| Repository | gruntwork-io / terragrunt-infrastructure-modules-example |
|---|---|
| Description | A repo used to show example file/folder structures you can use with Terragrunt and Terraform |
| Stars | 269 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 26, Failed checks: 20, Skipped checks: 0
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.webserver_example
File: /asg-elb-service/main.tf:29-44
29 | resource "aws_autoscaling_group" "webserver_example" {
30 | launch_configuration = aws_launch_configuration.webserver_example.id
31 | vpc_zone_identifier = data.aws_subnets.default.ids
32 |
33 | load_balancers = [aws_elb.webserver_example.name]
34 | health_check_type = "ELB"
35 |
36 | min_size = var.min_size
37 | max_size = var.max_size
38 |
39 | tag {
40 | key = "Name"
41 | value = var.name
42 | propagate_at_launch = true
43 | }
44 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.webserver_example
File: /asg-elb-service/main.tf:54-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
54 | resource "aws_launch_configuration" "webserver_example" {
55 | image_id = data.aws_ami.ubuntu.id
56 | instance_type = var.instance_type
57 | security_groups = [aws_security_group.asg.id]
58 |
59 | user_data = <<-EOF
60 | #!/bin/bash
61 | echo "Hello, World" > index.html
62 | nohup busybox httpd -f -p "${var.server_port}" &
63 | EOF
64 |
65 | lifecycle {
66 | create_before_destroy = true
67 | }
68 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.webserver_example
File: /asg-elb-service/main.tf:54-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
54 | resource "aws_launch_configuration" "webserver_example" {
55 | image_id = data.aws_ami.ubuntu.id
56 | instance_type = var.instance_type
57 | security_groups = [aws_security_group.asg.id]
58 |
59 | user_data = <<-EOF
60 | #!/bin/bash
61 | echo "Hello, World" > index.html
62 | nohup busybox httpd -f -p "${var.server_port}" &
63 | EOF
64 |
65 | lifecycle {
66 | create_before_destroy = true
67 | }
68 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.asg
File: /asg-elb-service/main.tf:101-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
101 | resource "aws_security_group" "asg" {
102 | name = "${var.name}-asg"
103 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.asg_allow_http_inbound
File: /asg-elb-service/main.tf:105-112
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
105 | resource "aws_security_group_rule" "asg_allow_http_inbound" {
106 | type = "ingress"
107 | from_port = var.server_port
108 | to_port = var.server_port
109 | protocol = "tcp"
110 | cidr_blocks = ["0.0.0.0/0"]
111 | security_group_id = aws_security_group.asg.id
112 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.webserver_example
File: /asg-elb-service/main.tf:118-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
118 | resource "aws_elb" "webserver_example" {
119 | name = var.name
120 | subnets = data.aws_subnets.default.ids
121 | security_groups = [aws_security_group.elb.id]
122 |
123 | listener {
124 | lb_port = var.elb_port
125 | lb_protocol = "http"
126 | instance_port = var.server_port
127 | instance_protocol = "http"
128 | }
129 |
130 | health_check {
131 | healthy_threshold = 2
132 | unhealthy_threshold = 2
133 | timeout = 3
134 | interval = 30
135 | target = "HTTP:${var.server_port}/"
136 | }
137 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.webserver_example
File: /asg-elb-service/main.tf:118-137
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
118 | resource "aws_elb" "webserver_example" {
119 | name = var.name
120 | subnets = data.aws_subnets.default.ids
121 | security_groups = [aws_security_group.elb.id]
122 |
123 | listener {
124 | lb_port = var.elb_port
125 | lb_protocol = "http"
126 | instance_port = var.server_port
127 | instance_protocol = "http"
128 | }
129 |
130 | health_check {
131 | healthy_threshold = 2
132 | unhealthy_threshold = 2
133 | timeout = 3
134 | interval = 30
135 | target = "HTTP:${var.server_port}/"
136 | }
137 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.elb
File: /asg-elb-service/main.tf:146-148
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
146 | resource "aws_security_group" "elb" {
147 | name = "${var.name}-elb"
148 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elb_allow_http_inbound
File: /asg-elb-service/main.tf:150-157
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
150 | resource "aws_security_group_rule" "elb_allow_http_inbound" {
151 | type = "ingress"
152 | from_port = var.elb_port
153 | to_port = var.elb_port
154 | protocol = "tcp"
155 | cidr_blocks = ["0.0.0.0/0"]
156 | security_group_id = aws_security_group.elb.id
157 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.elb_allow_all_outbound
File: /asg-elb-service/main.tf:159-166
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
159 | resource "aws_security_group_rule" "elb_allow_all_outbound" {
160 | type = "egress"
161 | from_port = 0
162 | to_port = 0
163 | protocol = "-1"
164 | cidr_blocks = ["0.0.0.0/0"]
165 | security_group_id = aws_security_group.elb.id
166 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mysql
File: /mysql/main.tf:27-41
27 | resource "aws_db_instance" "mysql" {
28 | engine = "mysql"
29 | engine_version = "5.6.41"
30 |
31 | name = var.name
32 | username = var.master_username
33 | password = var.master_password
34 |
35 | instance_class = var.instance_class
36 | allocated_storage = var.allocated_storage
37 | storage_type = var.storage_type
38 |
39 | # TODO: DO NOT COPY THIS SETTING INTO YOUR PRODUCTION DBS. It's only here to make testing this code easier!
40 | skip_final_snapshot = true
41 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools