| Repository | ned1313 / Deep-Dive-Terraform |
|---|---|
| Description | Exercise files for my Pluralsight course. |
| Stars | 184 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:52:32,358 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:52:32,359 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/key-pair/aws:~>2.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 64, Failed checks: 43, Skipped checks: 0
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
FAILED for resource: github_repository.main
File: /m5/github_config/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/ensure-repository-is-private.html
1 | resource "github_repository" "main" {
2 | name = var.repository_name
3 | description = "Terraform Deep Dive Repository for Globomantics Networking"
4 | visibility = "public"
5 | auto_init = true
6 | gitignore_template = "Terraform"
7 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.main
File: /m7/application_config_example/resources.tf:95-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
95 | resource "aws_lb" "main" {
96 | name = "${local.name_prefix}-webapp"
97 | internal = false
98 | load_balancer_type = "application"
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 | subnets = var.public_subnets
101 |
102 | enable_deletion_protection = false
103 |
104 | tags = local.common_tags
105 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.main
File: /m7/application_config_example/resources.tf:95-105
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
95 | resource "aws_lb" "main" {
96 | name = "${local.name_prefix}-webapp"
97 | internal = false
98 | load_balancer_type = "application"
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 | subnets = var.public_subnets
101 |
102 | enable_deletion_protection = false
103 |
104 | tags = local.common_tags
105 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.main
File: /m7/application_config_example/resources.tf:95-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
95 | resource "aws_lb" "main" {
96 | name = "${local.name_prefix}-webapp"
97 | internal = false
98 | load_balancer_type = "application"
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 | subnets = var.public_subnets
101 |
102 | enable_deletion_protection = false
103 |
104 | tags = local.common_tags
105 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.main
File: /m7/application_config_example/resources.tf:107-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
107 | resource "aws_lb_listener" "main" {
108 | load_balancer_arn = aws_lb.main.arn
109 | port = "80"
110 | protocol = "HTTP"
111 |
112 | default_action {
113 | type = "forward"
114 | target_group_arn = aws_lb_target_group.main.arn
115 | }
116 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.main
File: /m7/application_config_example/resources.tf:118-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
118 | resource "aws_lb_target_group" "main" {
119 | name = "${local.name_prefix}-webapp"
120 | port = 80
121 | target_type = "instance"
122 | protocol = "HTTP"
123 | vpc_id = var.vpc_id
124 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /m7/application_config_example/security_groups.tf:5-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "${local.name_prefix}-http-inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = var.vpc_id
24 |
25 | tags = local.common_tags
26 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /m7/application_config_example/security_groups.tf:5-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "${local.name_prefix}-http-inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = var.vpc_id
24 |
25 | tags = local.common_tags
26 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /m7/application_config_example/security_groups.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
28 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
29 | name = "${local.name_prefix}-ssh-inbound"
30 | description = "Allow SSH from certain ranges"
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = [var.ip_range]
37 | }
38 |
39 | vpc_id = var.vpc_id
40 |
41 | tags = local.common_tags
42 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /m7/application_config_example/security_groups.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
28 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
29 | name = "${local.name_prefix}-ssh-inbound"
30 | description = "Allow SSH from certain ranges"
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = [var.ip_range]
37 | }
38 |
39 | vpc_id = var.vpc_id
40 |
41 | tags = local.common_tags
42 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_outbound_sg
File: /m7/application_config_example/security_groups.tf:44-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
44 | resource "aws_security_group" "webapp_outbound_sg" {
45 | name = "${local.name_prefix}-webapp-outbound"
46 | description = "Allow outbound connections"
47 |
48 | egress {
49 | from_port = 0
50 | to_port = 0
51 | protocol = "-1"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | }
54 |
55 | vpc_id = var.vpc_id
56 |
57 | tags = local.common_tags
58 | }
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
FAILED for resource: github_repository.main
File: /m7/github_config_application/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/ensure-repository-is-private.html
1 | resource "github_repository" "main" {
2 | name = var.repository_name
3 | description = "Terraform Deep Dive Repository for Globomantics Application"
4 | visibility = "public"
5 | auto_init = true
6 | gitignore_template = "Terraform"
7 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.main
File: /m9/application_config_complete/resources.tf:34-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
34 | resource "aws_instance" "main" {
35 | count = length(data.tfe_outputs.networking.nonsensitive_values.public_subnets)
36 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
37 | instance_type = var.instance_type
38 | subnet_id = data.tfe_outputs.networking.nonsensitive_values.public_subnets[count.index]
39 | vpc_security_group_ids = [
40 | aws_security_group.webapp_http_inbound_sg.id,
41 | aws_security_group.webapp_ssh_inbound_sg.id,
42 | aws_security_group.webapp_outbound_sg.id,
43 | ]
44 |
45 | key_name = module.ssh_keys.key_pair_name
46 |
47 | tags = merge(local.common_tags, {
48 | "Name" = "${local.name_prefix}-webapp-${count.index}"
49 | })
50 |
51 | user_data = templatefile("${path.module}/templates/userdata.sh", {
52 | playbook_repository = var.playbook_repository
53 | secret_id = var.api_key_secret_id
54 | host_list_ssm_name = local.host_list_ssm_name
55 | site_name_ssm_name = local.site_name_ssm_name
56 | })
57 |
58 | user_data_replace_on_change = true
59 | iam_instance_profile = aws_iam_instance_profile.main.name
60 |
61 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.main
File: /m9/application_config_complete/resources.tf:34-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
34 | resource "aws_instance" "main" {
35 | count = length(data.tfe_outputs.networking.nonsensitive_values.public_subnets)
36 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
37 | instance_type = var.instance_type
38 | subnet_id = data.tfe_outputs.networking.nonsensitive_values.public_subnets[count.index]
39 | vpc_security_group_ids = [
40 | aws_security_group.webapp_http_inbound_sg.id,
41 | aws_security_group.webapp_ssh_inbound_sg.id,
42 | aws_security_group.webapp_outbound_sg.id,
43 | ]
44 |
45 | key_name = module.ssh_keys.key_pair_name
46 |
47 | tags = merge(local.common_tags, {
48 | "Name" = "${local.name_prefix}-webapp-${count.index}"
49 | })
50 |
51 | user_data = templatefile("${path.module}/templates/userdata.sh", {
52 | playbook_repository = var.playbook_repository
53 | secret_id = var.api_key_secret_id
54 | host_list_ssm_name = local.host_list_ssm_name
55 | site_name_ssm_name = local.site_name_ssm_name
56 | })
57 |
58 | user_data_replace_on_change = true
59 | iam_instance_profile = aws_iam_instance_profile.main.name
60 |
61 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.main
File: /m9/application_config_complete/resources.tf:34-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
34 | resource "aws_instance" "main" {
35 | count = length(data.tfe_outputs.networking.nonsensitive_values.public_subnets)
36 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
37 | instance_type = var.instance_type
38 | subnet_id = data.tfe_outputs.networking.nonsensitive_values.public_subnets[count.index]
39 | vpc_security_group_ids = [
40 | aws_security_group.webapp_http_inbound_sg.id,
41 | aws_security_group.webapp_ssh_inbound_sg.id,
42 | aws_security_group.webapp_outbound_sg.id,
43 | ]
44 |
45 | key_name = module.ssh_keys.key_pair_name
46 |
47 | tags = merge(local.common_tags, {
48 | "Name" = "${local.name_prefix}-webapp-${count.index}"
49 | })
50 |
51 | user_data = templatefile("${path.module}/templates/userdata.sh", {
52 | playbook_repository = var.playbook_repository
53 | secret_id = var.api_key_secret_id
54 | host_list_ssm_name = local.host_list_ssm_name
55 | site_name_ssm_name = local.site_name_ssm_name
56 | })
57 |
58 | user_data_replace_on_change = true
59 | iam_instance_profile = aws_iam_instance_profile.main.name
60 |
61 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.main
File: /m9/application_config_complete/resources.tf:34-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
34 | resource "aws_instance" "main" {
35 | count = length(data.tfe_outputs.networking.nonsensitive_values.public_subnets)
36 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
37 | instance_type = var.instance_type
38 | subnet_id = data.tfe_outputs.networking.nonsensitive_values.public_subnets[count.index]
39 | vpc_security_group_ids = [
40 | aws_security_group.webapp_http_inbound_sg.id,
41 | aws_security_group.webapp_ssh_inbound_sg.id,
42 | aws_security_group.webapp_outbound_sg.id,
43 | ]
44 |
45 | key_name = module.ssh_keys.key_pair_name
46 |
47 | tags = merge(local.common_tags, {
48 | "Name" = "${local.name_prefix}-webapp-${count.index}"
49 | })
50 |
51 | user_data = templatefile("${path.module}/templates/userdata.sh", {
52 | playbook_repository = var.playbook_repository
53 | secret_id = var.api_key_secret_id
54 | host_list_ssm_name = local.host_list_ssm_name
55 | site_name_ssm_name = local.site_name_ssm_name
56 | })
57 |
58 | user_data_replace_on_change = true
59 | iam_instance_profile = aws_iam_instance_profile.main.name
60 |
61 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.main
File: /m9/application_config_complete/resources.tf:63-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
63 | resource "aws_lb" "main" {
64 | name = "${local.name_prefix}-webapp"
65 | internal = false
66 | load_balancer_type = "application"
67 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
68 | subnets = data.tfe_outputs.networking.nonsensitive_values.public_subnets
69 |
70 | enable_deletion_protection = false
71 |
72 | tags = local.common_tags
73 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.main
File: /m9/application_config_complete/resources.tf:63-73
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
63 | resource "aws_lb" "main" {
64 | name = "${local.name_prefix}-webapp"
65 | internal = false
66 | load_balancer_type = "application"
67 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
68 | subnets = data.tfe_outputs.networking.nonsensitive_values.public_subnets
69 |
70 | enable_deletion_protection = false
71 |
72 | tags = local.common_tags
73 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.main
File: /m9/application_config_complete/resources.tf:63-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
63 | resource "aws_lb" "main" {
64 | name = "${local.name_prefix}-webapp"
65 | internal = false
66 | load_balancer_type = "application"
67 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
68 | subnets = data.tfe_outputs.networking.nonsensitive_values.public_subnets
69 |
70 | enable_deletion_protection = false
71 |
72 | tags = local.common_tags
73 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.main
File: /m9/application_config_complete/resources.tf:75-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
75 | resource "aws_lb_listener" "main" {
76 | load_balancer_arn = aws_lb.main.arn
77 | port = "80"
78 | protocol = "HTTP"
79 |
80 | default_action {
81 | type = "forward"
82 | target_group_arn = aws_lb_target_group.main.arn
83 | }
84 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.main
File: /m9/application_config_complete/resources.tf:86-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
86 | resource "aws_lb_target_group" "main" {
87 | name = "${local.name_prefix}-webapp"
88 | port = 80
89 | target_type = "instance"
90 | protocol = "HTTP"
91 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
92 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /m9/application_config_complete/security_groups.tf:5-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "${local.name_prefix}-http-inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
24 |
25 | tags = local.common_tags
26 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /m9/application_config_complete/security_groups.tf:5-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "${local.name_prefix}-http-inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
24 |
25 | tags = local.common_tags
26 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /m9/application_config_complete/security_groups.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
28 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
29 | name = "${local.name_prefix}-ssh-inbound"
30 | description = "Allow SSH from certain ranges"
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = [var.ip_range]
37 | }
38 |
39 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
40 |
41 | tags = local.common_tags
42 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /m9/application_config_complete/security_groups.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
28 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
29 | name = "${local.name_prefix}-ssh-inbound"
30 | description = "Allow SSH from certain ranges"
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = [var.ip_range]
37 | }
38 |
39 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
40 |
41 | tags = local.common_tags
42 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_outbound_sg
File: /m9/application_config_complete/security_groups.tf:44-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
44 | resource "aws_security_group" "webapp_outbound_sg" {
45 | name = "${local.name_prefix}-webapp-outbound"
46 | description = "Allow outbound connections"
47 |
48 | egress {
49 | from_port = 0
50 | to_port = 0
51 | protocol = "-1"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | }
54 |
55 | vpc_id = data.tfe_outputs.networking.nonsensitive_values.vpc_id
56 |
57 | tags = local.common_tags
58 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.host_list
File: /m9/application_config_complete/ssm_parameters.tf:6-10
6 | resource "aws_ssm_parameter" "host_list" {
7 | name = local.host_list_ssm_name
8 | type = "StringList"
9 | value = join(",", aws_instance.main.*.private_dns)
10 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.site_name
File: /m9/application_config_complete/ssm_parameters.tf:12-16
12 | resource "aws_ssm_parameter" "site_name" {
13 | name = local.site_name_ssm_name
14 | type = "String"
15 | value = "${local.name_prefix}-taco-wagon"
16 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.api_key
File: /m9/create_secrets_manager/main.tf:5-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
5 | resource "aws_secretsmanager_secret" "api_key" {
6 | name = "taco_wagon_dev_api_key"
7 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy_document.web_app_access
File: /m9/create_secrets_manager/main.tf:14-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
14 | data "aws_iam_policy_document" "web_app_access" {
15 | statement {
16 | principals {
17 | type = "AWS"
18 | identifiers = [aws_iam_role.web_app.arn]
19 | }
20 |
21 | actions = ["secretsmanager:GetSecretValue"]
22 |
23 | resources = ["*"]
24 | }
25 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.web_app_access
File: /m9/create_secrets_manager/main.tf:14-25
14 | data "aws_iam_policy_document" "web_app_access" {
15 | statement {
16 | principals {
17 | type = "AWS"
18 | identifiers = [aws_iam_role.web_app.arn]
19 | }
20 |
21 | actions = ["secretsmanager:GetSecretValue"]
22 |
23 | resources = ["*"]
24 | }
25 | }
Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
FAILED for resource: github_repository.main
File: /m5/github_config/main.tf:1-7
1 | resource "github_repository" "main" {
2 | name = var.repository_name
3 | description = "Terraform Deep Dive Repository for Globomantics Networking"
4 | visibility = "public"
5 | auto_init = true
6 | gitignore_template = "Terraform"
7 | }
Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
FAILED for resource: github_repository.main
File: /m7/github_config_application/main.tf:1-7
1 | resource "github_repository" "main" {
2 | name = var.repository_name
3 | description = "Terraform Deep Dive Repository for Globomantics Application"
4 | visibility = "public"
5 | auto_init = true
6 | gitignore_template = "Terraform"
7 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.main
File: /m7/application_config_example/resources.tf:107-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
107 | resource "aws_lb_listener" "main" {
108 | load_balancer_arn = aws_lb.main.arn
109 | port = "80"
110 | protocol = "HTTP"
111 |
112 | default_action {
113 | type = "forward"
114 | target_group_arn = aws_lb_target_group.main.arn
115 | }
116 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.main
File: /m9/application_config_complete/resources.tf:75-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
75 | resource "aws_lb_listener" "main" {
76 | load_balancer_arn = aws_lb.main.arn
77 | port = "80"
78 | protocol = "HTTP"
79 |
80 | default_action {
81 | type = "forward"
82 | target_group_arn = aws_lb_target_group.main.arn
83 | }
84 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.main
File: /m7/application_config_example/resources.tf:95-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
95 | resource "aws_lb" "main" {
96 | name = "${local.name_prefix}-webapp"
97 | internal = false
98 | load_balancer_type = "application"
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 | subnets = var.public_subnets
101 |
102 | enable_deletion_protection = false
103 |
104 | tags = local.common_tags
105 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.main
File: /m9/application_config_complete/resources.tf:63-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
63 | resource "aws_lb" "main" {
64 | name = "${local.name_prefix}-webapp"
65 | internal = false
66 | load_balancer_type = "application"
67 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
68 | subnets = data.tfe_outputs.networking.nonsensitive_values.public_subnets
69 |
70 | enable_deletion_protection = false
71 |
72 | tags = local.common_tags
73 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.api_key
File: /m9/create_secrets_manager/main.tf:5-7
5 | resource "aws_secretsmanager_secret" "api_key" {
6 | name = "taco_wagon_dev_api_key"
7 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.main
File: /m7/application_config_example/resources.tf:95-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
95 | resource "aws_lb" "main" {
96 | name = "${local.name_prefix}-webapp"
97 | internal = false
98 | load_balancer_type = "application"
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 | subnets = var.public_subnets
101 |
102 | enable_deletion_protection = false
103 |
104 | tags = local.common_tags
105 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.main
File: /m9/application_config_complete/resources.tf:63-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
63 | resource "aws_lb" "main" {
64 | name = "${local.name_prefix}-webapp"
65 | internal = false
66 | load_balancer_type = "application"
67 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
68 | subnets = data.tfe_outputs.networking.nonsensitive_values.public_subnets
69 |
70 | enable_deletion_protection = false
71 |
72 | tags = local.common_tags
73 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.host_list
File: /m9/application_config_complete/ssm_parameters.tf:6-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
6 | resource "aws_ssm_parameter" "host_list" {
7 | name = local.host_list_ssm_name
8 | type = "StringList"
9 | value = join(",", aws_instance.main.*.private_dns)
10 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.site_name
File: /m9/application_config_complete/ssm_parameters.tf:12-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
12 | resource "aws_ssm_parameter" "site_name" {
13 | name = local.site_name_ssm_name
14 | type = "String"
15 | value = "${local.name_prefix}-taco-wagon"
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.main
File: /m7/application_config_example/resources.tf:28-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
28 | resource "aws_instance" "main" {
29 | count = length(var.public_subnets)
30 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
31 | instance_type = var.instance_type
32 | subnet_id = var.public_subnets[count.index]
33 | vpc_security_group_ids = [
34 | aws_security_group.webapp_http_inbound_sg.id,
35 | aws_security_group.webapp_ssh_inbound_sg.id,
36 | aws_security_group.webapp_outbound_sg.id,
37 | ]
38 |
39 | key_name = module.ssh_keys.key_pair_name
40 |
41 | tags = merge(local.common_tags, {
42 | "Name" = "${local.name_prefix}-webapp-${count.index}"
43 | })
44 |
45 | # Provisioner Stuff
46 | connection {
47 | type = "ssh"
48 | user = "ec2-user"
49 | port = "22"
50 | host = self.public_ip
51 | private_key = module.ssh_keys.private_key_openssh
52 | }
53 |
54 | provisioner "file" {
55 | source = "./templates/userdata.sh"
56 | destination = "/home/ec2-user/userdata.sh"
57 | }
58 |
59 | provisioner "remote-exec" {
60 | inline = [
61 | "chmod +x /home/ec2-user/userdata.sh",
62 | "sh /home/ec2-user/userdata.sh",
63 | ]
64 | on_failure = continue
65 | }
66 |
67 | }
cloudformation scan results:
Passed checks: 4, Failed checks: 0, Skipped checks: 0
github_actions scan results:
Passed checks: 52, Failed checks: 2, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform)
File: /m7/application_config_example/.github/workflows/terraform.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform)
File: /m9/application_config_complete/.github/workflows/terraform.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools