| Repository | oracle-terraform-modules / terraform-oci-oke |
|---|---|
| Description | The Terraform OKE Module Installer for Oracle Cloud Infrastructure provides a Terraform module that provisions the necessary resources for Oracle Container Engine. |
| Stars | 134 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
```text
2023-10-05 14:55:29,414 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/vcn/oci:3.5.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:29,414 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/drg/oci:1.0.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:29,414 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/bastion/oci:3.1.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:29,414 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/operator/oci:3.1.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:29,414 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/oke/oci:4.0.3 (for external modules, the --download-external-modules flag is required)

terraform scan results:

Passed checks: 31, Failed checks: 23, Skipped checks: 0
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.cp_ingress
File: /modules/network/nsgs.tf:56-86
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
56 | resource "oci_core_network_security_group_security_rule" "cp_ingress" {
57 |   network_security_group_id = oci_core_network_security_group.cp.id
58 |   description = local.cp_ingress[count.index].description
59 |   direction = "INGRESS"
60 |   protocol = local.cp_ingress[count.index].protocol
61 |   source = local.cp_ingress[count.index].source
62 |   source_type = local.cp_ingress[count.index].source_type
63 |
64 |   stateless = false
65 |
66 |   dynamic "tcp_options" {
67 |     for_each = local.cp_ingress[count.index].protocol == local.tcp_protocol ? [1] : []
68 |     content {
69 |       destination_port_range {
70 |         min = local.cp_ingress[count.index].port
71 |         max = local.cp_ingress[count.index].port
72 |       }
73 |     }
74 |   }
75 |
76 |   dynamic "icmp_options" {
77 |     for_each = local.cp_ingress[count.index].protocol == local.icmp_protocol ? [1] : []
78 |     content {
79 |       type = 3
80 |       code = 4
81 |     }
82 |   }
83 |
84 |   count = length(local.cp_ingress)
85 |
86 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.cp_ingress_operator[0]
File: /modules/network/nsgs.tf:89-108
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
89 | resource "oci_core_network_security_group_security_rule" "cp_ingress_operator" {
90 |   network_security_group_id = oci_core_network_security_group.cp.id
91 |   description = "Allow operator host access to control plane. Required for kubectl/helm."
92 |   direction = "INGRESS"
93 |   protocol = local.tcp_protocol
94 |   source = local.operator_subnet
95 |   source_type = "CIDR_BLOCK"
96 |
97 |   stateless = false
98 |
99 |   tcp_options {
100 |     destination_port_range {
101 |       min = 6443
102 |       max = 6443
103 |     }
104 |   }
105 |
106 |   count = var.create_operator ? 1: 0
107 |
108 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_ingress
File: /modules/network/nsgs.tf:196-226
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
196 | resource "oci_core_network_security_group_security_rule" "workers_ingress" {
197 |   network_security_group_id = oci_core_network_security_group.workers.id
198 |   description = local.workers_ingress[count.index].description
199 |   direction = "INGRESS"
200 |   protocol = local.workers_ingress[count.index].protocol
201 |   source = local.workers_ingress[count.index].source
202 |   source_type = local.workers_ingress[count.index].source_type
203 |
204 |   stateless = false
205 |
206 |   dynamic "tcp_options" {
207 |     for_each = local.workers_ingress[count.index].protocol == local.tcp_protocol && local.workers_ingress[count.index].port != -1 ? [1] : []
208 |     content {
209 |       destination_port_range {
210 |         min = local.workers_ingress[count.index].port
211 |         max = local.workers_ingress[count.index].port
212 |       }
213 |     }
214 |   }
215 |
216 |   dynamic "icmp_options" {
217 |     for_each = local.workers_ingress[count.index].protocol == local.icmp_protocol ? [1] : []
218 |     content {
219 |       type = 3
220 |       code = 4
221 |     }
222 |   }
223 |
224 |   count = length(local.workers_ingress)
225 |
226 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_ingress_from_int_lb
File: /modules/network/nsgs.tf:229-248
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
229 | resource "oci_core_network_security_group_security_rule" "workers_ingress_from_int_lb" {
230 |   network_security_group_id = oci_core_network_security_group.workers.id
231 |   description = "Allow internal load balancers traffic to workers"
232 |   direction = "INGRESS"
233 |   protocol = local.tcp_protocol
234 |   source = local.int_lb_subnet
235 |   source_type = "CIDR_BLOCK"
236 |
237 |   stateless = false
238 |
239 |   tcp_options {
240 |     destination_port_range {
241 |       min = local.node_port_min
242 |       max = local.node_port_max
243 |     }
244 |   }
245 |
246 |   count = var.load_balancers == "internal" || var.load_balancers == "both" ? 1 : 0
247 |
248 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_healthcheck_ingress_from_int_lb
File: /modules/network/nsgs.tf:250-269
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
250 | resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_int_lb" {
251 |   network_security_group_id = oci_core_network_security_group.workers.id
252 |   description = "Allow internal load balancers health check to workers"
253 |   direction = "INGRESS"
254 |   protocol = local.tcp_protocol
255 |   source = local.int_lb_subnet
256 |   source_type = "CIDR_BLOCK"
257 |
258 |   stateless = false
259 |
260 |   tcp_options {
261 |     destination_port_range {
262 |       min = local.health_check_port
263 |       max = local.health_check_port
264 |     }
265 |   }
266 |
267 |   count = var.load_balancers == "internal" || var.load_balancers == "both" ? 1 : 0
268 |
269 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_ingress_from_pub_lb
File: /modules/network/nsgs.tf:271-290
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
271 | resource "oci_core_network_security_group_security_rule" "workers_ingress_from_pub_lb" {
272 |   network_security_group_id = oci_core_network_security_group.workers.id
273 |   description = "Allow public load balancers traffic to workers"
274 |   direction = "INGRESS"
275 |   protocol = local.tcp_protocol
276 |   source = local.pub_lb_subnet
277 |   source_type = "CIDR_BLOCK"
278 |
279 |   stateless = false
280 |
281 |   tcp_options {
282 |     destination_port_range {
283 |       min = local.node_port_min
284 |       max = local.node_port_max
285 |     }
286 |   }
287 |
288 |   count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0
289 |
290 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_healthcheck_ingress_from_pub_lb
File: /modules/network/nsgs.tf:292-311
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
292 | resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_pub_lb" {
293 |   network_security_group_id = oci_core_network_security_group.workers.id
294 |   description = "Allow public load balancers health check to workers"
295 |   direction = "INGRESS"
296 |   protocol = local.tcp_protocol
297 |   source = local.pub_lb_subnet
298 |   source_type = "CIDR_BLOCK"
299 |
300 |   stateless = false
301 |
302 |   tcp_options {
303 |     destination_port_range {
304 |       min = local.health_check_port
305 |       max = local.health_check_port
306 |     }
307 |   }
308 |
309 |   count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0
310 |
311 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_ingress_npn
File: /modules/network/nsgs.tf:313-322
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
313 | resource "oci_core_network_security_group_security_rule" "workers_ingress_npn" {
314 |   network_security_group_id = oci_core_network_security_group.workers.id
315 |   description = "Allow cross-node pod communication when using NodePorts or hostNetwork: true"
316 |   direction = "INGRESS"
317 |   protocol = local.all_protocols
318 |   source = local.pods_subnet
319 |   source_type = "CIDR_BLOCK"
320 |   stateless = false
321 |   count = var.cni_type == "npn" ? 1 : 0
322 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.pods_ingress
File: /modules/network/nsgs.tf:384-393
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
384 | resource "oci_core_network_security_group_security_rule" "pods_ingress" {
385 |   network_security_group_id = oci_core_network_security_group.pods[0].id
386 |   description = local.pods_ingress[count.index].description
387 |   source = local.pods_ingress[count.index].source
388 |   source_type = local.pods_ingress[count.index].source_type
389 |   protocol = local.pods_ingress[count.index].protocol
390 |   direction = "INGRESS"
391 |   stateless = false
392 |   count = var.cni_type =="npn" ? length(local.pods_ingress) : 0
393 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.int_lb_ingress
File: /modules/network/nsgs.tf:449-467
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
449 | resource "oci_core_network_security_group_security_rule" "int_lb_ingress" {
450 |   network_security_group_id = oci_core_network_security_group.int_lb[0].id
451 |   description = "Allow stateful ingress from ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)} on port ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)}"
452 |   direction = "INGRESS"
453 |   protocol = local.tcp_protocol
454 |   source = element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)
455 |   source_type = "CIDR_BLOCK"
456 |
457 |   stateless = false
458 |
459 |   tcp_options {
460 |     destination_port_range {
461 |       min = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 0) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)
462 |       max = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 1) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)
463 |     }
464 |   }
465 |
466 |   count = var.load_balancers == "internal" || var.load_balancers == "both" ? length(local.internal_lb_allowed_cidrs_and_ports) : 0
467 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.pub_lb_ingress
File: /modules/network/nsgs.tf:549-567
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
549 | resource "oci_core_network_security_group_security_rule" "pub_lb_ingress" {
550 |   network_security_group_id = oci_core_network_security_group.pub_lb[0].id
551 |   description = "Allow stateful ingress from ${element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 0)} on port ${element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)}"
552 |   direction = "INGRESS"
553 |   protocol = local.tcp_protocol
554 |   source = element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 0)
555 |   source_type = "CIDR_BLOCK"
556 |
557 |   stateless = false
558 |
559 |   tcp_options {
560 |     destination_port_range {
561 |       min = length(regexall("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)), 0) : element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)
562 |       max = length(regexall("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)), 1) : element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)
563 |     }
564 |   }
565 |
566 |   count = var.load_balancers == "public" || var.load_balancers == "both" ? length(local.public_lb_allowed_cidrs_and_ports) : 0
567 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.waf_ingress
File: /modules/network/nsgs.tf:578-596
Calling File: /main.tf:192-241
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
578 | resource "oci_core_network_security_group_security_rule" "waf_ingress" {
579 |   for_each = var.enable_waf == true ? toset(local.waf_cidr_list) : toset([])
580 |   network_security_group_id = oci_core_network_security_group.waf[0].id
581 |   description = "Allow stateful ingress from WAF"
582 |   direction = "INGRESS"
583 |   protocol = local.tcp_protocol
584 |   source = each.key
585 |   source_type = "CIDR_BLOCK"
586 |
587 |   stateless = false
588 |
589 |   tcp_options {
590 |     destination_port_range {
591 |       min = 443
592 |       max = 443
593 |     }
594 |   }
595 |
596 | }
```
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.network.oci_core_security_list.control_plane_seclist
File: /modules/network/seclist.tf:3-60
Calling File: /main.tf:192-241
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_15: "Ensure OCI File System is Encrypted with a customer Managed Key"
FAILED for resource: module.storage.oci_file_storage_file_system.fss
File: /modules/storage/fss.tf:5-12
Calling File: /main.tf:322-349
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/storage/ensure-oci-file-system-is-encrypted-with-a-customer-managed-key.html
```hcl
5 | resource "oci_file_storage_file_system" "fss" {
6 |   availability_domain = local.availability_domain
7 |   compartment_id = var.compartment_id
8 |   display_name = var.label_prefix == "none" ? "fss" : "${var.label_prefix}-fss"
9 |   lifecycle {
10 |     ignore_changes = [availability_domain, defined_tags]
11 |   }
12 | }
```
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.storage.oci_core_network_security_group_security_rule.fss_mt_ingress
File: /modules/storage/nsg.tf:10-41
Calling File: /main.tf:322-349
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
```hcl
10 | resource "oci_core_network_security_group_security_rule" "fss_mt_ingress" {
11 |   network_security_group_id = oci_core_network_security_group.fss_mt.id
12 |   direction = "INGRESS"
13 |   protocol = local.fss_mt_ingress[count.index].protocol
14 |   source = local.fss_mt_ingress[count.index].source
15 |   source_type = local.fss_mt_ingress[count.index].source_type
16 |   description = "Allow incoming traffic for FSS Mount Target from OKE worker subnet"
17 |
18 |   stateless = false
19 |
20 |   dynamic "tcp_options" {
21 |     for_each = local.fss_mt_ingress[count.index].protocol == local.tcp_protocol ? [1] : []
22 |     content {
23 |       destination_port_range {
24 |         min = local.fss_mt_ingress[count.index].port
25 |         max = local.fss_mt_ingress[count.index].port
26 |       }
27 |     }
28 |   }
29 |
30 |   dynamic "udp_options" {
31 |     for_each = local.fss_mt_ingress[count.index].protocol == local.udp_protocol ? [1] : []
32 |     content {
33 |       source_port_range {
34 |         min = local.fss_mt_ingress[count.index].port
35 |         max = local.fss_mt_ingress[count.index].port
36 |       }
37 |     }
38 |   }
39 |
40 |   count = length(local.fss_mt_ingress)
41 | }
```
Check: CKV2_OCI_5: "Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption"
FAILED for resource: module.oke.oci_containerengine_node_pool.autoscaler_pool
File: /modules/oke/autoscaler.tf:5-122
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_OCI_5: "Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption"
FAILED for resource: module.oke.oci_containerengine_node_pool.nodepools
File: /modules/oke/nodepools.tf:4-154
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_OCI_6: "Ensure Kubernetes Engine Cluster pod security policy is enforced"
FAILED for resource: module.oke.oci_containerengine_cluster.k8s_cluster
File: /modules/oke/cluster.tf:11-89
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.cp_egress_npn
File: /modules/network/nsgs.tf:42-54
```hcl
42 | resource "oci_core_network_security_group_security_rule" "cp_egress_npn" {
43 |   network_security_group_id = oci_core_network_security_group.cp.id
44 |   description = "Allow Kubernetes Control plane to communicate with pods"
45 |   destination = local.pods_subnet
46 |   destination_type = "CIDR_BLOCK"
47 |   direction = "EGRESS"
48 |   protocol = local.all_protocols
49 |
50 |   stateless = false
51 |
52 |   count = var.cni_type == "npn" ? 1 :0
53 |
54 | }
```
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_egress_npn
File: /modules/network/nsgs.tf:168-179
```hcl
168 | resource "oci_core_network_security_group_security_rule" "workers_egress_npn" {
169 |   network_security_group_id = oci_core_network_security_group.workers.id
170 |   description = "Allow worker nodes access to pods"
171 |   destination = local.pods_subnet
172 |   destination_type = "CIDR_BLOCK"
173 |   direction = "EGRESS"
174 |   protocol = local.all_protocols
175 |
176 |   stateless = false
177 |
178 |   count = var.cni_type == "npn" ? 1: 0
179 | }
```
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_egress_internet
File: /modules/network/nsgs.tf:182-194
```hcl
182 | resource "oci_core_network_security_group_security_rule" "workers_egress_internet" {
183 |   network_security_group_id = oci_core_network_security_group.workers.id
184 |   description = "Allow worker nodes access to Internet. Required for getting container images or using external services"
185 |   destination = local.anywhere
186 |   destination_type = "CIDR_BLOCK"
187 |   direction = "EGRESS"
188 |   protocol = local.tcp_protocol
189 |
190 |   stateless = false
191 |
192 |   count = var.allow_worker_internet_access == true ? 1 : 0
193 |
194 | }
```
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.workers_ingress_npn
File: /modules/network/nsgs.tf:313-322
```hcl
313 | resource "oci_core_network_security_group_security_rule" "workers_ingress_npn" {
314 |   network_security_group_id = oci_core_network_security_group.workers.id
315 |   description = "Allow cross-node pod communication when using NodePorts or hostNetwork: true"
316 |   direction = "INGRESS"
317 |   protocol = local.all_protocols
318 |   source = local.pods_subnet
319 |   source_type = "CIDR_BLOCK"
320 |   stateless = false
321 |   count = var.cni_type == "npn" ? 1 : 0
322 | }
```
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.network.oci_core_network_security_group_security_rule.pods_egress_internet
File: /modules/network/nsgs.tf:396-407
```hcl
396 | resource "oci_core_network_security_group_security_rule" "pods_egress_internet" {
397 |   network_security_group_id = oci_core_network_security_group.pods[0].id
398 |   description = "Allow pods access to Internet"
399 |   destination = local.anywhere
400 |   destination_type = "CIDR_BLOCK"
401 |   direction = "EGRESS"
402 |   protocol = local.all_protocols
403 |
404 |   stateless = false
405 |   count = (var.cni_type =="npn" && var.allow_pod_internet_access == true) ? 1 : 0
406 |
407 | }
```
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools