| Repository | ned1313 / terraform-tuesdays |
|---|---|
| Description | Demo files for various Terraform Tuesday Examples |
| Stars | 347 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:49:50,604 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/vcn/oci:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,604 [MainThread ] [WARNI] Failed to download module Azure/vnet/azurerm:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,605 [MainThread ] [WARNI] Failed to download module Azure/network/azurerm:3.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,605 [MainThread ] [WARNI] Failed to download module Azure/network/azurerm:~>3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,605 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.19.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,605 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,606 [MainThread ] [WARNI] Failed to download module terraform-google-modules/vm/google//modules/instance_template:~>7.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,606 [MainThread ] [WARNI] Failed to download module terraform-google-modules/vm/google//modules/mig:~>7.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,606 [MainThread ] [WARNI] Failed to download module Azure/network/azurerm:~>3.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,606 [MainThread ] [WARNI] Failed to download module GoogleCloudPlatform/lb-http/google:~>5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,607 [MainThread ] [WARNI] Failed to download module Azure/vnet/azurerm:4.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,608 [MainThread ] [WARNI] Failed to download module Azure/virtual-machine/azurerm:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,608 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:2.64.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,610 [MainThread ] [WARNI] Failed to download module nozaq/remote-state-s3-backend/aws:0.4.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,611 [MainThread ] [WARNI] Failed to download module ned1313/github_oidc/azuread:>=1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,611 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:49:50,611 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>3.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 495, Failed checks: 390, Skipped checks: 0, Parsing errors: 1
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: google_project.project
File: /2020-09-29-GoogleCloud/main.tf:129-134
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
129 | resource "google_project" "project" {
130 | name = terraform.workspace
131 | project_id = random_id.id.hex
132 | billing_account = var.billing_account
133 | org_id = var.org_id
134 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.azure.azurerm_key_vault.boundary
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:8-28
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
8 | resource "azurerm_key_vault" "boundary" {
9 | name = local.vault_name
10 | location = var.location
11 | resource_group_name = azurerm_resource_group.boundary.name
12 | tenant_id = data.azurerm_client_config.current.tenant_id
13 | enabled_for_deployment = true
14 | soft_delete_enabled = true
15 | soft_delete_retention_days = 7
16 | purge_protection_enabled = false
17 |
18 | sku_name = "standard"
19 |
20 | network_acls {
21 | default_action = "Deny"
22 | bypass = "AzureServices"
23 | ip_rules = ["${data.http.my_ip.body}/32"]
24 | virtual_network_subnet_ids = [module.vnet.vnet_subnets[0],module.vnet.vnet_subnets[1]]
25 |
26 | }
27 |
28 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.azure.azurerm_key_vault.boundary
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:8-28
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
8 | resource "azurerm_key_vault" "boundary" {
9 | name = local.vault_name
10 | location = var.location
11 | resource_group_name = azurerm_resource_group.boundary.name
12 | tenant_id = data.azurerm_client_config.current.tenant_id
13 | enabled_for_deployment = true
14 | soft_delete_enabled = true
15 | soft_delete_retention_days = 7
16 | purge_protection_enabled = false
17 |
18 | sku_name = "standard"
19 |
20 | network_acls {
21 | default_action = "Deny"
22 | bypass = "AzureServices"
23 | ip_rules = ["${data.http.my_ip.body}/32"]
24 | virtual_network_subnet_ids = [module.vnet.vnet_subnets[0],module.vnet.vnet_subnets[1]]
25 |
26 | }
27 |
28 | }
Check: CKV_AZURE_40: "Ensure that the expiration date is set on all keys"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["recovery"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/set-an-expiration-date-on-all-keys.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["recovery"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-key-is-backed-by-hsm.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_40: "Ensure that the expiration date is set on all keys"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["worker"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/set-an-expiration-date-on-all-keys.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["worker"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-key-is-backed-by-hsm.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_40: "Ensure that the expiration date is set on all keys"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["root"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/set-an-expiration-date-on-all-keys.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
FAILED for resource: module.azure.azurerm_key_vault_key.keys["root"]
File: /2020-10-27-BoundaryonAzure/azure/keyvault.tf:88-103
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-key-is-backed-by-hsm.html
88 | resource "azurerm_key_vault_key" "keys" {
89 | for_each = toset(["root", "worker", "recovery"])
90 | name = each.key
91 | key_vault_id = azurerm_key_vault.boundary.id
92 | key_type = "RSA"
93 | key_size = 2048
94 |
95 | key_opts = [
96 | "decrypt",
97 | "encrypt",
98 | "sign",
99 | "unwrapKey",
100 | "verify",
101 | "wrapKey",
102 | ]
103 | }
Check: CKV_AZURE_102: "Ensure that PostgreSQL server enables geo-redundant backups"
FAILED for resource: module.azure.azurerm_postgresql_server.boundary
File: /2020-10-27-BoundaryonAzure/azure/postgres.tf:3-22
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-postgresql-server-enables-geo-redundant-backups.html
3 | resource "azurerm_postgresql_server" "boundary" {
4 | name = local.pg_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.boundary.name
7 |
8 | administrator_login = var.db_username
9 | administrator_login_password = var.db_password
10 |
11 | sku_name = "B_Gen5_2"
12 | version = "11"
13 | storage_mb = 51200
14 |
15 | backup_retention_days = 7
16 | geo_redundant_backup_enabled = false
17 | auto_grow_enabled = true
18 |
19 | ssl_enforcement_enabled = true
20 | ssl_minimal_tls_version_enforced = "TLS1_2"
21 |
22 | }
Check: CKV_AZURE_130: "Ensure that PostgreSQL server enables infrastructure encryption"
FAILED for resource: module.azure.azurerm_postgresql_server.boundary
File: /2020-10-27-BoundaryonAzure/azure/postgres.tf:3-22
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-postgresql-server-enables-infrastructure-encryption.html
3 | resource "azurerm_postgresql_server" "boundary" {
4 | name = local.pg_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.boundary.name
7 |
8 | administrator_login = var.db_username
9 | administrator_login_password = var.db_password
10 |
11 | sku_name = "B_Gen5_2"
12 | version = "11"
13 | storage_mb = 51200
14 |
15 | backup_retention_days = 7
16 | geo_redundant_backup_enabled = false
17 | auto_grow_enabled = true
18 |
19 | ssl_enforcement_enabled = true
20 | ssl_minimal_tls_version_enforced = "TLS1_2"
21 |
22 | }
Check: CKV_AZURE_68: "Ensure that PostgreSQL server disables public network access"
FAILED for resource: module.azure.azurerm_postgresql_server.boundary
File: /2020-10-27-BoundaryonAzure/azure/postgres.tf:3-22
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-postgresql-server-disables-public-network-access.html
3 | resource "azurerm_postgresql_server" "boundary" {
4 | name = local.pg_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.boundary.name
7 |
8 | administrator_login = var.db_username
9 | administrator_login_password = var.db_password
10 |
11 | sku_name = "B_Gen5_2"
12 | version = "11"
13 | storage_mb = 51200
14 |
15 | backup_retention_days = 7
16 | geo_redundant_backup_enabled = false
17 | auto_grow_enabled = true
18 |
19 | ssl_enforcement_enabled = true
20 | ssl_minimal_tls_version_enforced = "TLS1_2"
21 |
22 | }
Check: CKV_AZURE_128: "Ensure that PostgreSQL server enables Threat detection policy"
FAILED for resource: module.azure.azurerm_postgresql_server.boundary
File: /2020-10-27-BoundaryonAzure/azure/postgres.tf:3-22
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-postgresql-server-enables-threat-detection-policy.html
3 | resource "azurerm_postgresql_server" "boundary" {
4 | name = local.pg_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.boundary.name
7 |
8 | administrator_login = var.db_username
9 | administrator_login_password = var.db_password
10 |
11 | sku_name = "B_Gen5_2"
12 | version = "11"
13 | storage_mb = 51200
14 |
15 | backup_retention_days = 7
16 | geo_redundant_backup_enabled = false
17 | auto_grow_enabled = true
18 |
19 | ssl_enforcement_enabled = true
20 | ssl_minimal_tls_version_enforced = "TLS1_2"
21 |
22 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.azure.azurerm_linux_virtual_machine.controller[0]
File: /2020-10-27-BoundaryonAzure/azure/vm.tf:81-129
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
81 | resource "azurerm_linux_virtual_machine" "controller" {
82 | count = var.controller_vm_count
83 | name = "${local.controller_vm}-${count.index}"
84 | location = var.location
85 | resource_group_name = azurerm_resource_group.boundary.name
86 | size = var.controller_vm_size
87 | admin_username = "azureuser"
88 | computer_name = "controller-${count.index}"
89 | availability_set_id = azurerm_availability_set.controller.id
90 | network_interface_ids = [
91 | azurerm_network_interface.controller[count.index].id,
92 | ]
93 |
94 | admin_ssh_key {
95 | username = "azureuser"
96 | public_key = tls_private_key.boundary.public_key_openssh
97 | }
98 |
99 | # Using Standard SSD tier storage
100 | # Accepting the standard disk size from image
101 | # No data disk is being used
102 | os_disk {
103 | caching = "ReadWrite"
104 | storage_account_type = "StandardSSD_LRS"
105 | }
106 |
107 | #Source image is hardcoded b/c I said so
108 | source_image_reference {
109 | publisher = "Canonical"
110 | offer = "UbuntuServer"
111 | sku = "18.04-LTS"
112 | version = "latest"
113 | }
114 |
115 | identity {
116 | type = "UserAssigned"
117 | identity_ids = [azurerm_user_assigned_identity.controller.id]
118 | }
119 |
120 | secret {
121 | key_vault_id = azurerm_key_vault.boundary.id
122 |
123 | certificate {
124 | url = azurerm_key_vault_certificate.boundary.secret_id
125 | }
126 | }
127 |
128 | custom_data = base64encode(data.template_file.controller.rendered)
129 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.azure.azurerm_linux_virtual_machine.worker[0]
File: /2020-10-27-BoundaryonAzure/azure/vm.tf:175-225
Calling File: /2020-10-27-BoundaryonAzure/main.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy_attachment.remote_state_access
File: /2020-11-24-MovingRemoteStateResources/remotestate-setup/main.tf:61-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
61 | resource "aws_iam_user_policy_attachment" "remote_state_access" {
62 | user = var.user_name
63 | policy_arn = module.remote_state.terraform_iam_policy.arn
64 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /2020-12-15-Terragrunt/remotestate/main.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
56 | resource "azurerm_storage_account" "sa" {
57 | name = local.storage_account_name
58 | resource_group_name = azurerm_resource_group.setup.name
59 | location = var.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /2020-12-15-Terragrunt/remotestate/main.tf:56-63
56 | resource "azurerm_storage_account" "sa" {
57 | name = local.storage_account_name
58 | resource_group_name = azurerm_resource_group.setup.name
59 | location = var.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /2020-12-15-Terragrunt/remotestate/main.tf:56-63
56 | resource "azurerm_storage_account" "sa" {
57 | name = local.storage_account_name
58 | resource_group_name = azurerm_resource_group.setup.name
59 | location = var.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /2020-12-15-Terragrunt/remotestate/main.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
56 | resource "azurerm_storage_account" "sa" {
57 | name = local.storage_account_name
58 | resource_group_name = azurerm_resource_group.setup.name
59 | location = var.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /2020-12-15-Terragrunt/remotestate/main.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
56 | resource "azurerm_storage_account" "sa" {
57 | name = local.storage_account_name
58 | resource_group_name = azurerm_resource_group.setup.name
59 | location = var.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.controller_nic_ssh
File: /2021-01-21/nsgs.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
1 | resource "azurerm_network_security_rule" "controller_nic_ssh" {
2 | name = "allow_ssh"
3 | priority = 100
4 | direction = "Inbound"
5 | access = "Allow"
6 | protocol = "Tcp"
7 | source_port_range = "*"
8 | destination_port_range = "22"
9 | source_address_prefix = "*"
10 | destination_address_prefix = "*"
11 | resource_group_name = azurerm_resource_group.cka.name
12 | network_security_group_name = azurerm_network_security_group.controller_nics.name
13 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.worker_nic_ssh
File: /2021-01-21/nsgs.tf:29-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
29 | resource "azurerm_network_security_rule" "worker_nic_ssh" {
30 | name = "allow_ssh_local"
31 | priority = 100
32 | direction = "Inbound"
33 | access = "Allow"
34 | protocol = "Tcp"
35 | source_port_range = "*"
36 | destination_port_range = "22"
37 | source_address_prefix = "*"
38 | destination_address_prefix = "*"
39 | resource_group_name = azurerm_resource_group.cka.name
40 | network_security_group_name = azurerm_network_security_group.worker_nics.name
41 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.controller[0]
File: /2021-01-21/vms.tf:53-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
53 | resource "azurerm_linux_virtual_machine" "controller" {
54 | count = var.controller_vm_count
55 | name = "${local.controller_vm}-${count.index}"
56 | location = var.location
57 | resource_group_name = azurerm_resource_group.cka.name
58 | size = var.controller_vm_size
59 | admin_username = "azureuser"
60 | computer_name = "controller-${count.index}"
61 | availability_set_id = azurerm_availability_set.controller.id
62 | network_interface_ids = [
63 | azurerm_network_interface.controller[count.index].id,
64 | ]
65 |
66 | admin_ssh_key {
67 | username = "azureuser"
68 | public_key = tls_private_key.cka.public_key_openssh
69 | }
70 |
71 | # Using Standard SSD tier storage
72 | # Accepting the standard disk size from image
73 | # No data disk is being used
74 | os_disk {
75 | caching = "ReadWrite"
76 | storage_account_type = "StandardSSD_LRS"
77 | }
78 |
79 | #Source image is hardcoded b/c I said so
80 | source_image_reference {
81 | publisher = "Canonical"
82 | offer = "UbuntuServer"
83 | sku = "18.04-LTS"
84 | version = "latest"
85 | }
86 |
87 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.worker[0]
File: /2021-01-21/vms.tf:110-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
110 | resource "azurerm_linux_virtual_machine" "worker" {
111 | count = var.worker_vm_count
112 | name = "${local.worker_vm}-${count.index}"
113 | location = var.location
114 | resource_group_name = azurerm_resource_group.cka.name
115 | size = var.worker_vm_size
116 | admin_username = "azureuser"
117 | computer_name = "worker-${count.index}"
118 | availability_set_id = azurerm_availability_set.controller.id
119 | network_interface_ids = [
120 | azurerm_network_interface.worker[count.index].id,
121 | ]
122 |
123 | admin_ssh_key {
124 | username = "azureuser"
125 | public_key = tls_private_key.cka.public_key_openssh
126 | }
127 |
128 | # Using Standard SSD tier storage
129 | # Accepting the standard disk size from image
130 | # No data disk is being used
131 | os_disk {
132 | caching = "ReadWrite"
133 | storage_account_type = "StandardSSD_LRS"
134 | }
135 |
136 | #Source image is hardcoded b/c I said so
137 | source_image_reference {
138 | publisher = "Canonical"
139 | offer = "UbuntuServer"
140 | sku = "18.04-LTS"
141 | version = "latest"
142 | }
143 |
144 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.worker[1]
File: /2021-01-21/vms.tf:110-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
110 | resource "azurerm_linux_virtual_machine" "worker" {
111 | count = var.worker_vm_count
112 | name = "${local.worker_vm}-${count.index}"
113 | location = var.location
114 | resource_group_name = azurerm_resource_group.cka.name
115 | size = var.worker_vm_size
116 | admin_username = "azureuser"
117 | computer_name = "worker-${count.index}"
118 | availability_set_id = azurerm_availability_set.controller.id
119 | network_interface_ids = [
120 | azurerm_network_interface.worker[count.index].id,
121 | ]
122 |
123 | admin_ssh_key {
124 | username = "azureuser"
125 | public_key = tls_private_key.cka.public_key_openssh
126 | }
127 |
128 | # Using Standard SSD tier storage
129 | # Accepting the standard disk size from image
130 | # No data disk is being used
131 | os_disk {
132 | caching = "ReadWrite"
133 | storage_account_type = "StandardSSD_LRS"
134 | }
135 |
136 | #Source image is hardcoded b/c I said so
137 | source_image_reference {
138 | publisher = "Canonical"
139 | offer = "UbuntuServer"
140 | sku = "18.04-LTS"
141 | version = "latest"
142 | }
143 |
144 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.worker[2]
File: /2021-01-21/vms.tf:110-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
110 | resource "azurerm_linux_virtual_machine" "worker" {
111 | count = var.worker_vm_count
112 | name = "${local.worker_vm}-${count.index}"
113 | location = var.location
114 | resource_group_name = azurerm_resource_group.cka.name
115 | size = var.worker_vm_size
116 | admin_username = "azureuser"
117 | computer_name = "worker-${count.index}"
118 | availability_set_id = azurerm_availability_set.controller.id
119 | network_interface_ids = [
120 | azurerm_network_interface.worker[count.index].id,
121 | ]
122 |
123 | admin_ssh_key {
124 | username = "azureuser"
125 | public_key = tls_private_key.cka.public_key_openssh
126 | }
127 |
128 | # Using Standard SSD tier storage
129 | # Accepting the standard disk size from image
130 | # No data disk is being used
131 | os_disk {
132 | caching = "ReadWrite"
133 | storage_account_type = "StandardSSD_LRS"
134 | }
135 |
136 | #Source image is hardcoded b/c I said so
137 | source_image_reference {
138 | publisher = "Canonical"
139 | offer = "UbuntuServer"
140 | sku = "18.04-LTS"
141 | version = "latest"
142 | }
143 |
144 | }
Check: CKV_AZURE_9: "Ensure that RDP access is restricted from the internet"
FAILED for resource: azurerm_network_security_group.NSG
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:116-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-2.html
116 | resource "azurerm_network_security_group" "NSG" {
117 | name = local.networkSecurityGroupName
118 | location = azurerm_resource_group.tacos.location
119 | resource_group_name = azurerm_resource_group.tacos.name
120 |
121 | security_rule {
122 | name = "RDP"
123 | priority = 1000
124 | direction = "Inbound"
125 | access = "Allow"
126 | protocol = "Tcp"
127 | source_port_range = "*"
128 | destination_port_range = "3389"
129 | source_address_prefix = "*"
130 | destination_address_prefix = "*"
131 | }
132 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.VMDiag
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:186-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
186 | resource "azurerm_storage_account" "VMDiag" {
187 | name = var.diagStorageAccountName
188 | location = azurerm_resource_group.tacos.location
189 | resource_group_name = azurerm_resource_group.tacos.name
190 | account_kind = "StorageV2"
191 | account_tier = "Standard"
192 | account_replication_type = "LRS"
193 |
194 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.VMDiag
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:186-194
186 | resource "azurerm_storage_account" "VMDiag" {
187 | name = var.diagStorageAccountName
188 | location = azurerm_resource_group.tacos.location
189 | resource_group_name = azurerm_resource_group.tacos.name
190 | account_kind = "StorageV2"
191 | account_tier = "Standard"
192 | account_replication_type = "LRS"
193 |
194 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.VMDiag
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:186-194
186 | resource "azurerm_storage_account" "VMDiag" {
187 | name = var.diagStorageAccountName
188 | location = azurerm_resource_group.tacos.location
189 | resource_group_name = azurerm_resource_group.tacos.name
190 | account_kind = "StorageV2"
191 | account_tier = "Standard"
192 | account_replication_type = "LRS"
193 |
194 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.VMDiag
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:186-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
186 | resource "azurerm_storage_account" "VMDiag" {
187 | name = var.diagStorageAccountName
188 | location = azurerm_resource_group.tacos.location
189 | resource_group_name = azurerm_resource_group.tacos.name
190 | account_kind = "StorageV2"
191 | account_tier = "Standard"
192 | account_replication_type = "LRS"
193 |
194 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.VMDiag
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:186-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
186 | resource "azurerm_storage_account" "VMDiag" {
187 | name = var.diagStorageAccountName
188 | location = azurerm_resource_group.tacos.location
189 | resource_group_name = azurerm_resource_group.tacos.name
190 | account_kind = "StorageV2"
191 | account_tier = "Standard"
192 | account_replication_type = "LRS"
193 |
194 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_windows_virtual_machine.VM
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:197-224
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
197 | resource "azurerm_windows_virtual_machine" "VM" {
198 | name = local.virtualMachineName
199 | resource_group_name = azurerm_resource_group.tacos.name
200 | location = azurerm_resource_group.tacos.location
201 | size = local.virtualMachineSize
202 | admin_username = var.adminUsername
203 | admin_password = var.adminPassword
204 | network_interface_ids = [
205 | azurerm_network_interface.nic1.id,
206 | azurerm_network_interface.nic2.id,
207 | ]
208 |
209 | os_disk {
210 | caching = "ReadWrite"
211 | storage_account_type = "Premium_LRS"
212 | }
213 |
214 | source_image_reference {
215 | publisher = "MicrosoftWindowsServer"
216 | offer = "WindowsServer"
217 | sku = "2019-Datacenter"
218 | version = "latest"
219 | }
220 |
221 | boot_diagnostics {
222 | storage_account_uri = azurerm_storage_account.VMDiag.primary_blob_endpoint
223 | }
224 | }
Check: CKV_AZURE_151: "Ensure Windows VM enables encryption"
FAILED for resource: azurerm_windows_virtual_machine.VM
File: /2021-02-01-ImportingInfra/complex_import/terraform/main.tf:197-224
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption.html
197 | resource "azurerm_windows_virtual_machine" "VM" {
198 | name = local.virtualMachineName
199 | resource_group_name = azurerm_resource_group.tacos.name
200 | location = azurerm_resource_group.tacos.location
201 | size = local.virtualMachineSize
202 | admin_username = var.adminUsername
203 | admin_password = var.adminPassword
204 | network_interface_ids = [
205 | azurerm_network_interface.nic1.id,
206 | azurerm_network_interface.nic2.id,
207 | ]
208 |
209 | os_disk {
210 | caching = "ReadWrite"
211 | storage_account_type = "Premium_LRS"
212 | }
213 |
214 | source_image_reference {
215 | publisher = "MicrosoftWindowsServer"
216 | offer = "WindowsServer"
217 | sku = "2019-Datacenter"
218 | version = "latest"
219 | }
220 |
221 | boot_diagnostics {
222 | storage_account_uri = azurerm_storage_account.VMDiag.primary_blob_endpoint
223 | }
224 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.webapp_lc
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:60-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
60 | resource "aws_launch_configuration" "webapp_lc" {
61 | lifecycle {
62 | create_before_destroy = true
63 | }
64 |
65 | name_prefix = "${terraform.workspace}-ddt-lc-"
66 | image_id = data.aws_ami.aws_linux.id
67 | instance_type = local.asg_instance_size
68 |
69 | security_groups = [
70 | aws_security_group.webapp_http_inbound_sg.id,
71 | aws_security_group.webapp_ssh_inbound_sg.id,
72 | aws_security_group.webapp_outbound_sg.id,
73 | ]
74 |
75 | user_data = file("./templates/userdata.sh")
76 | associate_public_ip_address = true
77 | iam_instance_profile = aws_iam_instance_profile.asg.name
78 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.webapp_lc
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:60-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
60 | resource "aws_launch_configuration" "webapp_lc" {
61 | lifecycle {
62 | create_before_destroy = true
63 | }
64 |
65 | name_prefix = "${terraform.workspace}-ddt-lc-"
66 | image_id = data.aws_ami.aws_linux.id
67 | instance_type = local.asg_instance_size
68 |
69 | security_groups = [
70 | aws_security_group.webapp_http_inbound_sg.id,
71 | aws_security_group.webapp_ssh_inbound_sg.id,
72 | aws_security_group.webapp_outbound_sg.id,
73 | ]
74 |
75 | user_data = file("./templates/userdata.sh")
76 | associate_public_ip_address = true
77 | iam_instance_profile = aws_iam_instance_profile.asg.name
78 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.webapp_elb
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:80-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
80 | resource "aws_elb" "webapp_elb" {
81 | name = "ddt-webapp-elb-${terraform.workspace}"
82 | subnets = data.terraform_remote_state.networking.outputs.public_subnets
83 |
84 | listener {
85 | instance_port = 80
86 | instance_protocol = "http"
87 | lb_port = 80
88 | lb_protocol = "http"
89 | }
90 |
91 | health_check {
92 | healthy_threshold = 2
93 | unhealthy_threshold = 2
94 | timeout = 3
95 | target = "HTTP:80/"
96 | interval = 10
97 | }
98 |
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 |
101 | tags = local.common_tags
102 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.webapp_elb
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:80-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
80 | resource "aws_elb" "webapp_elb" {
81 | name = "ddt-webapp-elb-${terraform.workspace}"
82 | subnets = data.terraform_remote_state.networking.outputs.public_subnets
83 |
84 | listener {
85 | instance_port = 80
86 | instance_protocol = "http"
87 | lb_port = 80
88 | lb_protocol = "http"
89 | }
90 |
91 | health_check {
92 | healthy_threshold = 2
93 | unhealthy_threshold = 2
94 | timeout = 3
95 | target = "HTTP:80/"
96 | interval = 10
97 | }
98 |
99 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
100 |
101 | tags = local.common_tags
102 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.webapp_asg
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:104-127
104 | resource "aws_autoscaling_group" "webapp_asg" {
105 | lifecycle {
106 | create_before_destroy = true
107 | #create_before_destroy = false
108 | }
109 |
110 | vpc_zone_identifier = data.terraform_remote_state.networking.outputs.public_subnets
111 | name = "ddt_webapp_asg-${terraform.workspace}"
112 | max_size = local.asg_max_size
113 | min_size = local.asg_min_size
114 | wait_for_elb_capacity = local.asg_min_size
115 | force_delete = true
116 | launch_configuration = aws_launch_configuration.webapp_lc.id
117 | load_balancers = [aws_elb.webapp_elb.name]
118 |
119 | dynamic "tag" {
120 | for_each = local.common_tags
121 | content {
122 | key = tag.key
123 | value = tag.value
124 | propagate_at_launch = true
125 | }
126 | }
127 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.rds
File: /2021-02-08-DynamicBlocks/ASG/resources.tf:196-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
196 | resource "aws_db_instance" "rds" {
197 | identifier = "${terraform.workspace}-ddt-rds"
198 | allocated_storage = local.rds_storage_size
199 | engine = local.rds_engine
200 | engine_version = local.rds_version
201 | instance_class = local.rds_instance_size
202 | multi_az = local.rds_multi_az
203 | name = "${terraform.workspace}${local.rds_db_name}"
204 | username = var.rds_username
205 | password = var.rds_password
206 | db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id
207 | vpc_security_group_ids = [aws_security_group.rds_sg.id]
208 | skip_final_snapshot = true
209 |
210 | tags = local.common_tags
211 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:5-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "demo_webapp_http_inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
24 |
25 | tags = {
26 | Name = "terraform_demo_webapp_http_inbound"
27 | }
28 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.webapp_http_inbound_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:5-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
5 | resource "aws_security_group" "webapp_http_inbound_sg" {
6 | name = "demo_webapp_http_inbound"
7 | description = "Allow HTTP from Anywhere"
8 |
9 | ingress {
10 | from_port = 80
11 | to_port = 80
12 | protocol = "tcp"
13 | cidr_blocks = ["0.0.0.0/0"]
14 | }
15 |
16 | egress {
17 | from_port = 0
18 | to_port = 0
19 | protocol = "-1"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
24 |
25 | tags = {
26 | Name = "terraform_demo_webapp_http_inbound"
27 | }
28 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:30-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
30 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
31 | name = "demo_webapp_ssh_inbound"
32 | description = "Allow SSH from certain ranges"
33 |
34 | ingress {
35 | from_port = 22
36 | to_port = 22
37 | protocol = "tcp"
38 | cidr_blocks = [var.ip_range]
39 | }
40 |
41 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
42 |
43 | tags = merge(local.common_tags,{
44 | Name = "terraform_demo_webapp_ssh_inbound"
45 | })
46 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.webapp_ssh_inbound_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:30-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
30 | resource "aws_security_group" "webapp_ssh_inbound_sg" {
31 | name = "demo_webapp_ssh_inbound"
32 | description = "Allow SSH from certain ranges"
33 |
34 | ingress {
35 | from_port = 22
36 | to_port = 22
37 | protocol = "tcp"
38 | cidr_blocks = [var.ip_range]
39 | }
40 |
41 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
42 |
43 | tags = merge(local.common_tags,{
44 | Name = "terraform_demo_webapp_ssh_inbound"
45 | })
46 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webapp_outbound_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:48-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
48 | resource "aws_security_group" "webapp_outbound_sg" {
49 | name = "demo_webapp_outbound"
50 | description = "Allow outbound connections"
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | }
58 |
59 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
60 |
61 | tags = merge(local.common_tags,{
62 | Name = "terraform_demo_webapp_outbound"
63 | })
64 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.rds_sg
File: /2021-02-08-DynamicBlocks/ASG/security_groups.tf:66-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
66 | resource "aws_security_group" "rds_sg" {
67 | name = "demo_rds_inbound"
68 | description = "Allow inbound from web tier"
69 | vpc_id = data.terraform_remote_state.networking.outputs.vpc_id
70 |
71 | tags = {
72 | Name = "demo_rds_inbound"
73 | }
74 |
75 | // allows traffic from the SG itself
76 | ingress {
77 | from_port = 0
78 | to_port = 0
79 | protocol = "-1"
80 | self = true
81 | }
82 |
83 | // allow traffic for TCP 3306
84 | ingress {
85 | from_port = 3306
86 | to_port = 3306
87 | protocol = "tcp"
88 | security_groups = [aws_security_group.webapp_http_inbound_sg.id]
89 | }
90 |
91 | // outbound internet access
92 | egress {
93 | from_port = 0
94 | to_port = 0
95 | protocol = "-1"
96 | cidr_blocks = ["0.0.0.0/0"]
97 | }
98 | }
Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
FAILED for resource: module.bigip.azurerm_network_security_rule.http
File: /2021-03-09-Consul-Terraform-Sync/environment/f5/main.tf:44-56
Calling File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:66-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
44 | resource "azurerm_network_security_rule" "http" {
45 | name = "http"
46 | priority = 100
47 | direction = "Inbound"
48 | access = "Allow"
49 | protocol = "Tcp"
50 | source_port_range = "*"
51 | destination_port_range = "80"
52 | source_address_prefix = "*"
53 | destination_address_prefix = "*"
54 | resource_group_name = var.resource_group_name
55 | network_security_group_name = azurerm_network_security_group.bigip.name
56 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: module.bigip.azurerm_network_security_rule.ssh
File: /2021-03-09-Consul-Terraform-Sync/environment/f5/main.tf:58-70
Calling File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:66-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
58 | resource "azurerm_network_security_rule" "ssh" {
59 | name = "ssh"
60 | priority = 110
61 | direction = "Inbound"
62 | access = "Allow"
63 | protocol = "Tcp"
64 | source_port_range = "*"
65 | destination_port_range = "22"
66 | source_address_prefix = "*"
67 | destination_address_prefix = "*"
68 | resource_group_name = var.resource_group_name
69 | network_security_group_name = azurerm_network_security_group.bigip.name
70 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.bigip.azurerm_linux_virtual_machine.bigip
File: /2021-03-09-Consul-Terraform-Sync/environment/f5/main.tf:113-145
Calling File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:66-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
113 | resource "azurerm_linux_virtual_machine" "bigip" {
114 | name = "bigipVM"
115 | resource_group_name = var.resource_group_name
116 | location = var.location
117 | size = var.vmSize
118 | admin_username = var.adminUsername
119 | network_interface_ids = [
120 | azurerm_network_interface.bigip.id,
121 | ]
122 |
123 | admin_ssh_key {
124 | username = var.adminUsername
125 | public_key = var.ssh_key
126 | }
127 |
128 | os_disk {
129 | caching = "ReadWrite"
130 | storage_account_type = var.storageAccountType
131 | }
132 |
133 | source_image_reference {
134 | publisher = var.imageReference.publisher
135 | offer = var.imageReference.offer
136 | sku = var.imageReference.sku
137 | version = "latest"
138 | }
139 |
140 | plan {
141 | name = var.imageReference.sku
142 | product = var.imageReference.offer
143 | publisher = var.imageReference.publisher
144 | }
145 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.cts_vm
File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:100-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
100 | resource "azurerm_linux_virtual_machine" "cts_vm" {
101 | name = "ctsVm"
102 | location = var.location
103 | resource_group_name = azurerm_resource_group.cts.name
104 | size = "Standard_D2as_v4"
105 | admin_username = "azureuser"
106 | computer_name = local.cts_hostname
107 | network_interface_ids = [
108 | azurerm_network_interface.cts_vm.id,
109 | ]
110 |
111 | admin_ssh_key {
112 | username = "azureuser"
113 | public_key = tls_private_key.boundary.public_key_openssh
114 | }
115 |
116 | # Using Standard SSD tier storage
117 | # Accepting the standard disk size from image
118 | # No data disk is being used
119 | os_disk {
120 | caching = "ReadWrite"
121 | storage_account_type = "StandardSSD_LRS"
122 | }
123 |
124 | #Source image is hardcoded b/c I said so
125 | source_image_reference {
126 | publisher = "Canonical"
127 | offer = "UbuntuServer"
128 | sku = "18.04-LTS"
129 | version = "latest"
130 | }
131 |
132 | #Custom data from the boundary.tmpl file
133 | custom_data = base64encode(
134 | templatefile("${path.module}/CTS.tpl", {
135 | big_ip_address = module.bigip.private_ip_address
136 | big_ip_password = var.big_ip_password
137 | })
138 | )
139 | }
Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.http
File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:150-162
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
150 | resource "azurerm_network_security_rule" "http" {
151 | name = "http"
152 | priority = 100
153 | direction = "Inbound"
154 | access = "Allow"
155 | protocol = "Tcp"
156 | source_port_range = "*"
157 | destination_port_range = "80"
158 | source_address_prefix = "*"
159 | destination_address_prefix = "*"
160 | resource_group_name = azurerm_resource_group.cts.name
161 | network_security_group_name = azurerm_network_security_group.cts.name
162 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.ssh
File: /2021-03-09-Consul-Terraform-Sync/environment/main.tf:164-176
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
164 | resource "azurerm_network_security_rule" "ssh" {
165 | name = "ssh"
166 | priority = 110
167 | direction = "Inbound"
168 | access = "Allow"
169 | protocol = "Tcp"
170 | source_port_range = "*"
171 | destination_port_range = "22"
172 | source_address_prefix = "*"
173 | destination_address_prefix = "*"
174 | resource_group_name = azurerm_resource_group.cts.name
175 | network_security_group_name = azurerm_network_security_group.cts.name
176 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.ebs
File: /2021-04-13-AWS-KMS/ebs/main.tf:24-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
24 | resource "aws_kms_key" "ebs" {
25 | description = "EBS key"
26 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.state
File: /2021-04-20-terraform15/azure_rm_backend/create_storage_backend/main.tf:30-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
30 | resource "azurerm_storage_account" "state" {
31 | name = local.name
32 | resource_group_name = azurerm_resource_group.state.name
33 | location = azurerm_resource_group.state.location
34 |
35 | account_kind = "StorageV2"
36 | account_tier = "Standard"
37 | account_replication_type = "LRS"
38 | enable_https_traffic_only = true
39 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.state
File: /2021-04-20-terraform15/azure_rm_backend/create_storage_backend/main.tf:30-39
30 | resource "azurerm_storage_account" "state" {
31 | name = local.name
32 | resource_group_name = azurerm_resource_group.state.name
33 | location = azurerm_resource_group.state.location
34 |
35 | account_kind = "StorageV2"
36 | account_tier = "Standard"
37 | account_replication_type = "LRS"
38 | enable_https_traffic_only = true
39 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.state
File: /2021-04-20-terraform15/azure_rm_backend/create_storage_backend/main.tf:30-39
30 | resource "azurerm_storage_account" "state" {
31 | name = local.name
32 | resource_group_name = azurerm_resource_group.state.name
33 | location = azurerm_resource_group.state.location
34 |
35 | account_kind = "StorageV2"
36 | account_tier = "Standard"
37 | account_replication_type = "LRS"
38 | enable_https_traffic_only = true
39 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.state
File: /2021-04-20-terraform15/azure_rm_backend/create_storage_backend/main.tf:30-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
30 | resource "azurerm_storage_account" "state" {
31 | name = local.name
32 | resource_group_name = azurerm_resource_group.state.name
33 | location = azurerm_resource_group.state.location
34 |
35 | account_kind = "StorageV2"
36 | account_tier = "Standard"
37 | account_replication_type = "LRS"
38 | enable_https_traffic_only = true
39 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.state
File: /2021-04-20-terraform15/azure_rm_backend/create_storage_backend/main.tf:30-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
30 | resource "azurerm_storage_account" "state" {
31 | name = local.name
32 | resource_group_name = azurerm_resource_group.state.name
33 | location = azurerm_resource_group.state.location
34 |
35 | account_kind = "StorageV2"
36 | account_tier = "Standard"
37 | account_replication_type = "LRS"
38 | enable_https_traffic_only = true
39 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ec2[0]
File: /2021-04-27-HCP/main.tf:80-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
80 | resource "aws_security_group" "ec2" {
81 | count = length(var.vpcs)
82 | name = "allow_ssh"
83 | description = "Allow SSH to instance"
84 | vpc_id = module.vpc[count.index].vpc_id
85 |
86 | ingress {
87 | cidr_blocks = [ "0.0.0.0/0" ]
88 | description = "Allow SSH"
89 | from_port = 22
90 | protocol = "tcp"
91 | to_port = 22
92 | }
93 |
94 | egress {
95 | from_port = 0
96 | to_port = 0
97 | protocol = -1
98 | cidr_blocks = ["0.0.0.0/0"]
99 | }
100 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.ec2[0]
File: /2021-04-27-HCP/main.tf:80-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
80 | resource "aws_security_group" "ec2" {
81 | count = length(var.vpcs)
82 | name = "allow_ssh"
83 | description = "Allow SSH to instance"
84 | vpc_id = module.vpc[count.index].vpc_id
85 |
86 | ingress {
87 | cidr_blocks = [ "0.0.0.0/0" ]
88 | description = "Allow SSH"
89 | from_port = 22
90 | protocol = "tcp"
91 | to_port = 22
92 | }
93 |
94 | egress {
95 | from_port = 0
96 | to_port = 0
97 | protocol = -1
98 | cidr_blocks = ["0.0.0.0/0"]
99 | }
100 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.ec2[0]
File: /2021-04-27-HCP/main.tf:102-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
102 | resource "aws_instance" "ec2" {
103 | count = length(var.vpcs)
104 | ami = data.aws_ami.amazon_linux.id
105 | instance_type = "t2.micro"
106 | associate_public_ip_address = true
107 | key_name = var.keyname
108 | subnet_id = module.vpc[count.index].public_subnets[0]
109 | vpc_security_group_ids = [ aws_security_group.ec2[count.index].id ]
110 | user_data = templatefile("${path.module}/ec2.tmpl",{
111 | vault_token = nonsensitive(module.vault.vault_admin_token)
112 | vault_address = module.vault.vault_private_endpoint_url
113 | consul_token = nonsensitive(module.consul.consul_admin_token)
114 | consul_address = module.consul.consul_private_endpoint_url
115 | consul_ca_file = base64decode(module.consul.consul_ca_file)
116 | consul_config_file = base64decode(module.consul.consul_config_file)
117 | })
118 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2[0]
File: /2021-04-27-HCP/main.tf:102-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
102 | resource "aws_instance" "ec2" {
103 | count = length(var.vpcs)
104 | ami = data.aws_ami.amazon_linux.id
105 | instance_type = "t2.micro"
106 | associate_public_ip_address = true
107 | key_name = var.keyname
108 | subnet_id = module.vpc[count.index].public_subnets[0]
109 | vpc_security_group_ids = [ aws_security_group.ec2[count.index].id ]
110 | user_data = templatefile("${path.module}/ec2.tmpl",{
111 | vault_token = nonsensitive(module.vault.vault_admin_token)
112 | vault_address = module.vault.vault_private_endpoint_url
113 | consul_token = nonsensitive(module.consul.consul_admin_token)
114 | consul_address = module.consul.consul_private_endpoint_url
115 | consul_ca_file = base64decode(module.consul.consul_ca_file)
116 | consul_config_file = base64decode(module.consul.consul_config_file)
117 | })
118 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2[0]
File: /2021-04-27-HCP/main.tf:102-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
102 | resource "aws_instance" "ec2" {
103 | count = length(var.vpcs)
104 | ami = data.aws_ami.amazon_linux.id
105 | instance_type = "t2.micro"
106 | associate_public_ip_address = true
107 | key_name = var.keyname
108 | subnet_id = module.vpc[count.index].public_subnets[0]
109 | vpc_security_group_ids = [ aws_security_group.ec2[count.index].id ]
110 | user_data = templatefile("${path.module}/ec2.tmpl",{
111 | vault_token = nonsensitive(module.vault.vault_admin_token)
112 | vault_address = module.vault.vault_private_endpoint_url
113 | consul_token = nonsensitive(module.consul.consul_admin_token)
114 | consul_address = module.consul.consul_private_endpoint_url
115 | consul_ca_file = base64decode(module.consul.consul_ca_file)
116 | consul_config_file = base64decode(module.consul.consul_config_file)
117 | })
118 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.ec2[0]
File: /2021-04-27-HCP/main.tf:102-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
102 | resource "aws_instance" "ec2" {
103 | count = length(var.vpcs)
104 | ami = data.aws_ami.amazon_linux.id
105 | instance_type = "t2.micro"
106 | associate_public_ip_address = true
107 | key_name = var.keyname
108 | subnet_id = module.vpc[count.index].public_subnets[0]
109 | vpc_security_group_ids = [ aws_security_group.ec2[count.index].id ]
110 | user_data = templatefile("${path.module}/ec2.tmpl",{
111 | vault_token = nonsensitive(module.vault.vault_admin_token)
112 | vault_address = module.vault.vault_private_endpoint_url
113 | consul_token = nonsensitive(module.consul.consul_admin_token)
114 | consul_address = module.consul.consul_private_endpoint_url
115 | consul_ca_file = base64decode(module.consul.consul_ca_file)
116 | consul_config_file = base64decode(module.consul.consul_config_file)
117 | })
118 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2[0]
File: /2021-04-27-HCP/main.tf:102-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
102 | resource "aws_instance" "ec2" {
103 | count = length(var.vpcs)
104 | ami = data.aws_ami.amazon_linux.id
105 | instance_type = "t2.micro"
106 | associate_public_ip_address = true
107 | key_name = var.keyname
108 | subnet_id = module.vpc[count.index].public_subnets[0]
109 | vpc_security_group_ids = [ aws_security_group.ec2[count.index].id ]
110 | user_data = templatefile("${path.module}/ec2.tmpl",{
111 | vault_token = nonsensitive(module.vault.vault_admin_token)
112 | vault_address = module.vault.vault_private_endpoint_url
113 | consul_token = nonsensitive(module.consul.consul_admin_token)
114 | consul_address = module.consul.consul_private_endpoint_url
115 | consul_ca_file = base64decode(module.consul.consul_ca_file)
116 | consul_config_file = base64decode(module.consul.consul_config_file)
117 | })
118 | }
Check: CKV_AZURE_98: "Ensure that Azure Container group is deployed into virtual network"
FAILED for resource: module.main.azurerm_container_group.webapp
File: /2021-05-04-ModuleTesting/web_app_test/main.tf:51-78
Calling File: /2021-05-04-ModuleTesting/web_app_test/tests/default/tests_default.tf:13-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-container-container-group-is-deployed-into-virtual-network.html
51 | resource "azurerm_container_group" "webapp" {
52 | name = local.name
53 | location = azurerm_resource_group.webapp.location
54 | resource_group_name = azurerm_resource_group.webapp.name
55 | ip_address_type = "public"
56 | dns_name_label = local.name
57 | os_type = "Linux"
58 |
59 | container {
60 | name = "petstore"
61 | image = "swaggerapi/petstore"
62 | cpu = "0.5"
63 | memory = "1.5"
64 | environment_variables = {
65 | SWAGGER_HOST = "http://${local.name}.${azurerm_resource_group.webapp.location}.azurecontainer.io"
66 | SWAGGER_URL = "http://${local.name}.${azurerm_resource_group.webapp.location}.azurecontainer.io:8080"
67 | }
68 |
69 | ports {
70 | port = 8080
71 | protocol = "TCP"
72 | }
73 | }
74 |
75 | tags = {
76 | environment = "testing"
77 | }
78 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-11-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-11-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-11-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-11-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-11-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: azurerm_key_vault.setup
File: /2021-05-25-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: azurerm_key_vault.setup
File: /2021-05-25-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: azurerm_key_vault.setup
File: /2021-05-25-ADO/setup/azurekeyvault.tf:6-13
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: azurerm_key_vault.setup
File: /2021-05-25-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-05-25-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-25-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-25-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-25-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-25-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-05-25-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: azurerm_key_vault.setup
File: /2021-06-22-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: azurerm_key_vault.setup
File: /2021-06-22-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: azurerm_key_vault.setup
File: /2021-06-22-ADO/setup/azurekeyvault.tf:6-13
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: azurerm_key_vault.setup
File: /2021-06-22-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-06-22-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /2021-06-22-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /2021-06-22-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-06-22-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /2021-06-22-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-06-22-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.apache
File: /2021-07-20-Getting-Started-GCP/ExampleOne/main.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
32 | resource "google_compute_instance" "apache" {
33 | name = "apache"
34 | zone = data.google_compute_zones.available_zones.names[0]
35 | tags = ["allow-http"]
36 |
37 | machine_type = "e2-micro"
38 |
39 | boot_disk {
40 | initialize_params {
41 | image = "ubuntu-os-cloud/ubuntu-1804-lts"
42 | }
43 | }
44 |
45 | network_interface {
46 | network = "default"
47 |
48 | access_config {
49 | nat_ip = google_compute_address.static.address
50 | }
51 | }
52 |
53 | metadata_startup_script = file("startup_script.sh")
54 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.apache
File: /2021-07-20-Getting-Started-GCP/ExampleOne/main.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
32 | resource "google_compute_instance" "apache" {
33 | name = "apache"
34 | zone = data.google_compute_zones.available_zones.names[0]
35 | tags = ["allow-http"]
36 |
37 | machine_type = "e2-micro"
38 |
39 | boot_disk {
40 | initialize_params {
41 | image = "ubuntu-os-cloud/ubuntu-1804-lts"
42 | }
43 | }
44 |
45 | network_interface {
46 | network = "default"
47 |
48 | access_config {
49 | nat_ip = google_compute_address.static.address
50 | }
51 | }
52 |
53 | metadata_startup_script = file("startup_script.sh")
54 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.apache
File: /2021-07-20-Getting-Started-GCP/ExampleOne/main.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
32 | resource "google_compute_instance" "apache" {
33 | name = "apache"
34 | zone = data.google_compute_zones.available_zones.names[0]
35 | tags = ["allow-http"]
36 |
37 | machine_type = "e2-micro"
38 |
39 | boot_disk {
40 | initialize_params {
41 | image = "ubuntu-os-cloud/ubuntu-1804-lts"
42 | }
43 | }
44 |
45 | network_interface {
46 | network = "default"
47 |
48 | access_config {
49 | nat_ip = google_compute_address.static.address
50 | }
51 | }
52 |
53 | metadata_startup_script = file("startup_script.sh")
54 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.apache
File: /2021-07-20-Getting-Started-GCP/ExampleOne/main.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
32 | resource "google_compute_instance" "apache" {
33 | name = "apache"
34 | zone = data.google_compute_zones.available_zones.names[0]
35 | tags = ["allow-http"]
36 |
37 | machine_type = "e2-micro"
38 |
39 | boot_disk {
40 | initialize_params {
41 | image = "ubuntu-os-cloud/ubuntu-1804-lts"
42 | }
43 | }
44 |
45 | network_interface {
46 | network = "default"
47 |
48 | access_config {
49 | nat_ip = google_compute_address.static.address
50 | }
51 | }
52 |
53 | metadata_startup_script = file("startup_script.sh")
54 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance.apache
File: /2021-07-20-Getting-Started-GCP/ExampleOne/main.tf:32-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
32 | resource "google_compute_instance" "apache" {
33 | name = "apache"
34 | zone = data.google_compute_zones.available_zones.names[0]
35 | tags = ["allow-http"]
36 |
37 | machine_type = "e2-micro"
38 |
39 | boot_disk {
40 | initialize_params {
41 | image = "ubuntu-os-cloud/ubuntu-1804-lts"
42 | }
43 | }
44 |
45 | network_interface {
46 | network = "default"
47 |
48 | access_config {
49 | nat_ip = google_compute_address.static.address
50 | }
51 | }
52 |
53 | metadata_startup_script = file("startup_script.sh")
54 | }
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: google_project.project
File: /2021-07-20-Getting-Started-GCP/ExampleTwo/main.tf:34-39
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
34 | resource "google_project" "project" {
35 | name = random_id.id.hex
36 | project_id = random_id.id.hex
37 | billing_account = var.billing_account
38 | org_id = var.org_id
39 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: azurerm_key_vault.setup
File: /2021-07-27-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: azurerm_key_vault.setup
File: /2021-07-27-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: azurerm_key_vault.setup
File: /2021-07-27-ADO/setup/azurekeyvault.tf:6-13
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: azurerm_key_vault.setup
File: /2021-07-27-ADO/setup/azurekeyvault.tf:6-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
6 | resource "azurerm_key_vault" "setup" {
7 | name = local.az_key_vault_name
8 | location = azurerm_resource_group.setup.location
9 | resource_group_name = azurerm_resource_group.setup.name
10 | tenant_id = data.azurerm_client_config.current.tenant_id
11 |
12 | sku_name = "standard"
13 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-id"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-client-secret"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-subscription"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["az-tenant"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["container-name"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["key"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["sas-token"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.pipeline["storageaccount"]
File: /2021-07-27-ADO/setup/azurekeyvault.tf:50-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "pipeline" {
51 | depends_on = [
52 | azurerm_key_vault_access_policy.you
53 | ]
54 | for_each = local.pipeline_variables
55 | name = each.key
56 | value = each.value
57 | key_vault_id = azurerm_key_vault.setup.id
58 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sa
File: /2021-07-27-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sa
File: /2021-07-27-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-07-27-ADO/setup/azurestorage.tf:10-17
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sa
File: /2021-07-27-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sa
File: /2021-07-27-ADO/setup/azurestorage.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
10 | resource "azurerm_storage_account" "sa" {
11 | name = local.az_storage_account_name
12 | resource_group_name = azurerm_resource_group.setup.name
13 | location = var.az_location
14 | account_tier = "Standard"
15 | account_replication_type = "LRS"
16 |
17 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.taco-machines
File: /2021-08-03-EC2DynamicLoops/compute.tf:40-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
40 | resource "aws_launch_template" "taco-machines" {
41 | for_each = local.data_map
42 |
43 | name_prefix = each.key
44 |
45 | image_id = each.value.ImageId
46 | instance_type = each.value.InstanceType
47 |
48 | dynamic "block_device_mappings" {
49 | for_each = [for disks in local.all_disks : disks if each.key == disks.Group]
50 | content {
51 | device_name = block_device_mappings.value["device_name"]
52 |
53 | ebs {
54 | volume_size = block_device_mappings.value["disksize"]
55 | volume_type = block_device_mappings.value["diskperf"]
56 | }
57 | }
58 | }
59 |
60 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.hypervisor
File: /2021-09-07-NestedVirtualization/azure_vm/vm.tf:66-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
66 | resource "azurerm_linux_virtual_machine" "hypervisor" {
67 | name = local.hypervisor_vm
68 | location = azurerm_resource_group.vnet.location
69 | resource_group_name = azurerm_resource_group.vnet.name
70 | size = var.hypervisor_vm_size
71 | admin_username = "azureuser"
72 | computer_name = local.hypervisor_vm
73 | availability_set_id = azurerm_availability_set.hypervisor.id
74 | network_interface_ids = [
75 | azurerm_network_interface.hypervisor.id,
76 | ]
77 |
78 | admin_ssh_key {
79 | username = "azureuser"
80 | public_key = tls_private_key.hypervisor.public_key_openssh
81 | }
82 |
83 | os_disk {
84 | caching = "ReadWrite"
85 | storage_account_type = "StandardSSD_LRS"
86 | }
87 |
88 |
89 | #Source image is hardcoded b/c I said so
90 | source_image_reference {
91 | publisher = "Canonical"
92 | offer = "UbuntuServer"
93 | sku = "18.04-LTS"
94 | version = "latest"
95 | }
96 |
97 | custom_data = filebase64("${path.module}/setup.tpl")
98 | }
Check: CKV_AZURE_93: "Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption"
FAILED for resource: azurerm_managed_disk.hypervisor
File: /2021-09-07-NestedVirtualization/azure_vm/vm.tf:100-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption.html
100 | resource "azurerm_managed_disk" "hypervisor" {
101 | name = "${local.hypervisor_vm}-vms"
102 | location = azurerm_resource_group.vnet.location
103 | resource_group_name = azurerm_resource_group.vnet.name
104 | storage_account_type = var.data_disk_storage_class
105 | create_option = "Empty"
106 | disk_size_gb = var.data_disk_size
107 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.hypervisor_nic_ssh
File: /2021-09-07-NestedVirtualization/azure_vm/vnet.tf:26-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
26 | resource "azurerm_network_security_rule" "hypervisor_nic_ssh" {
27 | name = "allow_ssh"
28 | priority = 100
29 | direction = "Inbound"
30 | access = "Allow"
31 | protocol = "Tcp"
32 | source_port_range = "*"
33 | destination_port_range = "22"
34 | source_address_prefix = "*"
35 | destination_address_prefix = "*"
36 | resource_group_name = azurerm_resource_group.vnet.name
37 | network_security_group_name = azurerm_network_security_group.hypervisor_nics.name
38 | }
Check: CKV_GCP_115: "Ensure basic roles are not used at organization level."
FAILED for resource: google_organization_iam_member.organization["roles/viewer"]
File: /2021-09-14-GCP-Runner/main.tf:18-26
18 | resource "google_organization_iam_member" "organization" {
19 | for_each = toset([
20 | "roles/viewer",
21 | "roles/resourcemanager.projectCreator",
22 | "roles/billing.user"])
23 | org_id = var.org_id
24 | role = each.key
25 | member = "serviceAccount:${google_service_account.service_account.email}"
26 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.tf_state
File: /2021-09-14-GCP-Runner/main.tf:42-49
42 | resource "google_storage_bucket" "tf_state" {
43 | name = "${module.project.project_id}-terraform-state"
44 | location = var.gcp_bucket_location
45 | force_destroy = true
46 | project = module.project.project_id
47 |
48 | uniform_bucket_level_access = true
49 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.tf_state
File: /2021-09-14-GCP-Runner/main.tf:42-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
42 | resource "google_storage_bucket" "tf_state" {
43 | name = "${module.project.project_id}-terraform-state"
44 | location = var.gcp_bucket_location
45 | force_destroy = true
46 | project = module.project.project_id
47 |
48 | uniform_bucket_level_access = true
49 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.tf_state
File: /2021-09-14-GCP-Runner/main.tf:42-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
42 | resource "google_storage_bucket" "tf_state" {
43 | name = "${module.project.project_id}-terraform-state"
44 | location = var.gcp_bucket_location
45 | force_destroy = true
46 | project = module.project.project_id
47 |
48 | uniform_bucket_level_access = true
49 | }
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: module.project.google_project.project
File: /2021-09-14-GCP-Runner/project_creation/main.tf:8-13
Calling File: /2021-09-14-GCP-Runner/main.tf:2-8
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
8 | resource "google_project" "project" {
9 | name = random_id.id.hex
10 | project_id = random_id.id.hex
11 | billing_account = var.billing_account
12 | org_id = var.org_id
13 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.github-actions-runners_gh-runner-mig-vm.google_compute_subnetwork.gh-subnetwork[0]
File: /2021-09-14-GCP-Runner/runner_creation/main.tf:33-40
Calling File: /2021-09-14-GCP-Runner/main.tf:29-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
33 | resource "google_compute_subnetwork" "gh-subnetwork" {
34 | count = var.create_network ? 1 : 0
35 | project = var.project_id
36 | name = var.subnet_name
37 | ip_cidr_range = var.subnet_ip
38 | region = var.region
39 | network = google_compute_network.gh-network[0].name
40 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.github-actions-runners_gh-runner-mig-vm.google_compute_subnetwork.gh-subnetwork[0]
File: /2021-09-14-GCP-Runner/runner_creation/main.tf:33-40
Calling File: /2021-09-14-GCP-Runner/main.tf:29-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
33 | resource "google_compute_subnetwork" "gh-subnetwork" {
34 | count = var.create_network ? 1 : 0
35 | project = var.project_id
36 | name = var.subnet_name
37 | ip_cidr_range = var.subnet_ip
38 | region = var.region
39 | network = google_compute_network.gh-network[0].name
40 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.github-actions-runners_gh-runner-mig-vm.google_compute_subnetwork.gh-subnetwork[0]
File: /2021-09-14-GCP-Runner/runner_creation/main.tf:33-40
Calling File: /2021-09-14-GCP-Runner/main.tf:29-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
33 | resource "google_compute_subnetwork" "gh-subnetwork" {
34 | count = var.create_network ? 1 : 0
35 | project = var.project_id
36 | name = var.subnet_name
37 | ip_cidr_range = var.subnet_ip
38 | region = var.region
39 | network = google_compute_network.gh-network[0].name
40 | }
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
FAILED for resource: google_sql_database_instance.votr
File: /2021-10-12-GCP-Votr/main.tf:47-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
47 | resource "google_sql_database_instance" "votr" {
48 | name = local.cloud_sql_instance_name
49 | database_version = var.database_version
50 | region = var.region
51 | project = module.project.project_id
52 |
53 | deletion_protection = false
54 |
55 | settings {
56 |
57 | tier = var.database_tier
58 |
59 | ip_configuration {
60 | ipv4_enabled = false
61 | private_network = google_compute_network.votr-network.id
62 | }
63 |
64 | database_flags {
65 | name = "cloudsql_iam_authentication"
66 | value = "on"
67 | }
68 |
69 | }
70 |
71 | depends_on = [google_service_networking_connection.private_vpc_connection]
72 | }
Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
FAILED for resource: google_sql_database_instance.votr
File: /2021-10-12-GCP-Votr/main.tf:47-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version.html
47 | resource "google_sql_database_instance" "votr" {
48 | name = local.cloud_sql_instance_name
49 | database_version = var.database_version
50 | region = var.region
51 | project = module.project.project_id
52 |
53 | deletion_protection = false
54 |
55 | settings {
56 |
57 | tier = var.database_tier
58 |
59 | ip_configuration {
60 | ipv4_enabled = false
61 | private_network = google_compute_network.votr-network.id
62 | }
63 |
64 | database_flags {
65 | name = "cloudsql_iam_authentication"
66 | value = "on"
67 | }
68 |
69 | }
70 |
71 | depends_on = [google_service_networking_connection.private_vpc_connection]
72 | }
Check: CKV_GCP_14: "Ensure all Cloud SQL database instance have backup configuration enabled"
FAILED for resource: google_sql_database_instance.votr
File: /2021-10-12-GCP-Votr/main.tf:47-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-2.html
47 | resource "google_sql_database_instance" "votr" {
48 | name = local.cloud_sql_instance_name
49 | database_version = var.database_version
50 | region = var.region
51 | project = module.project.project_id
52 |
53 | deletion_protection = false
54 |
55 | settings {
56 |
57 | tier = var.database_tier
58 |
59 | ip_configuration {
60 | ipv4_enabled = false
61 | private_network = google_compute_network.votr-network.id
62 | }
63 |
64 | database_flags {
65 | name = "cloudsql_iam_authentication"
66 | value = "on"
67 | }
68 |
69 | }
70 |
71 | depends_on = [google_service_networking_connection.private_vpc_connection]
72 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.votr-subnetwork
File: /2021-10-12-GCP-Votr/main.tf:126-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
126 | resource "google_compute_subnetwork" "votr-subnetwork" {
127 | project = module.project.project_id
128 | name = var.subnet_name
129 | ip_cidr_range = var.subnet_ip
130 | region = var.region
131 | network = google_compute_network.votr-network.name
132 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.votr-subnetwork
File: /2021-10-12-GCP-Votr/main.tf:126-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
126 | resource "google_compute_subnetwork" "votr-subnetwork" {
127 | project = module.project.project_id
128 | name = var.subnet_name
129 | ip_cidr_range = var.subnet_ip
130 | region = var.region
131 | network = google_compute_network.votr-network.name
132 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.votr-subnetwork
File: /2021-10-12-GCP-Votr/main.tf:126-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
126 | resource "google_compute_subnetwork" "votr-subnetwork" {
127 | project = module.project.project_id
128 | name = var.subnet_name
129 | ip_cidr_range = var.subnet_ip
130 | region = var.region
131 | network = google_compute_network.votr-network.name
132 | }
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: module.project.google_project.project
File: /2021-10-12-GCP-Votr/project_creation/main.tf:2-7
Calling File: /2021-10-12-GCP-Votr/main.tf:2-8
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
2 | resource "google_project" "project" {
3 | name = var.prefix
4 | project_id = var.prefix
5 | billing_account = var.billing_account
6 | org_id = var.org_id
7 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.subnet
File: /2021-12-14-MoveBlock/foreach/main.tf:47-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
47 | resource "aws_subnet" "subnet" {
48 | vpc_id = aws_vpc.vpc.id
49 | cidr_block = "192.168.0.0/24"
50 | map_public_ip_on_launch = true
51 | availability_zone = data.aws_availability_zones.available.names[0]
52 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.subnet
File: /2021-12-14-MoveBlock/module-move/main.tf:38-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "subnet" {
39 | vpc_id = aws_vpc.vpc.id
40 | cidr_block = "192.168.0.0/24"
41 | map_public_ip_on_launch = true
42 | availability_zone = data.aws_availability_zones.available.names[0]
43 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx-sg
File: /2021-12-21-PlanAndApply/main.tf:65-86
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
65 | resource "aws_security_group" "nginx-sg" {
66 | name = "nginx_sg"
67 | vpc_id = aws_vpc.vpc.id
68 |
69 | # HTTP access from anywhere
70 | ingress {
71 | from_port = 80
72 | to_port = 80
73 | protocol = "tcp"
74 | cidr_blocks = ["0.0.0.0/0"]
75 | }
76 |
77 | # outbound internet access
78 | egress {
79 | from_port = 0
80 | to_port = 0
81 | protocol = "-1"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 |
85 |
86 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx-sg
File: /2021-12-21-PlanAndApply/main.tf:65-86
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
65 | resource "aws_security_group" "nginx-sg" {
66 | name = "nginx_sg"
67 | vpc_id = aws_vpc.vpc.id
68 |
69 | # HTTP access from anywhere
70 | ingress {
71 | from_port = 80
72 | to_port = 80
73 | protocol = "tcp"
74 | cidr_blocks = ["0.0.0.0/0"]
75 | }
76 |
77 | # outbound internet access
78 | egress {
79 | from_port = 0
80 | to_port = 0
81 | protocol = "-1"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 |
85 |
86 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx1
File: /2021-12-21-PlanAndApply/main.tf:89-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
89 | resource "aws_instance" "nginx1" {
90 | ami = nonsensitive(data.aws_ssm_parameter.ami.value)
91 | instance_type = var.instance_type
92 | subnet_id = aws_subnet.subnet1.id
93 | vpc_security_group_ids = [aws_security_group.nginx-sg.id]
94 |
95 | user_data = <Taco Team Server You did it! Have a 🌮