| Repository | gruntwork-io / intro-to-terraform |
|---|---|
| Description | Sample code for the blog post series "A Comprehensive Guide to Terraform." |
| Stars | 736 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 58, Failed checks: 46, Skipped checks: 0
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /cluster-of-web-servers/main.tf:40-55
40 | resource "aws_autoscaling_group" "example" {
41 | launch_configuration = aws_launch_configuration.example.id
42 | availability_zones = data.aws_availability_zones.all.names
43 |
44 | min_size = 2
45 | max_size = 10
46 |
47 | load_balancers = [aws_elb.example.name]
48 | health_check_type = "ELB"
49 |
50 | tag {
51 | key = "Name"
52 | value = "terraform-asg-example"
53 | propagate_at_launch = true
54 | }
55 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /cluster-of-web-servers/main.tf:61-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
61 | resource "aws_launch_configuration" "example" {
62 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
63 | image_id = "ami-0c55b159cbfafe1f0"
64 | instance_type = "t2.micro"
65 | security_groups = [aws_security_group.instance.id]
66 |
67 | user_data = <<-EOF
68 | #!/bin/bash
69 | echo "Hello, World" > index.html
70 | nohup busybox httpd -f -p "${var.server_port}" &
71 | EOF
72 |
73 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
74 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
75 | lifecycle {
76 | create_before_destroy = true
77 | }
78 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /cluster-of-web-servers/main.tf:61-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
61 | resource "aws_launch_configuration" "example" {
62 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
63 | image_id = "ami-0c55b159cbfafe1f0"
64 | instance_type = "t2.micro"
65 | security_groups = [aws_security_group.instance.id]
66 |
67 | user_data = <<-EOF
68 | #!/bin/bash
69 | echo "Hello, World" > index.html
70 | nohup busybox httpd -f -p "${var.server_port}" &
71 | EOF
72 |
73 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
74 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
75 | lifecycle {
76 | create_before_destroy = true
77 | }
78 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /cluster-of-web-servers/main.tf:84-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
84 | resource "aws_security_group" "instance" {
85 | name = "terraform-example-instance"
86 |
87 | # Inbound HTTP from anywhere
88 | ingress {
89 | from_port = var.server_port
90 | to_port = var.server_port
91 | protocol = "tcp"
92 | cidr_blocks = ["0.0.0.0/0"]
93 | }
94 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.example
File: /cluster-of-web-servers/main.tf:100-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
100 | resource "aws_elb" "example" {
101 | name = "terraform-asg-example"
102 | security_groups = [aws_security_group.elb.id]
103 | availability_zones = data.aws_availability_zones.all.names
104 |
105 | health_check {
106 | target = "HTTP:${var.server_port}/"
107 | interval = 30
108 | timeout = 3
109 | healthy_threshold = 2
110 | unhealthy_threshold = 2
111 | }
112 |
113 | # This adds a listener for incoming HTTP requests.
114 | listener {
115 | lb_port = var.elb_port
116 | lb_protocol = "http"
117 | instance_port = var.server_port
118 | instance_protocol = "http"
119 | }
120 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.example
File: /cluster-of-web-servers/main.tf:100-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
100 | resource "aws_elb" "example" {
101 | name = "terraform-asg-example"
102 | security_groups = [aws_security_group.elb.id]
103 | availability_zones = data.aws_availability_zones.all.names
104 |
105 | health_check {
106 | target = "HTTP:${var.server_port}/"
107 | interval = 30
108 | timeout = 3
109 | healthy_threshold = 2
110 | unhealthy_threshold = 2
111 | }
112 |
113 | # This adds a listener for incoming HTTP requests.
114 | listener {
115 | lb_port = var.elb_port
116 | lb_protocol = "http"
117 | instance_port = var.server_port
118 | instance_protocol = "http"
119 | }
120 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.elb
File: /cluster-of-web-servers/main.tf:126-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
126 | resource "aws_security_group" "elb" {
127 | name = "terraform-example-elb"
128 |
129 | # Allow all outbound
130 | egress {
131 | from_port = 0
132 | to_port = 0
133 | protocol = "-1"
134 | cidr_blocks = ["0.0.0.0/0"]
135 | }
136 |
137 | # Inbound HTTP from anywhere
138 | ingress {
139 | from_port = var.elb_port
140 | to_port = var.elb_port
141 | protocol = "tcp"
142 | cidr_blocks = ["0.0.0.0/0"]
143 | }
144 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.elb
File: /cluster-of-web-servers/main.tf:126-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
126 | resource "aws_security_group" "elb" {
127 | name = "terraform-example-elb"
128 |
129 | # Allow all outbound
130 | egress {
131 | from_port = 0
132 | to_port = 0
133 | protocol = "-1"
134 | cidr_blocks = ["0.0.0.0/0"]
135 | }
136 |
137 | # Inbound HTTP from anywhere
138 | ingress {
139 | from_port = var.elb_port
140 | to_port = var.elb_port
141 | protocol = "tcp"
142 | cidr_blocks = ["0.0.0.0/0"]
143 | }
144 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[0]
File: /loops-with-count/main.tf:29-32
29 | resource "aws_iam_user" "example" {
30 | count = length(var.user_names)
31 | name = var.user_names[count.index]
32 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[1]
File: /loops-with-count/main.tf:29-32
29 | resource "aws_iam_user" "example" {
30 | count = length(var.user_names)
31 | name = var.user_names[count.index]
32 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.example[2]
File: /loops-with-count/main.tf:29-32
29 | resource "aws_iam_user" "example" {
30 | count = length(var.user_names)
31 | name = var.user_names[count.index]
32 | }
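CKV_AWS_273 fires once per IAM user the count loop creates (three here). The check's point is that human access should come through IAM Identity Center (AWS SSO) with short-lived session credentials rather than per-person IAM users that accumulate long-lived access keys. The following is an added example written for this report, not code from the intro-to-terraform repository: it keeps the loop idea (for_each over a map) but creates permission sets and assigns them to Identity Center groups. The group names, the managed-policy choices and var.account_id are assumptions, and Identity Center must already be enabled in the organization.

```hcl
# Look up the Identity Center instance in this organization.
data "aws_ssoadmin_instances" "this" {}

locals {
  # The data source returns sets, so convert before indexing.
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Identity Center group name -> managed policy the group gets in this account.
  # Group names and policies are assumptions for the example.
  assignments = {
    "engineering-readonly" = "arn:aws:iam::aws:policy/ReadOnlyAccess"
    "engineering-admins"   = "arn:aws:iam::aws:policy/AdministratorAccess"
  }
}

# Resolve each group by its display name; the groups are managed in the
# identity source (or its upstream IdP), not in this Terraform code.
data "aws_identitystore_group" "this" {
  for_each          = local.assignments
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

# One permission set per entry, with a short session instead of permanent keys.
resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.assignments
  name             = each.key
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.assignments
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  managed_policy_arn = each.value
}

# Grant the group the permission set in the target account (var.account_id
# is an assumed input holding the 12-digit account id).
resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.assignments
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  principal_id       = data.aws_identitystore_group.this[each.key].group_id
  principal_type     = "GROUP"
  target_id          = var.account_id
  target_type        = "AWS_ACCOUNT"
}
```

If a handful of IAM users must remain (a break-glass account, a legacy integration that cannot assume a role), keep them in their own module and put `#checkov:skip=CKV_AWS_273:<reason>` inside each resource block, so the exception is recorded next to the code and shows up as a skipped check rather than disappearing from the report.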
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /loops-with-for-each/main.tf:38-54
38 | resource "aws_autoscaling_group" "example" {
39 | launch_configuration = aws_launch_configuration.example.id
40 | availability_zones = data.aws_availability_zones.all.names
41 |
42 | min_size = 2
43 | max_size = 2
44 |
45 | # Use for_each to loop over var.custom_tags
46 | dynamic "tag" {
47 | for_each = var.custom_tags
48 | content {
49 | key = tag.key
50 | value = tag.value
51 | propagate_at_launch = true
52 | }
53 | }
54 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /loops-with-for-each/main.tf:61-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
61 | resource "aws_launch_configuration" "example" {
62 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
63 | image_id = "ami-0c55b159cbfafe1f0"
64 | instance_type = "t2.micro"
65 |
66 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
67 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
68 | lifecycle {
69 | create_before_destroy = true
70 | }
71 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /loops-with-for-each/main.tf:61-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
61 | resource "aws_launch_configuration" "example" {
62 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
63 | image_id = "ami-0c55b159cbfafe1f0"
64 | instance_type = "t2.micro"
65 |
66 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
67 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
68 | lifecycle {
69 | create_before_destroy = true
70 | }
71 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.webserver_cluster.aws_autoscaling_group.example
File: /modules/services/webserver-cluster/main.tf:32-47
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
32 | resource "aws_autoscaling_group" "example" {
33 | launch_configuration = aws_launch_configuration.example.id
34 | availability_zones = data.aws_availability_zones.all.names
35 |
36 | min_size = var.min_size
37 | max_size = var.max_size
38 |
39 | load_balancers = [aws_elb.example.name]
40 | health_check_type = "ELB"
41 |
42 | tag {
43 | key = "Name"
44 | value = var.cluster_name
45 | propagate_at_launch = true
46 | }
47 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /modules/services/webserver-cluster/main.tf:53-70
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
53 | resource "aws_launch_configuration" "example" {
54 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
55 | image_id = "ami-0c55b159cbfafe1f0"
56 | instance_type = var.instance_type
57 | security_groups = [aws_security_group.instance.id]
58 |
59 | user_data = <<-EOF
60 | #!/bin/bash
61 | echo "Hello, World" > index.html
62 | nohup busybox httpd -f -p "${var.server_port}" &
63 | EOF
64 |
65 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
66 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
67 | lifecycle {
68 | create_before_destroy = true
69 | }
70 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.webserver_cluster.aws_launch_configuration.example
File: /modules/services/webserver-cluster/main.tf:53-70
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
53 | resource "aws_launch_configuration" "example" {
54 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
55 | image_id = "ami-0c55b159cbfafe1f0"
56 | instance_type = var.instance_type
57 | security_groups = [aws_security_group.instance.id]
58 |
59 | user_data = <<-EOF
60 | #!/bin/bash
61 | echo "Hello, World" > index.html
62 | nohup busybox httpd -f -p "${var.server_port}" &
63 | EOF
64 |
65 | # Whenever using a launch configuration with an auto scaling group, you must set create_before_destroy = true.
66 | # https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
67 | lifecycle {
68 | create_before_destroy = true
69 | }
70 | }
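The three findings above (CKV_AWS_315, CKV_AWS_8, CKV_AWS_79) recur for every launch configuration in this scan: cluster-of-web-servers, loops-with-for-each and modules/services/webserver-cluster. They share one fix: move the configuration to an aws_launch_template that requires IMDSv2 and encrypts the root volume, and point the auto scaling group at the template. The following is an added example written for this report, not code from the intro-to-terraform repository. var.cluster_name, var.instance_type, var.min_size, var.max_size, var.server_port, aws_security_group.instance, aws_elb.example and data.aws_availability_zones.all are taken from the scanned module; the /dev/sda1 root device name is an assumption about the Ubuntu AMI.

```hcl
resource "aws_launch_template" "example" {
  name_prefix = "${var.cluster_name}-"

  # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2 (the AMI the scan shows)
  image_id      = "ami-0c55b159cbfafe1f0"
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.instance.id]

  # CKV_AWS_79: IMDSv2 only. With http_tokens = "required" a plain GET to
  # 169.254.169.254 (the usual SSRF route to instance credentials) is refused.
  # Hop limit 1 keeps responses on the host; raise to 2 only for containers.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root volume (account default EBS key unless
  # kms_key_id is set). /dev/sda1 is the Ubuntu AMI root device (assumption;
  # check the AMI's RootDeviceName for other images).
  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      encrypted             = true
      volume_type           = "gp3"
      delete_on_termination = true
    }
  }

  # Launch templates take base64-encoded user data.
  user_data = base64encode(<<-EOF
    #!/bin/bash
    echo "Hello, World" > index.html
    nohup busybox httpd -f -p "${var.server_port}" &
    EOF
  )

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "example" {
  # CKV_AWS_315: reference the launch template instead of a launch configuration.
  launch_template {
    id      = aws_launch_template.example.id
    version = aws_launch_template.example.latest_version
  }

  availability_zones = data.aws_availability_zones.all.names

  min_size = var.min_size
  max_size = var.max_size

  load_balancers    = [aws_elb.example.name]
  health_check_type = "ELB"

  # Roll instances when the template changes, so servers still running on the
  # old (IMDSv1, unencrypted) configuration are replaced rather than kept.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }

  tag {
    key                 = "Name"
    value               = var.cluster_name
    propagate_at_launch = true
  }
}
```

Without the instance_refresh block a template change only affects instances launched afterwards; the existing fleet keeps IMDSv1 and unencrypted volumes until something else replaces it, which is the gap a scan of the code alone does not show.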
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.instance
File: /modules/services/webserver-cluster/main.tf:76-86
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
76 | resource "aws_security_group" "instance" {
77 | name = "${var.cluster_name}-instance"
78 |
79 | # Inbound HTTP from anywhere
80 | ingress {
81 | from_port = var.server_port
82 | to_port = var.server_port
83 | protocol = "tcp"
84 | cidr_blocks = ["0.0.0.0/0"]
85 | }
86 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: module.webserver_cluster.aws_elb.example
File: /modules/services/webserver-cluster/main.tf:92-112
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
92 | resource "aws_elb" "example" {
93 | name = var.cluster_name
94 | security_groups = [aws_security_group.elb.id]
95 | availability_zones = data.aws_availability_zones.all.names
96 |
97 | health_check {
98 | target = "HTTP:${var.server_port}/"
99 | interval = 30
100 | timeout = 3
101 | healthy_threshold = 2
102 | unhealthy_threshold = 2
103 | }
104 |
105 | # This adds a listener for incoming HTTP requests.
106 | listener {
107 | lb_port = var.elb_port
108 | lb_protocol = "http"
109 | instance_port = var.server_port
110 | instance_protocol = "http"
111 | }
112 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: module.webserver_cluster.aws_elb.example
File: /modules/services/webserver-cluster/main.tf:92-112
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
92 | resource "aws_elb" "example" {
93 | name = var.cluster_name
94 | security_groups = [aws_security_group.elb.id]
95 | availability_zones = data.aws_availability_zones.all.names
96 |
97 | health_check {
98 | target = "HTTP:${var.server_port}/"
99 | interval = 30
100 | timeout = 3
101 | healthy_threshold = 2
102 | unhealthy_threshold = 2
103 | }
104 |
105 | # This adds a listener for incoming HTTP requests.
106 | listener {
107 | lb_port = var.elb_port
108 | lb_protocol = "http"
109 | instance_port = var.server_port
110 | instance_protocol = "http"
111 | }
112 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.webserver_cluster.aws_security_group.elb
File: /modules/services/webserver-cluster/main.tf:118-136
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
118 | resource "aws_security_group" "elb" {
119 | name = "${var.cluster_name}-elb"
120 |
121 | # Allow all outbound
122 | egress {
123 | from_port = 0
124 | to_port = 0
125 | protocol = "-1"
126 | cidr_blocks = ["0.0.0.0/0"]
127 | }
128 |
129 | # Inbound HTTP from anywhere
130 | ingress {
131 | from_port = var.elb_port
132 | to_port = var.elb_port
133 | protocol = "tcp"
134 | cidr_blocks = ["0.0.0.0/0"]
135 | }
136 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.webserver_cluster.aws_security_group.elb
File: /modules/services/webserver-cluster/main.tf:118-136
Calling File: /live/stage/services/webserver-cluster/main.tf:23-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
118 | resource "aws_security_group" "elb" {
119 | name = "${var.cluster_name}-elb"
120 |
121 | # Allow all outbound
122 | egress {
123 | from_port = 0
124 | to_port = 0
125 | protocol = "-1"
126 | cidr_blocks = ["0.0.0.0/0"]
127 | }
128 |
129 | # Inbound HTTP from anywhere
130 | ingress {
131 | from_port = var.elb_port
132 | to_port = var.elb_port
133 | protocol = "tcp"
134 | cidr_blocks = ["0.0.0.0/0"]
135 | }
136 | }
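The description finding (CKV_AWS_23) and the open-port-80 finding (CKV_AWS_260) appear for both security groups in cluster-of-web-servers and again in modules/services/webserver-cluster, alongside the ELB findings CKV_AWS_92 and CKV_AWS_127. One arrangement that satisfies all four, and also closes the instance security group to the load balancer instead of 0.0.0.0/0, follows as an added example for this report rather than code from the repository. var.elb_log_bucket and var.acm_certificate_arn are assumed inputs (the log bucket needs a bucket policy letting the regional ELB log-delivery account write to it; the certificate must be issued or imported in ACM in the ELB's region); var.cluster_name, var.server_port and data.aws_availability_zones.all come from the module.

```hcl
resource "aws_security_group" "elb" {
  name        = "${var.cluster_name}-elb"
  description = "Public load balancer for ${var.cluster_name}"
}

resource "aws_security_group" "instance" {
  name        = "${var.cluster_name}-instance"
  description = "Web servers behind the ${var.cluster_name} ELB"
}

# Rules live in their own resources so the two groups can reference each
# other without a dependency cycle. Every rule carries a description (CKV_AWS_23).
resource "aws_security_group_rule" "elb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.elb.id
  description       = "HTTPS from the internet; this is the public web tier"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "elb_out_to_instances" {
  type                     = "egress"
  security_group_id        = aws_security_group.elb.id
  description              = "Proxied requests and health checks to the web servers only"
  from_port                = var.server_port
  to_port                  = var.server_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance.id
}

# The instances accept the app port from the ELB group only, not from
# 0.0.0.0/0 as in the scanned code. No egress rule, as in the original, so
# the instances cannot initiate outbound connections.
resource "aws_security_group_rule" "instance_in_from_elb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.instance.id
  description              = "App port from the load balancer"
  from_port                = var.server_port
  to_port                  = var.server_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.elb.id
}

resource "aws_elb" "example" {
  name               = var.cluster_name
  security_groups    = [aws_security_group.elb.id]
  availability_zones = data.aws_availability_zones.all.names

  # CKV_AWS_92: access logs to S3 (var.elb_log_bucket is assumed to exist).
  access_logs {
    bucket        = var.elb_log_bucket
    bucket_prefix = var.cluster_name
    interval      = 60
    enabled       = true
  }

  health_check {
    target              = "HTTP:${var.server_port}/"
    interval            = 30
    timeout             = 3
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }

  # CKV_AWS_127: terminate TLS at the ELB with an ACM certificate
  # (var.acm_certificate_arn is assumed). There is no port 80 listener, so
  # CKV_AWS_260 has nothing to flag.
  listener {
    lb_port            = 443
    lb_protocol        = "https"
    instance_port      = var.server_port
    instance_protocol  = "http"
    ssl_certificate_id = var.acm_certificate_arn
  }
}
```

Two caveats a reviewer should see: the ELB's own 443 ingress from 0.0.0.0/0 is what a public web tier looks like, and CKV_AWS_260 only inspects port 80, so not listening on 80 at all is the clean answer (a classic ELB cannot issue an HTTP-to-HTTPS redirect; an ALB can). The hop from the ELB to busybox httpd is still plaintext HTTP inside the VPC, which is accepted here only because that server has no TLS at all.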
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /s3-backend/main.tf:53-62
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
53 | resource "aws_dynamodb_table" "terraform_locks" {
54 | name = "terraform-up-and-running-locks"
55 | billing_mode = "PAY_PER_REQUEST"
56 | hash_key = "LockID"
57 |
58 | attribute {
59 | name = "LockID"
60 | type = "S"
61 | }
62 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /s3-backend/main.tf:53-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
53 | resource "aws_dynamodb_table" "terraform_locks" {
54 | name = "terraform-up-and-running-locks"
55 | billing_mode = "PAY_PER_REQUEST"
56 | hash_key = "LockID"
57 |
58 | attribute {
59 | name = "LockID"
60 | type = "S"
61 | }
62 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /single-web-server/main.tf:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
30 | resource "aws_instance" "example" {
31 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
32 | ami = "ami-0c55b159cbfafe1f0"
33 | instance_type = "t2.micro"
34 | vpc_security_group_ids = [aws_security_group.instance.id]
35 |
36 | user_data = <<-EOF
37 | #!/bin/bash
38 | echo "Hello, World" > index.html
39 | nohup busybox httpd -f -p "${var.server_port}" &
40 | EOF
41 |
42 | tags = {
43 | Name = "terraform-example"
44 | }
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /single-web-server/main.tf:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
30 | resource "aws_instance" "example" {
31 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
32 | ami = "ami-0c55b159cbfafe1f0"
33 | instance_type = "t2.micro"
34 | vpc_security_group_ids = [aws_security_group.instance.id]
35 |
36 | user_data = <<-EOF
37 | #!/bin/bash
38 | echo "Hello, World" > index.html
39 | nohup busybox httpd -f -p "${var.server_port}" &
40 | EOF
41 |
42 | tags = {
43 | Name = "terraform-example"
44 | }
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /single-web-server/main.tf:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
30 | resource "aws_instance" "example" {
31 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
32 | ami = "ami-0c55b159cbfafe1f0"
33 | instance_type = "t2.micro"
34 | vpc_security_group_ids = [aws_security_group.instance.id]
35 |
36 | user_data = <<-EOF
37 | #!/bin/bash
38 | echo "Hello, World" > index.html
39 | nohup busybox httpd -f -p "${var.server_port}" &
40 | EOF
41 |
42 | tags = {
43 | Name = "terraform-example"
44 | }
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /single-web-server/main.tf:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
30 | resource "aws_instance" "example" {
31 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
32 | ami = "ami-0c55b159cbfafe1f0"
33 | instance_type = "t2.micro"
34 | vpc_security_group_ids = [aws_security_group.instance.id]
35 |
36 | user_data = <<-EOF
37 | #!/bin/bash
38 | echo "Hello, World" > index.html
39 | nohup busybox httpd -f -p "${var.server_port}" &
40 | EOF
41 |
42 | tags = {
43 | Name = "terraform-example"
44 | }
45 | }
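For the standalone instance in single-web-server, CKV_AWS_126, CKV_AWS_8, CKV_AWS_79 and CKV_AWS_135 are all settings on the aws_instance itself. The following is an added example for this report, not code from the repository. One of the four cannot be fixed on the scanned instance type: EBS optimization is not supported on t2 instances, and setting ebs_optimized = true on a t2.micro fails at apply time, so the example moves to t3.micro (an assumption; pick the type the workload needs). var.server_port and aws_security_group.instance come from the scanned code.

```hcl
resource "aws_instance" "example" {
  # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
  ami = "ami-0c55b159cbfafe1f0"

  # CKV_AWS_135: t2 instances cannot be EBS-optimized and AWS rejects the
  # request; t3 supports it (it is on by default there), so the type changes
  # together with the setting. t3.micro is an assumption for the example.
  instance_type = "t3.micro"
  ebs_optimized = true

  vpc_security_group_ids = [aws_security_group.instance.id]

  # CKV_AWS_126: one-minute CloudWatch metrics (billed per metric).
  monitoring = true

  # CKV_AWS_79: IMDSv2 only; hop limit 1 keeps metadata responses on the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root volume (account default EBS key unless
  # kms_key_id is set).
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  user_data = <<-EOF
    #!/bin/bash
    echo "Hello, World" > index.html
    nohup busybox httpd -f -p "${var.server_port}" &
    EOF

  tags = {
    Name = "terraform-example"
  }
}
```

Changing instance_type or root_block_device forces a replacement of the instance, so plan it as a rebuild, not an in-place change. The 0.0.0.0/0 ingress on aws_security_group.instance is what a single public web server looks like; give that rule a description (CKV_AWS_23) and narrow the source range where the audience is known.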
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /single-web-server/main.tf:51-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
51 | resource "aws_security_group" "instance" {
52 | name = "terraform-example-instance"
53 |
54 | # Inbound HTTP from anywhere
55 | ingress {
56 | from_port = var.server_port
57 | to_port = var.server_port
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.example
File: /database/main.tf:29-40
29 | resource "aws_db_instance" "example" {
30 | identifier_prefix = "terraform-up-and-running"
31 | engine = "mysql"
32 | allocated_storage = 10
33 | instance_class = "db.t2.micro"
34 | name = "example_database"
35 | username = "admin"
36 | password = var.db_password
37 |
38 | # Don't copy this to your production examples. It's only here to make it quicker to delete this DB.
39 | skip_final_snapshot = true
40 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:29-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
29 | resource "aws_s3_bucket" "terraform_state" {
30 | # TODO: change this to your own name! S3 bucket names must be *globally* unique.
31 | bucket = "terraform-up-and-running-state"
32 |
33 | # Enable versioning so we can see the full revision history of our
34 | # state files
35 | versioning {
36 | enabled = true
37 | }
38 |
39 | # Enable server-side encryption by default
40 | server_side_encryption_configuration {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /single-web-server/main.tf:30-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
30 | resource "aws_instance" "example" {
31 | # Ubuntu Server 18.04 LTS (HVM), SSD Volume Type in us-east-2
32 | ami = "ami-0c55b159cbfafe1f0"
33 | instance_type = "t2.micro"
34 | vpc_security_group_ids = [aws_security_group.instance.id]
35 |
36 | user_data = <<-EOF
37 | #!/bin/bash
38 | echo "Hello, World" > index.html
39 | nohup busybox httpd -f -p "${var.server_port}" &
40 | EOF
41 |
42 | tags = {
43 | Name = "terraform-example"
44 | }
45 | }
circleci_pipelines scan results:
Passed checks: 23, Failed checks: 1, Skipped checks: 0
Check: CKV_CIRCLECIPIPELINES_2: "Ensure the pipeline image version is referenced via hash not arbitrary tag."
FAILED for resource: jobs(precommit).docker.image[1](cimg/python:3.10.2)
File: /.circleci/config.yml:32-34
32 | - image: cimg/python:3.10.2
33 | resource_class: small
34 | steps:
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools