Experience Builder


Terraform


Repository
ned1313 / Getting-Started-Terraform
Description

Exercise files for my Pluralsight course

Stars

 520

Failed Checks
  • Security Scanning
  • Linting

Scan Date
  2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
    2023-10-05 14:45:24,584 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:4.0.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:45:24,683 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3:latest failed to load via 
    2023-10-05 14:45:24,698 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3
    terraform scan results:
    
    Passed checks: 148, Failed checks: 129, Skipped checks: 0
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_subnet1
    	File: /base_web_app/main.tf:35-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		35 | resource "aws_subnet" "public_subnet1" {
    		36 |   cidr_block              = "10.0.0.0/24"
    		37 |   vpc_id                  = aws_vpc.app.id
    		38 |   map_public_ip_on_launch = true
    		39 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.nginx_sg
    	File: /base_web_app/main.tf:58-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		58 | resource "aws_security_group" "nginx_sg" {
    		59 |   name   = "nginx_sg"
    		60 |   vpc_id = aws_vpc.app.id
    		61 | 
    		62 |   # HTTP access from anywhere
    		63 |   ingress {
    		64 |     from_port   = 80
    		65 |     to_port     = 80
    		66 |     protocol    = "tcp"
    		67 |     cidr_blocks = ["0.0.0.0/0"]
    		68 |   }
    		69 | 
    		70 |   # outbound internet access
    		71 |   egress {
    		72 |     from_port   = 0
    		73 |     to_port     = 0
    		74 |     protocol    = "-1"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.nginx_sg
    	File: /base_web_app/main.tf:58-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		58 | resource "aws_security_group" "nginx_sg" {
    		59 |   name   = "nginx_sg"
    		60 |   vpc_id = aws_vpc.app.id
    		61 | 
    		62 |   # HTTP access from anywhere
    		63 |   ingress {
    		64 |     from_port   = 80
    		65 |     to_port     = 80
    		66 |     protocol    = "tcp"
    		67 |     cidr_blocks = ["0.0.0.0/0"]
    		68 |   }
    		69 | 
    		70 |   # outbound internet access
    		71 |   egress {
    		72 |     from_port   = 0
    		73 |     to_port     = 0
    		74 |     protocol    = "-1"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx1
    	File: /base_web_app/main.tf:80-94
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		80 | resource "aws_instance" "nginx1" {
    		81 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		82 |   instance_type          = "t3.micro"
    		83 |   subnet_id              = aws_subnet.public_subnet1.id
    		84 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		85 | 
    		86 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		92 | EOF
    		93 | 
    		94 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx1
    	File: /base_web_app/main.tf:80-94
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		80 | resource "aws_instance" "nginx1" {
    		81 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		82 |   instance_type          = "t3.micro"
    		83 |   subnet_id              = aws_subnet.public_subnet1.id
    		84 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		85 | 
    		86 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		92 | EOF
    		93 | 
    		94 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx1
    	File: /base_web_app/main.tf:80-94
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		80 | resource "aws_instance" "nginx1" {
    		81 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		82 |   instance_type          = "t3.micro"
    		83 |   subnet_id              = aws_subnet.public_subnet1.id
    		84 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		85 | 
    		86 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		92 | EOF
    		93 | 
    		94 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx1
    	File: /base_web_app/main.tf:80-94
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		80 | resource "aws_instance" "nginx1" {
    		81 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		82 |   instance_type          = "t3.micro"
    		83 |   subnet_id              = aws_subnet.public_subnet1.id
    		84 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		85 | 
    		86 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		92 | EOF
    		93 | 
    		94 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_subnet1
    	File: /m4_solution/main.tf:37-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		37 | resource "aws_subnet" "public_subnet1" {
    		38 |   cidr_block              = var.vpc_public_subnet1_cidr_block
    		39 |   vpc_id                  = aws_vpc.app.id
    		40 |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		41 | 
    		42 |   tags = local.common_tags
    		43 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.nginx_sg
    	File: /m4_solution/main.tf:64-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		64 | resource "aws_security_group" "nginx_sg" {
    		65 |   name   = "nginx_sg"
    		66 |   vpc_id = aws_vpc.app.id
    		67 | 
    		68 |   # HTTP access from anywhere
    		69 |   ingress {
    		70 |     from_port   = 80
    		71 |     to_port     = 80
    		72 |     protocol    = "tcp"
    		73 |     cidr_blocks = ["0.0.0.0/0"]
    		74 |   }
    		75 | 
    		76 |   # outbound internet access
    		77 |   egress {
    		78 |     from_port   = 0
    		79 |     to_port     = 0
    		80 |     protocol    = "-1"
    		81 |     cidr_blocks = ["0.0.0.0/0"]
    		82 |   }
    		83 | 
    		84 |   tags = local.common_tags
    		85 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.nginx_sg
    	File: /m4_solution/main.tf:64-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		64 | resource "aws_security_group" "nginx_sg" {
    		65 |   name   = "nginx_sg"
    		66 |   vpc_id = aws_vpc.app.id
    		67 | 
    		68 |   # HTTP access from anywhere
    		69 |   ingress {
    		70 |     from_port   = 80
    		71 |     to_port     = 80
    		72 |     protocol    = "tcp"
    		73 |     cidr_blocks = ["0.0.0.0/0"]
    		74 |   }
    		75 | 
    		76 |   # outbound internet access
    		77 |   egress {
    		78 |     from_port   = 0
    		79 |     to_port     = 0
    		80 |     protocol    = "-1"
    		81 |     cidr_blocks = ["0.0.0.0/0"]
    		82 |   }
    		83 | 
    		84 |   tags = local.common_tags
    		85 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx1
    	File: /m4_solution/main.tf:88-104
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		88 | resource "aws_instance" "nginx1" {
    		89 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		90 |   instance_type          = var.instance_type
    		91 |   subnet_id              = aws_subnet.public_subnet1.id
    		92 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		93 | 
    		94 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		100 | EOF
    		101 | 
    		102 |   tags = local.common_tags
    		103 | 
    		104 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx1
    	File: /m4_solution/main.tf:88-104
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		88 | resource "aws_instance" "nginx1" {
    		89 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		90 |   instance_type          = var.instance_type
    		91 |   subnet_id              = aws_subnet.public_subnet1.id
    		92 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		93 | 
    		94 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		100 | EOF
    		101 | 
    		102 |   tags = local.common_tags
    		103 | 
    		104 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx1
    	File: /m4_solution/main.tf:88-104
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		88 | resource "aws_instance" "nginx1" {
    		89 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		90 |   instance_type          = var.instance_type
    		91 |   subnet_id              = aws_subnet.public_subnet1.id
    		92 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		93 | 
    		94 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		100 | EOF
    		101 | 
    		102 |   tags = local.common_tags
    		103 | 
    		104 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx1
    	File: /m4_solution/main.tf:88-104
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		88 | resource "aws_instance" "nginx1" {
    		89 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		90 |   instance_type          = var.instance_type
    		91 |   subnet_id              = aws_subnet.public_subnet1.id
    		92 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		93 | 
    		94 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		100 | EOF
    		101 | 
    		102 |   tags = local.common_tags
    		103 | 
    		104 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx1
    	File: /m5_solution/instances.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.public_subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		19 | 
    		20 |   user_data = <Taco Team Server 1

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		26 | EOF
    		27 | 
    		28 |   tags = local.common_tags
    		29 | 
    		30 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx1
    	File: /m5_solution/instances.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.public_subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		19 | 
    		20 |   user_data = <Taco Team Server 1

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		26 | EOF
    		27 | 
    		28 |   tags = local.common_tags
    		29 | 
    		30 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx1
    	File: /m5_solution/instances.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.public_subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		19 | 
    		20 |   user_data = <Taco Team Server 1

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		26 | EOF
    		27 | 
    		28 |   tags = local.common_tags
    		29 | 
    		30 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx1
    	File: /m5_solution/instances.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.public_subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		19 | 
    		20 |   user_data = <Taco Team Server 1

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		26 | EOF
    		27 | 
    		28 |   tags = local.common_tags
    		29 | 
    		30 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx2
    	File: /m5_solution/instances.tf:32-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		32 | resource "aws_instance" "nginx2" {
    		33 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		34 |   instance_type          = var.instance_type
    		35 |   subnet_id              = aws_subnet.public_subnet2.id
    		36 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		37 | 
    		38 |   user_data = <Taco Team Server 2

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		44 | EOF
    		45 | 
    		46 |   tags = local.common_tags
    		47 | 
    		48 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx2
    	File: /m5_solution/instances.tf:32-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		32 | resource "aws_instance" "nginx2" {
    		33 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		34 |   instance_type          = var.instance_type
    		35 |   subnet_id              = aws_subnet.public_subnet2.id
    		36 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		37 | 
    		38 |   user_data = <Taco Team Server 2

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		44 | EOF
    		45 | 
    		46 |   tags = local.common_tags
    		47 | 
    		48 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx2
    	File: /m5_solution/instances.tf:32-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		32 | resource "aws_instance" "nginx2" {
    		33 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		34 |   instance_type          = var.instance_type
    		35 |   subnet_id              = aws_subnet.public_subnet2.id
    		36 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		37 | 
    		38 |   user_data = <Taco Team Server 2

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		44 | EOF
    		45 | 
    		46 |   tags = local.common_tags
    		47 | 
    		48 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx2
    	File: /m5_solution/instances.tf:32-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		32 | resource "aws_instance" "nginx2" {
    		33 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		34 |   instance_type          = var.instance_type
    		35 |   subnet_id              = aws_subnet.public_subnet2.id
    		36 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		37 | 
    		38 |   user_data = <Taco Team Server 2

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		44 | EOF
    		45 | 
    		46 |   tags = local.common_tags
    		47 | 
    		48 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.nginx
    	File: /m5_solution/loadbalancer.tf:2-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		2 | resource "aws_lb" "nginx" {
    		3 |   name               = "globo-web-alb"
    		4 |   internal           = false
    		5 |   load_balancer_type = "application"
    		6 |   security_groups    = [aws_security_group.alb_sg.id]
    		7 |   subnets            = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
    		8 | 
    		9 |   enable_deletion_protection = false
    		10 | 
    		11 |   tags = local.common_tags
    		12 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.nginx
    	File: /m5_solution/loadbalancer.tf:2-12
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		2 | resource "aws_lb" "nginx" {
    		3 |   name               = "globo-web-alb"
    		4 |   internal           = false
    		5 |   load_balancer_type = "application"
    		6 |   security_groups    = [aws_security_group.alb_sg.id]
    		7 |   subnets            = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
    		8 | 
    		9 |   enable_deletion_protection = false
    		10 | 
    		11 |   tags = local.common_tags
    		12 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.nginx
    	File: /m5_solution/loadbalancer.tf:2-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		2 | resource "aws_lb" "nginx" {
    		3 |   name               = "globo-web-alb"
    		4 |   internal           = false
    		5 |   load_balancer_type = "application"
    		6 |   security_groups    = [aws_security_group.alb_sg.id]
    		7 |   subnets            = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
    		8 | 
    		9 |   enable_deletion_protection = false
    		10 | 
    		11 |   tags = local.common_tags
    		12 | }
    
    Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
    	FAILED for resource: aws_lb_target_group.nginx
    	File: /m5_solution/loadbalancer.tf:15-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
    
    		15 | resource "aws_lb_target_group" "nginx" {
    		16 |   name     = "nginx-alb-tg"
    		17 |   port     = 80
    		18 |   protocol = "HTTP"
    		19 |   vpc_id   = aws_vpc.app.id
    		20 | 
    		21 |   tags = local.common_tags
    		22 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.nginx
    	File: /m5_solution/loadbalancer.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		25 | resource "aws_lb_listener" "nginx" {
    		26 |   load_balancer_arn = aws_lb.nginx.arn
    		27 |   port              = "80"
    		28 |   protocol          = "HTTP"
    		29 | 
    		30 |   default_action {
    		31 |     type             = "forward"
    		32 |     target_group_arn = aws_lb_target_group.nginx.arn
    		33 |   }
    		34 | 
    		35 |   tags = local.common_tags
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_subnet1
    	File: /m5_solution/network.tf:37-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		37 | resource "aws_subnet" "public_subnet1" {
    		38 |   cidr_block              = var.vpc_public_subnets_cidr_block[0]
    		39 |   vpc_id                  = aws_vpc.app.id
    		40 |   availability_zone       = data.aws_availability_zones.available.names[0]
    		41 |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		42 | 
    		43 |   tags = local.common_tags
    		44 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_subnet2
    	File: /m5_solution/network.tf:46-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		46 | resource "aws_subnet" "public_subnet2" {
    		47 |   cidr_block              = var.vpc_public_subnets_cidr_block[1]
    		48 |   vpc_id                  = aws_vpc.app.id
    		49 |   availability_zone       = data.aws_availability_zones.available.names[1]
    		50 |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		51 | 
    		52 |   tags = local.common_tags
    		53 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.nginx_sg
    	File: /m5_solution/network.tf:79-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		79 | resource "aws_security_group" "nginx_sg" {
    		80 |   name   = "nginx_sg"
    		81 |   vpc_id = aws_vpc.app.id
    		82 | 
    		83 |   # HTTP access from anywhere
    		84 |   ingress {
    		85 |     from_port   = 80
    		86 |     to_port     = 80
    		87 |     protocol    = "tcp"
    		88 |     cidr_blocks = [var.vpc_cidr_block]
    		89 |   }
    		90 | 
    		91 |   # outbound internet access
    		92 |   egress {
    		93 |     from_port   = 0
    		94 |     to_port     = 0
    		95 |     protocol    = "-1"
    		96 |     cidr_blocks = ["0.0.0.0/0"]
    		97 |   }
    		98 | 
    		99 |   tags = local.common_tags
    		100 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.alb_sg
    	File: /m5_solution/network.tf:103-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		103 | resource "aws_security_group" "alb_sg" {
    		104 |   name   = "nginx_alb_sg"
    		105 |   vpc_id = aws_vpc.app.id
    		106 | 
    		107 |   # HTTP access from anywhere
    		108 |   ingress {
    		109 |     from_port   = 80
    		110 |     to_port     = 80
    		111 |     protocol    = "tcp"
    		112 |     cidr_blocks = ["0.0.0.0/0"]
    		113 |   }
    		114 | 
    		115 |   # outbound internet access
    		116 |   egress {
    		117 |     from_port   = 0
    		118 |     to_port     = 0
    		119 |     protocol    = "-1"
    		120 |     cidr_blocks = ["0.0.0.0/0"]
    		121 |   }
    		122 | 
    		123 |   tags = local.common_tags
    		124 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.alb_sg
    	File: /m5_solution/network.tf:103-124
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		103 | resource "aws_security_group" "alb_sg" {
    		104 |   name   = "nginx_alb_sg"
    		105 |   vpc_id = aws_vpc.app.id
    		106 | 
    		107 |   # HTTP access from anywhere
    		108 |   ingress {
    		109 |     from_port   = 80
    		110 |     to_port     = 80
    		111 |     protocol    = "tcp"
    		112 |     cidr_blocks = ["0.0.0.0/0"]
    		113 |   }
    		114 | 
    		115 |   # outbound internet access
    		116 |   egress {
    		117 |     from_port   = 0
    		118 |     to_port     = 0
    		119 |     protocol    = "-1"
    		120 |     cidr_blocks = ["0.0.0.0/0"]
    		121 |   }
    		122 | 
    		123 |   tags = local.common_tags
    		124 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx1
    	File: /m6_solution/instances.tf:14-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.ami.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx-sg.id]
    		19 |   iam_instance_profile   = aws_iam_instance_profile.nginx_profile.name
    		20 |   depends_on             = [aws_iam_role_policy.allow_s3_all]
    		21 | 
    		22 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		92 | EOF
    		93 | 
    		94 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx1
    	File: /m4_solution/main.tf:88-104
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		88 | resource "aws_instance" "nginx1" {
    		89 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		90 |   instance_type          = var.instance_type
    		91 |   subnet_id              = aws_subnet.public_subnet1.id
    		92 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		93 | 
    		94 |   user_data = <Taco Team Server

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		100 | EOF
    		101 | 
    		102 |   tags = local.common_tags
    		103 | 
    		104 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx1
    	File: /m5_solution/instances.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		14 | resource "aws_instance" "nginx1" {
    		15 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		16 |   instance_type          = var.instance_type
    		17 |   subnet_id              = aws_subnet.public_subnet1.id
    		18 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		19 | 
    		20 |   user_data = <Taco Team Server 1

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		26 | EOF
    		27 | 
    		28 |   tags = local.common_tags
    		29 | 
    		30 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx2
    	File: /m5_solution/instances.tf:32-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		32 | resource "aws_instance" "nginx2" {
    		33 |   ami                    = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
    		34 |   instance_type          = var.instance_type
    		35 |   subnet_id              = aws_subnet.public_subnet2.id
    		36 |   vpc_security_group_ids = [aws_security_group.nginx_sg.id]
    		37 | 
    		38 |   user_data = <Taco Team Server 2

    You did it! Have a 🌮

    ' | sudo tee /usr/share/nginx/html/index.html
    		44 | EOF
    		45 | 
    		46 |   tags = local.common_tags
    		47 | 
    		48 | }

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: