| Repository | philips-labs / terraform-aws-github-runner |
|---|---|
| Description | Terraform module for scalable GitHub action runners on AWS |
| Stars | 1723 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:39:17,101 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 570, Failed checks: 91, Skipped checks: 0
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.github
File: /examples/permissions-boundary/main.tf:18-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
18 | resource "aws_kms_key" "github" {
19 | is_enabled = true
20 | }
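CKV_AWS_7 fires because `aws_kms_key.github` never sets `enable_key_rotation`, which is off by default. The corrected resource below is an added example, not code from the repository; the description, the deletion window and the alias name are assumptions.

```hcl
# Added example, not the repository's code: the example key from
# examples/permissions-boundary/main.tf with the setting CKV_AWS_7 checks for.
resource "aws_kms_key" "github" {
  description = "GitHub runner example key" # assumed
  is_enabled  = true

  # Off by default. With rotation on, KMS generates fresh key material once
  # a year and keeps the old material so existing ciphertexts still decrypt;
  # nothing is re-encrypted and the key ID/ARN do not change. Automatic
  # rotation only exists for symmetric keys with KMS-generated material, so
  # it would not help an imported-material or asymmetric key.
  enable_key_rotation = true

  # Assumed: the longest grace period before a scheduled deletion completes,
  # so an accidental destroy can still be cancelled.
  deletion_window_in_days = 30
}

# Assumed alias so callers never hard-code the key ID.
resource "aws_kms_alias" "github" {
  name          = "alias/github-runner-example"
  target_key_id = aws_kms_key.github.key_id
}
```

Because rotation keeps every previous version of the key material, turning it on is safe for data already encrypted under the key; what it does not do is limit the blast radius of a key policy that is too broad, which checkov does not evaluate here.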
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.runners.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /main.tf:281-323
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.runners.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /main.tf:281-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.runners.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /main.tf:281-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.runners.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /main.tf:281-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.runner_binaries.aws_cloudwatch_log_group.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:66-71
Calling File: /main.tf:281-323
66 | resource "aws_cloudwatch_log_group" "syncer" {
67 | name = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
68 | retention_in_days = var.logging_retention_in_days
69 | kms_key_id = var.logging_kms_key_id
70 | tags = var.tags
71 | }
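The five findings above all sit on the same syncer function and its log group (the pool lambda fails the same checks later in the scan). The block below is an added example, not the module's code: a hardened variant of `modules/runner-binaries-syncer/runner-binaries-syncer.tf` that satisfies CKV_AWS_272, CKV_AWS_173, CKV_AWS_115, CKV_AWS_116 and CKV_AWS_338. The new input `var.lambda_kms_key_arn`, the signing profile name and the concurrency cap of 1 are assumptions; every other reference is one the original resource already makes.

```hcl
# Added example, not the module's code. Assumed: var.lambda_kms_key_arn,
# the signing profile name prefix, reserved_concurrent_executions = 1.

variable "lambda_kms_key_arn" {
  description = "Assumed new input: CMK used for environment variables and the DLQ"
  type        = string
}

# CKV_AWS_272: only packages signed by this profile may be deployed.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "github_runner_" # assumed; Signer allows [a-zA-Z0-9_] only
}

resource "aws_lambda_code_signing_config" "lambda" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }
  policies {
    # "Enforce" fails the create/update call for an unsigned or mis-signed
    # package; "Warn" deploys it anyway and only records the mismatch.
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# CKV_AWS_116: failed asynchronous invocations are kept instead of dropped.
resource "aws_sqs_queue" "syncer_dlq" {
  name                      = "${var.prefix}-syncer-dlq"
  kms_master_key_id         = var.lambda_kms_key_arn
  message_retention_seconds = 1209600 # 14 days, the SQS maximum
  tags                      = var.tags
}

# Without this grant Lambda cannot write the DLQ and the failure is lost.
resource "aws_iam_role_policy" "syncer_dlq" {
  name = "${var.prefix}-syncer-dlq"
  role = aws_iam_role.syncer_lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["sqs:SendMessage"], Resource = aws_sqs_queue.syncer_dlq.arn },
      { Effect = "Allow", Action = ["kms:GenerateDataKey"], Resource = var.lambda_kms_key_arn },
    ]
  })
}

resource "aws_lambda_function" "syncer" {
  # Same source selection as the module. Whichever path is used, the zip
  # must be the artifact AWS Signer produced, or "Enforce" above rejects it.
  s3_bucket         = var.lambda_s3_bucket
  s3_key            = var.lambda_s3_bucket != null ? var.syncer_lambda_s3_key : null
  s3_object_version = var.lambda_s3_bucket != null ? var.syncer_lambda_s3_object_version : null
  filename          = var.lambda_s3_bucket == null ? local.lambda_zip : null
  source_code_hash  = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null

  function_name = "${var.prefix}-syncer"
  role          = aws_iam_role.syncer_lambda.arn
  handler       = "index.handler"
  runtime       = var.lambda_runtime
  timeout       = var.lambda_timeout
  memory_size   = 256
  architectures = [var.lambda_architecture]

  code_signing_config_arn = aws_lambda_code_signing_config.lambda.arn # CKV_AWS_272

  # CKV_AWS_173: the environment block is encrypted at rest under this CMK
  # instead of the AWS-managed Lambda key; anyone reading the function
  # configuration now also needs kms:Decrypt on the key.
  kms_key_arn = var.lambda_kms_key_arn

  # CKV_AWS_115: a housekeeping job does not need to fan out; 1 (assumed)
  # bounds the cost of a runaway trigger. Reserved concurrency is carved out
  # of the account pool, which must keep at least 100 unreserved.
  reserved_concurrent_executions = 1

  dead_letter_config {
    target_arn = aws_sqs_queue.syncer_dlq.arn # CKV_AWS_116
  }

  environment {
    variables = {
      ENVIRONMENT    = var.prefix
      LOG_LEVEL      = var.log_level
      S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
      S3_OBJECT_KEY  = local.action_runner_distribution_object_key
    }
  }

  tags = var.tags
}

# CKV_AWS_338: retention_in_days must be one of the fixed values CloudWatch
# accepts; 365 is the smallest that satisfies the one-year rule.
resource "aws_cloudwatch_log_group" "syncer" {
  name              = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
  retention_in_days = 365
  kms_key_id        = var.logging_kms_key_id
  tags              = var.tags
}
```

Two of these are worth weighing rather than applying blindly. Code signing (CKV_AWS_272) changes the release process: every deployment package has to go through a Signer job before `terraform apply`, and with `Enforce` a forgotten signing step is a failed apply, not a warning. Reserved concurrency (CKV_AWS_115) is a per-function cap on a shared account limit, so a value chosen for one function silently shrinks what every other function in the account can use.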
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /modules/multi-runner/runner-binaries.tf:1-38
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /modules/multi-runner/runner-binaries.tf:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /modules/multi-runner/runner-binaries.tf:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_lambda_function.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:10-54
Calling File: /modules/multi-runner/runner-binaries.tf:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
10 | resource "aws_lambda_function" "syncer" {
11 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
12 | s3_key = var.syncer_lambda_s3_key != null ? var.syncer_lambda_s3_key : null
13 | s3_object_version = var.syncer_lambda_s3_object_version != null ? var.syncer_lambda_s3_object_version : null
14 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
15 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
16 | function_name = "${var.prefix}-syncer"
17 | role = aws_iam_role.syncer_lambda.arn
18 | handler = "index.handler"
19 | runtime = var.lambda_runtime
20 | timeout = var.lambda_timeout
21 | memory_size = 256
22 | architectures = [var.lambda_architecture]
23 |
24 | environment {
25 | variables = {
26 | ENVIRONMENT = var.prefix
27 | GITHUB_RUNNER_ARCHITECTURE = var.runner_architecture
28 | GITHUB_RUNNER_OS = local.gh_binary_os_label[var.runner_os]
29 | LOG_LEVEL = var.log_level
30 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
31 | S3_BUCKET_NAME = aws_s3_bucket.action_dist.id
32 | S3_OBJECT_KEY = local.action_runner_distribution_object_key
33 | S3_SSE_ALGORITHM = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm, null)
34 | S3_SSE_KMS_KEY_ID = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null)
35 | }
36 | }
37 |
38 | dynamic "vpc_config" {
39 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
40 | content {
41 | security_group_ids = var.lambda_security_group_ids
42 | subnet_ids = var.lambda_subnet_ids
43 | }
44 | }
45 |
46 | tags = var.tags
47 |
48 | dynamic "tracing_config" {
49 | for_each = var.lambda_tracing_mode != null ? [true] : []
50 | content {
51 | mode = var.lambda_tracing_mode
52 | }
53 | }
54 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_cloudwatch_log_group.syncer
File: /modules/runner-binaries-syncer/runner-binaries-syncer.tf:66-71
Calling File: /modules/multi-runner/runner-binaries.tf:1-38
66 | resource "aws_cloudwatch_log_group" "syncer" {
67 | name = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
68 | retention_in_days = var.logging_retention_in_days
69 | kms_key_id = var.logging_kms_key_id
70 | tags = var.tags
71 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.cloudwatch_agent_config_runner[0]
File: /modules/runners/logging.tf:43-51
Calling File: /main.tf:172-279
43 | resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
44 | count = var.enable_cloudwatch_agent ? 1 : 0
45 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"
46 | type = "String"
47 | value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
48 | logfiles = jsonencode(local.logfiles)
49 | })
50 | tags = local.tags
51 | }
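CKV_AWS_337 passes only when the parameter is a `SecureString` with an explicit `key_id`. The values the scan flags (a CloudWatch agent config here; `root`, `ephemeral`, a path and a boolean in the `runner-config.tf` findings) are configuration rather than secrets, so the finding is low severity for these resources; what actually warrants a CMK is whatever gets written under the tokens path that the `token_path` parameter points at. The block below is an added example, not the module's code, showing the parameter from `modules/runners/logging.tf:43-51` under a customer managed key together with the decrypt grant the runner instances then need. The new input `var.ssm_kms_key_arn`, `var.prefix` and the runner role name `aws_iam_role.runner` are assumptions.

```hcl
# Added example, not the module's code. Assumed: var.ssm_kms_key_arn,
# var.prefix, aws_iam_role.runner (the runner instance role).

variable "ssm_kms_key_arn" {
  description = "Assumed new input: CMK that encrypts the runner configuration parameters"
  type        = string
}

data "aws_region" "current" {}

resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
  count = var.enable_cloudwatch_agent ? 1 : 0
  name  = "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"

  # key_id is only honoured for SecureString, and changing the type of an
  # existing parameter forces a replace, so expect a destroy/create in plan.
  type   = "SecureString"
  key_id = var.ssm_kms_key_arn

  value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
    logfiles = jsonencode(local.logfiles)
  })
  tags = local.tags
}

# Every reader now needs kms:Decrypt on the key, or GetParameter with
# WithDecryption=true fails. The ViaService condition limits the grant to
# calls made through SSM in this region, so the role cannot use the key to
# decrypt arbitrary ciphertext it obtains some other way.
data "aws_iam_policy_document" "runner_ssm_decrypt" {
  statement {
    actions   = ["kms:Decrypt"]
    resources = [var.ssm_kms_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "runner_ssm_decrypt" {
  name   = "${var.prefix}-runner-ssm-decrypt"
  role   = aws_iam_role.runner.id # assumed name of the runner instance role
  policy = data.aws_iam_policy_document.runner_ssm_decrypt.json
}
```

The key policy on `var.ssm_kms_key_arn` must also allow the runner role (or the account root, with IAM delegation) to decrypt; a grant in IAM alone is not enough for a customer managed key.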
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.runners.aws_cloudwatch_log_group.gh_runners
File: /modules/runners/logging.tf:53-59
Calling File: /main.tf:172-279
53 | resource "aws_cloudwatch_log_group" "gh_runners" {
54 | count = length(local.loggroups_names)
55 | name = local.loggroups_names[count.index]
56 | retention_in_days = var.logging_retention_in_days
57 | kms_key_id = var.logging_kms_key_id
58 | tags = local.tags
59 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.cloudwatch_agent_config_runner
File: /modules/runners/logging.tf:43-51
Calling File: /modules/multi-runner/runners.tf:1-106
43 | resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
44 | count = var.enable_cloudwatch_agent ? 1 : 0
45 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"
46 | type = "String"
47 | value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
48 | logfiles = jsonencode(local.logfiles)
49 | })
50 | tags = local.tags
51 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.multi-runner.module.runners.aws_cloudwatch_log_group.gh_runners
File: /modules/runners/logging.tf:53-59
Calling File: /modules/multi-runner/runners.tf:1-106
53 | resource "aws_cloudwatch_log_group" "gh_runners" {
54 | count = length(local.loggroups_names)
55 | name = local.loggroups_names[count.index]
56 | retention_in_days = var.logging_retention_in_days
57 | kms_key_id = var.logging_kms_key_id
58 | tags = local.tags
59 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.runners.module.runners.aws_launch_template.runner
File: /modules/runners/main.tf:62-179
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
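CKV_AWS_79 checks the launch template's `metadata_options`: without `http_tokens = "required"`, any process on the runner, including a job someone else's pull request submitted, can fetch the instance role's credentials from IMDSv1 with a single unauthenticated GET. The block below is an added example, not the module's code (the module's own template is the long resource checkov declined to print); everything outside `metadata_options` is an assumed minimal template.

```hcl
# Added example, not the module's code. Assumed: name_prefix, var.ami_id,
# instance_type, aws_iam_instance_profile.runner.
resource "aws_launch_template" "runner" {
  name_prefix   = "${var.prefix}-runner-" # assumed
  image_id      = var.ami_id               # assumed input
  instance_type = "m5.large"               # assumed

  metadata_options {
    http_endpoint = "enabled"

    # "required" rejects the unauthenticated IMDSv1 GET. A job on the runner,
    # or an SSRF in something it builds, must first obtain a session token
    # with a PUT request, which most SSRF primitives cannot issue.
    http_tokens = "required"

    # With a hop limit of 1 the token response is not forwarded past the
    # instance's own network stack, so a container on a Docker bridge network
    # cannot reach IMDS at all. Container jobs that expect credentials from
    # the instance role therefore break; raising this to 2 restores them but
    # hands every container on the host the role's credentials.
    http_put_response_hop_limit = 1

    # Optional: lets user data read instance tags from IMDS instead of the
    # EC2 API, removing one reason to grant ec2:DescribeTags to the role.
    instance_metadata_tags = "enabled"
  }

  iam_instance_profile {
    name = aws_iam_instance_profile.runner.name # assumed
  }
}
```

Before flipping `http_tokens` on an existing pool, confirm the AMI's bootstrap and the runner agent already use IMDSv2 (the AWS CLI and current SDKs do); an IMDSv1-only script in user data fails at first boot once the change is applied.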
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.multi-runner.module.runners.aws_launch_template.runner
File: /modules/runners/main.tf:62-179
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.runners.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.runners.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.runners.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.runners.module.pool.aws_cloudwatch_log_group.pool
File: /modules/runners/pool/main.tf:64-69
Calling File: /modules/runners/pool.tf:1-61
64 | resource "aws_cloudwatch_log_group" "pool" {
65 | name = "/aws/lambda/${aws_lambda_function.pool.function_name}"
66 | retention_in_days = var.config.lambda.logging_retention_in_days
67 | kms_key_id = var.config.lambda.logging_kms_key_id
68 | tags = var.config.tags
69 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.multi-runner.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.multi-runner.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.multi-runner.module.runners.module.pool.aws_lambda_function.pool
File: /modules/runners/pool/main.tf:1-62
Calling File: /modules/runners/pool.tf:1-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_config_run_as
File: /modules/runners/runner-config.tf:1-6
Calling File: /main.tf:172-279
1 | resource "aws_ssm_parameter" "runner_config_run_as" {
2 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/run_as"
3 | type = "String"
4 | value = var.runner_as_root ? "root" : var.runner_run_as
5 | tags = local.tags
6 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_agent_mode
File: /modules/runners/runner-config.tf:8-13
Calling File: /main.tf:172-279
8 | resource "aws_ssm_parameter" "runner_agent_mode" {
9 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/agent_mode"
10 | type = "String"
11 | value = var.enable_ephemeral_runners ? "ephemeral" : "persistent"
12 | tags = local.tags
13 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.jit_config_enabled
File: /modules/runners/runner-config.tf:15-20
Calling File: /main.tf:172-279
15 | resource "aws_ssm_parameter" "jit_config_enabled" {
16 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_jit_config"
17 | type = "String"
18 | value = var.enable_jit_config == null ? var.enable_ephemeral_runners : var.enable_jit_config
19 | tags = local.tags
20 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_enable_cloudwatch
File: /modules/runners/runner-config.tf:22-27
Calling File: /main.tf:172-279
22 | resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
23 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_cloudwatch"
24 | type = "String"
25 | value = var.enable_cloudwatch_agent
26 | tags = local.tags
27 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.token_path
File: /modules/runners/runner-config.tf:29-34
Calling File: /main.tf:172-279
29 | resource "aws_ssm_parameter" "token_path" {
30 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/token_path"
31 | type = "String"
32 | value = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"
33 | tags = local.tags
34 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_config_run_as
File: /modules/runners/runner-config.tf:1-6
Calling File: /modules/multi-runner/runners.tf:1-106
1 | resource "aws_ssm_parameter" "runner_config_run_as" {
2 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/run_as"
3 | type = "String"
4 | value = var.runner_as_root ? "root" : var.runner_run_as
5 | tags = local.tags
6 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_agent_mode
File: /modules/runners/runner-config.tf:8-13
Calling File: /modules/multi-runner/runners.tf:1-106
8 | resource "aws_ssm_parameter" "runner_agent_mode" {
9 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/agent_mode"
10 | type = "String"
11 | value = var.enable_ephemeral_runners ? "ephemeral" : "persistent"
12 | tags = local.tags
13 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.jit_config_enabled
File: /modules/runners/runner-config.tf:15-20
Calling File: /modules/multi-runner/runners.tf:1-106
15 | resource "aws_ssm_parameter" "jit_config_enabled" {
16 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_jit_config"
17 | type = "String"
18 | value = var.enable_jit_config == null ? var.enable_ephemeral_runners : var.enable_jit_config
19 | tags = local.tags
20 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_enable_cloudwatch
File: /modules/runners/runner-config.tf:22-27
Calling File: /modules/multi-runner/runners.tf:1-106
22 | resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
23 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_cloudwatch"
24 | type = "String"
25 | value = var.enable_cloudwatch_agent
26 | tags = local.tags
27 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.token_path
File: /modules/runners/runner-config.tf:29-34
Calling File: /modules/multi-runner/runners.tf:1-106
29 | resource "aws_ssm_parameter" "token_path" {
30 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/token_path"
31 | type = "String"
32 | value = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"
33 | tags = local.tags
34 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /main.tf:172-279
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.runners.aws_cloudwatch_log_group.scale_down
File: /modules/runners/scale-down.tf:55-60
Calling File: /main.tf:172-279
55 | resource "aws_cloudwatch_log_group" "scale_down" {
56 | name = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"
57 | retention_in_days = var.logging_retention_in_days
58 | kms_key_id = var.logging_kms_key_id
59 | tags = var.tags
60 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /modules/multi-runner/runners.tf:1-106
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_down
File: /modules/runners/scale-down.tf:8-53
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
8 | resource "aws_lambda_function" "scale_down" {
9 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
10 | s3_key = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
11 | s3_object_version = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
12 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
13 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
14 | function_name = "${var.prefix}-scale-down"
15 | role = aws_iam_role.scale_down.arn
16 | handler = "index.scaleDownHandler"
17 | runtime = var.lambda_runtime
18 | timeout = var.lambda_timeout_scale_down
19 | tags = local.tags
20 | memory_size = 512
21 | architectures = [var.lambda_architecture]
22 |
23 | environment {
24 | variables = {
25 | ENVIRONMENT = var.prefix
26 | GHES_URL = var.ghes_url
27 | LOG_LEVEL = var.log_level
28 | MINIMUM_RUNNING_TIME_IN_MINUTES = coalesce(var.minimum_running_time_in_minutes, local.min_runtime_defaults[var.runner_os])
29 | NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && !var.ghes_ssl_verify ? 0 : 1
30 | PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name
31 | PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
32 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
33 | RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes
34 | SCALE_DOWN_CONFIG = jsonencode(var.idle_config)
35 | SERVICE_NAME = "runners-scale-down"
36 | }
37 | }
38 |
39 | dynamic "vpc_config" {
40 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
41 | content {
42 | security_group_ids = var.lambda_security_group_ids
43 | subnet_ids = var.lambda_subnet_ids
44 | }
45 | }
46 |
47 | dynamic "tracing_config" {
48 | for_each = var.lambda_tracing_mode != null ? [true] : []
49 | content {
50 | mode = var.lambda_tracing_mode
51 | }
52 | }
53 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.multi-runner.module.runners.aws_cloudwatch_log_group.scale_down
File: /modules/runners/scale-down.tf:55-60
Calling File: /modules/multi-runner/runners.tf:1-106
55 | resource "aws_cloudwatch_log_group" "scale_down" {
56 | name = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"
57 | retention_in_days = var.logging_retention_in_days
58 | kms_key_id = var.logging_kms_key_id
59 | tags = var.tags
60 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /main.tf:172-279
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.runners.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /main.tf:172-279
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.runners.aws_cloudwatch_log_group.scale_up
File: /modules/runners/scale-up.tf:65-70
Calling File: /main.tf:172-279
65 | resource "aws_cloudwatch_log_group" "scale_up" {
66 | name = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"
67 | retention_in_days = var.logging_retention_in_days
68 | kms_key_id = var.logging_kms_key_id
69 | tags = var.tags
70 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /modules/multi-runner/runners.tf:1-106
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.multi-runner.module.runners.aws_lambda_function.scale_up
File: /modules/runners/scale-up.tf:1-63
Calling File: /modules/multi-runner/runners.tf:1-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.multi-runner.module.runners.aws_cloudwatch_log_group.scale_up
File: /modules/runners/scale-up.tf:65-70
Calling File: /modules/multi-runner/runners.tf:1-106
65 | resource "aws_cloudwatch_log_group" "scale_up" {
66 | name = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"
67 | retention_in_days = var.logging_retention_in_days
68 | kms_key_id = var.logging_kms_key_id
69 | tags = var.tags
70 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: module.runners.module.webhook.aws_apigatewayv2_route.webhook
File: /modules/webhook/main.tf:13-17
Calling File: /main.tf:125-170
13 | resource "aws_apigatewayv2_route" "webhook" {
14 | api_id = aws_apigatewayv2_api.webhook.id
15 | route_key = "POST /${local.webhook_endpoint}"
16 | target = "integrations/${aws_apigatewayv2_integration.webhook.id}"
17 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: module.multi-runner.module.webhook.aws_apigatewayv2_route.webhook
File: /modules/webhook/main.tf:13-17
Calling File: /modules/multi-runner/webhook.tf:1-35
13 | resource "aws_apigatewayv2_route" "webhook" {
14 | api_id = aws_apigatewayv2_api.webhook.id
15 | route_key = "POST /${local.webhook_endpoint}"
16 | target = "integrations/${aws_apigatewayv2_integration.webhook.id}"
17 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.runners.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /main.tf:125-170
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.runners.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /main.tf:125-170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.runners.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /main.tf:125-170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.runners.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /main.tf:125-170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.runners.module.webhook.aws_cloudwatch_log_group.webhook
File: /modules/webhook/webhook.tf:44-49
Calling File: /main.tf:125-170
44 | resource "aws_cloudwatch_log_group" "webhook" {
45 | name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
46 | retention_in_days = var.logging_retention_in_days
47 | kms_key_id = var.logging_kms_key_id
48 | tags = var.tags
49 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.multi-runner.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /modules/multi-runner/webhook.tf:1-35
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.multi-runner.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /modules/multi-runner/webhook.tf:1-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.multi-runner.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /modules/multi-runner/webhook.tf:1-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.multi-runner.module.webhook.aws_lambda_function.webhook
File: /modules/webhook/webhook.tf:1-42
Calling File: /modules/multi-runner/webhook.tf:1-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "webhook" {
2 | s3_bucket = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
3 | s3_key = var.webhook_lambda_s3_key != null ? var.webhook_lambda_s3_key : null
4 | s3_object_version = var.webhook_lambda_s3_object_version != null ? var.webhook_lambda_s3_object_version : null
5 | filename = var.lambda_s3_bucket == null ? local.lambda_zip : null
6 | source_code_hash = var.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
7 | function_name = "${var.prefix}-webhook"
8 | role = aws_iam_role.webhook_lambda.arn
9 | handler = "index.githubWebhook"
10 | runtime = var.lambda_runtime
11 | timeout = var.lambda_timeout
12 | architectures = [var.lambda_architecture]
13 |
14 | environment {
15 | variables = {
16 | ENVIRONMENT = var.prefix
17 | LOG_LEVEL = var.log_level
18 | POWERTOOLS_LOGGER_LOG_EVENT = var.log_level == "debug" ? "true" : "false"
19 | PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.github_app_parameters.webhook_secret.name
20 | REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
21 | RUNNER_CONFIG = jsonencode([for k, v in var.runner_config : v])
22 | SQS_WORKFLOW_JOB_QUEUE = try(var.sqs_workflow_job_queue, null) != null ? var.sqs_workflow_job_queue.id : ""
23 | }
24 | }
25 |
26 | dynamic "vpc_config" {
27 | for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
28 | content {
29 | security_group_ids = var.lambda_security_group_ids
30 | subnet_ids = var.lambda_subnet_ids
31 | }
32 | }
33 |
34 | tags = var.tags
35 |
36 | dynamic "tracing_config" {
37 | for_each = var.lambda_tracing_mode != null ? [true] : []
38 | content {
39 | mode = var.lambda_tracing_mode
40 | }
41 | }
42 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.multi-runner.module.webhook.aws_cloudwatch_log_group.webhook
File: /modules/webhook/webhook.tf:44-49
Calling File: /modules/multi-runner/webhook.tf:1-35
44 | resource "aws_cloudwatch_log_group" "webhook" {
45 | name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
46 | retention_in_days = var.logging_retention_in_days
47 | kms_key_id = var.logging_kms_key_id
48 | tags = var.tags
49 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.runners.module.runner_binaries[0].aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.runners.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
FAILED for resource: module.runners.module.runner_binaries[0].aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-14-data-encrypted-at-rest.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
FAILED for resource: module.runners.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-14-data-encrypted-at-rest.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-14-data-encrypted-at-rest.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.github
File: /examples/permissions-boundary/main.tf:18-20
18 | resource "aws_kms_key" "github" {
19 | is_enabled = true
20 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.runners.module.runner_binaries[0].aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.runners.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.cloudwatch_agent_config_runner[0]
File: /modules/runners/logging.tf:43-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
43 | resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
44 | count = var.enable_cloudwatch_agent ? 1 : 0
45 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"
46 | type = "String"
47 | value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
48 | logfiles = jsonencode(local.logfiles)
49 | })
50 | tags = local.tags
51 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.cloudwatch_agent_config_runner
File: /modules/runners/logging.tf:43-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
43 | resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
44 | count = var.enable_cloudwatch_agent ? 1 : 0
45 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"
46 | type = "String"
47 | value = var.cloudwatch_config != null ? var.cloudwatch_config : templatefile("${path.module}/templates/cloudwatch_config.json", {
48 | logfiles = jsonencode(local.logfiles)
49 | })
50 | tags = local.tags
51 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_config_run_as
File: /modules/runners/runner-config.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
1 | resource "aws_ssm_parameter" "runner_config_run_as" {
2 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/run_as"
3 | type = "String"
4 | value = var.runner_as_root ? "root" : var.runner_run_as
5 | tags = local.tags
6 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_agent_mode
File: /modules/runners/runner-config.tf:8-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
8 | resource "aws_ssm_parameter" "runner_agent_mode" {
9 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/agent_mode"
10 | type = "String"
11 | value = var.enable_ephemeral_runners ? "ephemeral" : "persistent"
12 | tags = local.tags
13 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.jit_config_enabled
File: /modules/runners/runner-config.tf:15-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
15 | resource "aws_ssm_parameter" "jit_config_enabled" {
16 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_jit_config"
17 | type = "String"
18 | value = var.enable_jit_config == null ? var.enable_ephemeral_runners : var.enable_jit_config
19 | tags = local.tags
20 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.runner_enable_cloudwatch
File: /modules/runners/runner-config.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
22 | resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
23 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_cloudwatch"
24 | type = "String"
25 | value = var.enable_cloudwatch_agent
26 | tags = local.tags
27 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.runners.module.runners.aws_ssm_parameter.token_path
File: /modules/runners/runner-config.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
29 | resource "aws_ssm_parameter" "token_path" {
30 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/token_path"
31 | type = "String"
32 | value = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"
33 | tags = local.tags
34 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_config_run_as
File: /modules/runners/runner-config.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
1 | resource "aws_ssm_parameter" "runner_config_run_as" {
2 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/run_as"
3 | type = "String"
4 | value = var.runner_as_root ? "root" : var.runner_run_as
5 | tags = local.tags
6 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_agent_mode
File: /modules/runners/runner-config.tf:8-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
8 | resource "aws_ssm_parameter" "runner_agent_mode" {
9 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/agent_mode"
10 | type = "String"
11 | value = var.enable_ephemeral_runners ? "ephemeral" : "persistent"
12 | tags = local.tags
13 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.jit_config_enabled
File: /modules/runners/runner-config.tf:15-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
15 | resource "aws_ssm_parameter" "jit_config_enabled" {
16 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_jit_config"
17 | type = "String"
18 | value = var.enable_jit_config == null ? var.enable_ephemeral_runners : var.enable_jit_config
19 | tags = local.tags
20 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.runner_enable_cloudwatch
File: /modules/runners/runner-config.tf:22-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
22 | resource "aws_ssm_parameter" "runner_enable_cloudwatch" {
23 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_cloudwatch"
24 | type = "String"
25 | value = var.enable_cloudwatch_agent
26 | tags = local.tags
27 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: module.multi-runner.module.runners.aws_ssm_parameter.token_path
File: /modules/runners/runner-config.tf:29-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
29 | resource "aws_ssm_parameter" "token_path" {
30 | name = "${var.ssm_paths.root}/${var.ssm_paths.config}/token_path"
31 | type = "String"
32 | value = "${var.ssm_paths.root}/${var.ssm_paths.tokens}"
33 | tags = local.tags
34 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.runners.module.runners.aws_security_group.runner_sg[0]
File: /modules/runners/main.tf:181-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
181 | resource "aws_security_group" "runner_sg" {
182 | count = var.enable_managed_runner_security_group ? 1 : 0
183 | name_prefix = "${var.prefix}-github-actions-runner-sg"
184 | description = "Github Actions Runner security group"
185 |
186 | vpc_id = var.vpc_id
187 |
188 | dynamic "egress" {
189 | for_each = var.egress_rules
190 | iterator = each
191 |
192 | content {
193 | cidr_blocks = each.value.cidr_blocks
194 | ipv6_cidr_blocks = each.value.ipv6_cidr_blocks
195 | prefix_list_ids = each.value.prefix_list_ids
196 | from_port = each.value.from_port
197 | protocol = each.value.protocol
198 | security_groups = each.value.security_groups
199 | self = each.value.self
200 | to_port = each.value.to_port
201 | description = each.value.description
202 | }
203 | }
204 |
205 | tags = merge(
206 | local.tags,
207 | {
208 | "Name" = format("%s", local.name_sg)
209 | },
210 | )
211 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.multi-runner.module.runners.aws_security_group.runner_sg[0]
File: /modules/runners/main.tf:181-211
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
181 | resource "aws_security_group" "runner_sg" {
182 | count = var.enable_managed_runner_security_group ? 1 : 0
183 | name_prefix = "${var.prefix}-github-actions-runner-sg"
184 | description = "Github Actions Runner security group"
185 |
186 | vpc_id = var.vpc_id
187 |
188 | dynamic "egress" {
189 | for_each = var.egress_rules
190 | iterator = each
191 |
192 | content {
193 | cidr_blocks = each.value.cidr_blocks
194 | ipv6_cidr_blocks = each.value.ipv6_cidr_blocks
195 | prefix_list_ids = each.value.prefix_list_ids
196 | from_port = each.value.from_port
197 | protocol = each.value.protocol
198 | security_groups = each.value.security_groups
199 | self = each.value.self
200 | to_port = each.value.to_port
201 | description = each.value.description
202 | }
203 | }
204 |
205 | tags = merge(
206 | local.tags,
207 | {
208 | "Name" = format("%s", local.name_sg)
209 | },
210 | )
211 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.runners.module.runner_binaries[0].aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.runners.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.multi-runner.module.runner_binaries.aws_s3_bucket.action_dist
File: /modules/runner-binaries-syncer/main.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "action_dist" {
6 | bucket = var.distribution_bucket_name
7 | force_destroy = true
8 | tags = var.tags
9 | }
cloudformation scan results:
Passed checks: 2, Failed checks: 4, Skipped checks: 0
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: AWS::Serverless::Function.Syncer
File: /lambdas/functions/gh-agent-syncer/template.yaml:3-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
3 | Syncer:
4 | Type: AWS::Serverless::Function
5 | Properties:
6 | Runtime: nodejs18.x
7 | Handler: dist/index.handler
8 | MemorySize: 256
9 | Timeout: 300
10 | Environment:
11 | Variables:
12 | GITHUB_RUNNER_ARCHITECTURE:
13 | GITHUB_RUNNER_OS:
14 | LOG_LEVEL:
15 | S3_BUCKET_NAME:
16 | S3_OBJECT_KEY:
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.Syncer
File: /lambdas/functions/gh-agent-syncer/template.yaml:3-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
3 | Syncer:
4 | Type: AWS::Serverless::Function
5 | Properties:
6 | Runtime: nodejs18.x
7 | Handler: dist/index.handler
8 | MemorySize: 256
9 | Timeout: 300
10 | Environment:
11 | Variables:
12 | GITHUB_RUNNER_ARCHITECTURE:
13 | GITHUB_RUNNER_OS:
14 | LOG_LEVEL:
15 | S3_BUCKET_NAME:
16 | S3_OBJECT_KEY:
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.Syncer
File: /lambdas/functions/gh-agent-syncer/template.yaml:3-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
3 | Syncer:
4 | Type: AWS::Serverless::Function
5 | Properties:
6 | Runtime: nodejs18.x
7 | Handler: dist/index.handler
8 | MemorySize: 256
9 | Timeout: 300
10 | Environment:
11 | Variables:
12 | GITHUB_RUNNER_ARCHITECTURE:
13 | GITHUB_RUNNER_OS:
14 | LOG_LEVEL:
15 | S3_BUCKET_NAME:
16 | S3_OBJECT_KEY:
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.Syncer
File: /lambdas/functions/gh-agent-syncer/template.yaml:3-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
3 | Syncer:
4 | Type: AWS::Serverless::Function
5 | Properties:
6 | Runtime: nodejs18.x
7 | Handler: dist/index.handler
8 | MemorySize: 256
9 | Timeout: 300
10 | Environment:
11 | Variables:
12 | GITHUB_RUNNER_ARCHITECTURE:
13 | GITHUB_RUNNER_OS:
14 | LOG_LEVEL:
15 | S3_BUCKET_NAME:
16 | S3_OBJECT_KEY:
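All four CloudFormation findings (CKV_AWS_173, CKV_AWS_115, CKV_AWS_116, CKV_AWS_117) land on the same `Syncer` resource, so they are best fixed together. The template below is an added remediation example written for this report, not the project's own `template.yaml`: it keeps the flagged function definition and adds the four properties the checks look for. The KMS key, dead-letter queue, `SubnetIds` and `SecurityGroupId` parameters, and the concurrency value of 1 are assumptions for illustration; the environment variable block is left exactly as the scanner showed it.

```yaml
# Added remediation example (not the project's template.yaml): one hardened
# definition of the Syncer function that satisfies CKV_AWS_173, CKV_AWS_115,
# CKV_AWS_116 and CKV_AWS_117 together. Key, queue and network values are
# assumptions; permissions the function needs for its own job are out of scope.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  SubnetIds:                        # assumed: private subnets with a route to S3 and GitHub
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroupId:                  # assumed: egress-only security group
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # CKV_AWS_173: customer-managed key so the environment block is not
  # protected only by the AWS-owned default key. Rotation enabled.
  SyncerEnvKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  # CKV_AWS_116: failed asynchronous invocations are kept here instead of being lost.
  SyncerDlq:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref SyncerEnvKey
      MessageRetentionPeriod: 1209600   # 14 days, the SQS maximum

  Syncer:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs18.x
      Handler: dist/index.handler
      MemorySize: 256
      Timeout: 300
      KmsKeyArn: !GetAtt SyncerEnvKey.Arn        # CKV_AWS_173
      ReservedConcurrentExecutions: 1            # CKV_AWS_115 (assumed: one sync at a time is enough)
      DeadLetterQueue:                           # CKV_AWS_116
        Type: SQS
        TargetArn: !GetAtt SyncerDlq.Arn
      VpcConfig:                                 # CKV_AWS_117
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds:
          - !Ref SecurityGroupId
      Policies:
        # The execution role must be able to decrypt the environment block itself.
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: kms:Decrypt
              Resource: !GetAtt SyncerEnvKey.Arn
        # ENI management for a VPC-attached function.
        - AWSLambdaVPCAccessExecutionRole
      Environment:
        Variables:
          GITHUB_RUNNER_ARCHITECTURE:
          GITHUB_RUNNER_OS:
          LOG_LEVEL:
          S3_BUCKET_NAME:
          S3_OBJECT_KEY:
```

Two caveats before applying this as-is. A Lambda function attached to a VPC has no outbound internet access on its own: the syncer needs to reach both S3 and GitHub, so the subnets must provide a NAT gateway (or equivalent) plus, ideally, an S3 gateway endpoint so bucket traffic never leaves the VPC; if the function is placed in a VPC without that routing it will simply time out at the 300 second limit. Reserved concurrency is also taken out of the account's shared pool, so a value of 1 is cheap, but it is a hard cap: any invocation arriving while one is running is throttled and, for asynchronous triggers, retried and eventually sent to the dead-letter queue, which is exactly the failure path CKV_AWS_116 is asking for.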
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 8
github_actions scan results:
Passed checks: 247, Failed checks: 4, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Packer checks)
File: /.github/workflows/packer-build.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build lambdas)
File: /.github/workflows/lambda.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Release build)
File: /.github/workflows/release.yml:13-14
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Auto approve dependabot)
File: /.github/workflows/auto-approve-dependabot.yml:0-1
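CKV2_GHA_1 is the most consequential finding in this section: a `GITHUB_TOKEN` with `write-all` permissions lets any compromised third-party action, or any step that processes untrusted input, push to the repository or publish a release using the workflow's own credentials. Three of the four workflows are reported at position 0-1, which is where checkov points when a workflow has no top-level `permissions` key at all, so the token inherits whatever the repository default is. The workflow below is an added example written for this report, not one of the repository's files: it shows the weak form as a comment beside the hardened layout, with read-only permissions at the top level and `contents: write` granted only to the job that publishes. The tag pattern, `./build.sh` entry point and release step are assumptions.

```yaml
# Added example (not one of the repository's workflows): a release-style
# workflow laid out so that CKV2_GHA_1 passes. The default GITHUB_TOKEN is
# read-only for every job; only the job that publishes a release gets
# contents: write, and only for itself. Build script and tag filter are assumed.
name: Release build

on:
  push:
    tags:
      - "v*"

# Weak form that the check reports (or an absent block, which falls back to
# the repository default):
#   permissions: write-all
# Hardened form: least privilege at the top level, widened per job below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh            # assumed build entry point

  release:
    needs: build
    runs-on: ubuntu-latest
    # Job-level grant: replaces the top-level block for this job only.
    # Any scope not listed here is set to none for this job.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # gh is preinstalled on GitHub-hosted runners and reads GH_TOKEN.
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Two details matter when porting this to the flagged workflows. Job-level `permissions` replace rather than extend the top-level block, and once any scope is named every unnamed scope becomes `none`, so a job that only lists `contents: write` loses `pull-requests`, `id-token` and the rest; the dependabot auto-approve workflow, for instance, needs `pull-requests: write` on its approving job, not `contents`. Second, the top-level `permissions: contents: read` is what satisfies the check, and it should be added even to workflows whose jobs need nothing at all, since an absent block is reported just like an explicit `write-all`.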