpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.svpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.svpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.svpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.svpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.svpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/gke/multi-cluster-mesh-gke-fleet-api/vpc.tf:19-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-dev.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:62-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-prod.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/decentralized-firewall/main.tf:49-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/filtering-proxy-psc/consumer.tf:21-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_trusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:79-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_landing_untrusted.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/main.tf:47-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_spoke_01.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/glb-hybrid-neg-internal/spoke.tf:41-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-hub.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:59-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:85-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-spoke-2.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-peering/main.tf:130-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-dev.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/hub-and-spoke-vpn/net-prod.tf:17-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-left.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-left.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-left.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-left.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-left.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-left.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-left.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-left.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-left.tf:17-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-right.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-right.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-right.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-right.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-right.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-right.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-right.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-right.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/ilb-next-hop/vpc-right.tf:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/private-cloud-function-from-onprem/main.tf:39-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_consumer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:113-125
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_producer.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/psc-hybrid/main.tf:65-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc-shared.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/networking/shared-vpc-gke/main.tf:96-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_main.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_main.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_main.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_main.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_main.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_main.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_main.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_main.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_onprem.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:244-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.vpc_prj1.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /blueprints/serverless/cloud-run-corporate/main.tf:271-283
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:30-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/plugins/2-networking-serverless-connector/local-serverless-connector.tf:45-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.dev-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-dev.tf:47-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.prod-spoke-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/spoke-prod.tf:46-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-trusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:110-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.subnetwork
File: /modules/net-vpc/subnets.tf:132-170
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
132 | resource "google_compute_subnetwork" "subnetwork" {
133 | for_each = local.subnets
134 | project = var.project_id
135 | network = local.network.name
136 | name = each.value.name
137 | region = each.value.region
138 | ip_cidr_range = each.value.ip_cidr_range
139 | description = (
140 | each.value.description == null
141 | ? "Terraform-managed."
142 | : each.value.description
143 | )
144 | private_ip_google_access = each.value.enable_private_access
145 | secondary_ip_range = each.value.secondary_ip_ranges == null ? [] : [
146 | for name, range in each.value.secondary_ip_ranges :
147 | { range_name = name, ip_cidr_range = range }
148 | ]
149 | stack_type = (
150 | try(each.value.ipv6, null) != null ? "IPV4_IPV6" : null
151 | )
152 | ipv6_access_type = (
153 | try(each.value.ipv6, null) != null ? each.value.ipv6.access_type : null
154 | )
155 | # private_ipv6_google_access = try(each.value.ipv6.enable_private_access, null)
156 | dynamic "log_config" {
157 | for_each = each.value.flow_logs_config != null ? [""] : []
158 | content {
159 | aggregation_interval = each.value.flow_logs_config.aggregation_interval
160 | filter_expr = each.value.flow_logs_config.filter_expression
161 | flow_sampling = each.value.flow_logs_config.flow_sampling
162 | metadata = each.value.flow_logs_config.metadata
163 | metadata_fields = (
164 | each.value.flow_logs_config.metadata == "CUSTOM_METADATA"
165 | ? each.value.flow_logs_config.metadata_fields
166 | : null
167 | )
168 | }
169 | }
170 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.proxy_only
File: /modules/net-vpc/subnets.tf:172-185
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
172 | resource "google_compute_subnetwork" "proxy_only" {
173 | for_each = local.subnets_proxy_only
174 | project = var.project_id
175 | network = local.network.name
176 | name = each.value.name
177 | region = each.value.region
178 | ip_cidr_range = each.value.ip_cidr_range
179 | description = coalesce(
180 | each.value.description,
181 | "Terraform-managed proxy-only subnet for Regional HTTPS, Internal HTTPS or Cross-Regional HTTPS Internal LB."
182 | )
183 | purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
184 | role = each.value.active ? "ACTIVE" : "BACKUP"
185 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.landing-untrusted-vpc.google_compute_subnetwork.psc
File: /modules/net-vpc/subnets.tf:187-199
Calling File: /fast/stages/2-networking-e-nva-bgp/landing.tf:48-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
187 | resource "google_compute_subnetwork" "psc" {
188 | for_each = local.subnets_psc
189 | project = var.project_id
190 | network = local.network.name
191 | name = each.value.name
192 | region = each.value.region
193 | ip_cidr_range = each.value.ip_cidr_range
194 | description = coalesce(
195 | each.value.description,
196 | "Terraform-managed subnet for Private Service Connect (PSC NAT)."
197 | )
198 | purpose = "PRIVATE_SERVICE_CONNECT"
199 | }
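The three checks above fire on every proxy-only and Private Service Connect subnet the net-vpc module creates, but they are not all actionable. Neither subnet type hosts VM network interfaces: a `REGIONAL_MANAGED_PROXY` / `GLOBAL_MANAGED_PROXY` subnet is reserved for Envoy-based load balancer proxies, and a `PRIVATE_SERVICE_CONNECT` subnet is the producer-side NAT range. The Compute API does not support flow logs on proxy-only subnets, and Private Google Access only affects VMs with internal addresses, so there is nothing to turn on. The added example below (not code from cloud-foundation-fabric; project, network, names and ranges are placeholders) shows what the checks actually want on a workload subnet, and how to suppress them with a recorded reason on the reserved subnets instead of silently ignoring the scanner. `CKV_GCP_76` only makes sense once a subnet has an IPv6 range, so it is suppressed on the IPv4-only subnets for the same reason.

```hcl
# Added example, not the net-vpc module. Assumes an existing
# google_compute_network.vpc and a project called "my-project".

# A workload subnet hosts VM NICs, so both controls are meaningful here.
resource "google_compute_subnetwork" "workload" {
  project                  = "my-project"
  network                  = google_compute_network.vpc.name
  name                     = "workload-ew1"
  region                   = "europe-west1"
  ip_cidr_range            = "10.0.0.0/24"
  private_ip_google_access = true # CKV_GCP_74: reach Google APIs without external IPs

  log_config { # CKV_GCP_26: VPC flow logs, 50% sampling, full metadata
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Proxy-only subnet: no VM NICs, flow logs unsupported by the API.
# Suppress with a reason so the decision is visible in the scan output.
resource "google_compute_subnetwork" "proxy_only" {
  #checkov:skip=CKV_GCP_26:Flow logs are not supported on proxy-only subnets
  #checkov:skip=CKV_GCP_74:No VM interfaces in a proxy-only subnet, PGA does not apply
  #checkov:skip=CKV_GCP_76:IPv4-only subnet, no IPv6 access type to set
  project       = "my-project"
  network       = google_compute_network.vpc.name
  name          = "proxy-only-ew1"
  region        = "europe-west1"
  ip_cidr_range = "10.0.10.0/23"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}

# PSC NAT subnet: used only to source-NAT consumer connections.
resource "google_compute_subnetwork" "psc" {
  #checkov:skip=CKV_GCP_26:PSC NAT subnet, no VM interfaces to log
  #checkov:skip=CKV_GCP_74:PSC NAT subnet, PGA does not apply
  #checkov:skip=CKV_GCP_76:IPv4-only subnet, no IPv6 access type to set
  project       = "my-project"
  network       = google_compute_network.vpc.name
  name          = "psc-ew1"
  region        = "europe-west1"
  ip_cidr_range = "10.0.20.0/24"
  purpose       = "PRIVATE_SERVICE_CONNECT"
}
```

The `#checkov:skip=<ID>:<reason>` comment goes inside the resource block it applies to; checkov then reports the resource as SKIPPED with the reason, which keeps the exception auditable in CI rather than hidden in a global `--skip-check` flag.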
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: module.projects.module.projects.google_project.project[0]
File: /modules/project/main.tf:44-54
Calling File: /blueprints/factories/project-factory/main.tf:17-65
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
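Checkov flags this because `auto_create_network` is passed through from a variable, so nothing in the module guarantees the default VPC (with its `default-allow-ssh`, `default-allow-rdp` and `default-allow-icmp` rules open to 0.0.0.0/0) is never created. The added example below (not the project module; folder, project and billing identifiers are placeholders) hard-codes the safe value and, since projects may also be created outside Terraform, enforces the same outcome with the `compute.skipDefaultNetworkCreation` organization policy on the parent folder.

```hcl
# Added example, not the cloud-foundation-fabric project module.
# Folder id, project id and billing account are placeholders.
resource "google_project" "project" {
  project_id          = "my-prefix-my-project"
  name                = "my-project"
  folder_id           = "1234567890"
  billing_account     = "AAAAAA-BBBBBB-CCCCCC"
  auto_create_network = false # CKV_GCP_27: never create the default VPC
}

# Enforce at the folder as well, so projects created by hand or by another
# pipeline under this folder get no default network either.
resource "google_folder_organization_policy" "skip_default_network" {
  folder     = "folders/1234567890"
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}
```

With `auto_create_network = false` the Google provider creates the project, enables the Compute Engine API and then deletes the default network, so the identity running Terraform needs permission to delete networks in the new project; with the org policy enforced the network is simply never created and no deletion is needed.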
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.nic
File: /blueprints/cloud-operations/workload-identity-federation/azure.tf:77-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
77 | resource "azurerm_network_interface" "nic" {
78 | count = var.vm_test ? 1 : 0
79 | name = "nic"
80 | resource_group_name = azurerm_resource_group.resource_group[0].name
81 | location = azurerm_resource_group.resource_group[0].location
82 |
83 | ip_configuration {
84 | name = "ipconfig"
85 | subnet_id = azurerm_subnet.subnet[0].id
86 | private_ip_address_allocation = "Dynamic"
87 | public_ip_address_id = azurerm_public_ip.public_ip[0].id
88 | }
89 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall-a.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.landing-vpc-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-firewall[0].google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall[0].google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall-consumer.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall_landing_untrusted.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall_spoke_01.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-hub-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-spoke-1-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-spoke-2-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.dev-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.landing-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.prod-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall-onprem.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.vpc-shared-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall_main.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall_onprem.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.firewall_prj1.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.landing-trusted-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.landing-untrusted-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.dev-spoke-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: module.prod-spoke-firewall.google_compute_firewall.allow-admins[0]
File: /modules/net-vpc-firewall/default-rules.tf:27-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
27 | resource "google_compute_firewall" "allow-admins" {
28 | count = length(local.default_rules.admin_ranges) > 0 ? 1 : 0
29 | name = "${var.network}-ingress-admins"
30 | description = "Access from the admin subnet to all subnets."
31 | network = var.network
32 | project = var.project_id
33 | source_ranges = local.default_rules.admin_ranges
34 | allow { protocol = "all" }
35 | }
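All twenty-four `CKV2_GCP_12` findings are the same `allow-admins` rule from `net-vpc-firewall/default-rules.tf`, instantiated by every blueprint and FAST stage that passes `admin_ranges`. Checkov fires on `allow { protocol = "all" }` regardless of how narrow `source_ranges` is, so the rule is exactly as safe as the ranges supplied to it: an admin range that is a whole corporate /8 grants every port on every VM in the VPC. The added example below (not the module's code; the service account and ranges are placeholders) is the shape a least-privilege admin rule usually takes: Google's IAP TCP forwarding range as the only source, management ports only, scoped to instances running an admin service account, with logging on.

```hcl
# Added example, not the net-vpc-firewall module. Assumes var.network and
# var.project_id as in the module; the service account email is a placeholder.
resource "google_compute_firewall" "ingress_admins" {
  name        = "${var.network}-ingress-admins"
  description = "Admin access to management ports via IAP TCP forwarding only."
  project     = var.project_id
  network     = var.network
  direction   = "INGRESS"
  priority    = 1000

  # 35.235.240.0/20 is Google's IAP TCP forwarding source range. An on-prem
  # admin subnet would be listed here the same way; avoid broad ranges.
  source_ranges = ["35.235.240.0/20"]

  # Apply only to instances running the admin-managed service account,
  # not to every VM in the network.
  target_service_accounts = ["admin-vm@my-project.iam.gserviceaccount.com"]

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"] # SSH and RDP; drop whichever is unused
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Where a blanket admin rule is genuinely required (for example a management VPC reachable only over a dedicated VPN), keep the module rule but add `#checkov:skip=CKV2_GCP_12:<reason>` inside the resource so the exception is reviewed rather than drowned in repeated findings.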
Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
FAILED for resource: module.cloudsql.google_sql_database_instance.replicas
File: /modules/cloudsql-instance/main.tf:126-170
126 | resource "google_sql_database_instance" "replicas" {
127 | provider = google-beta
128 | for_each = local.has_replicas ? var.replicas : {}
129 | project = var.project_id
130 | name = "${local.prefix}${each.key}"
131 | region = each.value.region
132 | database_version = var.database_version
133 | encryption_key_name = each.value.encryption_key_name
134 | master_instance_name = google_sql_database_instance.primary.name
135 |
136 | settings {
137 | tier = var.tier
138 | deletion_protection_enabled = var.deletion_protection_enabled
139 | disk_autoresize = var.disk_size == null
140 | disk_size = var.disk_size
141 | disk_type = var.disk_type
142 | # availability_type = var.availability_type
143 | user_labels = var.labels
144 | activation_policy = var.activation_policy
145 |
146 | ip_configuration {
147 | ipv4_enabled = var.ipv4_enabled
148 | private_network = var.network
149 | allocated_ip_range = var.allocated_ip_ranges.replica
150 | dynamic "authorized_networks" {
151 | for_each = var.authorized_networks != null ? var.authorized_networks : {}
152 | iterator = network
153 | content {
154 | name = network.key
155 | value = network.value
156 | }
157 | }
158 | }
159 |
160 | dynamic "database_flags" {
161 | for_each = var.flags != null ? var.flags : {}
162 | iterator = flag
163 | content {
164 | name = flag.key
165 | value = flag.value
166 | }
167 | }
168 | }
169 | deletion_protection = var.deletion_protection
170 | }
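`CKV2_GCP_20` looks for `backup_configuration` with binary logging on MySQL instances and fires on the module's `replicas` resource because that block has no backup configuration at all. That is expected: backups, and with them point-in-time recovery, are configured on the primary, and a read replica does not take its own backups. The added example below (not the cloudsql-instance module; project, network and instance names are placeholders) shows the primary configured for PITR and the replica with the check suppressed with a recorded reason, which is the correct resolution here rather than copying `backup_configuration` onto the replica.

```hcl
# Added example, not the cloudsql-instance module. Project, VPC and
# instance names are placeholders.
resource "google_sql_database_instance" "primary" {
  project             = "my-project"
  name                = "db-primary"
  region              = "europe-west1"
  database_version    = "MYSQL_8_0"
  deletion_protection = true

  settings {
    tier              = "db-custom-2-7680"
    availability_type = "REGIONAL"

    backup_configuration {
      enabled                        = true
      binary_log_enabled             = true # MySQL PITR is driven by binary logging (CKV2_GCP_20)
      start_time                     = "02:00"
      transaction_log_retention_days = 7

      backup_retention_settings {
        retained_backups = 14
      }
    }

    ip_configuration {
      ipv4_enabled    = false # private IP only
      private_network = "projects/my-project/global/networks/my-vpc"
    }
  }
}

resource "google_sql_database_instance" "replica" {
  #checkov:skip=CKV2_GCP_20:Backups and binary logging are configured on the primary; read replicas do not take their own backups
  project              = "my-project"
  name                 = "db-replica"
  region               = "europe-west4"
  database_version     = "MYSQL_8_0"
  master_instance_name = google_sql_database_instance.primary.name
  deletion_protection  = true

  settings {
    tier = "db-custom-2-7680"

    ip_configuration {
      ipv4_enabled    = false
      private_network = "projects/my-project/global/networks/my-vpc"
    }
  }
}
```

For PostgreSQL or SQL Server the equivalent primary-side setting is `point_in_time_recovery_enabled = true` instead of `binary_log_enabled`; the replica handling is the same.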
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.sas.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.integration-sa["data-uploader"].google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-image-builder.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-image-builder-vm.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.sa-tfc.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-healthchecker.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-restarter.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-scheduler.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.m4ce-service-account.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-notebook.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-vertex.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-sql.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.comp-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.drop-sa-bq-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.drop-sa-cs-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.drop-sa-ps-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.load-sa-df-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.orch-sa-cmp-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.orch-sa-df-build.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.transf-sa-bq-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.data-platform.module.transf-sa-df-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.land-sa-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.processing-sa-cmp-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.processing-sa-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.cur-sa-0.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-bq.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-df.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-landing.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-orch.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.compute-service-account.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.witness-service-account.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-github.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-mlops.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.projects.module.service-accounts.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.node_sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.monitoring_sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.app_cb_sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.image_cb_sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-squid.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-gce.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-account-gke-node.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.service-accounts.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-resman-sa-stage2-3.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-resman-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-cicd-sa-bootstrap.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-cicd-sa-resman.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-org-resman-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 |   for_each           = local.public_keys_data
85 |   service_account_id = local.service_account.email
86 |   public_key_data    = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-dp-dev-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-dp-prod-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-gke-dev-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-gke-prod-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-network-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-pf-dev-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-pf-prod-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-security-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-teams-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-teams-team-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-dp-dev-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-dp-prod-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-gke-dev-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-gke-prod-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-network-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-pf-dev-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-pf-prod-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-security-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-bootstrap-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.automation-tf-cicd-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-sandbox-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.tenant-core-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.tenant-self-iac-sa.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.branch-teams-team-sa-cicd.google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_3: "Ensure that there are only GCP-managed service account keys for each service account"
FAILED for resource: module.integration-sa["prisma-security"].google_service_account_key.upload_key
File: /modules/iam-service-account/main.tf:83-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-that-there-are-only-gcp-managed-service-account-keys-for-each-service-account.html
83 | resource "google_service_account_key" "upload_key" {
84 | for_each = local.public_keys_data
85 | service_account_id = local.service_account.email
86 | public_key_data = each.value
87 | }
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.function_export.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.function_gcs2bq.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.cf.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.cloud-function.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.cffile.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.cf-healthchecker.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.cf-restarter.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
FAILED for resource: module.function-hello.google_cloudfunctions_function.function
File: /modules/cloud-function-v1/main.tf:53-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.psc_ilb_network
File: /blueprints/networking/psc-glb-and-armor/producer.tf:147-151
147 | resource "google_compute_network" "psc_ilb_network" {
148 | name = "psc-ilb-network"
149 | auto_create_subnetworks = false
150 | project = module.producer_project.project_id
151 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.default
File: /modules/__experimental/alloydb-instance/main.tf:144-146
144 | resource "google_compute_network" "default" {
145 | name = var.network_name
146 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc.google_compute_network.network
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.apigee_vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.onprem_vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.cloud-dns.module.vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.landing-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc[0].google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.data-platform.module.load-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.data-platform.module.orch-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.data-platform.module.transf-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.processing-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-local[0].google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.svpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-dev.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-prod.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-consumer.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_landing_trusted.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_landing_untrusted.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_spoke_01.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-hub.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-spoke-1.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-spoke-2.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.dev-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.prod-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-left.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-right.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-onprem.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_consumer.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_producer.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc-shared.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_main.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_onprem.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.vpc_prj1.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.dev-spoke-vpc-serverless.google_compute_network.network
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.prod-spoke-vpc-serverless.google_compute_network.network
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.dev-spoke-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.prod-spoke-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.landing-trusted-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: module.landing-untrusted-vpc.google_compute_network.network[0]
File: /modules/net-vpc/main.tf:36-48
36 | resource "google_compute_network" "network" {
37 | count = var.vpc_create ? 1 : 0
38 | project = var.project_id
39 | name = var.name
40 | description = var.description
41 | auto_create_subnetworks = var.auto_create_subnetworks
42 | delete_default_routes_on_create = var.delete_default_routes_on_create
43 | mtu = var.mtu
44 | routing_mode = var.routing_mode
45 | network_firewall_policy_enforcement_order = var.firewall_policy_enforcement_order
46 | enable_ula_internal_ipv6 = var.ipv6_config.enable_ula_internal
47 | internal_ipv6_range = var.ipv6_config.internal_range
48 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.subnet
File: /blueprints/cloud-operations/workload-identity-federation/azure.tf:60-66
60 | resource "azurerm_subnet" "subnet" {
61 | count = var.vm_test ? 1 : 0
62 | name = "subnet"
63 | resource_group_name = azurerm_resource_group.resource_group[0].name
64 | virtual_network_name = azurerm_virtual_network.vnet[0].name
65 | address_prefixes = ["10.0.1.0/24"]
66 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.apigee_project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.onprem_project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.cloud-dns.module.project["appteam2"].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.host-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.target-projects.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.sharedvpc_host_project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.landing-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.prj.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-kms.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-service.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.drop-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.load-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.orch-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.transf-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.dwh-conf-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.dwh-cur-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.dwh-lnd-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.common-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.data-platform.module.exp-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.land-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.processing-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.cur-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.common-project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.sec-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.log-export-project[0].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.projects.module.projects.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.fleet_project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.host_project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.mgmt_project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.gke-multitenant.module.gke-project-0.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-host-dev.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-host-prod.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-app.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-host.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_landing.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_spoke_01.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.consumer_project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.producer_project.google_project.project
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-svc-gce.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project-svc-gke.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
44 | resource "google_project" "project" {
45 | count = var.project_create ? 1 : 0
46 | org_id = local.parent_type == "organizations" ? local.parent_id : null
47 | folder_id = local.parent_type == "folders" ? local.parent_id : null
48 | project_id = "${local.prefix}${var.name}"
49 | name = local.descriptive_name
50 | billing_account = var.billing_account
51 | auto_create_network = var.auto_create_network
52 | labels = var.labels
53 | skip_delete = var.skip_delete
54 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_main.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_onprem[0].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_prj1[0].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.project_svc1[0].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.automation-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.log-export-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.billing-export-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.tenant-self-iac-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.dev-spoke-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.prod-spoke-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.dev-sec-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.prod-sec-project.google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: module.cloud-dns.module.project["appteam1"].google_project.project[0]
File: /modules/project/main.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
FAILED for resource: github_repository.default
File: /fast/extras/0-cicd-github/main.tf:73-106
73 | resource "github_repository" "default" {
74 |   for_each = {
75 |     for k, v in var.repositories : k => v if v.create_options != null
76 |   }
77 |   name = each.key
78 |   description = (
79 |     each.value.create_options.description != null
80 |     ? each.value.create_options.description
81 |     : "FAST stage ${each.key}."
82 |   )
83 |   visibility         = each.value.create_options.visibility
84 |   auto_init          = each.value.create_options.auto_init
85 |   allow_auto_merge   = try(each.value.create_options.allow.auto_merge, null)
86 |   allow_merge_commit = try(each.value.create_options.allow.merge_commit, null)
87 |   allow_rebase_merge = try(each.value.create_options.allow.rebase_merge, null)
88 |   allow_squash_merge = try(each.value.create_options.allow.squash_merge, null)
89 |   has_issues         = try(each.value.create_options.features.issues, null)
90 |   has_projects       = try(each.value.create_options.features.projects, null)
91 |   has_wiki           = try(each.value.create_options.features.wiki, null)
92 |   gitignore_template = try(each.value.create_options.templates.gitignore, null)
93 |   license_template   = try(each.value.create_options.templates.license, null)
94 |
95 |   dynamic "template" {
96 |     for_each = (
97 |       try(each.value.create_options.templates.repository, null) != null
98 |       ? [""]
99 |       : []
100 |     )
101 |     content {
102 |       owner      = each.value.create_options.templates.repository.owner
103 |       repository = each.value.create_options.templates.repository.name
104 |     }
105 |   }
106 | }
kubernetes scan results:
Passed checks: 581, Failed checks: 103, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.gmp-public.kube-state-metrics
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 |   name: custom-metrics-stackdriver-adapter
65 |   namespace: monitoring
66 |   labels:
67 |     run: custom-metrics-stackdriver-adapter
68 |     k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 |   replicas: 1
71 |   selector:
72 |     matchLabels:
73 |       run: custom-metrics-stackdriver-adapter
74 |       k8s-app: custom-metrics-stackdriver-adapter
75 |   template:
76 |     metadata:
77 |       labels:
78 |         run: custom-metrics-stackdriver-adapter
79 |         k8s-app: custom-metrics-stackdriver-adapter
80 |         kubernetes.io/cluster-service: "true"
81 |     spec:
82 |       serviceAccountName: custom-metrics-stackdriver-adapter
83 |       containers:
84 |       - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 |         imagePullPolicy: Always
86 |         name: pod-custom-metrics-stackdriver-adapter
87 |         command:
88 |         - /adapter
89 |         - --use-new-resource-model=false
90 |         resources:
91 |           limits:
92 |             cpu: 250m
93 |             memory: 500Mi
94 |           requests:
95 |             memory: 500Mi
96 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 | name: custom-metrics-stackdriver-adapter
65 | namespace: monitoring
66 | labels:
67 | run: custom-metrics-stackdriver-adapter
68 | k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 | replicas: 1
71 | selector:
72 | matchLabels:
73 | run: custom-metrics-stackdriver-adapter
74 | k8s-app: custom-metrics-stackdriver-adapter
75 | template:
76 | metadata:
77 | labels:
78 | run: custom-metrics-stackdriver-adapter
79 | k8s-app: custom-metrics-stackdriver-adapter
80 | kubernetes.io/cluster-service: "true"
81 | spec:
82 | serviceAccountName: custom-metrics-stackdriver-adapter
83 | containers:
84 | - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 | imagePullPolicy: Always
86 | name: pod-custom-metrics-stackdriver-adapter
87 | command:
88 | - /adapter
89 | - --use-new-resource-model=false
90 | resources:
91 | limits:
92 | cpu: 250m
93 | memory: 500Mi
94 | requests:
95 | memory: 500Mi
96 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 | name: custom-metrics-stackdriver-adapter
65 | namespace: monitoring
66 | labels:
67 | run: custom-metrics-stackdriver-adapter
68 | k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 | replicas: 1
71 | selector:
72 | matchLabels:
73 | run: custom-metrics-stackdriver-adapter
74 | k8s-app: custom-metrics-stackdriver-adapter
75 | template:
76 | metadata:
77 | labels:
78 | run: custom-metrics-stackdriver-adapter
79 | k8s-app: custom-metrics-stackdriver-adapter
80 | kubernetes.io/cluster-service: "true"
81 | spec:
82 | serviceAccountName: custom-metrics-stackdriver-adapter
83 | containers:
84 | - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 | imagePullPolicy: Always
86 | name: pod-custom-metrics-stackdriver-adapter
87 | command:
88 | - /adapter
89 | - --use-new-resource-model=false
90 | resources:
91 | limits:
92 | cpu: 250m
93 | memory: 500Mi
94 | requests:
95 | memory: 500Mi
96 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 | name: custom-metrics-stackdriver-adapter
65 | namespace: monitoring
66 | labels:
67 | run: custom-metrics-stackdriver-adapter
68 | k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 | replicas: 1
71 | selector:
72 | matchLabels:
73 | run: custom-metrics-stackdriver-adapter
74 | k8s-app: custom-metrics-stackdriver-adapter
75 | template:
76 | metadata:
77 | labels:
78 | run: custom-metrics-stackdriver-adapter
79 | k8s-app: custom-metrics-stackdriver-adapter
80 | kubernetes.io/cluster-service: "true"
81 | spec:
82 | serviceAccountName: custom-metrics-stackdriver-adapter
83 | containers:
84 | - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 | imagePullPolicy: Always
86 | name: pod-custom-metrics-stackdriver-adapter
87 | command:
88 | - /adapter
89 | - --use-new-resource-model=false
90 | resources:
91 | limits:
92 | cpu: 250m
93 | memory: 500Mi
94 | requests:
95 | memory: 500Mi
96 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.custom-metrics-stackdriver-adapter
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 | name: custom-metrics-stackdriver-adapter
65 | namespace: monitoring
66 | labels:
67 | run: custom-metrics-stackdriver-adapter
68 | k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 | replicas: 1
71 | selector:
72 | matchLabels:
73 | run: custom-metrics-stackdriver-adapter
74 | k8s-app: custom-metrics-stackdriver-adapter
75 | template:
76 | metadata:
77 | labels:
78 | run: custom-metrics-stackdriver-adapter
79 | k8s-app: custom-metrics-stackdriver-adapter
80 | kubernetes.io/cluster-service: "true"
81 | spec:
82 | serviceAccountName: custom-metrics-stackdriver-adapter
83 | containers:
84 | - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 | imagePullPolicy: Always
86 | name: pod-custom-metrics-stackdriver-adapter
87 | command:
88 | - /adapter
89 | - --use-new-resource-model=false
90 | resources:
91 | limits:
92 | cpu: 250m
93 | memory: 500Mi
94 | requests:
95 | memory: 500Mi
96 | ---
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.external-metrics-reader
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:159-172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
159 | apiVersion: rbac.authorization.k8s.io/v1
160 | kind: ClusterRole
161 | metadata:
162 | name: external-metrics-reader
163 | rules:
164 | - apiGroups:
165 | - "external.metrics.k8s.io"
166 | resources:
167 | - "*"
168 | verbs:
169 | - list
170 | - get
171 | - watch
172 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 | name: frontend
25 | namespace: monitoring
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: frontend
31 | template:
32 | metadata:
33 | labels:
34 | app: frontend
35 | spec:
36 | serviceAccountName: frontend
37 | tolerations:
38 | - key: group
39 | operator: Equal
40 | value: monitoring
41 | effect: NoSchedule
42 | nodeSelector:
43 | group: monitoring
44 | automountServiceAccountToken: true
45 | containers:
46 | - name: frontend
47 | image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 | args:
49 | - "--web.listen-address=:9090"
50 | ports:
51 | - name: web
52 | containerPort: 9090
53 | resources:
54 | requests:
55 | cpu: 250m
56 | memory: 500Mi
57 | limits:
58 | memory: 500Mi
59 | readinessProbe:
60 | httpGet:
61 | path: /-/ready
62 | port: web
63 | livenessProbe:
64 | httpGet:
65 | path: /-/healthy
66 | port: web
67 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
15 | apiVersion: "apps/v1"
16 | kind: "Deployment"
17 | metadata:
18 | name: locust-worker
19 | namespace: locust
20 | labels:
21 | name: locust-worker
22 | spec:
23 | replicas: 5
24 | selector:
25 | matchLabels:
26 | app: locust-worker
27 | template:
28 | metadata:
29 | labels:
30 | app: locust-worker
31 | spec:
32 | tolerations:
33 | - key: group
34 | operator: Equal
35 | value: "locust"
36 | effect: NoSchedule
37 | nodeSelector:
38 | group: "locust"
39 | containers:
40 | - name: locust-worker
41 | image: load-test-image
42 | env:
43 | - name: LOCUST_MODE
44 | value: worker
45 | - name: LOCUST_MASTER
46 | value: locust-master
47 | resources:
48 | requests:
49 | cpu: 250m
50 | memory: 500Mi
51 | limits:
52 | memory: 500Mi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.locust.locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.locust.locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.sample.nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: ClusterRoleBinding.default.external-metrics-reader
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:173-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
173 | apiVersion: rbac.authorization.k8s.io/v1
174 | kind: ClusterRoleBinding
175 | metadata:
176 |   name: external-metrics-reader
177 | roleRef:
178 |   apiGroup: rbac.authorization.k8s.io
179 |   kind: ClusterRole
180 |   name: external-metrics-reader
181 | subjects:
182 |   - kind: ServiceAccount
183 |     name: horizontal-pod-autoscaler
184 |     namespace: kube-system
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kube-state-metrics.app.kubernetes.io/name-kube-state-metrics.app.kubernetes.io/version-2.3.0
File: /blueprints/gke/autopilot/bundle/monitoring/kube-state-metrics.yaml:15-98
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.custom-metrics-stackdriver-adapter.run-custom-metrics-stackdriver-adapter.k8s-app-custom-metrics-stackdriver-adapter.kubernetes.io/cluster-service-true
File: /blueprints/gke/autopilot/bundle/monitoring/custom-stackdriver-metrics-adapter.yaml:61-96
61 | apiVersion: apps/v1
62 | kind: Deployment
63 | metadata:
64 |   name: custom-metrics-stackdriver-adapter
65 |   namespace: monitoring
66 |   labels:
67 |     run: custom-metrics-stackdriver-adapter
68 |     k8s-app: custom-metrics-stackdriver-adapter
69 | spec:
70 |   replicas: 1
71 |   selector:
72 |     matchLabels:
73 |       run: custom-metrics-stackdriver-adapter
74 |       k8s-app: custom-metrics-stackdriver-adapter
75 |   template:
76 |     metadata:
77 |       labels:
78 |         run: custom-metrics-stackdriver-adapter
79 |         k8s-app: custom-metrics-stackdriver-adapter
80 |         kubernetes.io/cluster-service: "true"
81 |     spec:
82 |       serviceAccountName: custom-metrics-stackdriver-adapter
83 |       containers:
84 |       - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.13.1-gke.0
85 |         imagePullPolicy: Always
86 |         name: pod-custom-metrics-stackdriver-adapter
87 |         command:
88 |         - /adapter
89 |         - --use-new-resource-model=false
90 |         resources:
91 |           limits:
92 |             cpu: 250m
93 |             memory: 500Mi
94 |           requests:
95 |             memory: 500Mi
96 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.grafana.app-grafana
File: /blueprints/gke/autopilot/bundle/monitoring/grafana.yaml:71-168
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.frontend.app-frontend
File: /blueprints/gke/autopilot/bundle/monitoring/frontend.yaml:21-67
21 | apiVersion: apps/v1
22 | kind: Deployment
23 | metadata:
24 |   name: frontend
25 |   namespace: monitoring
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: frontend
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: frontend
35 |     spec:
36 |       serviceAccountName: frontend
37 |       tolerations:
38 |       - key: group
39 |         operator: Equal
40 |         value: monitoring
41 |         effect: NoSchedule
42 |       nodeSelector:
43 |         group: monitoring
44 |       automountServiceAccountToken: true
45 |       containers:
46 |       - name: frontend
47 |         image: "gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0"
48 |         args:
49 |         - "--web.listen-address=:9090"
50 |         ports:
51 |         - name: web
52 |           containerPort: 9090
53 |         resources:
54 |           requests:
55 |             cpu: 250m
56 |             memory: 500Mi
57 |           limits:
58 |             memory: 500Mi
59 |         readinessProbe:
60 |           httpGet:
61 |             path: /-/ready
62 |             port: web
63 |         livenessProbe:
64 |           httpGet:
65 |             path: /-/healthy
66 |             port: web
67 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.locust-worker.app-locust-worker
File: /blueprints/gke/autopilot/bundle/locust/workers.yaml:15-52
15 | apiVersion: "apps/v1"
16 | kind: "Deployment"
17 | metadata:
18 |   name: locust-worker
19 |   namespace: locust
20 |   labels:
21 |     name: locust-worker
22 | spec:
23 |   replicas: 5
24 |   selector:
25 |     matchLabels:
26 |       app: locust-worker
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: locust-worker
31 |     spec:
32 |       tolerations:
33 |       - key: group
34 |         operator: Equal
35 |         value: "locust"
36 |         effect: NoSchedule
37 |       nodeSelector:
38 |         group: "locust"
39 |       containers:
40 |       - name: locust-worker
41 |         image: load-test-image
42 |         env:
43 |         - name: LOCUST_MODE
44 |           value: worker
45 |         - name: LOCUST_MASTER
46 |           value: locust-master
47 |         resources:
48 |           requests:
49 |             cpu: 250m
50 |             memory: 500Mi
51 |           limits:
52 |             memory: 500Mi
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.locust-master.app-locust-master
File: /blueprints/gke/autopilot/bundle/locust/master.yaml:15-72
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx.app-nginx
File: /blueprints/gke/autopilot/bundle/app/nginx.yaml:39-97
Code lines for this resource are too many. Please use IDE of your choice to review the file.
dockerfile scan results:
Passed checks: 508, Failed checks: 21, Skipped checks: 0
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile.FROM
File: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM marketplace.gcr.io/google/debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile.
File: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | FROM marketplace.gcr.io/google/debian11
15 |
16 | RUN apt-get update && apt-get dist-upgrade -y && apt-get install -y curl gnupg2
17 | RUN curl -sSO https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
18 | RUN bash add-google-cloud-ops-agent-repo.sh --also-install
19 | RUN rm -f add-google-cloud-ops-agent-repo.sh
20 |
21 | RUN echo '#!/bin/bash' > /entrypoint.sh
22 | RUN echo 'cd /tmp' >> /entrypoint.sh
23 | RUN echo '/opt/google-cloud-ops-agent/libexec/google_cloud_ops_agent_engine -service=otel -in /etc/google-cloud-ops-agent/config.yaml' >> /entrypoint.sh
24 | RUN echo '/opt/google-cloud-ops-agent/subagents/opentelemetry-collector/otelopscol --config=/tmp/otel.yaml --feature-gates=exporter.googlecloud.OTLPDirect' >> /entrypoint.sh
25 | RUN chmod +x /entrypoint.sh
26 |
27 | ENTRYPOINT /entrypoint.sh
28 | CMD []
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile.
File: /blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | FROM marketplace.gcr.io/google/debian11
15 |
16 | RUN apt-get update && apt-get dist-upgrade -y && apt-get install -y curl gnupg2
17 | RUN curl -sSO https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
18 | RUN bash add-google-cloud-ops-agent-repo.sh --also-install
19 | RUN rm -f add-google-cloud-ops-agent-repo.sh
20 |
21 | RUN echo '#!/bin/bash' > /entrypoint.sh
22 | RUN echo 'cd /tmp' >> /entrypoint.sh
23 | RUN echo '/opt/google-cloud-ops-agent/libexec/google_cloud_ops_agent_engine -service=otel -in /etc/google-cloud-ops-agent/config.yaml' >> /entrypoint.sh
24 | RUN echo '/opt/google-cloud-ops-agent/subagents/opentelemetry-collector/otelopscol --config=/tmp/otel.yaml --feature-gates=exporter.googlecloud.OTLPDirect' >> /entrypoint.sh
25 | RUN chmod +x /entrypoint.sh
26 |
27 | ENTRYPOINT /entrypoint.sh
28 | CMD []
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile.ADD
File: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile:17-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
17 | ADD locust-files /home/locust/locust-files
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile.ADD
File: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile:19-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
19 | ADD run.sh /home/locust/run.sh
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile.FROM
File: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
15 | FROM locustio/locust:latest
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile.
File: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2023 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM locustio/locust:latest
16 |
17 | ADD locust-files /home/locust/locust-files
18 |
19 | ADD run.sh /home/locust/run.sh
20 |
21 | ENTRYPOINT ["/home/locust/run.sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile.
File: /blueprints/gke/autopilot/bundle/locust/image/Dockerfile:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2023 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM locustio/locust:latest
16 |
17 | ADD locust-files /home/locust/locust-files
18 |
19 | ADD run.sh /home/locust/run.sh
20 |
21 | ENTRYPOINT ["/home/locust/run.sh"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile.FROM
File: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
15 | FROM gcr.io/dataflow-templates-base/python39-template-launcher-base
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile.
File: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2023 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM gcr.io/dataflow-templates-base/python39-template-launcher-base
16 |
17 | ENV FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE="/template/requirements.txt"
18 | ENV FLEX_TEMPLATE_PYTHON_PY_FILE="/template/csv2bq.py"
19 |
20 | COPY ./src/ /template
21 |
22 | RUN apt-get update \
23 | && apt-get install -y libffi-dev git \
24 | && rm -rf /var/lib/apt/lists/* \
25 | && pip install --no-cache-dir --upgrade pip \
26 | && pip install --no-cache-dir -r $FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE \
27 | && pip download --no-cache-dir --dest /tmp/dataflow-requirements-cache -r $FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE
28 |
29 | ENV PIP_NO_DEPS=True
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile.
File: /blueprints/data-solutions/data-platform-foundations/demo/dataflow-csv2bq/Dockerfile:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2023 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM gcr.io/dataflow-templates-base/python39-template-launcher-base
16 |
17 | ENV FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE="/template/requirements.txt"
18 | ENV FLEX_TEMPLATE_PYTHON_PY_FILE="/template/csv2bq.py"
19 |
20 | COPY ./src/ /template
21 |
22 | RUN apt-get update \
23 | && apt-get install -y libffi-dev git \
24 | && rm -rf /var/lib/apt/lists/* \
25 | && pip install --no-cache-dir --upgrade pip \
26 | && pip install --no-cache-dir -r $FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE \
27 | && pip download --no-cache-dir --dest /tmp/dataflow-requirements-cache -r $FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE
28 |
29 | ENV PIP_NO_DEPS=True
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /blueprints/networking/decentralized-firewall/validator/Dockerfile.
File: /blueprints/networking/decentralized-firewall/validator/Dockerfile:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | FROM python:3.9-slim
15 |
16 | RUN mkdir /validator
17 | COPY requirements.txt /validator/requirements.txt
18 | RUN pip install -r /validator/requirements.txt
19 | COPY validator.py /validator/validator.py
20 |
21 | RUN mkdir /schemas
22 | COPY firewallSchema.yaml /schemas/firewallSchema.yaml
23 | COPY firewallSchemaAutoApprove.yaml /schemas/firewallAutoApprove.yaml
24 | COPY firewallSchemaSettings.yaml /schemas/firewallSchemaSettings.yaml
25 |
26 | RUN mkdir /rules
27 |
28 | CMD ["/rules/**/*.yaml"]
29 | ENTRYPOINT ["python3", "/validator/validator.py"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /blueprints/networking/decentralized-firewall/validator/Dockerfile.
File: /blueprints/networking/decentralized-firewall/validator/Dockerfile:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | FROM python:3.9-slim
15 |
16 | RUN mkdir /validator
17 | COPY requirements.txt /validator/requirements.txt
18 | RUN pip install -r /validator/requirements.txt
19 | COPY validator.py /validator/validator.py
20 |
21 | RUN mkdir /schemas
22 | COPY firewallSchema.yaml /schemas/firewallSchema.yaml
23 | COPY firewallSchemaAutoApprove.yaml /schemas/firewallAutoApprove.yaml
24 | COPY firewallSchemaSettings.yaml /schemas/firewallSchemaSettings.yaml
25 |
26 | RUN mkdir /rules
27 |
28 | CMD ["/rules/**/*.yaml"]
29 | ENTRYPOINT ["python3", "/validator/validator.py"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile.
File: /modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 |
16 | FROM google/cloud-sdk:alpine
17 |
18 | COPY entrypoint.sh /entrypoint.sh
19 | RUN chmod 0755 /entrypoint.sh
20 |
21 | RUN apk update && \
22 | apk add bash curl bind-tools busybox-extras netcat-openbsd && \
23 | rm /var/cache/apk/*
24 |
25 | RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && \
26 | chmod 755 kubectl && mv kubectl /usr/local/bin/
27 |
28 | CMD ["/bin/bash"]
29 |
30 | ENTRYPOINT ["/entrypoint.sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile.
File: /modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile:1-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 |
16 | FROM google/cloud-sdk:alpine
17 |
18 | COPY entrypoint.sh /entrypoint.sh
19 | RUN chmod 0755 /entrypoint.sh
20 |
21 | RUN apk update && \
22 | apk add bash curl bind-tools busybox-extras netcat-openbsd && \
23 | rm /var/cache/apk/*
24 |
25 | RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && \
26 | chmod 755 kubectl && mv kubectl /usr/local/bin/
27 |
28 | CMD ["/bin/bash"]
29 |
30 | ENTRYPOINT ["/entrypoint.sh"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile.
File: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM debian:bullseye-slim
16 |
17 | ENV STRONGSWAN_VERSION=5.9
18 |
19 | RUN apt-get update \
20 | && DEBIAN_FRONTEND=noninteractive apt-get install -y sudo iptables procps strongswan=${STRONGSWAN_VERSION}* \
21 | && rm -rf /var/lib/apt/lists/*
22 |
23 | COPY entrypoint.sh /entrypoint.sh
24 | RUN chmod 0755 /entrypoint.sh
25 |
26 | COPY ipsec-vti.sh /var/lib/strongswan/ipsec-vti.sh
27 | RUN chmod 0755 /var/lib/strongswan/ipsec-vti.sh
28 |
29 | RUN echo 'ipsec ALL=NOPASSWD:SETENV:/usr/sbin/ipsec,/sbin/ip,/sbin/sysctl' > /etc/sudoers.d/ipsec
30 | RUN chmod 0440 /etc/sudoers.d/ipsec
31 |
32 | ENV VPN_DEVICE=eth0
33 | ENV LAN_NETWORKS=192.168.0.0/24
34 |
35 | EXPOSE 500/udp 4500/udp
36 |
37 | ENTRYPOINT ["/entrypoint.sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile.
File: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM debian:bullseye-slim
16 |
17 | ENV STRONGSWAN_VERSION=5.9
18 |
19 | RUN apt-get update \
20 | && DEBIAN_FRONTEND=noninteractive apt-get install -y sudo iptables procps strongswan=${STRONGSWAN_VERSION}* \
21 | && rm -rf /var/lib/apt/lists/*
22 |
23 | COPY entrypoint.sh /entrypoint.sh
24 | RUN chmod 0755 /entrypoint.sh
25 |
26 | COPY ipsec-vti.sh /var/lib/strongswan/ipsec-vti.sh
27 | RUN chmod 0755 /var/lib/strongswan/ipsec-vti.sh
28 |
29 | RUN echo 'ipsec ALL=NOPASSWD:SETENV:/usr/sbin/ipsec,/sbin/ip,/sbin/sysctl' > /etc/sudoers.d/ipsec
30 | RUN chmod 0440 /etc/sudoers.d/ipsec
31 |
32 | ENV VPN_DEVICE=eth0
33 | ENV LAN_NETWORKS=192.168.0.0/24
34 |
35 | EXPOSE 500/udp 4500/udp
36 |
37 | ENTRYPOINT ["/entrypoint.sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /modules/cloud-config-container/squid/docker/Dockerfile.
File: /modules/cloud-config-container/squid/docker/Dockerfile:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM debian:buster-slim
16 |
17 | ENV SQUID_VERSION=4.6 \
18 | SQUID_CACHE_DIR=/var/spool/squid \
19 | SQUID_LOG_DIR=/var/log/squid \
20 | SQUID_PID_DIR=/var/run/squid \
21 | SQUID_USER=proxy
22 |
23 | RUN apt-get update \
24 | && DEBIAN_FRONTEND=noninteractive apt-get install -y squid=${SQUID_VERSION}* \
25 | && rm -rf /var/lib/apt/lists/*
26 |
27 | COPY entrypoint.sh /sbin/entrypoint.sh
28 | RUN chmod 755 /sbin/entrypoint.sh
29 |
30 | # Create the PID file directory as root, as the non-privileged user squid is not
31 | # allowed to write in /var/run.
32 | RUN mkdir -p ${SQUID_PID_DIR} \
33 | && chown ${SQUID_USER}:${SQUID_USER} ${SQUID_PID_DIR}
34 |
35 | USER ${SQUID_USER}
36 |
37 | EXPOSE 3128/tcp
38 | ENTRYPOINT ["/sbin/entrypoint.sh"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /blueprints/gke/binauthz/image/Dockerfile.
File: /blueprints/gke/binauthz/image/Dockerfile:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM node:18-alpine
16 |
17 | WORKDIR /app
18 |
19 | COPY ["package.json", "package-lock.json*", "./"]
20 |
21 | RUN npm install
22 |
23 | COPY . .
24 |
25 | CMD [ "node", "index.js" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /blueprints/gke/binauthz/image/Dockerfile.
File: /blueprints/gke/binauthz/image/Dockerfile:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright 2019 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | FROM node:18-alpine
16 |
17 | WORKDIR /app
18 |
19 | COPY ["package.json", "package-lock.json*", "./"]
20 |
21 | RUN npm install
22 |
23 | COPY . .
24 |
25 | CMD [ "node", "index.js" ]
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
FAILED for resource: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile.RUN
File: /modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile:19-21
19 | RUN apt-get update \
20 | && DEBIAN_FRONTEND=noninteractive apt-get install -y sudo iptables procps strongswan=${STRONGSWAN_VERSION}* \
21 | && rm -rf /var/lib/apt/lists/*
secrets scan results:
Passed checks: 0, Failed checks: 5, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 41ef4fb5227fcffe324aebe771f3fd42694ae673
File: /blueprints/cloud-operations/adfs/ansible/roles/ad-provisioning/files/users.json:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | "password": "Ig********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 2ff2dfe36322448c6953616740a910be57bbd4ca
File: /blueprints/cloud-operations/workload-identity-federation/credential.json:13-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
13 | "subject_token_field_name": "acc*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: f4f979173b068d5c4a8f28a6e90a3fe02baa9154
File: /tests/modules/alloydb_instance/examples/alloydb_instance.yaml:20-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
20 | - password: alloyd******************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 75e38ad5d682dcae3e8cf74a5b3a7fcad222d8f4
File: /tests/modules/cloud_function_v1/examples/secrets.yaml:25-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
25 | secret: pa*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 75e38ad5d682dcae3e8cf74a5b3a7fcad222d8f4
File: /tests/modules/cloud_function_v2/examples/secrets.yaml:27-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
27 | secret: pa*********
github_actions scan results:
Passed checks: 212, Failed checks: 4, Skipped checks: 0
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(Create a new release
)
File: /.github/workflows/release.yml:21-30
21 |       version:
22 |         description: "Release version"
23 |         required: true
24 |       changelog:
25 |         description: "I have updated the CHANGELOG"
26 |         required: true
27 |         type: boolean
28 |
29 | permissions:
30 |   contents: write
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Tests)
File: /.github/workflows/tests.yml:12-13
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Label Pull Requests)
File: /.github/workflows/labeler.yml:12-13
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Linting)
File: /.github/workflows/linting.yml:12-13
ansible scan results:
Passed checks: 24, Failed checks: 0, Skipped checks: 0