| Repository | jmhale / terraform-aws-wireguard |
|---|---|
| Description | Terraform module to deploy WireGuard on AWS |
| Stars | 122 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool is invoked from any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is included below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Note that the checkov run below could not fetch the external module that the examples reference (see the warning at the top of the output), so that nested module source was not scanned; in a CI run, pass `--download-external-modules true` so it is included.
Checkov Output
2023-10-05 15:02:31,435 [MainThread ] [WARNI] Failed to download module git@github.com:jmhale/terraform-wireguard.git:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 42, Failed checks: 14, Skipped checks: 0
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.wireguard
File: /examples/complex_elb/main.tf:19-24
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
19 | resource "aws_lb" "wireguard" {
20 | name = "wireguard"
21 | load_balancer_type = "network"
22 | internal = false
23 | subnets = ["subnet-876543210"] # typically a public subnet
24 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.wireguard
File: /examples/complex_elb/main.tf:19-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
19 | resource "aws_lb" "wireguard" {
20 | name = "wireguard"
21 | load_balancer_type = "network"
22 | internal = false
23 | subnets = ["subnet-876543210"] # typically a public subnet
24 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.wireguard
File: /examples/complex_elb/main.tf:19-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
19 | resource "aws_lb" "wireguard" {
20 | name = "wireguard"
21 | load_balancer_type = "network"
22 | internal = false
23 | subnets = ["subnet-876543210"] # typically a public subnet
24 | }
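The same `aws_lb` resource with the three flagged settings corrected, as an added example (not the module's or the example's own code). `var.access_logs_bucket` is an assumed name for an existing S3 bucket whose bucket policy already permits log delivery, and `aws_lb_target_group.wireguard` / `aws_lb_listener.wireguard_udp` are assumed names for the listener side that the excerpt above does not show; the health check on TCP/22 follows the comment on the example's `wireguard_ssh_check` group. Two caveats before copying it: with deletion protection on, `terraform destroy` of the example fails until the flag is turned back off, and a Network Load Balancer only writes access logs for TLS listeners, so for the UDP WireGuard listener the log bucket stays empty and VPC Flow Logs are what actually record client connections.

```hcl
# Added example: aws_lb from examples/complex_elb/main.tf with the settings
# that CKV_AWS_150, CKV_AWS_152 and CKV_AWS_91 flag. Not the module's own code.
resource "aws_lb" "wireguard" {
  name               = "wireguard"
  load_balancer_type = "network"
  internal           = false
  subnets            = ["subnet-876543210"] # typically a public subnet

  # CKV_AWS_150: refuse API/console deletion of the VPN entry point.
  # Must be set back to false before `terraform destroy` will succeed.
  enable_deletion_protection = true

  # CKV_AWS_152: spread traffic across every AZ that has a healthy WireGuard
  # host, instead of only the hosts in the node's own AZ.
  enable_cross_zone_load_balancing = true

  # CKV_AWS_91: access logging. Assumes var.access_logs_bucket names an
  # existing bucket whose policy lets delivery.logs.amazonaws.com write to it.
  # NLB access logs cover TLS listeners only; the UDP listener below produces
  # no entries here, so enable VPC Flow Logs on the subnets for that traffic.
  access_logs {
    bucket  = var.access_logs_bucket
    prefix  = "wireguard-nlb"
    enabled = true
  }
}

# Assumed names: the target group and UDP listener that carry WireGuard
# traffic through the NLB to the module's hosts.
resource "aws_lb_target_group" "wireguard" {
  name     = "wireguard"
  port     = var.wg_server_port
  protocol = "UDP"
  vpc_id   = "vpc-01234567"

  # UDP has no handshake to probe, so the example health-checks TCP/22, which
  # is why its wireguard_ssh_check group admits SSH from the subnet range the
  # load balancer probes from.
  health_check {
    protocol = "TCP"
    port     = "22"
  }
}

resource "aws_lb_listener" "wireguard_udp" {
  load_balancer_arn = aws_lb.wireguard.arn
  port              = var.wg_server_port
  protocol          = "UDP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.wireguard.arn
  }
}
```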
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.wireguard_ssh_check
File: /examples/complex_elb/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
26 | resource "aws_security_group" "wireguard_ssh_check" {
27 | name = "wireguard_ssh_check"
28 | vpc_id = "vpc-01234567"
29 |
30 | # SSH access from the CIDR, which allows our healthcheck to complete
31 | ingress {
32 | from_port = 22
33 | to_port = 22
34 | protocol = "tcp"
35 | cidr_blocks = ["192.168.1.0/24"] # range that covers public subnet_ids, aws_lb will check the hosts from these ranges
36 | }
37 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.wireguard_launch_config
File: /main.tf:50-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
50 | resource "aws_launch_configuration" "wireguard_launch_config" {
51 | name_prefix = "wireguard-${var.env}-"
52 | image_id = var.ami_id == null ? data.aws_ami.ubuntu.id : var.ami_id
53 | instance_type = var.instance_type
54 | key_name = var.ssh_key_id
55 | iam_instance_profile = (var.use_eip ? aws_iam_instance_profile.wireguard_profile[0].name : null)
56 | user_data = data.template_file.user_data.rendered
57 | security_groups = local.security_groups_ids
58 | associate_public_ip_address = var.use_eip
59 |
60 | lifecycle {
61 | create_before_destroy = true
62 | }
63 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.wireguard_launch_config
File: /main.tf:50-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
50 | resource "aws_launch_configuration" "wireguard_launch_config" {
51 | name_prefix = "wireguard-${var.env}-"
52 | image_id = var.ami_id == null ? data.aws_ami.ubuntu.id : var.ami_id
53 | instance_type = var.instance_type
54 | key_name = var.ssh_key_id
55 | iam_instance_profile = (var.use_eip ? aws_iam_instance_profile.wireguard_profile[0].name : null)
56 | user_data = data.template_file.user_data.rendered
57 | security_groups = local.security_groups_ids
58 | associate_public_ip_address = var.use_eip
59 |
60 | lifecycle {
61 | create_before_destroy = true
62 | }
63 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.wireguard_asg
File: /main.tf:65-102
65 | resource "aws_autoscaling_group" "wireguard_asg" {
66 | name = aws_launch_configuration.wireguard_launch_config.name
67 | launch_configuration = aws_launch_configuration.wireguard_launch_config.name
68 | min_size = var.asg_min_size
69 | desired_capacity = var.asg_desired_capacity
70 | max_size = var.asg_max_size
71 | vpc_zone_identifier = var.subnet_ids
72 | health_check_type = "EC2"
73 | termination_policies = ["OldestLaunchConfiguration", "OldestInstance"]
74 | target_group_arns = var.target_group_arns
75 |
76 | lifecycle {
77 | create_before_destroy = true
78 | }
79 |
80 | tags = [
81 | {
82 | key = "Name"
83 | value = aws_launch_configuration.wireguard_launch_config.name
84 | propagate_at_launch = true
85 | },
86 | {
87 | key = "Project"
88 | value = "wireguard"
89 | propagate_at_launch = true
90 | },
91 | {
92 | key = "env"
93 | value = var.env
94 | propagate_at_launch = true
95 | },
96 | {
97 | key = "tf-managed"
98 | value = "True"
99 | propagate_at_launch = true
100 | },
101 | ]
102 | }
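The three findings above (CKV_AWS_8, CKV_AWS_79, CKV_AWS_315) share one root cause: the module still uses an `aws_launch_configuration`, which cannot express IMDSv2 enforcement or root-volume encryption. Below is an added example, not the module's own code, that rebuilds the pair around an `aws_launch_template`. Variable, data-source and local names are the ones used in the scanned `main.tf`; the root device name `/dev/sda1` is an assumption for the Ubuntu AMI the module looks up, and the static ASG name replaces the original's reference to the launch configuration name.

```hcl
# Added example, not the module's own code: launch template plus ASG so that
# IMDSv2 is mandatory (CKV_AWS_79), the root volume is encrypted (CKV_AWS_8)
# and the ASG consumes a launch template (CKV_AWS_315).
resource "aws_launch_template" "wireguard" {
  name_prefix   = "wireguard-${var.env}-"
  image_id      = var.ami_id == null ? data.aws_ami.ubuntu.id : var.ami_id
  instance_type = var.instance_type
  key_name      = var.ssh_key_id

  # Launch templates take base64-encoded user data; launch configurations took
  # plain text, so the rendered template is wrapped here.
  user_data = base64encode(data.template_file.user_data.rendered)

  # The instance profile is only attached when the host must call
  # ec2:AssociateAddress at boot (var.use_eip), as in the original.
  dynamic "iam_instance_profile" {
    for_each = var.use_eip ? [1] : []
    content {
      name = aws_iam_instance_profile.wireguard_profile[0].name
    }
  }

  network_interfaces {
    associate_public_ip_address = var.use_eip
    security_groups             = local.security_groups_ids
  }

  # CKV_AWS_79: require the IMDSv2 session token. A process on the VPN host
  # coerced into a plain GET against 169.254.169.254 then cannot read the
  # instance-profile credentials that grant ec2:AssociateAddress. Hop limit 1
  # keeps the token from being relayed out of a container or forwarded path.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: the host's WireGuard private key and peer configuration are
  # written to the root volume; encrypt it with the account's default EBS key.
  block_device_mappings {
    device_name = "/dev/sda1" # assumption: root device of the Ubuntu AMI
    ebs {
      encrypted             = true
      delete_on_termination = true
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "wireguard_asg" {
  name                = "wireguard-${var.env}"
  min_size            = var.asg_min_size
  desired_capacity    = var.asg_desired_capacity
  max_size            = var.asg_max_size
  vpc_zone_identifier = var.subnet_ids
  health_check_type   = "EC2"
  target_group_arns   = var.target_group_arns

  # CKV_AWS_315: point the group at the template; "$Latest" means a template
  # change reaches new instances on the next scale-out or replacement.
  launch_template {
    id      = aws_launch_template.wireguard.id
    version = "$Latest"
  }

  termination_policies = ["OldestLaunchTemplate", "OldestInstance"]

  # Recent AWS provider releases dropped the `tags = [...]` list in favour of
  # repeated `tag` blocks; one block per key replaces the original list.
  dynamic "tag" {
    for_each = {
      Name         = "wireguard-${var.env}"
      Project      = "wireguard"
      env          = var.env
      "tf-managed" = "True"
    }
    content {
      key                 = tag.key
      value               = tag.value
      propagate_at_launch = true
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}
```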
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.wireguard_policy_doc
File: /wireguard-iam.tf:14-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
14 | data "aws_iam_policy_document" "wireguard_policy_doc" {
15 | statement {
16 | actions = [
17 | "ec2:AssociateAddress",
18 | ]
19 |
20 | resources = ["*"]
21 | }
22 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.wireguard_policy_doc
File: /wireguard-iam.tf:14-22
14 | data "aws_iam_policy_document" "wireguard_policy_doc" {
15 | statement {
16 | actions = [
17 | "ec2:AssociateAddress",
18 | ]
19 |
20 | resources = ["*"]
21 | }
22 | }
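CKV_AWS_111 and CKV_AWS_356 both point at the same statement: with `resources = ["*"]`, the instance profile can move any Elastic IP in the account onto any instance, not just the VPN's own address onto the VPN host. `ec2:AssociateAddress` supports resource-level permissions on the `elastic-ip` and `instance` resource types, so both sides can be pinned. Below is an added example, not the module's own code; it assumes the EIP's allocation ID is passed in as `var.eip_id` (a hypothetical variable name), that instances carry the `Project=wireguard` tag the ASG propagates (visible in the scanned `main.tf`), and that the deployment is in the standard `aws` partition. The related CKV2_AWS_19 finding on `examples/simple_eip` is a consequence of the same design: the EIP is deliberately left unattached in Terraform and claimed at boot by whichever ASG instance is running, which is the whole reason this policy exists, so that finding is better suppressed with a justification than "fixed".

```hcl
# Added example, not the module's own code: ec2:AssociateAddress pinned to one
# allocation and to instances tagged as part of this deployment.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # arn:aws:ec2:<region>:<account> ; assumes the standard "aws" partition.
  ec2_arn_prefix = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
}

data "aws_iam_policy_document" "wireguard_policy_doc" {
  # Only this one allocation may be associated (var.eip_id is a hypothetical
  # variable carrying the eipalloc-... ID)...
  statement {
    sid       = "AssociateOnlyTheWireguardEip"
    actions   = ["ec2:AssociateAddress"]
    resources = ["${local.ec2_arn_prefix}:elastic-ip/${var.eip_id}"]
  }

  # ...and only onto an instance tagged as part of this deployment. The
  # instance ID is unknown at plan time (the ASG creates it), so the tag the
  # ASG propagates stands in for it.
  statement {
    sid       = "AssociateOnlyToWireguardInstances"
    actions   = ["ec2:AssociateAddress"]
    resources = ["${local.ec2_arn_prefix}:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Project"
      values   = ["wireguard"]
    }
  }
}
```

A request that names both an allocation and an instance is checked against both statements, so an instance without the tag, or a different allocation, is denied even though the role still holds the action.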
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg_wireguard_external
File: /wireguard-securitygroups.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "sg_wireguard_external" {
2 | name = "wireguard-${var.env}-external"
3 | description = "Terraform Managed. Allow Wireguard client traffic from internet."
4 | vpc_id = var.vpc_id
5 |
6 | tags = {
7 | Name = "wireguard-${var.env}-external"
8 | Project = "wireguard"
9 | tf-managed = "True"
10 | env = var.env
11 | }
12 |
13 | ingress {
14 | from_port = var.wg_server_port
15 | to_port = var.wg_server_port
16 | protocol = "udp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 |
20 | egress {
21 | from_port = 0
22 | to_port = 0
23 | protocol = "-1"
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg_wireguard_admin
File: /wireguard-securitygroups.tf:28-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
28 | resource "aws_security_group" "sg_wireguard_admin" {
29 | name = "wireguard-${var.env}-admin"
30 | description = "Terraform Managed. Allow admin traffic to internal resources from VPN"
31 | vpc_id = var.vpc_id
32 |
33 | tags = {
34 | Name = "wireguard-${var.env}-admin"
35 | Project = "vpn"
36 | tf-managed = "True"
37 | env = var.env
38 | }
39 |
40 | ingress {
41 | from_port = 0
42 | to_port = 0
43 | protocol = "-1"
44 | security_groups = [aws_security_group.sg_wireguard_external.id]
45 | }
46 |
47 | ingress {
48 | from_port = 8
49 | to_port = 0
50 | protocol = "icmp"
51 | security_groups = [aws_security_group.sg_wireguard_external.id]
52 | }
53 |
54 | egress {
55 | from_port = 0
56 | to_port = 0
57 | protocol = "-1"
58 | cidr_blocks = ["0.0.0.0/0"]
59 | }
60 | }
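CKV_AWS_23 is reported three times above and the fix is the same each time: a `description` on every `ingress` and `egress` block. The added example below, not the module's own code, shows `sg_wireguard_admin` with descriptions and an unchanged rule set. CKV2_AWS_5, reported against this same group further down, is a graph check that fails when nothing in the scanned files references the group. If, as its description suggests, the group is meant to be attached by the caller to the internal resources the VPN reaches, then nothing inside the module should reference it and the finding is a module-boundary false positive; the inline skip comment shown is checkov's mechanism for recording that decision next to the resource rather than silently ignoring it.

```hcl
# Added example, not the module's own code: sg_wireguard_admin from
# wireguard-securitygroups.tf with a description on every rule (CKV_AWS_23).
resource "aws_security_group" "sg_wireguard_admin" {
  # checkov:skip=CKV2_AWS_5: attached by the caller to internal resources, not by this module
  name        = "wireguard-${var.env}-admin"
  description = "Terraform Managed. Allow admin traffic to internal resources from VPN"
  vpc_id      = var.vpc_id

  tags = {
    Name       = "wireguard-${var.env}-admin"
    Project    = "vpn"
    tf-managed = "True"
    env        = var.env
  }

  # protocol "-1" with ports 0-0 is all traffic, including ICMP.
  ingress {
    description     = "All traffic from the WireGuard hosts (members of the external SG)"
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = [aws_security_group.sg_wireguard_external.id]
  }

  # For protocol "icmp" AWS reads from_port as the ICMP type and to_port as
  # the code: 8/0 is echo request, i.e. ping from the VPN hosts. The rule
  # above already permits it; this one documents the intent explicitly.
  ingress {
    description     = "ICMP echo request (ping) from the WireGuard hosts"
    from_port       = 8
    to_port         = 0
    protocol        = "icmp"
    security_groups = [aws_security_group.sg_wireguard_external.id]
  }

  egress {
    description = "Unrestricted outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```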
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.wireguard
File: /examples/simple_eip/main.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
1 | resource "aws_eip" "wireguard" {
2 | vpc = true
3 | tags = {
4 | Name = "wireguard"
5 | }
6 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.wireguard_ssh_check
File: /examples/complex_elb/main.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
26 | resource "aws_security_group" "wireguard_ssh_check" {
27 | name = "wireguard_ssh_check"
28 | vpc_id = "vpc-01234567"
29 |
30 | # SSH access from the CIDR, which allows our healthcheck to complete
31 | ingress {
32 | from_port = 22
33 | to_port = 22
34 | protocol = "tcp"
35 | cidr_blocks = ["192.168.1.0/24"] # range that covers public subnet_ids, aws_lb will check the hosts from these ranges
36 | }
37 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.sg_wireguard_admin
File: /wireguard-securitygroups.tf:28-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
28 | resource "aws_security_group" "sg_wireguard_admin" {
29 | name = "wireguard-${var.env}-admin"
30 | description = "Terraform Managed. Allow admin traffic to internal resources from VPN"
31 | vpc_id = var.vpc_id
32 |
33 | tags = {
34 | Name = "wireguard-${var.env}-admin"
35 | Project = "vpn"
36 | tf-managed = "True"
37 | env = var.env
38 | }
39 |
40 | ingress {
41 | from_port = 0
42 | to_port = 0
43 | protocol = "-1"
44 | security_groups = [aws_security_group.sg_wireguard_external.id]
45 | }
46 |
47 | ingress {
48 | from_port = 8
49 | to_port = 0
50 | protocol = "icmp"
51 | security_groups = [aws_security_group.sg_wireguard_external.id]
52 | }
53 |
54 | egress {
55 | from_port = 0
56 | to_port = 0
57 | protocol = "-1"
58 | cidr_blocks = ["0.0.0.0/0"]
59 | }
60 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool is invoked from any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools