| Repository | ned1313 / Getting-Started-Terraform |
|---|---|
| Description | Exercise files for my Pluralsight course |
| Stars | 520 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:45:24,584 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:4.0.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:24,683 [MainThread ] [WARNI] Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3:latest failed to load via
2023-10-05 14:45:24,698 [MainThread ] [WARNI] Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/Getting-Started-Terraform/m8_solution/modules/globo-webapp-s3
terraform scan results:
Passed checks: 148, Failed checks: 129, Skipped checks: 0
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet1
File: /base_web_app/main.tf:35-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
35 | resource "aws_subnet" "public_subnet1" {
36 | cidr_block = "10.0.0.0/24"
37 | vpc_id = aws_vpc.app.id
38 | map_public_ip_on_launch = true
39 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx_sg
File: /base_web_app/main.tf:58-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
58 | resource "aws_security_group" "nginx_sg" {
59 | name = "nginx_sg"
60 | vpc_id = aws_vpc.app.id
61 |
62 | # HTTP access from anywhere
63 | ingress {
64 | from_port = 80
65 | to_port = 80
66 | protocol = "tcp"
67 | cidr_blocks = ["0.0.0.0/0"]
68 | }
69 |
70 | # outbound internet access
71 | egress {
72 | from_port = 0
73 | to_port = 0
74 | protocol = "-1"
75 | cidr_blocks = ["0.0.0.0/0"]
76 | }
77 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx_sg
File: /base_web_app/main.tf:58-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
58 | resource "aws_security_group" "nginx_sg" {
59 | name = "nginx_sg"
60 | vpc_id = aws_vpc.app.id
61 |
62 | # HTTP access from anywhere
63 | ingress {
64 | from_port = 80
65 | to_port = 80
66 | protocol = "tcp"
67 | cidr_blocks = ["0.0.0.0/0"]
68 | }
69 |
70 | # outbound internet access
71 | egress {
72 | from_port = 0
73 | to_port = 0
74 | protocol = "-1"
75 | cidr_blocks = ["0.0.0.0/0"]
76 | }
77 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx1
File: /base_web_app/main.tf:80-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
80 | resource "aws_instance" "nginx1" {
81 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
82 | instance_type = "t3.micro"
83 | subnet_id = aws_subnet.public_subnet1.id
84 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
85 |
86 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
92 | EOF
93 |
94 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx1
File: /base_web_app/main.tf:80-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
80 | resource "aws_instance" "nginx1" {
81 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
82 | instance_type = "t3.micro"
83 | subnet_id = aws_subnet.public_subnet1.id
84 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
85 |
86 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
92 | EOF
93 |
94 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx1
File: /base_web_app/main.tf:80-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
80 | resource "aws_instance" "nginx1" {
81 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
82 | instance_type = "t3.micro"
83 | subnet_id = aws_subnet.public_subnet1.id
84 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
85 |
86 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
92 | EOF
93 |
94 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx1
File: /base_web_app/main.tf:80-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
80 | resource "aws_instance" "nginx1" {
81 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
82 | instance_type = "t3.micro"
83 | subnet_id = aws_subnet.public_subnet1.id
84 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
85 |
86 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
92 | EOF
93 |
94 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet1
File: /m4_solution/main.tf:37-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
37 | resource "aws_subnet" "public_subnet1" {
38 | cidr_block = var.vpc_public_subnet1_cidr_block
39 | vpc_id = aws_vpc.app.id
40 | map_public_ip_on_launch = var.map_public_ip_on_launch
41 |
42 | tags = local.common_tags
43 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx_sg
File: /m4_solution/main.tf:64-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
64 | resource "aws_security_group" "nginx_sg" {
65 | name = "nginx_sg"
66 | vpc_id = aws_vpc.app.id
67 |
68 | # HTTP access from anywhere
69 | ingress {
70 | from_port = 80
71 | to_port = 80
72 | protocol = "tcp"
73 | cidr_blocks = ["0.0.0.0/0"]
74 | }
75 |
76 | # outbound internet access
77 | egress {
78 | from_port = 0
79 | to_port = 0
80 | protocol = "-1"
81 | cidr_blocks = ["0.0.0.0/0"]
82 | }
83 |
84 | tags = local.common_tags
85 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx_sg
File: /m4_solution/main.tf:64-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
64 | resource "aws_security_group" "nginx_sg" {
65 | name = "nginx_sg"
66 | vpc_id = aws_vpc.app.id
67 |
68 | # HTTP access from anywhere
69 | ingress {
70 | from_port = 80
71 | to_port = 80
72 | protocol = "tcp"
73 | cidr_blocks = ["0.0.0.0/0"]
74 | }
75 |
76 | # outbound internet access
77 | egress {
78 | from_port = 0
79 | to_port = 0
80 | protocol = "-1"
81 | cidr_blocks = ["0.0.0.0/0"]
82 | }
83 |
84 | tags = local.common_tags
85 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx1
File: /m4_solution/main.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
88 | resource "aws_instance" "nginx1" {
89 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
90 | instance_type = var.instance_type
91 | subnet_id = aws_subnet.public_subnet1.id
92 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
93 |
94 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
100 | EOF
101 |
102 | tags = local.common_tags
103 |
104 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx1
File: /m4_solution/main.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
88 | resource "aws_instance" "nginx1" {
89 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
90 | instance_type = var.instance_type
91 | subnet_id = aws_subnet.public_subnet1.id
92 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
93 |
94 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
100 | EOF
101 |
102 | tags = local.common_tags
103 |
104 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx1
File: /m4_solution/main.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
88 | resource "aws_instance" "nginx1" {
89 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
90 | instance_type = var.instance_type
91 | subnet_id = aws_subnet.public_subnet1.id
92 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
93 |
94 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
100 | EOF
101 |
102 | tags = local.common_tags
103 |
104 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx1
File: /m4_solution/main.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
88 | resource "aws_instance" "nginx1" {
89 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
90 | instance_type = var.instance_type
91 | subnet_id = aws_subnet.public_subnet1.id
92 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
93 |
94 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
100 | EOF
101 |
102 | tags = local.common_tags
103 |
104 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx1
File: /m5_solution/instances.tf:14-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.public_subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
19 |
20 | user_data = <Taco Team Server 1 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
26 | EOF
27 |
28 | tags = local.common_tags
29 |
30 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx1
File: /m5_solution/instances.tf:14-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.public_subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
19 |
20 | user_data = <Taco Team Server 1 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
26 | EOF
27 |
28 | tags = local.common_tags
29 |
30 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx1
File: /m5_solution/instances.tf:14-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.public_subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
19 |
20 | user_data = <Taco Team Server 1 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
26 | EOF
27 |
28 | tags = local.common_tags
29 |
30 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx1
File: /m5_solution/instances.tf:14-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.public_subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
19 |
20 | user_data = <Taco Team Server 1 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
26 | EOF
27 |
28 | tags = local.common_tags
29 |
30 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx2
File: /m5_solution/instances.tf:32-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
32 | resource "aws_instance" "nginx2" {
33 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
34 | instance_type = var.instance_type
35 | subnet_id = aws_subnet.public_subnet2.id
36 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
37 |
38 | user_data = <Taco Team Server 2 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
44 | EOF
45 |
46 | tags = local.common_tags
47 |
48 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx2
File: /m5_solution/instances.tf:32-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
32 | resource "aws_instance" "nginx2" {
33 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
34 | instance_type = var.instance_type
35 | subnet_id = aws_subnet.public_subnet2.id
36 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
37 |
38 | user_data = <Taco Team Server 2 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
44 | EOF
45 |
46 | tags = local.common_tags
47 |
48 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx2
File: /m5_solution/instances.tf:32-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
32 | resource "aws_instance" "nginx2" {
33 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
34 | instance_type = var.instance_type
35 | subnet_id = aws_subnet.public_subnet2.id
36 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
37 |
38 | user_data = <Taco Team Server 2 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
44 | EOF
45 |
46 | tags = local.common_tags
47 |
48 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx2
File: /m5_solution/instances.tf:32-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
32 | resource "aws_instance" "nginx2" {
33 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
34 | instance_type = var.instance_type
35 | subnet_id = aws_subnet.public_subnet2.id
36 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
37 |
38 | user_data = <Taco Team Server 2 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
44 | EOF
45 |
46 | tags = local.common_tags
47 |
48 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.nginx
File: /m5_solution/loadbalancer.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
2 | resource "aws_lb" "nginx" {
3 | name = "globo-web-alb"
4 | internal = false
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.alb_sg.id]
7 | subnets = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
8 |
9 | enable_deletion_protection = false
10 |
11 | tags = local.common_tags
12 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.nginx
File: /m5_solution/loadbalancer.tf:2-12
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
2 | resource "aws_lb" "nginx" {
3 | name = "globo-web-alb"
4 | internal = false
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.alb_sg.id]
7 | subnets = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
8 |
9 | enable_deletion_protection = false
10 |
11 | tags = local.common_tags
12 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.nginx
File: /m5_solution/loadbalancer.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
2 | resource "aws_lb" "nginx" {
3 | name = "globo-web-alb"
4 | internal = false
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.alb_sg.id]
7 | subnets = [aws_subnet.public_subnet1.id, aws_subnet.public_subnet2.id]
8 |
9 | enable_deletion_protection = false
10 |
11 | tags = local.common_tags
12 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.nginx
File: /m5_solution/loadbalancer.tf:15-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
15 | resource "aws_lb_target_group" "nginx" {
16 | name = "nginx-alb-tg"
17 | port = 80
18 | protocol = "HTTP"
19 | vpc_id = aws_vpc.app.id
20 |
21 | tags = local.common_tags
22 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.nginx
File: /m5_solution/loadbalancer.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
25 | resource "aws_lb_listener" "nginx" {
26 | load_balancer_arn = aws_lb.nginx.arn
27 | port = "80"
28 | protocol = "HTTP"
29 |
30 | default_action {
31 | type = "forward"
32 | target_group_arn = aws_lb_target_group.nginx.arn
33 | }
34 |
35 | tags = local.common_tags
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet1
File: /m5_solution/network.tf:37-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
37 | resource "aws_subnet" "public_subnet1" {
38 | cidr_block = var.vpc_public_subnets_cidr_block[0]
39 | vpc_id = aws_vpc.app.id
40 | availability_zone = data.aws_availability_zones.available.names[0]
41 | map_public_ip_on_launch = var.map_public_ip_on_launch
42 |
43 | tags = local.common_tags
44 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet2
File: /m5_solution/network.tf:46-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
46 | resource "aws_subnet" "public_subnet2" {
47 | cidr_block = var.vpc_public_subnets_cidr_block[1]
48 | vpc_id = aws_vpc.app.id
49 | availability_zone = data.aws_availability_zones.available.names[1]
50 | map_public_ip_on_launch = var.map_public_ip_on_launch
51 |
52 | tags = local.common_tags
53 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx_sg
File: /m5_solution/network.tf:79-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
79 | resource "aws_security_group" "nginx_sg" {
80 | name = "nginx_sg"
81 | vpc_id = aws_vpc.app.id
82 |
83 | # HTTP access from anywhere
84 | ingress {
85 | from_port = 80
86 | to_port = 80
87 | protocol = "tcp"
88 | cidr_blocks = [var.vpc_cidr_block]
89 | }
90 |
91 | # outbound internet access
92 | egress {
93 | from_port = 0
94 | to_port = 0
95 | protocol = "-1"
96 | cidr_blocks = ["0.0.0.0/0"]
97 | }
98 |
99 | tags = local.common_tags
100 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb_sg
File: /m5_solution/network.tf:103-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
103 | resource "aws_security_group" "alb_sg" {
104 | name = "nginx_alb_sg"
105 | vpc_id = aws_vpc.app.id
106 |
107 | # HTTP access from anywhere
108 | ingress {
109 | from_port = 80
110 | to_port = 80
111 | protocol = "tcp"
112 | cidr_blocks = ["0.0.0.0/0"]
113 | }
114 |
115 | # outbound internet access
116 | egress {
117 | from_port = 0
118 | to_port = 0
119 | protocol = "-1"
120 | cidr_blocks = ["0.0.0.0/0"]
121 | }
122 |
123 | tags = local.common_tags
124 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.alb_sg
File: /m5_solution/network.tf:103-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
103 | resource "aws_security_group" "alb_sg" {
104 | name = "nginx_alb_sg"
105 | vpc_id = aws_vpc.app.id
106 |
107 | # HTTP access from anywhere
108 | ingress {
109 | from_port = 80
110 | to_port = 80
111 | protocol = "tcp"
112 | cidr_blocks = ["0.0.0.0/0"]
113 | }
114 |
115 | # outbound internet access
116 | egress {
117 | from_port = 0
118 | to_port = 0
119 | protocol = "-1"
120 | cidr_blocks = ["0.0.0.0/0"]
121 | }
122 |
123 | tags = local.common_tags
124 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx1
File: /m6_solution/instances.tf:14-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.ami.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx-sg.id]
19 | iam_instance_profile = aws_iam_instance_profile.nginx_profile.name
20 | depends_on = [aws_iam_role_policy.allow_s3_all]
21 |
22 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
92 | EOF
93 |
94 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx1
File: /m4_solution/main.tf:88-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
88 | resource "aws_instance" "nginx1" {
89 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
90 | instance_type = var.instance_type
91 | subnet_id = aws_subnet.public_subnet1.id
92 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
93 |
94 | user_data = <Taco Team Server You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
100 | EOF
101 |
102 | tags = local.common_tags
103 |
104 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx1
File: /m5_solution/instances.tf:14-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "nginx1" {
15 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
16 | instance_type = var.instance_type
17 | subnet_id = aws_subnet.public_subnet1.id
18 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
19 |
20 | user_data = <Taco Team Server 1 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
26 | EOF
27 |
28 | tags = local.common_tags
29 |
30 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx2
File: /m5_solution/instances.tf:32-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
32 | resource "aws_instance" "nginx2" {
33 | ami = nonsensitive(data.aws_ssm_parameter.amzn2_linux.value)
34 | instance_type = var.instance_type
35 | subnet_id = aws_subnet.public_subnet2.id
36 | vpc_security_group_ids = [aws_security_group.nginx_sg.id]
37 |
38 | user_data = <Taco Team Server 2 You did it! Have a 🌮
' | sudo tee /usr/share/nginx/html/index.html
44 | EOF
45 |
46 | tags = local.common_tags
47 |
48 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools