| Repository | ned1313 / Implementing-Terraform-on-Microsoft-Azure |
|---|---|
| Description | Code examples for the Pluralsight course Implementing Terraform on Microsoft Azure |
| Stars | 126 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:55:59,449 [MainThread ] [WARNI] Failed to download module Azure/vnet/azurerm:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:59,449 [MainThread ] [WARNI] Failed to download module Azure/compute/azurerm:~>3.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 25, Failed checks: 34, Skipped checks: 0
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV_AZURE_1: "Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)"
FAILED for resource: azurerm_virtual_machine.main[0]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-1.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV_AZURE_1: "Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)"
FAILED for resource: azurerm_virtual_machine.main[1]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-1.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.ct
File: /4-remote-state-prep/main.tf:63-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
63 | resource "azurerm_storage_container" "ct" {
64 | name = "terraform-state"
65 | storage_account_name = azurerm_storage_account.sa.name
66 |
67 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.ct
File: /8-app-remote-state/main.tf:63-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
63 | resource "azurerm_storage_container" "ct" {
64 | name = "terraform-state"
65 | storage_account_name = azurerm_storage_account.sa.name
66 |
67 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.ct
File: /zz-terraform-vm/vm.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
43 | resource "azurerm_storage_container" "ct" {
44 | name = "terraform-state"
45 | storage_account_name = azurerm_storage_account.sa.name
46 |
47 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: azurerm_virtual_machine.main[0]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: azurerm_virtual_machine.main[1]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: azurerm_virtual_machine.main[0]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: azurerm_virtual_machine.main[1]
File: /9-app-deploy/main.tf:138-177
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
138 | resource "azurerm_virtual_machine" "main" {
139 | count = var.vm_count
140 | name = "${local.prefix}-${count.index}"
141 | location = azurerm_resource_group.app.location
142 | resource_group_name = azurerm_resource_group.app.name
143 | network_interface_ids = [azurerm_network_interface.app[count.index].id]
144 | availability_set_id = azurerm_availability_set.app.id
145 | vm_size = "Standard_DS1_v2"
146 |
147 | # Uncomment this line to delete the OS disk automatically when deleting the VM
148 | delete_os_disk_on_termination = true
149 |
150 |
151 | # Uncomment this line to delete the data disks automatically when deleting the VM
152 | delete_data_disks_on_termination = true
153 |
154 | storage_image_reference {
155 | publisher = "Canonical"
156 | offer = "UbuntuServer"
157 | sku = "18.04-LTS"
158 | version = "latest"
159 | }
160 | storage_os_disk {
161 | name = "${local.prefix}${count.index}"
162 | caching = "ReadWrite"
163 | create_option = "FromImage"
164 | managed_disk_type = "Standard_LRS"
165 | }
166 | os_profile {
167 | computer_name = "${var.naming_prefix}${count.index}vm"
168 | admin_username = "tfadmin"
169 | admin_password = "Password1234!"
170 | }
171 | os_profile_linux_config {
172 | disable_password_authentication = false
173 | }
174 | tags = {
175 | environment = terraform.workspace
176 | }
177 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.sa
File: /4-remote-state-prep/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.sa
File: /8-app-remote-state/main.tf:54-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
54 | resource "azurerm_storage_account" "sa" {
55 | name = "${lower(var.naming_prefix)}${random_integer.sa_num.result}"
56 | resource_group_name = azurerm_resource_group.setup.name
57 | location = var.location
58 | account_tier = "Standard"
59 | account_replication_type = "LRS"
60 |
61 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.sa
File: /zz-terraform-vm/vm.tf:34-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
34 | resource "azurerm_storage_account" "sa" {
35 | name = local.storage_account_name
36 | resource_group_name = azurerm_resource_group.vnet_main.name
37 | location = var.location
38 | account_tier = "Standard"
39 | account_replication_type = "LRS"
40 |
41 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.app_service
File: /10-arm-template/subnet_delegation.tf:1-19
1 | resource "azurerm_subnet" "app_service" {
2 | name = "appservice"
3 | resource_group_name = azurerm_resource_group.vnet_main.name
4 | virtual_network_name = module.vnet-main.vnet_name
5 | address_prefix = cidrsubnet(var.vnet_cidr_range[terraform.workspace], 8, length(var.subnet_names))
6 |
7 | delegation {
8 | name = "appservicedelegation"
9 |
10 | service_delegation {
11 | name = "Microsoft.Web/serverFarms"
12 | actions = [
13 | "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
14 | "Microsoft.Network/virtualNetworks/subnets/action",
15 | "Microsoft.Network/virtualNetworks/subnets/join/action"
16 | ]
17 | }
18 | }
19 | }
arm scan results:
Passed checks: 0, Failed checks: 5, Skipped checks: 0
Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
File: /10-arm-template/azuredeploy.json:56-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-6.html
56 | {
57 | "apiVersion": "2018-11-01",
58 | "type": "Microsoft.Web/sites",
59 | "kind": "app",
60 | "name": "[variables('webAppPortalName')]",
61 | "location": "[parameters('location')]",
62 | "properties": {
63 | "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 | },
65 | "dependsOn": [
66 | "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 | ],
68 | "resources": [
69 | {
70 | "apiVersion": "2018-02-01",
71 | "type": "config",
72 | "name": "virtualNetwork",
73 | "location": "[parameters('location')]",
74 | "dependsOn": [
75 | "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 | ],
77 | "properties": {
78 | "subnetResourceId": "[parameters('subnetRef')]",
79 | "swiftSupported": true
80 | }
81 | }
82 | ]
83 | }
Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
File: /10-arm-template/azuredeploy.json:56-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7.html
56 | {
57 | "apiVersion": "2018-11-01",
58 | "type": "Microsoft.Web/sites",
59 | "kind": "app",
60 | "name": "[variables('webAppPortalName')]",
61 | "location": "[parameters('location')]",
62 | "properties": {
63 | "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 | },
65 | "dependsOn": [
66 | "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 | ],
68 | "resources": [
69 | {
70 | "apiVersion": "2018-02-01",
71 | "type": "config",
72 | "name": "virtualNetwork",
73 | "location": "[parameters('location')]",
74 | "dependsOn": [
75 | "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 | ],
77 | "properties": {
78 | "subnetResourceId": "[parameters('subnetRef')]",
79 | "swiftSupported": true
80 | }
81 | }
82 | ]
83 | }
Check: CKV_AZURE_14: "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
File: /10-arm-template/azuredeploy.json:56-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-5.html
56 | {
57 | "apiVersion": "2018-11-01",
58 | "type": "Microsoft.Web/sites",
59 | "kind": "app",
60 | "name": "[variables('webAppPortalName')]",
61 | "location": "[parameters('location')]",
62 | "properties": {
63 | "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 | },
65 | "dependsOn": [
66 | "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 | ],
68 | "resources": [
69 | {
70 | "apiVersion": "2018-02-01",
71 | "type": "config",
72 | "name": "virtualNetwork",
73 | "location": "[parameters('location')]",
74 | "dependsOn": [
75 | "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 | ],
77 | "properties": {
78 | "subnetResourceId": "[parameters('subnetRef')]",
79 | "swiftSupported": true
80 | }
81 | }
82 | ]
83 | }
Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
File: /10-arm-template/azuredeploy.json:56-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8.html
56 | {
57 | "apiVersion": "2018-11-01",
58 | "type": "Microsoft.Web/sites",
59 | "kind": "app",
60 | "name": "[variables('webAppPortalName')]",
61 | "location": "[parameters('location')]",
62 | "properties": {
63 | "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 | },
65 | "dependsOn": [
66 | "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 | ],
68 | "resources": [
69 | {
70 | "apiVersion": "2018-02-01",
71 | "type": "config",
72 | "name": "virtualNetwork",
73 | "location": "[parameters('location')]",
74 | "dependsOn": [
75 | "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 | ],
77 | "properties": {
78 | "subnetResourceId": "[parameters('subnetRef')]",
79 | "swiftSupported": true
80 | }
81 | }
82 | ]
83 | }
Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
File: /10-arm-template/azuredeploy.json:56-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1.html
56 | {
57 | "apiVersion": "2018-11-01",
58 | "type": "Microsoft.Web/sites",
59 | "kind": "app",
60 | "name": "[variables('webAppPortalName')]",
61 | "location": "[parameters('location')]",
62 | "properties": {
63 | "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
64 | },
65 | "dependsOn": [
66 | "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
67 | ],
68 | "resources": [
69 | {
70 | "apiVersion": "2018-02-01",
71 | "type": "config",
72 | "name": "virtualNetwork",
73 | "location": "[parameters('location')]",
74 | "dependsOn": [
75 | "[concat('Microsoft.Web/sites/', variables('webAppPortalName'))]"
76 | ],
77 | "properties": {
78 | "subnetResourceId": "[parameters('subnetRef')]",
79 | "swiftSupported": true
80 | }
81 | }
82 | ]
83 | }
azure_pipelines scan results:
Passed checks: 1, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools