Experience Builder


Terraform


Repository
SebastianUA / terraform
Description

The place for storing Terraform modules of many providers

Stars

 173

Failed Checks
  •  Security Scanning
  •  Linting

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:52:38,684 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//azure/modules/base?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,684 [MainThread  ] [WARNI]  Failed to download module 8.8.4.4/32:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,684 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/iam_policy?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,685 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/iam_role?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,685 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/s3?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,689 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//random/modules/random?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,689 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/dms2?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,689 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/sns?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,689 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/sg?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,690 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/iam_role?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,690 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//time/modules/time?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,691 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/vpc?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,703 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/vpc_peering?ref=master:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,703 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/ssm?ref=v15.15.15:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,703 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//random/modules/random?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/route53?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/rds?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/kms?ref=v15.15.15:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:sebastianua/terraform.git//aws/modules/apigatewayv2?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:sebastianua/terraform.git//aws/modules/lambda?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module [email protected]:sebastianua/terraform.git//aws/modules/route53?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,704 [MainThread  ] [WARNI]  Failed to download module 10.0.0.0/16:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:38,705 [MainThread  ] [WARNI]  Failed to download module [email protected]:SebastianUA/terraform.git//aws/modules/dms?ref=dev:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:52:43,869 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/sdn:latest failed to load via 
    2023-10-05 14:52:43,869 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/sdn, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/sdn
    2023-10-05 14:52:44,008 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/disk_pool:latest failed to load via 
    2023-10-05 14:52:44,008 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/disk_pool, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/disk_pool
    2023-10-05 14:52:44,027 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group:latest failed to load via 
    2023-10-05 14:52:44,027 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group
    2023-10-05 14:52:44,028 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group:latest failed to load via 
    2023-10-05 14:52:44,028 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform/azure/modules/management_group
    2023-10-05 14:53:38,025 [MainThread  ] [ERROR]  Failed to run check CKV_GCP_73 on /google_cloud_platform/modules/compute_security/compute_security.tf:google_compute_security_policy.compute_security_policy_custom[0]
    Traceback (most recent call last):
      File "/home/brett/.pyenv/versions/3.9.2/lib/python3.9/site-packages/checkov/common/checks/base_check.py", line 75, in run
        check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
      File "/home/brett/.pyenv/versions/3.9.2/lib/python3.9/site-packages/checkov/terraform/checks/resource/base_resource_check.py", line 43, in scan_entity_conf
        return self.scan_resource_conf(conf)
      File "/home/brett/.pyenv/versions/3.9.2/lib/python3.9/site-packages/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py", line 25, in scan_resource_conf
        match = rule.get("match")
    AttributeError: 'list' object has no attribute 'get'
    terraform scan results:
    
    Passed checks: 841, Failed checks: 353, Skipped checks: 0
    
    Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
    	FAILED for resource: aws_iam_policy_document.iam_policy_document
    	File: /aws/examples/ses/main.tf:44-58
    
    		44 | data "aws_iam_policy_document" "iam_policy_document" {
    		45 |   statement {
    		46 |     actions   = ["SES:SendEmail", "SES:SendRawEmail"]
    		47 |     resources = [module.ses_domain_identity.ses_domain_identity_arn]
    		48 | 
    		49 |     principals {
    		50 |       identifiers = ["*"]
    		51 |       type        = "AWS"
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   depends_on = [
    		56 |     module.ses_domain_identity
    		57 |   ]
    		58 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: module.alb.aws_lb.alb[0]
    	File: /aws/modules/alb/lb.tf:4-70
    	Calling File: /aws/examples/alb/main.tf:16-98
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: module.alb.aws_lb_listener.alb_listener[0]
    	File: /aws/modules/alb/lb_listener.tf:4-121
    	Calling File: /aws/examples/alb/main.tf:16-98
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.asg.aws_launch_configuration.lc[0]
    	File: /aws/modules/asg/launch_configuration.tf:10-74
    	Calling File: /aws/examples/asg/main.tf:30-153
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.asg.aws_launch_configuration.lc[0]
    	File: /aws/modules/asg/launch_configuration.tf:10-74
    	Calling File: /aws/examples/asg/main.tf:30-153
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
    	FAILED for resource: module.cloudfront.aws_cloudfront_distribution.cloudfront_distribution[0]
    	File: /aws/modules/cloudfront/cloudfront_distribution.tf:4-281
    	Calling File: /aws/examples/cloudfront/main.tf:52-181
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_67: "Ensure CloudTrail is enabled in all Regions"
    	FAILED for resource: module.cloudtrail.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:32-49
    	Guide: https://docs.bridgecrew.io/docs/logging_1
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
    	FAILED for resource: module.cloudtrail.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:32-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_36: "Ensure CloudTrail log file validation is enabled"
    	FAILED for resource: module.cloudtrail.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:32-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_252: "Ensure CloudTrail defines an SNS Topic"
    	FAILED for resource: module.cloudtrail.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:32-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudtrail-defines-an-sns-topic.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_67: "Ensure CloudTrail is enabled in all Regions"
    	FAILED for resource: module.cloudtrail_event_selector_lambda.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:52-79
    	Guide: https://docs.bridgecrew.io/docs/logging_1
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
    	FAILED for resource: module.cloudtrail_event_selector_lambda.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:52-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_36: "Ensure CloudTrail log file validation is enabled"
    	FAILED for resource: module.cloudtrail_event_selector_lambda.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:52-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_252: "Ensure CloudTrail defines an SNS Topic"
    	FAILED for resource: module.cloudtrail_event_selector_lambda.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:52-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudtrail-defines-an-sns-topic.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_67: "Ensure CloudTrail is enabled in all Regions"
    	FAILED for resource: module.cloudtrail_event_selector_s3.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:82-110
    	Guide: https://docs.bridgecrew.io/docs/logging_1
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
    	FAILED for resource: module.cloudtrail_event_selector_s3.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:82-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_36: "Ensure CloudTrail log file validation is enabled"
    	FAILED for resource: module.cloudtrail_event_selector_s3.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:82-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_252: "Ensure CloudTrail defines an SNS Topic"
    	FAILED for resource: module.cloudtrail_event_selector_s3.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Calling File: /aws/examples/cloudtrail/main.tf:82-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudtrail-defines-an-sns-topic.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: module.cloudwatch_logs.aws_cloudwatch_log_group.cw_log_group[0]
    	File: /aws/modules/cloudwatch_logs/cloudwatch_log_group.tf:4-24
    	Calling File: /aws/examples/cloudwatch_logs/main.tf:13-41
    
    		4  | resource "aws_cloudwatch_log_group" "cw_log_group" {
    		5  |   count = var.enable_cw_log_group ? 1 : 0
    		6  | 
    		7  |   name              = var.cw_log_group_name != "" ? var.cw_log_group_name : "${lower(var.name)}-group-${lower(var.environment)}"
    		8  |   retention_in_days = var.cw_log_group_retention_in_days
    		9  |   kms_key_id        = var.cw_log_group_kms_key_id
    		10 | 
    		11 |   tags = merge(
    		12 |     {
    		13 |       Name = var.cw_log_group_name != "" ? var.cw_log_group_name : "${lower(var.name)}-group-${lower(var.environment)}"
    		14 |     },
    		15 |     var.tags
    		16 |   )
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: module.cloudwatch_logs.aws_cloudwatch_log_group.cw_log_group[0]
    	File: /aws/modules/cloudwatch_logs/cloudwatch_log_group.tf:4-24
    	Calling File: /aws/examples/cloudwatch_logs/main.tf:13-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		4  | resource "aws_cloudwatch_log_group" "cw_log_group" {
    		5  |   count = var.enable_cw_log_group ? 1 : 0
    		6  | 
    		7  |   name              = var.cw_log_group_name != "" ? var.cw_log_group_name : "${lower(var.name)}-group-${lower(var.environment)}"
    		8  |   retention_in_days = var.cw_log_group_retention_in_days
    		9  |   kms_key_id        = var.cw_log_group_kms_key_id
    		10 | 
    		11 |   tags = merge(
    		12 |     {
    		13 |       Name = var.cw_log_group_name != "" ? var.cw_log_group_name : "${lower(var.name)}-group-${lower(var.environment)}"
    		14 |     },
    		15 |     var.tags
    		16 |   )
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    
    Check: CKV_AWS_239: "Ensure DAX cluster endpoint is using TLS"
    	FAILED for resource: module.dax.aws_dax_cluster.dax_cluster[0]
    	File: /aws/modules/dax/dax_cluster.tf:4-56
    	Calling File: /aws/examples/dax/main.tf:13-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-dax-cluster-endpoint-uses-transport-layer-security-tls.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_89: "DMS replication instance should not be publicly accessible"
    	FAILED for resource: module.source_dms_endpoint.aws_dms_replication_instance.dms_replication_instance[0]
    	File: /aws/modules/dms/dms_replication_instance.tf:4-49
    	Calling File: /aws/examples/dms/main.tf:13-62
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-13.html
    
    		4  | resource "aws_dms_replication_instance" "dms_replication_instance" {
    		5  |   count = var.enable_dms_replication_instance ? 1 : 0
    		6  | 
    		7  |   replication_instance_class  = var.dms_replication_instance_replication_instance_class
    		8  |   replication_instance_id     = var.dms_replication_instance_replication_instance_id != "" ? var.dms_replication_instance_replication_instance_id : "${lower(var.name)}-dms-replication-instance-${lower(var.environment)}"
    		9  |   replication_subnet_group_id = var.dms_replication_instance_replication_subnet_group_id != "" ? var.dms_replication_instance_replication_subnet_group_id : (var.enable_dms_replication_subnet_group ? aws_dms_replication_subnet_group.dms_replication_subnet_group[count.index].id : null)
    		10 | 
    		11 |   allocated_storage            = var.dms_replication_instance_allocated_storage
    		12 |   apply_immediately            = var.dms_replication_instance_apply_immediately
    		13 |   auto_minor_version_upgrade   = var.dms_replication_instance_auto_minor_version_upgrade
    		14 |   allow_major_version_upgrade  = var.dms_replication_instance_allow_major_version_upgrade
    		15 |   availability_zone            = var.dms_replication_instance_availability_zone
    		16 |   multi_az                     = var.dms_replication_instance_multi_az
    		17 |   engine_version               = var.dms_replication_instance_engine_version
    		18 |   kms_key_arn                  = var.dms_replication_instance_kms_key_arn
    		19 |   preferred_maintenance_window = var.dms_replication_instance_preferred_maintenance_window
    		20 |   publicly_accessible          = var.dms_replication_instance_publicly_accessible
    		21 |   vpc_security_group_ids       = var.dms_replication_instance_vpc_security_group_ids
    		22 | 
    		23 |   dynamic "timeouts" {
    		24 |     iterator = timeouts
    		25 |     for_each = length(keys(var.dms_replication_instance_timeouts)) > 0 ? [var.dms_replication_instance_timeouts] : []
    		26 | 
    		27 |     content {
    		28 |       create = lookup(timeouts.value, "create", null)
    		29 |       update = lookup(timeouts.value, "update", null)
    		30 |       delete = lookup(timeouts.value, "delete", null)
    		31 |     }
    		32 |   }
    		33 | 
    		34 |   tags = merge(
    		35 |     {
    		36 |       Name = var.dms_replication_instance_replication_instance_id != "" ? var.dms_replication_instance_replication_instance_id : "${lower(var.name)}-dms-replication-instance-${lower(var.environment)}"
    		37 |     },
    		38 |     var.tags
    		39 |   )
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |     ignore_changes        = []
    		44 |   }
    		45 | 
    		46 |   depends_on = [
    		47 |     aws_dms_replication_subnet_group.dms_replication_subnet_group
    		48 |   ]
    		49 | }
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: module.dynamodb.aws_dynamodb_table.dynamodb_table[0]
    	File: /aws/modules/dynamodb/dynamodb_table.tf:4-110
    	Calling File: /aws/examples/dynamodb/main.tf:13-82
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: module.ebs.aws_ebs_volume.ebs_volume[0]
    	File: /aws/modules/ebs/ebs_volume.tf:4-29
    	Calling File: /aws/examples/ebs/main.tf:1-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
    
    		4  | resource "aws_ebs_volume" "ebs_volume" {
    		5  |   count = var.enable_ebs_volume ? 1 : 0
    		6  | 
    		7  |   availability_zone = length(var.ebs_volume_availability_zone) > 0 ? var.ebs_volume_availability_zone : element(split(",", (lookup(var.availability_zones, var.region))), 0)
    		8  |   type              = var.ebs_volume_type
    		9  |   size              = var.ebs_volume_size
    		10 | 
    		11 |   encrypted   = var.ebs_volume_encrypted
    		12 |   iops        = var.ebs_volume_iops
    		13 |   snapshot_id = var.ebs_volume_snapshot_id
    		14 |   kms_key_id  = var.ebs_volume_kms_key_id
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.ebs_volume_name != "" ? lower(var.ebs_volume_name) : "${lower(var.name)}-ebs-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
    	FAILED for resource: module.ebs.aws_ebs_volume.ebs_volume[0]
    	File: /aws/modules/ebs/ebs_volume.tf:4-29
    	Calling File: /aws/examples/ebs/main.tf:1-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
    
    		4  | resource "aws_ebs_volume" "ebs_volume" {
    		5  |   count = var.enable_ebs_volume ? 1 : 0
    		6  | 
    		7  |   availability_zone = length(var.ebs_volume_availability_zone) > 0 ? var.ebs_volume_availability_zone : element(split(",", (lookup(var.availability_zones, var.region))), 0)
    		8  |   type              = var.ebs_volume_type
    		9  |   size              = var.ebs_volume_size
    		10 | 
    		11 |   encrypted   = var.ebs_volume_encrypted
    		12 |   iops        = var.ebs_volume_iops
    		13 |   snapshot_id = var.ebs_volume_snapshot_id
    		14 |   kms_key_id  = var.ebs_volume_kms_key_id
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.ebs_volume_name != "" ? lower(var.ebs_volume_name) : "${lower(var.name)}-ebs-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.ec2.aws_instance.instance[0]
    	File: /aws/modules/ec2/instance.tf:4-195
    	Calling File: /aws/examples/ec2/main.tf:13-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: module.ec2.aws_instance.instance[0]
    	File: /aws/modules/ec2/instance.tf:4-195
    	Calling File: /aws/examples/ec2/main.tf:13-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
    	FAILED for resource: module.ecr.aws_ecr_repository.ecr_repository[0]
    	File: /aws/modules/ecr/ecr_repository.tf:4-21
    	Calling File: /aws/examples/ecr/main.tf:8-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
    
    		4  | resource "aws_ecr_repository" "ecr_repository" {
    		5  |   count = var.enable_ecr_repository ? 1 : 0
    		6  | 
    		7  |   name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		8  | 
    		9  |   tags = merge(
    		10 |     {
    		11 |       Name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		12 |     },
    		13 |     var.tags
    		14 |   )
    		15 | 
    		16 |   timeouts {
    		17 |     delete = var.timeouts_delete
    		18 |   }
    		19 | 
    		20 |   depends_on = []
    		21 | }
    
    Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
    	FAILED for resource: module.ecr.aws_ecr_repository.ecr_repository[0]
    	File: /aws/modules/ecr/ecr_repository.tf:4-21
    	Calling File: /aws/examples/ecr/main.tf:8-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
    
    		4  | resource "aws_ecr_repository" "ecr_repository" {
    		5  |   count = var.enable_ecr_repository ? 1 : 0
    		6  | 
    		7  |   name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		8  | 
    		9  |   tags = merge(
    		10 |     {
    		11 |       Name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		12 |     },
    		13 |     var.tags
    		14 |   )
    		15 | 
    		16 |   timeouts {
    		17 |     delete = var.timeouts_delete
    		18 |   }
    		19 | 
    		20 |   depends_on = []
    		21 | }
    
    Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
    	FAILED for resource: module.ecr.aws_ecr_repository.ecr_repository[0]
    	File: /aws/modules/ecr/ecr_repository.tf:4-21
    	Calling File: /aws/examples/ecr/main.tf:8-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
    
    		4  | resource "aws_ecr_repository" "ecr_repository" {
    		5  |   count = var.enable_ecr_repository ? 1 : 0
    		6  | 
    		7  |   name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		8  | 
    		9  |   tags = merge(
    		10 |     {
    		11 |       Name = var.ecr_repository_name != "" ? var.ecr_repository_name : "${lower(var.name)}-ecr-${lower(var.environment)}"
    		12 |     },
    		13 |     var.tags
    		14 |   )
    		15 | 
    		16 |   timeouts {
    		17 |     delete = var.timeouts_delete
    		18 |   }
    		19 | 
    		20 |   depends_on = []
    		21 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: module.efs.aws_efs_file_system.efs_file_system[0]
    	File: /aws/modules/efs/efs_file_system.tf:4-37
    	Calling File: /aws/examples/efs/main.tf:14-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		4  | resource "aws_efs_file_system" "efs_file_system" {
    		5  |   count = var.enable_efs_file_system ? 1 : 0
    		6  | 
    		7  |   creation_token   = var.efs_file_system_creation_token
    		8  |   encrypted        = var.efs_file_system_encrypted
    		9  |   kms_key_id       = var.efs_file_system_kms_key_id
    		10 |   performance_mode = var.efs_file_system_performance_mode
    		11 | 
    		12 |   provisioned_throughput_in_mibps = var.efs_file_system_provisioned_throughput_in_mibps
    		13 |   throughput_mode                 = var.efs_file_system_throughput_mode
    		14 | 
    		15 |   dynamic "lifecycle_policy" {
    		16 |     iterator = lifecycle_policy
    		17 |     for_each = var.efs_file_system_lifecycle_policy
    		18 | 
    		19 |     content {
    		20 |       transition_to_ia = lookup(lifecycle_policy.value, "transition_to_ia", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.efs_file_system_name != "" ? var.efs_file_system_name : "${lower(var.name)}-efs-${lower(var.environment)}"
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: module.efs.aws_efs_file_system.efs_file_system[0]
    	File: /aws/modules/efs/efs_file_system.tf:4-37
    	Calling File: /aws/examples/efs/main.tf:14-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		4  | resource "aws_efs_file_system" "efs_file_system" {
    		5  |   count = var.enable_efs_file_system ? 1 : 0
    		6  | 
    		7  |   creation_token   = var.efs_file_system_creation_token
    		8  |   encrypted        = var.efs_file_system_encrypted
    		9  |   kms_key_id       = var.efs_file_system_kms_key_id
    		10 |   performance_mode = var.efs_file_system_performance_mode
    		11 | 
    		12 |   provisioned_throughput_in_mibps = var.efs_file_system_provisioned_throughput_in_mibps
    		13 |   throughput_mode                 = var.efs_file_system_throughput_mode
    		14 | 
    		15 |   dynamic "lifecycle_policy" {
    		16 |     iterator = lifecycle_policy
    		17 |     for_each = var.efs_file_system_lifecycle_policy
    		18 | 
    		19 |     content {
    		20 |       transition_to_ia = lookup(lifecycle_policy.value, "transition_to_ia", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.efs_file_system_name != "" ? var.efs_file_system_name : "${lower(var.name)}-efs-${lower(var.environment)}"
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: module.eks.aws_eks_cluster.eks_cluster[0]
    	File: /aws/modules/eks/eks_cluster.tf:4-78
    	Calling File: /aws/examples/eks/main.tf:89-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: module.eks.aws_eks_cluster.eks_cluster[0]
    	File: /aws/modules/eks/eks_cluster.tf:4-78
    	Calling File: /aws/examples/eks/main.tf:89-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_196: "Ensure no aws_elasticache_security_group resources exist"
    	FAILED for resource: module.elasticache_single_redis.aws_elasticache_security_group.elasticache_security_group[0]
    	File: /aws/modules/elasticache/elasticache_security_group.tf:4-20
    	Calling File: /aws/examples/elasticache/main.tf:20-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-elasticache-security-groups-are-defined.html
    
    		4  | resource "aws_elasticache_security_group" "elasticache_security_group" {
    		5  |   count = var.enable_elasticache_security_group ? 1 : 0
    		6  | 
    		7  |   name        = var.elasticache_security_group_name != "" ? var.elasticache_security_group_name : "${lower(var.name)}-elasticache-sg-${lower(var.environment)}"
    		8  |   description = var.elasticache_security_group_description != "" ? var.elasticache_security_group_description : "Elasticache security group (SG) which managed by me"
    		9  | 
    		10 |   # NOTE: ElastiCache Subnet Groups are only for use when working with an ElastiCache cluster inside of a VPC. If you are on EC2 Classic, see the ElastiCache Security Group resource.
    		11 |   # NOTE: ElastiCache Security Groups are for use only when working with an ElastiCache cluster outside of a VPC. If you are using a VPC, see the ElastiCache Subnet Group resource.
    		12 |   security_group_names = var.elasticache_security_group_security_group_names
    		13 | 
    		14 |   lifecycle {
    		15 |     create_before_destroy = true
    		16 |     ignore_changes        = []
    		17 |   }
    		18 | 
    		19 |   depends_on = []
    		20 | }
    
    Check: CKV_AWS_340: "Ensure Elastic Beanstalk managed platform updates are enabled"
    	FAILED for resource: module.elasticbeanstalk.aws_elastic_beanstalk_environment.elastic_beanstalk_environment[0]
    	File: /aws/modules/elasticbeanstalk/elastic_beanstalk_environment.tf:4-48
    	Calling File: /aws/examples/elasticbeanstalk/main.tf:14-73
    
    		4  | resource "aws_elastic_beanstalk_environment" "elastic_beanstalk_environment" {
    		5  |   count = var.enable_elastic_beanstalk_environment ? 1 : 0
    		6  | 
    		7  |   name        = var.elastic_beanstalk_environment_name != "" ? var.elastic_beanstalk_environment_name : "${lower(var.name)}-eb-env-${lower(var.environment)}"
    		8  |   description = var.elastic_beanstalk_environment_description != "" ? var.elastic_beanstalk_environment_description : null
    		9  |   application = var.elastic_beanstalk_environment_application != "" ? var.elastic_beanstalk_application_name : (var.enable_elastic_beanstalk_application ? aws_elastic_beanstalk_application.elastic_beanstalk_application.0.name : null)
    		10 | 
    		11 |   solution_stack_name = var.elastic_beanstalk_environment_solution_stack_name != "" && var.elastic_beanstalk_environment_template_name == "" ? var.elastic_beanstalk_environment_solution_stack_name : null
    		12 |   template_name       = var.elastic_beanstalk_environment_template_name != "" && var.elastic_beanstalk_environment_solution_stack_name == "" ? var.elastic_beanstalk_environment_template_name : null
    		13 |   cname_prefix        = var.elastic_beanstalk_environment_cname_prefix != "" ? var.elastic_beanstalk_environment_cname_prefix : null
    		14 |   tier                = var.elastic_beanstalk_environment_tier
    		15 | 
    		16 |   dynamic "setting" {
    		17 |     iterator = setting
    		18 |     for_each = var.elastic_beanstalk_environment_setting
    		19 | 
    		20 |     content {
    		21 |       name      = lookup(setting.value, "name", null)
    		22 |       value     = lookup(setting.value, "value", null)
    		23 |       namespace = lookup(setting.value, "namespace", null)
    		24 |       resource  = lookup(setting.value, "resource", null)
    		25 |     }
    		26 |   }
    		27 | 
    		28 |   platform_arn           = var.elastic_beanstalk_environment_platform_arn
    		29 |   wait_for_ready_timeout = var.elastic_beanstalk_environment_wait_for_ready_timeout
    		30 |   poll_interval          = var.elastic_beanstalk_environment_poll_interval
    		31 |   version_label          = var.elastic_beanstalk_environment_version_label
    		32 | 
    		33 |   tags = merge(
    		34 |     {
    		35 |       Name = var.elastic_beanstalk_environment_name != "" ? lower(var.elastic_beanstalk_environment_name) : "${lower(var.name)}-eb-env-${lower(var.environment)}"
    		36 |     },
    		37 |     var.tags
    		38 |   )
    		39 | 
    		40 |   lifecycle {
    		41 |     create_before_destroy = true
    		42 |     ignore_changes        = [tags]
    		43 |   }
    		44 | 
    		45 |   depends_on = [
    		46 |     aws_elastic_beanstalk_application.elastic_beanstalk_application
    		47 |   ]
    		48 | }
    
    Check: CKV_AWS_312: "Ensure Elastic Beanstalk environments have enhanced health reporting enabled"
    	FAILED for resource: module.elasticbeanstalk.aws_elastic_beanstalk_environment.elastic_beanstalk_environment[0]
    	File: /aws/modules/elasticbeanstalk/elastic_beanstalk_environment.tf:4-48
    	Calling File: /aws/examples/elasticbeanstalk/main.tf:14-73
    
    		4  | resource "aws_elastic_beanstalk_environment" "elastic_beanstalk_environment" {
    		5  |   count = var.enable_elastic_beanstalk_environment ? 1 : 0
    		6  | 
    		7  |   name        = var.elastic_beanstalk_environment_name != "" ? var.elastic_beanstalk_environment_name : "${lower(var.name)}-eb-env-${lower(var.environment)}"
    		8  |   description = var.elastic_beanstalk_environment_description != "" ? var.elastic_beanstalk_environment_description : null
    		9  |   application = var.elastic_beanstalk_environment_application != "" ? var.elastic_beanstalk_application_name : (var.enable_elastic_beanstalk_application ? aws_elastic_beanstalk_application.elastic_beanstalk_application.0.name : null)
    		10 | 
    		11 |   solution_stack_name = var.elastic_beanstalk_environment_solution_stack_name != "" && var.elastic_beanstalk_environment_template_name == "" ? var.elastic_beanstalk_environment_solution_stack_name : null
    		12 |   template_name       = var.elastic_beanstalk_environment_template_name != "" && var.elastic_beanstalk_environment_solution_stack_name == "" ? var.elastic_beanstalk_environment_template_name : null
    		13 |   cname_prefix        = var.elastic_beanstalk_environment_cname_prefix != "" ? var.elastic_beanstalk_environment_cname_prefix : null
    		14 |   tier                = var.elastic_beanstalk_environment_tier
    		15 | 
    		16 |   dynamic "setting" {
    		17 |     iterator = setting
    		18 |     for_each = var.elastic_beanstalk_environment_setting
    		19 | 
    		20 |     content {
    		21 |       name      = lookup(setting.value, "name", null)
    		22 |       value     = lookup(setting.value, "value", null)
    		23 |       namespace = lookup(setting.value, "namespace", null)
    		24 |       resource  = lookup(setting.value, "resource", null)
    		25 |     }
    		26 |   }
    		27 | 
    		28 |   platform_arn           = var.elastic_beanstalk_environment_platform_arn
    		29 |   wait_for_ready_timeout = var.elastic_beanstalk_environment_wait_for_ready_timeout
    		30 |   poll_interval          = var.elastic_beanstalk_environment_poll_interval
    		31 |   version_label          = var.elastic_beanstalk_environment_version_label
    		32 | 
    		33 |   tags = merge(
    		34 |     {
    		35 |       Name = var.elastic_beanstalk_environment_name != "" ? lower(var.elastic_beanstalk_environment_name) : "${lower(var.name)}-eb-env-${lower(var.environment)}"
    		36 |     },
    		37 |     var.tags
    		38 |   )
    		39 | 
    		40 |   lifecycle {
    		41 |     create_before_destroy = true
    		42 |     ignore_changes        = [tags]
    		43 |   }
    		44 | 
    		45 |   depends_on = [
    		46 |     aws_elastic_beanstalk_application.elastic_beanstalk_application
    		47 |   ]
    		48 | }
    
    Check: CKV_AWS_318: "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA"
    	FAILED for resource: module.elasticsearch_domain.aws_elasticsearch_domain.elasticsearch_domain[0]
    	File: /aws/modules/elasticsearch/elasticsearch_domain.tf:4-170
    	Calling File: /aws/examples/elasticsearch/main.tf:14-49
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_248: "Ensure that Elasticsearch is not using the default Security Group"
    	FAILED for resource: module.elasticsearch_domain.aws_elasticsearch_domain.elasticsearch_domain[0]
    	File: /aws/modules/elasticsearch/elasticsearch_domain.tf:4-170
    	Calling File: /aws/examples/elasticsearch/main.tf:14-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-elasticsearch-does-not-use-the-default-security-group.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_317: "Ensure Elasticsearch Domain Audit Logging is enabled"
    	FAILED for resource: module.elasticsearch_domain.aws_elasticsearch_domain.elasticsearch_domain[0]
    	File: /aws/modules/elasticsearch/elasticsearch_domain.tf:4-170
    	Calling File: /aws/examples/elasticsearch/main.tf:14-49
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
    	FAILED for resource: module.elb.aws_elb.elb[0]
    	File: /aws/modules/elb/elb.tf:4-69
    	Calling File: /aws/examples/elb/main.tf:12-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_190: "Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: module.fsx.aws_fsx_lustre_file_system.fsx_lustre_file_system[0]
    	File: /aws/modules/fsx/fsx_lustre_file_system.tf:4-39
    	Calling File: /aws/examples/fsx/main.tf:13-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-110.html
    
    		4  | resource "aws_fsx_lustre_file_system" "fsx_lustre_file_system" {
    		5  |   count = var.enable_fsx_lustre_file_system ? 1 : 0
    		6  | 
    		7  |   storage_capacity = var.fsx_lustre_file_system_storage_capacity
    		8  |   subnet_ids       = var.fsx_lustre_file_system_subnet_ids
    		9  | 
    		10 |   export_path                   = var.fsx_lustre_file_system_export_path
    		11 |   import_path                   = var.fsx_lustre_file_system_import_path
    		12 |   imported_file_chunk_size      = var.fsx_lustre_file_system_imported_file_chunk_size
    		13 |   security_group_ids            = var.fsx_lustre_file_system_security_group_ids
    		14 |   weekly_maintenance_start_time = var.fsx_lustre_file_system_weekly_maintenance_start_time
    		15 | 
    		16 |   dynamic "timeouts" {
    		17 |     iterator = timeouts
    		18 |     for_each = length(keys(var.fsx_lustre_file_system_timeouts)) > 0 ? [var.fsx_lustre_file_system_timeouts] : []
    		19 | 
    		20 |     content {
    		21 |       create = lookup(timeouts.value, "create", null)
    		22 |       delete = lookup(timeouts.value, "delete", null)
    		23 |     }
    		24 |   }
    		25 | 
    		26 |   tags = merge(
    		27 |     {
    		28 |       Name = var.fsx_lustre_file_system_name != "" ? lower(var.fsx_lustre_file_system_name) : "${lower(var.name)}-fsx-lustre-file-system-${lower(var.environment)}"
    		29 |     },
    		30 |     var.tags
    		31 |   )
    		32 | 
    		33 |   lifecycle {
    		34 |     create_before_destroy = true
    		35 |     ignore_changes        = []
    		36 |   }
    		37 | 
    		38 |   depends_on = []
    		39 | }
    
    Check: CKV_AWS_10: "Ensure IAM password policy requires minimum length of 14 or greater"
    	FAILED for resource: module.iam_account.aws_iam_account_password_policy.iam_account_password_policy[0]
    	File: /aws/modules/iam_account/iam_account_password_policy.tf:4-24
    	Calling File: /aws/examples/iam_account/main.tf:32-64
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-9-1.html
    
    		4  | resource "aws_iam_account_password_policy" "iam_account_password_policy" {
    		5  |   count = var.enable_iam_account_password_policy ? 1 : 0
    		6  | 
    		7  |   minimum_password_length        = var.iam_account_password_policy_minimum_password_length
    		8  |   require_lowercase_characters   = var.iam_account_password_policy_require_lowercase_characters
    		9  |   require_uppercase_characters   = var.iam_account_password_policy_require_uppercase_characters
    		10 |   require_numbers                = var.iam_account_password_policy_require_numbers
    		11 |   require_symbols                = var.iam_account_password_policy_require_symbols
    		12 |   allow_users_to_change_password = var.iam_account_password_policy_allow_users_to_change_password
    		13 | 
    		14 |   hard_expiry               = var.iam_account_password_policy_hard_expiry
    		15 |   max_password_age          = var.iam_account_password_policy_max_password_age
    		16 |   password_reuse_prevention = var.iam_account_password_policy_password_reuse_prevention
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: module.iam_user.aws_iam_user.iam_user[0]
    	File: /aws/modules/iam_user/iam_user.tf:4-26
    	Calling File: /aws/examples/iam_user/main.tf:32-74
    
    		4  | resource "aws_iam_user" "iam_user" {
    		5  |   count = var.enable_iam_user ? 1 : 0
    		6  | 
    		7  |   name = var.iam_user_name != "" ? var.iam_user_name : "${lower(var.name)}-user-${lower(var.environment)}"
    		8  |   path = var.iam_user_path
    		9  | 
    		10 |   permissions_boundary = var.iam_user_permissions_boundary
    		11 |   force_destroy        = var.iam_user_force_destroy
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.iam_user_name != "" ? var.iam_user_name : "${lower(var.name)}-user-${lower(var.environment)}"
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: module.iam_user.aws_iam_user_policy.iam_user_policy[0]
    	File: /aws/modules/iam_user/iam_user_policy.tf:4-21
    	Calling File: /aws/examples/iam_user/main.tf:32-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		4  | resource "aws_iam_user_policy" "iam_user_policy" {
    		5  |   count = var.enable_iam_user_policy ? 1 : 0
    		6  | 
    		7  |   name        = var.iam_user_policy_name != "" && var.iam_user_policy_name_prefix == "" ? var.iam_user_policy_name : null
    		8  |   name_prefix = var.iam_user_policy_name_prefix != "" && var.iam_user_policy_name == "" ? var.iam_user_policy_name_prefix : null
    		9  | 
    		10 |   user   = var.iam_user_policy_user != "" && !var.enable_iam_user ? var.iam_user_policy_user : element(concat(aws_iam_user.iam_user.*.id, [""]), 0)
    		11 |   policy = var.iam_user_policy_policy
    		12 | 
    		13 |   lifecycle {
    		14 |     create_before_destroy = true
    		15 |     ignore_changes        = []
    		16 |   }
    		17 | 
    		18 |   depends_on = [
    		19 |     aws_iam_user.iam_user
    		20 |   ]
    		21 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: module.lambda.aws_lambda_function.lambda_function[0]
    	File: /aws/modules/lambda/lambda_function.tf:4-83
    	Calling File: /aws/examples/lambda/main.tf:15-74
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_207: "Ensure MQ Broker minor version updates are enabled"
    	FAILED for resource: module.mq.aws_mq_broker.mq_broker[0]
    	File: /aws/modules/mq/mq_broker.tf:4-97
    	Calling File: /aws/examples/mq/main.tf:14-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbrokers-minor-version-updates-are-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_80: "Ensure MSK Cluster logging is enabled"
    	FAILED for resource: module.msk.aws_msk_cluster.msk_cluster[0]
    	File: /aws/modules/msk/msk_cluster.tf:4-171
    	Calling File: /aws/examples/msk/main.tf:15-107
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-18.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: module.nlb.aws_lb.nlb[0]
    	File: /aws/modules/nlb/nlb.tf:4-64
    	Calling File: /aws/examples/nlb/main.tf:14-59
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
    	FAILED for resource: module.nlb.aws_lb.nlb[0]
    	File: /aws/modules/nlb/nlb.tf:4-64
    	Calling File: /aws/examples/nlb/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: module.nlb.aws_lb_listener.nlb_listener[0]
    	File: /aws/modules/nlb/nlb_listener.tf:4-121
    	Calling File: /aws/examples/nlb/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: module.db_instance-rds-oracle.aws_db_instance.db_instance[0]
    	File: /aws/modules/rds/db_instance.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:62-127
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: module.db_instance-rds-oracle.aws_db_instance.db_instance[0]
    	File: /aws/modules/rds/db_instance.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:62-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: module.db_instance-rds-oracle.aws_db_instance.db_instance[0]
    	File: /aws/modules/rds/db_instance.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:62-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: module.db_instance-rds-oracle.aws_db_instance.db_instance[0]
    	File: /aws/modules/rds/db_instance.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:62-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_324: "Ensure that RDS Cluster log capture is enabled"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:14-59
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_96: "Ensure all data stored in Aurora is securely encrypted at rest"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-38.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_313: "Ensure RDS cluster configured to copy tags to snapshots"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:14-59
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_139: "Ensure that RDS clusters have deletion protection enabled"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Calling File: /aws/examples/rds/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster_instance.rds_cluster_instance[0]
    	File: /aws/modules/rds/rds_cluster_instance.tf:4-64
    	Calling File: /aws/examples/rds/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster_instance.rds_cluster_instance[0]
    	File: /aws/modules/rds/rds_cluster_instance.tf:4-64
    	Calling File: /aws/examples/rds/main.tf:14-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_307: "Ensure SageMaker Users should not have root access to SageMaker notebook instances"
    	FAILED for resource: module.sagemaker.aws_sagemaker_notebook_instance.sagemaker_notebook_instance[0]
    	File: /aws/modules/sagemaker/sagemaker_notebook_instance.tf:4-34
    	Calling File: /aws/examples/sagemaker/main.tf:17-67
    
    		4  | resource "aws_sagemaker_notebook_instance" "sagemaker_notebook_instance" {
    		5  |   count = var.enable_sagemaker_notebook_instance ? 1 : 0
    		6  | 
    		7  |   name          = var.sagemaker_notebook_instance_name != "" ? lower(var.sagemaker_notebook_instance_name) : "${lower(var.name)}-notebook-instance-${lower(var.environment)}"
    		8  |   role_arn      = var.sagemaker_notebook_instance_role_arn
    		9  |   instance_type = var.sagemaker_notebook_instance_instance_type
    		10 | 
    		11 |   platform_identifier    = var.sagemaker_notebook_instance_platform_identifier
    		12 |   volume_size            = var.sagemaker_notebook_instance_volume_size
    		13 |   subnet_id              = var.sagemaker_notebook_instance_subnet_id
    		14 |   security_groups        = var.sagemaker_notebook_instance_security_groups
    		15 |   kms_key_id             = var.sagemaker_notebook_instance_kms_key_id
    		16 |   lifecycle_config_name  = var.sagemaker_notebook_instance_lifecycle_config_name != "" && !var.enable_sagemaker_notebook_instance_lifecycle_configuration ? var.sagemaker_notebook_instance_lifecycle_config_name : element(concat(aws_sagemaker_notebook_instance_lifecycle_configuration.sagemaker_notebook_instance_lifecycle_configuration.*.id, [""]), 0)
    		17 |   direct_internet_access = var.sagemaker_notebook_instance_direct_internet_access
    		18 | 
    		19 |   tags = merge(
    		20 |     {
    		21 |       Name = var.sagemaker_notebook_instance_name != "" ? lower(var.sagemaker_notebook_instance_name) : "${lower(var.name)}-notebook-instance-${lower(var.environment)}"
    		22 |     },
    		23 |     var.tags
    		24 |   )
    		25 | 
    		26 |   lifecycle {
    		27 |     create_before_destroy = true
    		28 |     ignore_changes        = []
    		29 |   }
    		30 | 
    		31 |   depends_on = [
    		32 |     aws_sagemaker_notebook_instance_lifecycle_configuration.sagemaker_notebook_instance_lifecycle_configuration
    		33 |   ]
    		34 | }
    
    Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
    	FAILED for resource: module.sfn.aws_sfn_state_machine.sfn_state_machine[0]
    	File: /aws/modules/sfn/sfn_state_machine.tf:4-24
    	Calling File: /aws/examples/sfn/main.tf:13-44
    
    		4  | resource "aws_sfn_state_machine" "sfn_state_machine" {
    		5  |   count = var.enable_sfn_state_machine ? 1 : 0
    		6  | 
    		7  |   name       = var.sfn_state_machine_name != "" ? var.sfn_state_machine_name : "${lower(var.name)}-sfn-activity-${lower(var.environment)}"
    		8  |   definition = var.sfn_state_machine_definition
    		9  |   role_arn   = var.sfn_state_machine_role_arn
    		10 | 
    		11 |   tags = merge(
    		12 |     {
    		13 |       Name = var.sfn_state_machine_name != "" ? var.sfn_state_machine_name : "${lower(var.name)}-sfn-activity-${lower(var.environment)}"
    		14 |     },
    		15 |     var.tags
    		16 |   )
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
    	FAILED for resource: module.sfn.aws_sfn_state_machine.sfn_state_machine[0]
    	File: /aws/modules/sfn/sfn_state_machine.tf:4-24
    	Calling File: /aws/examples/sfn/main.tf:13-44
    
    		4  | resource "aws_sfn_state_machine" "sfn_state_machine" {
    		5  |   count = var.enable_sfn_state_machine ? 1 : 0
    		6  | 
    		7  |   name       = var.sfn_state_machine_name != "" ? var.sfn_state_machine_name : "${lower(var.name)}-sfn-activity-${lower(var.environment)}"
    		8  |   definition = var.sfn_state_machine_definition
    		9  |   role_arn   = var.sfn_state_machine_role_arn
    		10 | 
    		11 |   tags = merge(
    		12 |     {
    		13 |       Name = var.sfn_state_machine_name != "" ? var.sfn_state_machine_name : "${lower(var.name)}-sfn-activity-${lower(var.environment)}"
    		14 |     },
    		15 |     var.tags
    		16 |   )
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    Check: CKV_AWS_164: "Ensure Transfer Server is not exposed publicly."
    	FAILED for resource: module.transfer.aws_transfer_server.transfer_server[0]
    	File: /aws/modules/transfer/transfer_server.tf:4-37
    	Calling File: /aws/examples/transfer/main.tf:13-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-transfer-server-is-not-exposed-publicly.html
    
    		4  | resource "aws_transfer_server" "transfer_server" {
    		5  |   count = var.enable_transfer_server ? 1 : 0
    		6  | 
    		7  |   endpoint_type          = upper(var.transfer_server_endpoint_type)
    		8  |   invocation_role        = var.transfer_server_invocation_role
    		9  |   host_key               = var.transfer_server_host_key
    		10 |   url                    = var.transfer_server_url
    		11 |   identity_provider_type = var.transfer_server_identity_provider_type
    		12 |   logging_role           = var.transfer_server_logging_role
    		13 |   force_destroy          = var.transfer_server_force_destroy
    		14 | 
    		15 |   dynamic "endpoint_details" {
    		16 |     iterator = endpoint_details
    		17 |     for_each = var.transfer_server_endpoint_details
    		18 | 
    		19 |     content {
    		20 |       vpc_endpoint_id = lookup(endpoint_details.value, "vpc_endpoint_id", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.transfer_server_name != "" ? lower(var.transfer_server_name) : "${lower(var.name)}-transfer-server-${lower(var.environment)}"
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV_AWS_232: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.vpc_2.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-22.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_230: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 20"
    	FAILED for resource: module.vpc_2.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_229: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 21"
    	FAILED for resource: module.vpc_2.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_231: "Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389"
    	FAILED for resource: module.vpc_2.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-nacl-does-not-allow-ingress-from-00000-to-port-3389.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/main.tf:24-86
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/main.tf:24-86
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_1.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:198-248
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_1.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:198-248
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_2.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_2.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:253-371
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_custom_routings.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_custom_routings.tf:4-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_custom_routings.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_custom_routings.tf:4-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_endpoint.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:382-488
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_endpoint.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc/main.tf:382-488
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_vpn.aws_subnet.public_subnets[0]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_vpn.tf:4-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_vpn.aws_subnet.public_subnets[1]
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_vpn.tf:4-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_endpoint.aws_subnet.public_subnets
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_endpoint.tf:4-81
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_1.aws_subnet.public_subnets
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_peering.tf:4-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: module.vpc_2.aws_subnet.public_subnets
    	File: /aws/modules/vpc/subnet.tf:88-125
    	Calling File: /aws/examples/vpc_old/vpc_peering.tf:59-177
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		88  | resource "aws_subnet" "public_subnets" {
    		89  |   count = length(var.public_subnet_cidrs)
    		90  | 
    		91  |   cidr_block              = var.public_subnet_cidrs[count.index]
    		92  |   vpc_id                  = var.vpc_id != "" && !var.enable_vpc ? var.vpc_id : element(concat(aws_vpc.vpc.*.id, [""]), 0)
    		93  |   map_public_ip_on_launch = var.map_public_ip_on_launch
    		94  |   availability_zone       = length(var.azs) > 0 ? var.azs[count.index] : element(lookup(var.availability_zones, var.region), count.index)
    		95  | 
    		96  |   availability_zone_id            = var.availability_zone_id
    		97  |   ipv6_cidr_block                 = var.public_subnet_ipv6_cidrs != null ? var.public_subnet_ipv6_cidrs[count.index] : null
    		98  |   assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation
    		99  | 
    		100 |   dynamic "timeouts" {
    		101 |     iterator = timeouts
    		102 |     for_each = length(keys(var.subnet_timeouts)) > 0 ? [var.subnet_timeouts] : []
    		103 | 
    		104 |     content {
    		105 |       create = lookup(subnet_timeouts.value, "create", null)
    		106 |       delete = lookup(subnet_timeouts.value, "delete", null)
    		107 |     }
    		108 |   }
    		109 | 
    		110 |   tags = merge(
    		111 |     {
    		112 |       Name = var.public_subnets_name != "" ? "${lower(var.public_subnets_name)}-${count.index + 1}" : "${lower(var.name)}-${lower(var.environment)}-public_subnet-${count.index + 1}"
    		113 |     },
    		114 |     var.tags
    		115 |   )
    		116 | 
    		117 |   lifecycle {
    		118 |     create_before_destroy = true
    		119 |     ignore_changes        = []
    		120 |   }
    		121 | 
    		122 |   depends_on = [
    		123 |     aws_vpc.vpc
    		124 |   ]
    		125 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: module.vpc_default.aws_default_vpc.default_vpc[0]
    	File: /aws/modules/vpc_default/default_vpc.tf:4-24
    	Calling File: /aws/examples/vpc_default/main.tf:13-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		4  | resource "aws_default_vpc" "default_vpc" {
    		5  |   count = var.enable_default_vpc ? 1 : 0
    		6  | 
    		7  |   enable_dns_support   = var.default_vpc_enable_dns_support
    		8  |   enable_dns_hostnames = var.default_vpc_enable_dns_hostnames
    		9  |   enable_classiclink   = var.default_vpc_enable_classiclink
    		10 | 
    		11 |   tags = merge(
    		12 |     {
    		13 |       Name = var.default_vpc_name != "" ? var.default_vpc_name : "Default VPC"
    		14 |     },
    		15 |     var.tags
    		16 |   )
    		17 | 
    		18 |   lifecycle {
    		19 |     create_before_destroy = true
    		20 |     ignore_changes        = []
    		21 |   }
    		22 | 
    		23 |   depends_on = []
    		24 | }
    
    Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
    	FAILED for resource: module.aks.azurerm_kubernetes_cluster.kubernetes_cluster[0]
    	File: /azure/modules/aks/kubernetes_cluster.tf:4-311
    	Calling File: /azure/examples/aks/main.tf:37-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
    	FAILED for resource: module.aks.azurerm_kubernetes_cluster.kubernetes_cluster[0]
    	File: /azure/modules/aks/kubernetes_cluster.tf:4-311
    	Calling File: /azure/examples/aks/main.tf:37-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
    	FAILED for resource: module.aks.azurerm_kubernetes_cluster.kubernetes_cluster[0]
    	File: /azure/modules/aks/kubernetes_cluster.tf:4-311
    	Calling File: /azure/examples/aks/main.tf:37-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
    	FAILED for resource: module.aks.azurerm_kubernetes_cluster.kubernetes_cluster[0]
    	File: /azure/modules/aks/kubernetes_cluster.tf:4-311
    	Calling File: /azure/examples/aks/main.tf:37-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_39: "Ensure that no custom subscription owner roles are created"
    	FAILED for resource: module.authorization.azurerm_role_definition.role_definition[0]
    	File: /azure/modules/authorization/role_definition.tf:4-44
    	Calling File: /azure/examples/authorization/main.tf:49-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/do-not-create-custom-subscription-owner-roles.html
    
    		4  | resource "azurerm_role_definition" "role_definition" {
    		5  |   count = var.enable_role_definition ? 1 : 0
    		6  | 
    		7  |   name  = var.role_definition_name != "" ? var.role_definition_name : "${lower(var.name)}-role-definition-${lower(var.environment)}"
    		8  |   scope = var.role_definition_scope
    		9  | 
    		10 |   description        = var.role_definition_description
    		11 |   role_definition_id = var.role_definition_role_definition_id
    		12 |   assignable_scopes  = var.role_definition_assignable_scopes
    		13 | 
    		14 |   dynamic "permissions" {
    		15 |     iterator = permissions
    		16 |     for_each = var.role_definition_permissions
    		17 | 
    		18 |     content {
    		19 |       actions          = lookup(permissions.value, "actions", null)
    		20 |       data_actions     = lookup(permissions.value, "data_actions", null)
    		21 |       not_actions      = lookup(permissions.value, "not_actions", null)
    		22 |       not_data_actions = lookup(permissions.value, "not_data_actions", null)
    		23 |     }
    		24 |   }
    		25 | 
    		26 |   dynamic "timeouts" {
    		27 |     iterator = timeouts
    		28 |     for_each = length(keys(var.role_definition_timeouts)) > 0 ? [var.role_definition_timeouts] : []
    		29 | 
    		30 |     content {
    		31 |       create = lookup(timeouts.value, "create", null)
    		32 |       read   = lookup(timeouts.value, "read", null)
    		33 |       update = lookup(timeouts.value, "update", null)
    		34 |       delete = lookup(timeouts.value, "delete", null)
    		35 |     }
    		36 |   }
    		37 | 
    		38 |   lifecycle {
    		39 |     create_before_destroy = true
    		40 |     ignore_changes        = []
    		41 |   }
    		42 | 
    		43 |   depends_on = []
    		44 | }
    Check: CKV_AZURE_98: "Ensure that Azure Container group is deployed into virtual network"
    	FAILED for resource: module.container.azurerm_container_group.container_group[0]
    	File: /azure/modules/container/container_group.tf:4-252
    	Calling File: /azure/examples/container/main.tf:35-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-container-container-group-is-deployed-into-virtual-network.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_96: "Ensure that MySQL server enables infrastructure encryption"
    	FAILED for resource: module.database_mysql.azurerm_mysql_server.mysql_server[0]
    	File: /azure/modules/database_mysql/mysql_server.tf:4-82
    	Calling File: /azure/examples/database_mysql/main.tf:46-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-postgresql-server-enables-infrastructure-encryption-1.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_53: "Ensure 'public network access enabled' is set to 'False' for mySQL servers"
    	FAILED for resource: module.database_mysql.azurerm_mysql_server.mysql_server[0]
    	File: /azure/modules/database_mysql/mysql_server.tf:4-82
    	Calling File: /azure/examples/database_mysql/main.tf:46-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_94: "Ensure that My SQL server enables geo-redundant backups"
    	FAILED for resource: module.database_mysql.azurerm_mysql_server.mysql_server[0]
    	File: /azure/modules/database_mysql/mysql_server.tf:4-82
    	Calling File: /azure/examples/database_mysql/main.tf:46-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-geo-redundant-backups.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_9: "Ensure that RDP access is restricted from the internet"
    	FAILED for resource: module.network_sg.azurerm_network_security_group.network_security_group[0]
    	File: /azure/modules/network/network_security_group.tf:4-61
    	Calling File: /azure/examples/network/main.tf:45-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
    	FAILED for resource: module.network_sg.azurerm_network_security_group.network_security_group[0]
    	File: /azure/modules/network/network_security_group.tf:4-61
    	Calling File: /azure/examples/network/main.tf:45-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
    	FAILED for resource: module.network_sg.azurerm_network_security_group.network_security_group[0]
    	File: /azure/modules/network/network_security_group.tf:4-61
    	Calling File: /azure/examples/network/main.tf:45-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_183: "Ensure that VNET uses local DNS addresses"
    	FAILED for resource: module.virtual_network.azurerm_virtual_network.virtual_network
    	File: /azure/modules/network/virtual_network.tf:4-66
    	Calling File: /azure/examples/network/main.tf:82-118
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
    	FAILED for resource: module.storage_account.azurerm_storage_account_network_rules.storage_account_network_rules[0]
    	File: /azure/modules/storage/storage_account_network_rules.tf:4-45
    	Calling File: /azure/examples/storage/main.tf:45-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
    
    		4  | resource "azurerm_storage_account_network_rules" "storage_account_network_rules" {
    		5  |   count = var.enable_storage_account_network_rules ? 1 : 0
    		6  | 
    		7  |   default_action = var.storage_account_network_rules_default_action
    		8  | 
    		9  |   storage_account_id         = var.storage_account_network_rules_storage_account_id != "" ? var.storage_account_network_rules_storage_account_id : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].id : null)
    		10 |   bypass                     = var.storage_account_network_rules_bypass
    		11 |   ip_rules                   = var.storage_account_network_rules_ip_rules
    		12 |   virtual_network_subnet_ids = var.storage_account_network_rules_virtual_network_subnet_ids
    		13 | 
    		14 |   dynamic "private_link_access" {
    		15 |     iterator = private_link_access
    		16 |     for_each = length(keys(var.storage_account_network_rules_private_link_access)) > 0 ? [var.storage_account_network_rules_private_link_access] : []
    		17 | 
    		18 |     content {
    		19 |       endpoint_resource_id = lookup(private_link_access.value, "endpoint_resource_id", null)
    		20 | 
    		21 |       endpoint_tenant_id = lookup(private_link_access.value, "endpoint_tenant_id", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   dynamic "timeouts" {
    		26 |     iterator = timeouts
    		27 |     for_each = length(keys(var.storage_account_network_rules_timeouts)) > 0 ? [var.storage_account_network_rules_timeouts] : []
    		28 | 
    		29 |     content {
    		30 |       create = lookup(timeouts.value, "create", null)
    		31 |       read   = lookup(timeouts.value, "read", null)
    		32 |       update = lookup(timeouts.value, "update", null)
    		33 |       delete = lookup(timeouts.value, "delete", null)
    		34 |     }
    		35 |   }
    		36 | 
    		37 |   lifecycle {
    		38 |     create_before_destroy = true
    		39 |     ignore_changes        = []
    		40 |   }
    		41 | 
    		42 |   depends_on = [
    		43 |     azurerm_storage_account.storage_account
    		44 |   ]
    		45 | }
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[0]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:4-143
    	Calling File: /google_cloud_platform/examples/compute_target_pool/main.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.compute_instance.google_compute_instance.compute_instance_with_attached_disk[1]
    	File: /google_cloud_platform/modules/compute_instance/compute_instance.tf:147-285
    	Calling File: /google_cloud_platform/examples/compute_instance/main.tf:15-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: module.compute_instance_template.google_compute_instance_template.compute_instance_template
    	File: /google_cloud_platform/modules/compute_instance_template/compute_instance_template.tf:4-91
    	Calling File: /google_cloud_platform/examples/compute_instance_template/main.tf:14-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: module.compute_instance_template.google_compute_instance_template.compute_instance_template
    	File: /google_cloud_platform/modules/compute_instance_template/compute_instance_template.tf:4-91
    	Calling File: /google_cloud_platform/examples/compute_instance_template/main.tf:14-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: module.compute_instance_template.google_compute_instance_template.compute_instance_template
    	File: /google_cloud_platform/modules/compute_instance_template/compute_instance_template.tf:4-91
    	Calling File: /google_cloud_platform/examples/compute_instance_template/main.tf:14-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:38-61
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		38 | resource "google_compute_subnetwork" "compute_subnetwork" {
    		39 |   count = var.enable_compute_subnetwork && !var.enable_secondary_ip_range ? 1 : 0
    		40 | 
    		41 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		42 |   description   = var.description
    		43 |   project       = var.project
    		44 |   ip_cidr_range = var.ip_cidr_range
    		45 |   region        = var.region
    		46 |   network       = var.network
    		47 | 
    		48 |   enable_flow_logs         = var.enable_flow_logs
    		49 |   private_ip_google_access = var.private_ip_google_access
    		50 | 
    		51 |   timeouts {
    		52 |     create = var.timeouts_create
    		53 |     update = var.timeouts_update
    		54 |     delete = var.timeouts_delete
    		55 |   }
    		56 | 
    		57 |   lifecycle {
    		58 |     ignore_changes        = []
    		59 |     create_before_destroy = true
    		60 |   }
    		61 | }
    
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:38-61
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		38 | resource "google_compute_subnetwork" "compute_subnetwork" {
    		39 |   count = var.enable_compute_subnetwork && !var.enable_secondary_ip_range ? 1 : 0
    		40 | 
    		41 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		42 |   description   = var.description
    		43 |   project       = var.project
    		44 |   ip_cidr_range = var.ip_cidr_range
    		45 |   region        = var.region
    		46 |   network       = var.network
    		47 | 
    		48 |   enable_flow_logs         = var.enable_flow_logs
    		49 |   private_ip_google_access = var.private_ip_google_access
    		50 | 
    		51 |   timeouts {
    		52 |     create = var.timeouts_create
    		53 |     update = var.timeouts_update
    		54 |     delete = var.timeouts_delete
    		55 |   }
    		56 | 
    		57 |   lifecycle {
    		58 |     ignore_changes        = []
    		59 |     create_before_destroy = true
    		60 |   }
    		61 | }
    
    Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:38-61
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
    
    		38 | resource "google_compute_subnetwork" "compute_subnetwork" {
    		39 |   count = var.enable_compute_subnetwork && !var.enable_secondary_ip_range ? 1 : 0
    		40 | 
    		41 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		42 |   description   = var.description
    		43 |   project       = var.project
    		44 |   ip_cidr_range = var.ip_cidr_range
    		45 |   region        = var.region
    		46 |   network       = var.network
    		47 | 
    		48 |   enable_flow_logs         = var.enable_flow_logs
    		49 |   private_ip_google_access = var.private_ip_google_access
    		50 | 
    		51 |   timeouts {
    		52 |     create = var.timeouts_create
    		53 |     update = var.timeouts_update
    		54 |     delete = var.timeouts_delete
    		55 |   }
    		56 | 
    		57 |   lifecycle {
    		58 |     ignore_changes        = []
    		59 |     create_before_destroy = true
    		60 |   }
    		61 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/vpc/vpc-with-custom-subnet/main.tf:22-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/compute_route/main.tf:22-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/compute_route/main.tf:22-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
    	FAILED for resource: module.compute_subnetwork.google_compute_subnetwork.compute_subnetwork_with_secondary_ip_range
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:63-91
    	Calling File: /google_cloud_platform/examples/compute_route/main.tf:22-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
    
    		63 | resource "google_compute_subnetwork" "compute_subnetwork_with_secondary_ip_range" {
    		64 |   count = var.enable_compute_subnetwork && var.enable_secondary_ip_range ? 1 : 0
    		65 | 
    		66 |   name          = "${lower(var.name)}-subnetwork-${lower(var.environment)}"
    		67 |   description   = var.description
    		68 |   project       = var.project
    		69 |   ip_cidr_range = var.ip_cidr_range
    		70 |   region        = var.region
    		71 |   network       = var.network
    		72 | 
    		73 |   enable_flow_logs         = var.enable_flow_logs
    		74 |   private_ip_google_access = var.private_ip_google_access
    		75 | 
    		76 |   secondary_ip_range {
    		77 |     range_name    = var.secondary_ip_range_name
    		78 |     ip_cidr_range = var.secondary_ip_range_cidr
    		79 |   }
    		80 | 
    		81 |   timeouts {
    		82 |     create = var.timeouts_create
    		83 |     update = var.timeouts_update
    		84 |     delete = var.timeouts_delete
    		85 |   }
    		86 | 
    		87 |   lifecycle {
    		88 |     ignore_changes        = []
    		89 |     create_before_destroy = true
    		90 |   }
    		91 | }
    
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_25: "Ensure Kubernetes Cluster is created with Private cluster enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-6.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_70: "Ensure the GKE Release Channel is set"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-release-channel-is-set.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_19: "Ensure GKE basic auth is disabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_23: "Ensure Kubernetes Cluster is created with Alias IP ranges enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-15.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_64: "Ensure clusters are created with Private Nodes"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-clusters-are-created-with-private-nodes.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_25: "Ensure Kubernetes Cluster is created with Private cluster enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-6.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_70: "Ensure the GKE Release Channel is set"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-release-channel-is-set.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_19: "Ensure GKE basic auth is disabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_64: "Ensure clusters are created with Private Nodes"
    	FAILED for resource: module.container_cluster.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-clusters-are-created-with-private-nodes.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.container_cluster.google_container_node_pool.container_node_pool_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:248-311
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.container_cluster.google_container_node_pool.container_node_pool_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:248-311
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.container_cluster.google_container_node_pool.container_node_pool_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:313-374
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.container_cluster.google_container_node_pool.container_node_pool_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:313-374
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:29-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_25: "Ensure Kubernetes Cluster is created with Private cluster enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-6.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_70: "Ensure the GKE Release Channel is set"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-release-channel-is-set.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_19: "Ensure GKE basic auth is disabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_23: "Ensure Kubernetes Cluster is created with Alias IP ranges enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-15.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_64: "Ensure clusters are created with Private Nodes"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:4-123
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-clusters-are-created-with-private-nodes.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_25: "Ensure Kubernetes Cluster is created with Private cluster enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-6.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_70: "Ensure the GKE Release Channel is set"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-release-channel-is-set.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_19: "Ensure GKE basic auth is disabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_64: "Ensure clusters are created with Private Nodes"
    	FAILED for resource: module.node_pool.google_container_cluster.container_cluster_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:125-244
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-clusters-are-created-with-private-nodes.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.node_pool.google_container_node_pool.container_node_pool_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:248-311
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.node_pool.google_container_node_pool.container_node_pool_zone[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:248-311
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: module.node_pool.google_container_node_pool.container_node_pool_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:313-374
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: module.node_pool.google_container_node_pool.container_node_pool_region[0]
    	File: /google_cloud_platform/modules/container_cluster/container_cluster.tf:313-374
    	Calling File: /google_cloud_platform/examples/container_cluster/main.tf:45-57
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_94: "Ensure Dataflow jobs are private"
    	FAILED for resource: module.dataflow_job.google_dataflow_job.dataflow_job
    	File: /google_cloud_platform/modules/dataflow_job/dataflow_job.tf:4-22
    	Calling File: /google_cloud_platform/examples/dataflow_job/main.tf:14-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-cloud-dataflow-job-has-public-ips.html
    
    		4  | resource "google_dataflow_job" "dataflow_job" {
    		5  | 
    		6  |   name    = "${lower(var.name)}-df-job-${lower(var.environment)}"
    		7  |   project = var.project
    		8  |   zone    = var.zone
    		9  | 
    		10 |   template_gcs_path = var.template_gcs_path
    		11 |   temp_gcs_location = var.temp_gcs_location
    		12 | 
    		13 |   max_workers = var.max_workers
    		14 |   on_delete   = var.on_delete
    		15 | 
    		16 |   parameters = ["${var.parameters}"]
    		17 | 
    		18 |   lifecycle {
    		19 |     ignore_changes        = []
    		20 |     create_before_destroy = true
    		21 |   }
    		22 | }
    
    Check: CKV_GCP_90: "Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: module.dataflow_job.google_dataflow_job.dataflow_job
    	File: /google_cloud_platform/modules/dataflow_job/dataflow_job.tf:4-22
    	Calling File: /google_cloud_platform/examples/dataflow_job/main.tf:14-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-data-flow-jobs-are-encrypted-with-customer-supplied-encryption-keys-csek.html
    
    		4  | resource "google_dataflow_job" "dataflow_job" {
    		5  | 
    		6  |   name    = "${lower(var.name)}-df-job-${lower(var.environment)}"
    		7  |   project = var.project
    		8  |   zone    = var.zone
    		9  | 
    		10 |   template_gcs_path = var.template_gcs_path
    		11 |   temp_gcs_location = var.temp_gcs_location
    		12 | 
    		13 |   max_workers = var.max_workers
    		14 |   on_delete   = var.on_delete
    		15 | 
    		16 |   parameters = ["${var.parameters}"]
    		17 | 
    		18 |   lifecycle {
    		19 |     ignore_changes        = []
    		20 |     create_before_destroy = true
    		21 |   }
    		22 | }
    
    Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: module.google_bigquery.google_bigquery_dataset.bigquery_dataset[0]
    	File: /google_cloud_platform/modules/google_bigquery/google_bigquery.tf:14-41
    	Calling File: /google_cloud_platform/examples/google_bigquery/main.tf:14-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1.html
    
    		14 | resource "google_bigquery_dataset" "bigquery_dataset" {
    		15 |   count = var.enable_bigquery_dataset ? 1 : 0
    		16 | 
    		17 |   dataset_id                  = length(var.dataset_id) > 0 ? var.dataset_id : "${random_integer.dataset.result}"
    		18 |   friendly_name               = length(var.friendly_name) > 0 ? var.friendly_name : "${lower(var.name)}-bq-dataset-${lower(var.environment)}"
    		19 |   description                 = var.description
    		20 |   project                     = var.project
    		21 |   location                    = var.location
    		22 |   default_table_expiration_ms = var.default_table_expiration_ms
    		23 | 
    		24 |   labels {
    		25 |     name          = "${lower(var.name)}-bq-dataset-${lower(var.environment)}"
    		26 |     dataset_id    = length(var.dataset_id) > 0 ? var.dataset_id : "${random_integer.dataset.result}"
    		27 |     environment   = lower(var.environment)
    		28 |     orchestration = lower(var.orchestration)
    		29 |   }
    		30 | 
    		31 |   lifecycle {
    		32 |     ignore_changes = [
    		33 |       dataset_id
    		34 |     ]
    		35 |     create_before_destroy = true
    		36 |   }
    		37 | 
    		38 |   depends_on = [
    		39 |     random_integer.dataset
    		40 |   ]
    		41 | }
    
    Check: CKV_GCP_85: "Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: module.google_bigtable.google_bigtable_instance.bigtable_instance[0]
    	File: /google_cloud_platform/modules/google_bigtable/google_bigtable.tf:4-20
    	Calling File: /google_cloud_platform/examples/google_bigtable/main.tf:14-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-table-instances-are-encrypted-with-customer-supplied-encryption-keys-cseks.html
    
    		4  | resource "google_bigtable_instance" "bigtable_instance" {
    		5  |   count = var.enable_bigtable_instance ? 1 : 0
    		6  | 
    		7  |   name          = "${lower(var.name)}-bt-instance-${lower(var.environment)}"
    		8  |   display_name  = var.display_name
    		9  |   cluster_id    = length(var.cluster_id) > 0 ? var.cluster_id : "${lower(var.name)}-bt-instance-${lower(var.environment)}"
    		10 |   project       = var.project
    		11 |   zone          = var.zone
    		12 |   num_nodes     = var.num_nodes
    		13 |   instance_type = var.instance_type
    		14 |   storage_type  = var.storage_type
    		15 | 
    		16 |   lifecycle {
    		17 |     ignore_changes        = []
    		18 |     create_before_destroy = true
    		19 |   }
    		20 | }
    
    Check: CKV_GCP_16: "Ensure that DNSSEC is enabled for Cloud DNS"
    	FAILED for resource: module.google_dns.google_dns_managed_zone.dns_managed_zone[0]
    	File: /google_cloud_platform/modules/google_dns/google_dns.tf:4-16
    	Calling File: /google_cloud_platform/examples/google_dns/main.tf:14-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-5.html
    
    		4  | resource "google_dns_managed_zone" "dns_managed_zone" {
    		5  |   count = var.enable_dns_managed_zone && length(var.dns_name) > 0 && length(var.description) > 0 ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-dns-mz-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 |   dns_name    = var.dns_name
    		11 | 
    		12 |   lifecycle {
    		13 |     ignore_changes        = []
    		14 |     create_before_destroy = true
    		15 |   }
    		16 | }
    
    Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: module.google_pubsub.google_pubsub_topic.pubsub_topic[0]
    	File: /google_cloud_platform/modules/google_pubsub/google_pubsub.tf:4-14
    	Calling File: /google_cloud_platform/examples/google_pubsub/main.tf:14-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek.html
    
    		4  | resource "google_pubsub_topic" "pubsub_topic" {
    		5  |   count = var.enable_pubsub_topic ? 1 : 0
    		6  | 
    		7  |   name    = "${lower(var.name)}-ps-topic-${lower(var.environment)}"
    		8  |   project = var.project
    		9  | 
    		10 |   lifecycle {
    		11 |     ignore_changes        = []
    		12 |     create_before_destroy = true
    		13 |   }
    		14 | }
    
    Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
    	FAILED for resource: module.project.google_project.project[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:14-35
    	Calling File: /google_cloud_platform/examples/project/main.tf:14-30
    	Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
    
    		14 | resource "google_project" "project" {
    		15 |   count = var.billing_account != "" && var.org_id != "" ? 1 : 0
    		16 | 
    		17 |   name            = var.name
    		18 |   project_id      = var.project_id == "" ? random_id.id.hex : var.project_id
    		19 |   billing_account = var.billing_account
    		20 |   org_id          = var.org_id
    		21 | 
    		22 |   skip_delete         = var.skip_delete
    		23 |   auto_create_network = var.auto_create_network
    		24 | 
    		25 |   labels {
    		26 |     Name          = var.name
    		27 |     Environment   = var.environment
    		28 |     Orchestration = var.orchestration
    		29 |     Createdby     = var.createdby
    		30 |   }
    		31 | 
    		32 |   depends_on = [
    		33 |     random_id.id
    		34 |   ]
    		35 | }
    
    Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
    	FAILED for resource: module.project.google_project.specific_project[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:40-61
    	Calling File: /google_cloud_platform/examples/project/main.tf:14-30
    	Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
    
    		40 | resource "google_project" "specific_project" {
    		41 |   count = var.org_id != "" && var.enable_specific_folder ? 1 : 0
    		42 | 
    		43 |   name = var.name
    		44 |   #project_id      = "${random_id.id.hex}"
    		45 |   project_id = var.project_id == "" ? random_id.id.hex : var.project_id
    		46 |   folder_id  = google_folder.specific_folder.name
    		47 | 
    		48 |   skip_delete         = var.skip_delete
    		49 |   auto_create_network = var.auto_create_network
    		50 | 
    		51 |   labels {
    		52 |     Name          = var.name
    		53 |     Environment   = var.environment
    		54 |     Orchestration = var.orchestration
    		55 |     Createdby     = var.createdby
    		56 |   }
    		57 | 
    		58 |   depends_on = [
    		59 |     google_folder.specific_folder
    		60 |   ]
    		61 | }
    
    Check: CKV_GCP_45: "Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level"
    	FAILED for resource: module.project.google_organization_iam_member.organization_iam_member[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:110-117
    	Calling File: /google_cloud_platform/examples/project/main.tf:14-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-6.html
    
    		110 | resource "google_organization_iam_member" "organization_iam_member" {
    		111 |   count = var.org_id != "" && var.enable_organization_iam_member ? 1 : 0
    		112 | 
    		113 | 
    		114 |   org_id = var.org_id
    		115 |   role   = "roles/editor"
    		116 |   member = "user:[email protected]"
    		117 | }
    
    Check: CKV_GCP_115: "Ensure basic roles are not used at organization level."
    	FAILED for resource: module.project.google_organization_iam_member.organization_iam_member[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:110-117
    	Calling File: /google_cloud_platform/examples/project/main.tf:14-30
    
    		110 | resource "google_organization_iam_member" "organization_iam_member" {
    		111 |   count = var.org_id != "" && var.enable_organization_iam_member ? 1 : 0
    		112 | 
    		113 | 
    		114 |   org_id = var.org_id
    		115 |   role   = "roles/editor"
    		116 |   member = "user:[email protected]"
    		117 | }
    
    Check: CKV_GCP_95: "Ensure Memorystore for Redis has AUTH enabled"
    	FAILED for resource: module.redis_instance.google_redis_instance.redis_instance[0]
    	File: /google_cloud_platform/modules/redis_instance/redis_instance.tf:4-38
    	Calling File: /google_cloud_platform/examples/redis_instance/main.tf:14-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-is-auth-enabled.html
    
    		4  | resource "google_redis_instance" "redis_instance" {
    		5  |   count = var.count_redis_instance
    		6  | 
    		7  |   name           = "${lower(var.name)}-ri-${lower(var.environment)}-${count.index + 1}"
    		8  |   memory_size_gb = var.memory_size_gb
    		9  |   tier           = var.tier
    		10 | 
    		11 |   project                 = var.project
    		12 |   region                  = var.region
    		13 |   location_id             = var.location_id
    		14 |   alternative_location_id = var.alternative_location_id
    		15 | 
    		16 |   authorized_network = var.authorized_network
    		17 | 
    		18 |   redis_version     = var.redis_version
    		19 |   display_name      = length(var.display_name) > 0 ? var.display_name : "${lower(var.name)}-ri-${lower(var.environment)}"
    		20 |   reserved_ip_range = var.reserved_ip_range
    		21 | 
    		22 |   timeouts {
    		23 |     create = var.timeouts_create
    		24 |     update = var.timeouts_update
    		25 |     delete = var.timeouts_delete
    		26 |   }
    		27 | 
    		28 |   labels {
    		29 |     name          = "${lower(var.name)}-ri-${lower(var.environment)}-${count.index + 1}"
    		30 |     environment   = lower(var.environment)
    		31 |     orchestration = lower(var.orchestration)
    		32 |   }
    		33 | 
    		34 |   lifecycle {
    		35 |     ignore_changes        = []
    		36 |     create_before_destroy = true
    		37 |   }
    		38 | }
    
    Check: CKV_GCP_97: "Ensure Memorystore for Redis uses intransit encryption"
    	FAILED for resource: module.redis_instance.google_redis_instance.redis_instance[0]
    	File: /google_cloud_platform/modules/redis_instance/redis_instance.tf:4-38
    	Calling File: /google_cloud_platform/examples/redis_instance/main.tf:14-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-uses-intransit-encryption.html
    
    		4  | resource "google_redis_instance" "redis_instance" {
    		5  |   count = var.count_redis_instance
    		6  | 
    		7  |   name           = "${lower(var.name)}-ri-${lower(var.environment)}-${count.index + 1}"
    		8  |   memory_size_gb = var.memory_size_gb
    		9  |   tier           = var.tier
    		10 | 
    		11 |   project                 = var.project
    		12 |   region                  = var.region
    		13 |   location_id             = var.location_id
    		14 |   alternative_location_id = var.alternative_location_id
    		15 | 
    		16 |   authorized_network = var.authorized_network
    		17 | 
    		18 |   redis_version     = var.redis_version
    		19 |   display_name      = length(var.display_name) > 0 ? var.display_name : "${lower(var.name)}-ri-${lower(var.environment)}"
    		20 |   reserved_ip_range = var.reserved_ip_range
    		21 | 
    		22 |   timeouts {
    		23 |     create = var.timeouts_create
    		24 |     update = var.timeouts_update
    		25 |     delete = var.timeouts_delete
    		26 |   }
    		27 | 
    		28 |   labels {
    		29 |     name          = "${lower(var.name)}-ri-${lower(var.environment)}-${count.index + 1}"
    		30 |     environment   = lower(var.environment)
    		31 |     orchestration = lower(var.orchestration)
    		32 |   }
    		33 | 
    		34 |   lifecycle {
    		35 |     ignore_changes        = []
    		36 |     create_before_destroy = true
    		37 |   }
    		38 | }
    
    Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:4-67
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:4-67
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:4-67
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:4-67
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:69-135
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:69-135
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:69-135
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:69-135
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql_replication[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:139-215
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql_replication[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:139-215
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql_replication[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:139-215
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql_replication[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:139-215
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres_replication
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:217-296
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres_replication
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:217-296
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres_replication
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:217-296
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres_replication
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:217-296
    	Calling File: /google_cloud_platform/examples/sql_database/main.tf:14-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: module.storage_bucket.google_storage_bucket.storage_bucket[0]
    	File: /google_cloud_platform/modules/storage_bucket/storage_bucket.tf:4-59
    	Calling File: /google_cloud_platform/examples/storage_bucket/main.tf:14-21
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: module.storage_bucket.google_storage_bucket.storage_bucket[0]
    	File: /google_cloud_platform/modules/storage_bucket/storage_bucket.tf:4-59
    	Calling File: /google_cloud_platform/examples/storage_bucket/main.tf:14-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
    	FAILED for resource: module.storage_bucket.google_storage_bucket.storage_bucket[0]
    	File: /google_cloud_platform/modules/storage_bucket/storage_bucket.tf:4-59
    	Calling File: /google_cloud_platform/examples/storage_bucket/main.tf:14-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: module.k8s_cluster_role_binding.kubernetes_cluster_role_binding.cluster_role_binding[0]
    	File: /kubernetes/modules/k8s_cluster_role/cluster_role_binding.tf:4-45
    	Calling File: /kubernetes/examples/k8s_cluster_role/main.tf:86-126
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		4  | resource "kubernetes_cluster_role_binding" "cluster_role_binding" {
    		5  |   count = var.enable_cluster_role_binding ? 1 : 0
    		6  | 
    		7  |   metadata {
    		8  |     name = var.cluster_role_binding_name != "" ? var.cluster_role_binding_name : "${lower(var.name)}-cluster-role-binding-${lower(var.environment)}"
    		9  |     // name          = var.cluster_role_binding_name != "" ? var.cluster_role_binding_name : (var.cluster_role_binding_generate_name == null ? "${lower(var.name)}-cluster-role-${lower(var.environment)}" : null)
    		10 |     // generate_name = var.cluster_role_binding_generate_name != null ? (var.cluster_role_binding_name == "" ? var.cluster_role_binding_generate_name : null) : null
    		11 | 
    		12 |     annotations = var.cluster_role_binding_annotations
    		13 |     labels      = var.cluster_role_binding_labels
    		14 |   }
    		15 | 
    		16 |   dynamic "role_ref" {
    		17 |     iterator = role_ref
    		18 |     for_each = var.cluster_role_binding_role_refs
    		19 | 
    		20 |     content {
    		21 |       api_group = lookup(role_ref.value, "api_group", null)
    		22 |       kind      = lookup(role_ref.value, "kind", null)
    		23 |       name      = lookup(role_ref.value, "name", null)
    		24 |     }
    		25 |   }
    		26 | 
    		27 |   dynamic "subject" {
    		28 |     iterator = subject
    		29 |     for_each = var.cluster_role_binding_subjects
    		30 | 
    		31 |     content {
    		32 |       name      = lookup(subject.value, "name", null)
    		33 |       kind      = lookup(subject.value, "kind", null)
    		34 |       namespace = lookup(subject.value, "namespace", null)
    		35 |       api_group = lookup(subject.value, "api_group", null)
    		36 |     }
    		37 |   }
    		38 | 
    		39 |   lifecycle {
    		40 |     create_before_destroy = true
    		41 |     ignore_changes        = []
    		42 |   }
    		43 | 
    		44 |   depends_on = []
    		45 | }
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: module.k8s_config_map_suffix.kubernetes_config_map.config_map[0]
    	File: /kubernetes/modules/k8s_config_map/config_map.tf:4-26
    	Calling File: /kubernetes/examples/k8s_config_map/main.tf:61-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		4  | resource "kubernetes_config_map" "config_map" {
    		5  |   count = var.enable_config_map ? 1 : 0
    		6  | 
    		7  |   metadata {
    		8  |     name          = var.config_map_name != "" ? var.config_map_name : (var.config_map_generate_name == null ? "${lower(var.name)}-cm-${lower(var.environment)}" : null)
    		9  |     generate_name = var.config_map_generate_name != null ? (var.config_map_name == "" ? var.config_map_generate_name : null) : null
    		10 | 
    		11 |     annotations = var.config_map_annotations
    		12 |     labels      = var.config_map_labels
    		13 | 
    		14 |     namespace = var.config_map_namespace
    		15 |   }
    		16 | 
    		17 |   data        = var.data
    		18 |   binary_data = var.binary_data
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
    	FAILED for resource: module.k8s_role_binding.kubernetes_role_binding.role_binding[0]
    	File: /kubernetes/modules/k8s_role/kubernetes_role_binding.tf:4-46
    	Calling File: /kubernetes/examples/k8s_role/main.tf:51-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used.html
    
    		4  | resource "kubernetes_role_binding" "role_binding" {
    		5  |   count = var.enable_role_binding ? 1 : 0
    		6  | 
    		7  |   metadata {
    		8  |     name = var.role_binding_name != "" ? var.role_binding_name : "${lower(var.name)}-cluster-role-${lower(var.environment)}"
    		9  |     // name          = var.role_binding_name != "" ? var.role_binding_name : (var.role_binding_generate_name == null ? "${lower(var.name)}-cluster-role-${lower(var.environment)}" : null)
    		10 |     // generate_name = var.role_binding_generate_name != null ? (var.role_binding_name == "" ? var.role_binding_generate_name : null) : null
    		11 | 
    		12 |     annotations = var.role_binding_annotations
    		13 |     labels      = var.role_binding_labels
    		14 |     namespace   = var.role_binding_namespace
    		15 |   }
    		16 | 
    		17 |   dynamic "role_ref" {
    		18 |     iterator = role_ref
    		19 |     for_each = var.role_binding_role_refs
    		20 | 
    		21 |     content {
    		22 |       api_group = lookup(role_ref.value, "api_group", null)
    		23 |       kind      = lookup(role_ref.value, "kind", null)
    		24 |       name      = lookup(role_ref.value, "name", null)
    		25 |     }
    		26 |   }
    		27 | 
    		28 |   dynamic "subject" {
    		29 |     iterator = subject
    		30 |     for_each = var.role_binding_subjects
    		31 | 
    		32 |     content {
    		33 |       name      = lookup(subject.value, "name", null)
    		34 |       kind      = lookup(subject.value, "kind", null)
    		35 |       namespace = lookup(subject.value, "namespace", null)
    		36 |       api_group = lookup(subject.value, "api_group", null)
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   lifecycle {
    		41 |     create_before_destroy = true
    		42 |     ignore_changes        = []
    		43 |   }
    		44 | 
    		45 |   depends_on = []
    		46 | }
    
    Check: CKV2_AZURE_20: "Ensure Storage logging is enabled for Table service for read requests"
    	FAILED for resource: module.storage_blob.azurerm_storage_table.storage_table
    	File: /azure/modules/storage/storage_table.tf:4-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-table-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_table" "storage_table" {
    		5  |   count = var.enable_storage_table ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_table_name != "" ? var.storage_table_name : "${lower(var.name)}-storage-table-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_table_storage_account_name != "" ? var.storage_table_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   dynamic "acl" {
    		11 |     iterator = acl
    		12 |     for_each = var.storage_table_acl
    		13 | 
    		14 |     content {
    		15 |       id = lookup(acl.value, "id", null)
    		16 | 
    		17 |       dynamic "access_policy" {
    		18 |         iterator = access_policy
    		19 |         for_each = length(keys(lookup(acl.value, "access_policy", {}))) > 0 ? [lookup(acl.value, "access_policy", {})] : []
    		20 | 
    		21 |         content {
    		22 |           expiry      = lookup(access_policy.value, "expiry", null)
    		23 |           permissions = lookup(access_policy.value, "permissions", null)
    		24 |           start       = lookup(access_policy.value, "start", null)
    		25 |         }
    		26 |       }
    		27 |     }
    		28 |   }
    		29 | 
    		30 |   dynamic "timeouts" {
    		31 |     iterator = timeouts
    		32 |     for_each = length(keys(var.storage_table_timeouts)) > 0 ? [var.storage_table_timeouts] : []
    		33 | 
    		34 |     content {
    		35 |       create = lookup(timeouts.value, "create", null)
    		36 |       read   = lookup(timeouts.value, "read", null)
    		37 |       update = lookup(timeouts.value, "update", null)
    		38 |       delete = lookup(timeouts.value, "delete", null)
    		39 |     }
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |     ignore_changes        = []
    		45 |   }
    		46 | 
    		47 |   depends_on = [
    		48 |     azurerm_storage_account.storage_account
    		49 |   ]
    		50 | }
    Check: CKV2_AZURE_20: "Ensure Storage logging is enabled for Table service for read requests"
    	FAILED for resource: module.storage_container.azurerm_storage_table.storage_table
    	File: /azure/modules/storage/storage_table.tf:4-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-table-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_table" "storage_table" {
    		5  |   count = var.enable_storage_table ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_table_name != "" ? var.storage_table_name : "${lower(var.name)}-storage-table-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_table_storage_account_name != "" ? var.storage_table_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   dynamic "acl" {
    		11 |     iterator = acl
    		12 |     for_each = var.storage_table_acl
    		13 | 
    		14 |     content {
    		15 |       id = lookup(acl.value, "id", null)
    		16 | 
    		17 |       dynamic "access_policy" {
    		18 |         iterator = access_policy
    		19 |         for_each = length(keys(lookup(acl.value, "access_policy", {}))) > 0 ? [lookup(acl.value, "access_policy", {})] : []
    		20 | 
    		21 |         content {
    		22 |           expiry      = lookup(access_policy.value, "expiry", null)
    		23 |           permissions = lookup(access_policy.value, "permissions", null)
    		24 |           start       = lookup(access_policy.value, "start", null)
    		25 |         }
    		26 |       }
    		27 |     }
    		28 |   }
    		29 | 
    		30 |   dynamic "timeouts" {
    		31 |     iterator = timeouts
    		32 |     for_each = length(keys(var.storage_table_timeouts)) > 0 ? [var.storage_table_timeouts] : []
    		33 | 
    		34 |     content {
    		35 |       create = lookup(timeouts.value, "create", null)
    		36 |       read   = lookup(timeouts.value, "read", null)
    		37 |       update = lookup(timeouts.value, "update", null)
    		38 |       delete = lookup(timeouts.value, "delete", null)
    		39 |     }
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |     ignore_changes        = []
    		45 |   }
    		46 | 
    		47 |   depends_on = [
    		48 |     azurerm_storage_account.storage_account
    		49 |   ]
    		50 | }
    Check: CKV2_AZURE_20: "Ensure Storage logging is enabled for Table service for read requests"
    	FAILED for resource: module.storage_share.azurerm_storage_table.storage_table
    	File: /azure/modules/storage/storage_table.tf:4-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-table-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_table" "storage_table" {
    		5  |   count = var.enable_storage_table ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_table_name != "" ? var.storage_table_name : "${lower(var.name)}-storage-table-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_table_storage_account_name != "" ? var.storage_table_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   dynamic "acl" {
    		11 |     iterator = acl
    		12 |     for_each = var.storage_table_acl
    		13 | 
    		14 |     content {
    		15 |       id = lookup(acl.value, "id", null)
    		16 | 
    		17 |       dynamic "access_policy" {
    		18 |         iterator = access_policy
    		19 |         for_each = length(keys(lookup(acl.value, "access_policy", {}))) > 0 ? [lookup(acl.value, "access_policy", {})] : []
    		20 | 
    		21 |         content {
    		22 |           expiry      = lookup(access_policy.value, "expiry", null)
    		23 |           permissions = lookup(access_policy.value, "permissions", null)
    		24 |           start       = lookup(access_policy.value, "start", null)
    		25 |         }
    		26 |       }
    		27 |     }
    		28 |   }
    		29 | 
    		30 |   dynamic "timeouts" {
    		31 |     iterator = timeouts
    		32 |     for_each = length(keys(var.storage_table_timeouts)) > 0 ? [var.storage_table_timeouts] : []
    		33 | 
    		34 |     content {
    		35 |       create = lookup(timeouts.value, "create", null)
    		36 |       read   = lookup(timeouts.value, "read", null)
    		37 |       update = lookup(timeouts.value, "update", null)
    		38 |       delete = lookup(timeouts.value, "delete", null)
    		39 |     }
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |     ignore_changes        = []
    		45 |   }
    		46 | 
    		47 |   depends_on = [
    		48 |     azurerm_storage_account.storage_account
    		49 |   ]
    		50 | }
    Check: CKV2_AZURE_20: "Ensure Storage logging is enabled for Table service for read requests"
    	FAILED for resource: module.storage_sync.azurerm_storage_table.storage_table
    	File: /azure/modules/storage/storage_table.tf:4-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-table-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_table" "storage_table" {
    		5  |   count = var.enable_storage_table ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_table_name != "" ? var.storage_table_name : "${lower(var.name)}-storage-table-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_table_storage_account_name != "" ? var.storage_table_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   dynamic "acl" {
    		11 |     iterator = acl
    		12 |     for_each = var.storage_table_acl
    		13 | 
    		14 |     content {
    		15 |       id = lookup(acl.value, "id", null)
    		16 | 
    		17 |       dynamic "access_policy" {
    		18 |         iterator = access_policy
    		19 |         for_each = length(keys(lookup(acl.value, "access_policy", {}))) > 0 ? [lookup(acl.value, "access_policy", {})] : []
    		20 | 
    		21 |         content {
    		22 |           expiry      = lookup(access_policy.value, "expiry", null)
    		23 |           permissions = lookup(access_policy.value, "permissions", null)
    		24 |           start       = lookup(access_policy.value, "start", null)
    		25 |         }
    		26 |       }
    		27 |     }
    		28 |   }
    		29 | 
    		30 |   dynamic "timeouts" {
    		31 |     iterator = timeouts
    		32 |     for_each = length(keys(var.storage_table_timeouts)) > 0 ? [var.storage_table_timeouts] : []
    		33 | 
    		34 |     content {
    		35 |       create = lookup(timeouts.value, "create", null)
    		36 |       read   = lookup(timeouts.value, "read", null)
    		37 |       update = lookup(timeouts.value, "update", null)
    		38 |       delete = lookup(timeouts.value, "delete", null)
    		39 |     }
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |     ignore_changes        = []
    		45 |   }
    		46 | 
    		47 |   depends_on = [
    		48 |     azurerm_storage_account.storage_account
    		49 |   ]
    		50 | }
    Check: CKV2_AZURE_20: "Ensure Storage logging is enabled for Table service for read requests"
    	FAILED for resource: module.storage_account.azurerm_storage_table.storage_table
    	File: /azure/modules/storage/storage_table.tf:4-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-table-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_table" "storage_table" {
    		5  |   count = var.enable_storage_table ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_table_name != "" ? var.storage_table_name : "${lower(var.name)}-storage-table-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_table_storage_account_name != "" ? var.storage_table_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   dynamic "acl" {
    		11 |     iterator = acl
    		12 |     for_each = var.storage_table_acl
    		13 | 
    		14 |     content {
    		15 |       id = lookup(acl.value, "id", null)
    		16 | 
    		17 |       dynamic "access_policy" {
    		18 |         iterator = access_policy
    		19 |         for_each = length(keys(lookup(acl.value, "access_policy", {}))) > 0 ? [lookup(acl.value, "access_policy", {})] : []
    		20 | 
    		21 |         content {
    		22 |           expiry      = lookup(access_policy.value, "expiry", null)
    		23 |           permissions = lookup(access_policy.value, "permissions", null)
    		24 |           start       = lookup(access_policy.value, "start", null)
    		25 |         }
    		26 |       }
    		27 |     }
    		28 |   }
    		29 | 
    		30 |   dynamic "timeouts" {
    		31 |     iterator = timeouts
    		32 |     for_each = length(keys(var.storage_table_timeouts)) > 0 ? [var.storage_table_timeouts] : []
    		33 | 
    		34 |     content {
    		35 |       create = lookup(timeouts.value, "create", null)
    		36 |       read   = lookup(timeouts.value, "read", null)
    		37 |       update = lookup(timeouts.value, "update", null)
    		38 |       delete = lookup(timeouts.value, "delete", null)
    		39 |     }
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |     ignore_changes        = []
    		45 |   }
    		46 | 
    		47 |   depends_on = [
    		48 |     azurerm_storage_account.storage_account
    		49 |   ]
    		50 | }
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_blob.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_container.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_share.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
    	FAILED for resource: module.storage_sync.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: module.storage_share.azurerm_storage_container.storage_container
    	File: /azure/modules/storage/storage_container.tf:4-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_container" "storage_container" {
    		5  |   count = var.enable_storage_container ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_container_name != "" ? var.storage_container_name : "${lower(var.name)}-storage-container-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_container_storage_account_name != "" ? var.storage_container_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   container_access_type = var.storage_container_container_access_type
    		11 |   metadata              = var.storage_container_metadata
    		12 | 
    		13 |   dynamic "timeouts" {
    		14 |     iterator = timeouts
    		15 |     for_each = length(keys(var.storage_container_timeouts)) > 0 ? [var.storage_container_timeouts] : []
    		16 | 
    		17 |     content {
    		18 |       create = lookup(timeouts.value, "create", null)
    		19 |       read   = lookup(timeouts.value, "read", null)
    		20 |       update = lookup(timeouts.value, "update", null)
    		21 |       delete = lookup(timeouts.value, "delete", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   lifecycle {
    		26 |     create_before_destroy = true
    		27 |     ignore_changes        = []
    		28 |   }
    		29 | 
    		30 |   depends_on = [
    		31 |     azurerm_storage_account.storage_account
    		32 |   ]
    		33 | }
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: module.storage_sync.azurerm_storage_container.storage_container
    	File: /azure/modules/storage/storage_container.tf:4-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_container" "storage_container" {
    		5  |   count = var.enable_storage_container ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_container_name != "" ? var.storage_container_name : "${lower(var.name)}-storage-container-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_container_storage_account_name != "" ? var.storage_container_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   container_access_type = var.storage_container_container_access_type
    		11 |   metadata              = var.storage_container_metadata
    		12 | 
    		13 |   dynamic "timeouts" {
    		14 |     iterator = timeouts
    		15 |     for_each = length(keys(var.storage_container_timeouts)) > 0 ? [var.storage_container_timeouts] : []
    		16 | 
    		17 |     content {
    		18 |       create = lookup(timeouts.value, "create", null)
    		19 |       read   = lookup(timeouts.value, "read", null)
    		20 |       update = lookup(timeouts.value, "update", null)
    		21 |       delete = lookup(timeouts.value, "delete", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   lifecycle {
    		26 |     create_before_destroy = true
    		27 |     ignore_changes        = []
    		28 |   }
    		29 | 
    		30 |   depends_on = [
    		31 |     azurerm_storage_account.storage_account
    		32 |   ]
    		33 | }
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: module.storage_blob.azurerm_storage_container.storage_container[0]
    	File: /azure/modules/storage/storage_container.tf:4-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_container" "storage_container" {
    		5  |   count = var.enable_storage_container ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_container_name != "" ? var.storage_container_name : "${lower(var.name)}-storage-container-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_container_storage_account_name != "" ? var.storage_container_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   container_access_type = var.storage_container_container_access_type
    		11 |   metadata              = var.storage_container_metadata
    		12 | 
    		13 |   dynamic "timeouts" {
    		14 |     iterator = timeouts
    		15 |     for_each = length(keys(var.storage_container_timeouts)) > 0 ? [var.storage_container_timeouts] : []
    		16 | 
    		17 |     content {
    		18 |       create = lookup(timeouts.value, "create", null)
    		19 |       read   = lookup(timeouts.value, "read", null)
    		20 |       update = lookup(timeouts.value, "update", null)
    		21 |       delete = lookup(timeouts.value, "delete", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   lifecycle {
    		26 |     create_before_destroy = true
    		27 |     ignore_changes        = []
    		28 |   }
    		29 | 
    		30 |   depends_on = [
    		31 |     azurerm_storage_account.storage_account
    		32 |   ]
    		33 | }
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: module.storage_container.azurerm_storage_container.storage_container[0]
    	File: /azure/modules/storage/storage_container.tf:4-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_container" "storage_container" {
    		5  |   count = var.enable_storage_container ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_container_name != "" ? var.storage_container_name : "${lower(var.name)}-storage-container-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_container_storage_account_name != "" ? var.storage_container_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   container_access_type = var.storage_container_container_access_type
    		11 |   metadata              = var.storage_container_metadata
    		12 | 
    		13 |   dynamic "timeouts" {
    		14 |     iterator = timeouts
    		15 |     for_each = length(keys(var.storage_container_timeouts)) > 0 ? [var.storage_container_timeouts] : []
    		16 | 
    		17 |     content {
    		18 |       create = lookup(timeouts.value, "create", null)
    		19 |       read   = lookup(timeouts.value, "read", null)
    		20 |       update = lookup(timeouts.value, "update", null)
    		21 |       delete = lookup(timeouts.value, "delete", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   lifecycle {
    		26 |     create_before_destroy = true
    		27 |     ignore_changes        = []
    		28 |   }
    		29 | 
    		30 |   depends_on = [
    		31 |     azurerm_storage_account.storage_account
    		32 |   ]
    		33 | }
    Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
    	FAILED for resource: module.storage_account.azurerm_storage_container.storage_container
    	File: /azure/modules/storage/storage_container.tf:4-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
    
    		4  | resource "azurerm_storage_container" "storage_container" {
    		5  |   count = var.enable_storage_container ? 1 : 0
    		6  | 
    		7  |   name                 = var.storage_container_name != "" ? var.storage_container_name : "${lower(var.name)}-storage-container-${lower(var.environment)}"
    		8  |   storage_account_name = var.storage_container_storage_account_name != "" ? var.storage_container_storage_account_name : (var.enable_storage_account ? azurerm_storage_account.storage_account[count.index].name : null)
    		9  | 
    		10 |   container_access_type = var.storage_container_container_access_type
    		11 |   metadata              = var.storage_container_metadata
    		12 | 
    		13 |   dynamic "timeouts" {
    		14 |     iterator = timeouts
    		15 |     for_each = length(keys(var.storage_container_timeouts)) > 0 ? [var.storage_container_timeouts] : []
    		16 | 
    		17 |     content {
    		18 |       create = lookup(timeouts.value, "create", null)
    		19 |       read   = lookup(timeouts.value, "read", null)
    		20 |       update = lookup(timeouts.value, "update", null)
    		21 |       delete = lookup(timeouts.value, "delete", null)
    		22 |     }
    		23 |   }
    		24 | 
    		25 |   lifecycle {
    		26 |     create_before_destroy = true
    		27 |     ignore_changes        = []
    		28 |   }
    		29 | 
    		30 |   depends_on = [
    		31 |     azurerm_storage_account.storage_account
    		32 |   ]
    		33 | }
    Check: CKV2_AZURE_29: "Ensure AKS cluster has Azure CNI networking enabled"
    	FAILED for resource: module.aks.azurerm_kubernetes_cluster.kubernetes_cluster[0]
    	File: /azure/modules/aks/kubernetes_cluster.tf:4-311
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_account.azurerm_storage_account.storage_account[0]
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_blob.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_container.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_share.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
    	FAILED for resource: module.storage_sync.azurerm_storage_account.storage_account
    	File: /azure/modules/storage/storage_account.tf:4-308
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_16: "Ensure that MySQL server enables customer-managed key for encryption"
    	FAILED for resource: module.database_mysql.azurerm_mysql_server.mysql_server[0]
    	File: /azure/modules/database_mysql/mysql_server.tf:4-82
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-mysql-server-enables-customer-managed-key-for-encryption.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
    	FAILED for resource: module.compute_firewall.google_compute_firewall.compute_firewall_all_ingress
    	File: /google_cloud_platform/modules/compute_firewall/compute_firewall.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
    
    		4  | resource "google_compute_firewall" "compute_firewall_all_ingress" {
    		5  |   count = var.enable_all_ingress && upper(var.direction) == "INGRESS" ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-fw-${lower(var.environment)}-${lower(var.direction)}"
    		8  |   description = var.description
    		9  | 
    		10 |   project = var.project
    		11 | 
    		12 |   network = var.network
    		13 | 
    		14 |   priority      = var.priority
    		15 |   source_ranges = var.source_ranges
    		16 |   source_tags   = ["${var.source_tags}"]
    		17 |   target_tags   = ["${var.target_tags}"]
    		18 |   direction     = var.direction
    		19 |   #destination_ranges      = ["${var.destination_ranges}"]
    		20 |   #source_service_accounts = ["${var.source_service_accounts}"]
    		21 |   #target_service_accounts = ["${var.target_service_accounts}"]
    		22 | 
    		23 |   allow {
    		24 |     protocol = "all"
    		25 |   }
    		26 | }
    
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.bastion_host.azurerm_subnet.subnet
    	File: /azure/modules/network/subnet.tf:4-56
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.network_sg.azurerm_subnet.subnet
    	File: /azure/modules/network/subnet.tf:4-56
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.public_ip.azurerm_subnet.subnet
    	File: /azure/modules/network/subnet.tf:4-56
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.subnet.azurerm_subnet.subnet
    	File: /azure/modules/network/subnet.tf:4-56
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
    	FAILED for resource: module.virtual_network.azurerm_subnet.subnet
    	File: /azure/modules/network/subnet.tf:4-56
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:4-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:69-135
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_mysql_replication[0]
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:139-215
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
    	FAILED for resource: module.sql_database.google_sql_database_instance.sql_database_instance_postgres_replication
    	File: /google_cloud_platform/modules/sql_database/sql_database.tf:217-296
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: module.project.google_project.project[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:14-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		14 | resource "google_project" "project" {
    		15 |   count = var.billing_account != "" && var.org_id != "" ? 1 : 0
    		16 | 
    		17 |   name            = var.name
    		18 |   project_id      = var.project_id == "" ? random_id.id.hex : var.project_id
    		19 |   billing_account = var.billing_account
    		20 |   org_id          = var.org_id
    		21 | 
    		22 |   skip_delete         = var.skip_delete
    		23 |   auto_create_network = var.auto_create_network
    		24 | 
    		25 |   labels {
    		26 |     Name          = var.name
    		27 |     Environment   = var.environment
    		28 |     Orchestration = var.orchestration
    		29 |     Createdby     = var.createdby
    		30 |   }
    		31 | 
    		32 |   depends_on = [
    		33 |     random_id.id
    		34 |   ]
    		35 | }
    
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: module.project.google_project.specific_project[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:40-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		40 | resource "google_project" "specific_project" {
    		41 |   count = var.org_id != "" && var.enable_specific_folder ? 1 : 0
    		42 | 
    		43 |   name = var.name
    		44 |   #project_id      = "${random_id.id.hex}"
    		45 |   project_id = var.project_id == "" ? random_id.id.hex : var.project_id
    		46 |   folder_id  = google_folder.specific_folder.name
    		47 | 
    		48 |   skip_delete         = var.skip_delete
    		49 |   auto_create_network = var.auto_create_network
    		50 | 
    		51 |   labels {
    		52 |     Name          = var.name
    		53 |     Environment   = var.environment
    		54 |     Orchestration = var.orchestration
    		55 |     Createdby     = var.createdby
    		56 |   }
    		57 | 
    		58 |   depends_on = [
    		59 |     google_folder.specific_folder
    		60 |   ]
    		61 | }
    
    Check: CKV2_GCP_11: "Ensure GCP GCR Container Vulnerability Scanning is enabled"
    	FAILED for resource: module.project.google_project_services.project_services[0]
    	File: /google_cloud_platform/modules/project/outputs.tf:75-82
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-gcr-container-vulnerability-scanning-is-enabled.html
    
    		75 | resource "google_project_services" "project_services" {
    		76 |   count = length(var.google_project_services) > 0 && var.billing_account != "" && var.org_id != "" || length(var.google_project_services) > 0 && var.org_id != "" && var.enable_specific_folder ? 1 : 0
    		77 | 
    		78 |   project  = var.project_id == "" ? random_id.id.hex : var.project_id
    		79 |   services = ["${var.google_project_services}"]
    		80 | 
    		81 |   disable_on_destroy = var.disable_on_destroy
    		82 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.google_cloudfunctions.google_cloudfunctions_function.cloudfunctions_function_http[0]
    	File: /google_cloud_platform/modules/google_cloudfunctions/google_cloudfunctions.tf:4-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		4  | resource "google_cloudfunctions_function" "cloudfunctions_function_http" {
    		5  |   count = var.trigger_http ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cf-function-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 |   region      = var.region
    		11 | 
    		12 |   source_archive_bucket = var.source_archive_bucket
    		13 |   source_archive_object = var.source_archive_object
    		14 | 
    		15 |   available_memory_mb = var.available_memory_mb
    		16 |   timeout             = var.timeout
    		17 |   entry_point         = var.entry_point
    		18 |   trigger_http        = var.trigger_http
    		19 | 
    		20 |   labels {
    		21 |     name          = "${lower(var.name)}-cf-function-${lower(var.environment)}"
    		22 |     environment   = lower(var.environment)
    		23 |     orchestration = lower(var.orchestration)
    		24 |   }
    		25 | 
    		26 |   lifecycle {
    		27 |     ignore_changes        = []
    		28 |     create_before_destroy = true
    		29 |   }
    		30 | }
    
    Check: CKV2_GCP_10: "Ensure GCP Cloud Function HTTP trigger is secured"
    	FAILED for resource: module.google_cloudfunctions.google_cloudfunctions_function.cloudfunctions_function_https
    	File: /google_cloud_platform/modules/google_cloudfunctions/google_cloudfunctions.tf:32-62
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-cloud-function-http-trigger-is-secured.html
    
    		32 | resource "google_cloudfunctions_function" "cloudfunctions_function_https" {
    		33 |   count = !var.trigger_http ? 1 : 0
    		34 | 
    		35 |   name        = "${lower(var.name)}-cf-function-${lower(var.environment)}"
    		36 |   description = var.description
    		37 |   project     = var.project
    		38 |   region      = var.region
    		39 | 
    		40 |   source_archive_bucket = var.source_archive_bucket
    		41 |   source_archive_object = var.source_archive_object
    		42 | 
    		43 |   available_memory_mb = var.available_memory_mb
    		44 |   timeout             = var.timeout
    		45 |   entry_point         = var.entry_point
    		46 |   trigger_http        = var.trigger_http
    		47 | 
    		48 |   trigger_bucket   = var.trigger_bucket
    		49 |   trigger_topic    = var.trigger_topic
    		50 |   retry_on_failure = var.retry_on_failure
    		51 | 
    		52 |   labels {
    		53 |     name          = "${lower(var.name)}-cf-function-${lower(var.environment)}"
    		54 |     environment   = lower(var.environment)
    		55 |     orchestration = lower(var.orchestration)
    		56 |   }
    		57 | 
    		58 |   lifecycle {
    		59 |     ignore_changes        = []
    		60 |     create_before_destroy = true
    		61 |   }
    		62 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: module.db_instance-rds-oracle.aws_db_instance.db_instance[0]
    	File: /aws/modules/rds/db_instance.tf:4-106
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: module.rds_cluster.aws_db_instance.db_instance
    	File: /aws/modules/rds/db_instance.tf:4-106
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_network.google_compute_network.compute_network[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_network2.google_compute_network.compute_network[0]
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_network_peering.google_compute_network.compute_network
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_subnetwork.google_compute_network.compute_network
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_subnetwork_iam_binding.google_compute_network.compute_network
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_subnetwork_iam_member.google_compute_network.compute_network
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: module.compute_subnetwork_iam_policy.google_compute_network.compute_network
    	File: /google_cloud_platform/modules/compute_network/compute_network.tf:4-18
    
    		4  | resource "google_compute_network" "compute_network" {
    		5  |   count = var.enable_compute_network ? 1 : 0
    		6  | 
    		7  |   name        = "${lower(var.name)}-cn-network-${lower(var.environment)}"
    		8  |   description = var.description
    		9  |   project     = var.project
    		10 | 
    		11 |   auto_create_subnetworks = var.auto_create_subnetworks
    		12 |   routing_mode            = var.routing_mode
    		13 | 
    		14 |   lifecycle {
    		15 |     ignore_changes        = []
    		16 |     create_before_destroy = true
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_49: "Ensure AWS Database Migration Service endpoints have SSL configured"
    	FAILED for resource: module.source_dms_endpoint.aws_dms_endpoint.dms_endpoint[0]
    	File: /aws/modules/dms/dms_endpoint.tf:4-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-database-migration-service-endpoints-have-ssl-configured.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc.aws_network_acl.network_acl
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc_1.aws_network_acl.network_acl
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc_2.aws_network_acl.network_acl[0]
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc_custom_routings.aws_network_acl.network_acl
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc_endpoint.aws_network_acl.network_acl
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
    	FAILED for resource: module.vpc_vpn.aws_network_acl.network_acl
    	File: /aws/modules/vpc/network_acl.tf:4-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: module.cloudfront.aws_cloudfront_distribution.cloudfront_distribution[0]
    	File: /aws/modules/cloudfront/cloudfront_distribution.tf:4-281
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_7: "Ensure that Amazon EMR clusters' security groups are not open to the world"
    	FAILED for resource: module.emr.aws_emr_cluster.emr_cluster[0]
    	File: /aws/modules/emr/emr_cluster.tf:4-308
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-amazon-emr-clusters-security-groups-are-not-open-to-the-world.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: module.dynamodb.aws_dynamodb_table.dynamodb_table[0]
    	File: /aws/modules/dynamodb/dynamodb_table.tf:4-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_27: "Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-logging-32.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: module.alb.aws_lb.alb[0]
    	File: /aws/modules/alb/lb.tf:4-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: module.alb_name_prefix.aws_lb.alb
    	File: /aws/modules/alb/lb.tf:4-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    	FAILED for resource: module.secretsmanager.aws_secretsmanager_secret.secretsmanager_secret[0]
    	File: /aws/modules/secretsmanager/secretsmanager_secret.tf:4-37
    
    		4  | resource "aws_secretsmanager_secret" "secretsmanager_secret" {
    		5  |   count = var.enable_secretsmanager_secret ? 1 : 0
    		6  | 
    		7  |   name                    = var.secretsmanager_secret_name != null && var.secretsmanager_secret_name_prefix == null ? lower(var.secretsmanager_secret_name) : null
    		8  |   name_prefix             = var.secretsmanager_secret_name_prefix != null && var.secretsmanager_secret_name == null ? lower(var.secretsmanager_secret_name_prefix) : null
    		9  |   description             = var.secretsmanager_secret_description
    		10 |   kms_key_id              = var.secretsmanager_secret_kms_key_id
    		11 |   policy                  = var.secretsmanager_secret_policy
    		12 |   recovery_window_in_days = var.secretsmanager_secret_recovery_window_in_days
    		13 |   rotation_lambda_arn     = var.secretsmanager_secret_rotation_lambda_arn
    		14 | 
    		15 |   dynamic "rotation_rules" {
    		16 |     iterator = rotation_rules
    		17 |     for_each = var.secretsmanager_secret_rotation_rules
    		18 | 
    		19 |     content {
    		20 |       automatically_after_days = lookup(rotation_rules.value, "automatically_after_days", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.secretsmanager_secret_name != null && var.secretsmanager_secret_name_prefix == null ? lower(var.secretsmanager_secret_name) : lower(var.secretsmanager_secret_name_prefix)
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_1.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_2.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_custom_routings.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_endpoint.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_endpoint_service.aws_vpc.vpc
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_vpn.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_endpoint.aws_vpc.vpc
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_1.aws_vpc.vpc
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc_2.aws_vpc.vpc
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
    	FAILED for resource: module.shield.aws_eip.eip
    	File: /aws/modules/shield/eip.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
    
    		1 | resource "aws_eip" "eip" {
    		2 |   vpc = true
    		3 | }
    Check: CKV2_AWS_50: "Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled"
    	FAILED for resource: module.elasticache_single_memcached.aws_elasticache_replication_group.elasticache_replication_group
    	File: /aws/modules/elasticache/elasticache_replication_group.tf:4-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticache-redis-cluster-with-multi-az-automatic-failover-feature-set-to-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_50: "Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled"
    	FAILED for resource: module.elasticache_single_redis.aws_elasticache_replication_group.elasticache_replication_group
    	File: /aws/modules/elasticache/elasticache_replication_group.tf:4-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticache-redis-cluster-with-multi-az-automatic-failover-feature-set-to-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_14: "Ensure that IAM groups includes at least one IAM user"
    	FAILED for resource: module.iam_group.aws_iam_group_membership.iam_group_membership[0]
    	File: /aws/modules/iam_group/iam_group_membership.tf:4-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-iam-groups-include-at-least-one-iam-user.html
    
    		4  | resource "aws_iam_group_membership" "iam_group_membership" {
    		5  |   count = var.enable_iam_group_membership ? 1 : 0
    		6  | 
    		7  |   name = var.iam_group_membership_name != "" ? var.iam_group_membership_name : "${lower(var.name)}-group-membership-${lower(var.environment)}"
    		8  | 
    		9  |   users = var.iam_group_membership_users
    		10 |   group = var.iam_group_membership_group != "" && !var.enable_iam_group ? var.iam_group_membership_group : element(concat(aws_iam_group.iam_group.*.name, [""]), 0)
    		11 | 
    		12 |   lifecycle {
    		13 |     create_before_destroy = true
    		14 |     ignore_changes        = []
    		15 |   }
    		16 | 
    		17 |   depends_on = [
    		18 |     aws_iam_group.iam_group
    		19 |   ]
    		20 | }
    
    Check: CKV2_AWS_33: "Ensure AppSync is protected by WAF"
    	FAILED for resource: module.appsync.aws_appsync_graphql_api.appsync_graphql_api[0]
    	File: /aws/modules/appsync/appsync_graphql_api.tf:4-97
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-appsync-is-protected-by-waf.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
    	FAILED for resource: module.ebs.aws_ebs_volume.ebs_volume[0]
    	File: /aws/modules/ebs/ebs_volume.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html
    
    		4  | resource "aws_ebs_volume" "ebs_volume" {
    		5  |   count = var.enable_ebs_volume ? 1 : 0
    		6  | 
    		7  |   availability_zone = length(var.ebs_volume_availability_zone) > 0 ? var.ebs_volume_availability_zone : element(split(",", (lookup(var.availability_zones, var.region))), 0)
    		8  |   type              = var.ebs_volume_type
    		9  |   size              = var.ebs_volume_size
    		10 | 
    		11 |   encrypted   = var.ebs_volume_encrypted
    		12 |   iops        = var.ebs_volume_iops
    		13 |   snapshot_id = var.ebs_volume_snapshot_id
    		14 |   kms_key_id  = var.ebs_volume_kms_key_id
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.ebs_volume_name != "" ? lower(var.ebs_volume_name) : "${lower(var.name)}-ebs-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_8: "Ensure that RDS clusters has backup plan of AWS Backup"
    	FAILED for resource: module.db_instance-rds-oracle.aws_rds_cluster.rds_cluster
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-clusters-has-backup-plan-of-aws-backup.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_8: "Ensure that RDS clusters has backup plan of AWS Backup"
    	FAILED for resource: module.rds_cluster.aws_rds_cluster.rds_cluster[0]
    	File: /aws/modules/rds/rds_cluster.tf:4-106
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-clusters-has-backup-plan-of-aws-backup.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: module.alb.aws_lb_listener.alb_listener[0]
    	File: /aws/modules/alb/lb_listener.tf:4-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_37: "Ensure Codecommit associates an approval rule"
    	FAILED for resource: module.codecommit.aws_codecommit_repository.codecommit_repository[0]
    	File: /aws/modules/codecommit/codecommit_repository.tf:4-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codecommit-is-associated-with-an-approval-rule.html
    
    		4  | resource "aws_codecommit_repository" "codecommit_repository" {
    		5  |   count = var.enable_codecommit_repository ? 1 : 0
    		6  | 
    		7  |   repository_name = var.codecommit_repository_name != "" ? lower(var.codecommit_repository_name) : "${lower(var.name)}-codecommit-repo-${lower(var.environment)}"
    		8  | 
    		9  |   description    = var.codecommit_repository_description
    		10 |   default_branch = var.codecommit_repository_default_branch
    		11 | 
    		12 |   tags = merge(
    		13 |     {
    		14 |       Name = var.codecommit_repository_name != "" ? lower(var.codecommit_repository_name) : "${lower(var.name)}-codecommit-repo-${lower(var.environment)}"
    		15 |     },
    		16 |     var.tags
    		17 |   )
    		18 | 
    		19 |   lifecycle {
    		20 |     create_before_destroy = true
    		21 |     ignore_changes        = []
    		22 |   }
    		23 | 
    		24 |   depends_on = []
    		25 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc_1.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc_2.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc_custom_routings.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc_endpoint.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc_vpn.aws_vpc.vpc[0]
    	File: /aws/modules/vpc/vpc.tf:4-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "vpc" {
    		5  |   count = var.enable_vpc ? 1 : 0
    		6  | 
    		7  |   cidr_block = cidrsubnet(var.vpc_cidr_block, 0, 0)
    		8  | 
    		9  |   instance_tenancy                 = var.vpc_instance_tenancy
    		10 |   enable_dns_support               = var.vpc_enable_dns_support
    		11 |   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
    		12 |   enable_classiclink               = var.vpc_enable_classiclink
    		13 |   enable_classiclink_dns_support   = var.vpc_enable_classiclink_dns_support
    		14 |   assign_generated_ipv6_cidr_block = var.vpc_assign_generated_ipv6_cidr_block
    		15 | 
    		16 |   tags = merge(
    		17 |     {
    		18 |       Name = var.vpc_name != "" ? lower(var.vpc_name) : "${lower(var.name)}-vpc-${lower(var.environment)}"
    		19 |     },
    		20 |     var.tags
    		21 |   )
    		22 | 
    		23 |   lifecycle {
    		24 |     create_before_destroy = true
    		25 |     ignore_changes        = []
    		26 |   }
    		27 | 
    		28 |   depends_on = []
    		29 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_4: "Ensure API Gateway stage have logging level defined as appropriate"
    	FAILED for resource: module.api_gateway.aws_api_gateway_stage.api_gateway_stage
    	File: /aws/modules/api_gateway/api_gateway_stage.tf:4-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-api-gateway-stage-have-logging-level-defined-as-appropiate.html
    
    		4  | resource "aws_api_gateway_stage" "api_gateway_stage" {
    		5  |   count = var.enable_api_gateway_stage ? 1 : 0
    		6  | 
    		7  |   rest_api_id   = var.api_gateway_stage_rest_api_id != "" && !var.enable_api_gateway_rest_api ? var.api_gateway_stage_rest_api_id : element(concat(aws_api_gateway_rest_api.api_gateway_rest_api.*.id, [""]), 0)
    		8  |   deployment_id = var.api_gateway_stage_deployment_id != "" && !var.enable_api_gateway_deployment ? var.api_gateway_stage_deployment_id : element(concat(aws_api_gateway_deployment.api_gateway_deployment.*.id, [""]), 0)
    		9  |   stage_name    = var.api_gateway_stage_stage_name != "" ? var.api_gateway_stage_stage_name : "${lower(var.name)}-api-gw-state-${lower(var.environment)}"
    		10 | 
    		11 |   description           = var.api_gateway_stage_description
    		12 |   cache_cluster_enabled = var.api_gateway_stage_cache_cluster_enabled
    		13 |   cache_cluster_size    = var.api_gateway_stage_cache_cluster_size
    		14 |   client_certificate_id = var.api_gateway_stage_client_certificate_id != "" && !var.enable_api_gateway_client_certificate ? var.api_gateway_stage_client_certificate_id : element(concat(aws_api_gateway_client_certificate.api_gateway_client_certificate.*.id, [""]), 0)
    		15 |   documentation_version = var.api_gateway_stage_documentation_version != "" && !var.enable_api_gateway_documentation_version ? var.api_gateway_stage_documentation_version : element(concat(aws_api_gateway_documentation_version.api_gateway_documentation_version.*.id, [""]), 0)
    		16 |   variables             = var.api_gateway_stage_variables
    		17 |   xray_tracing_enabled  = var.api_gateway_stage_xray_tracing_enabled
    		18 | 
    		19 |   dynamic "access_log_settings" {
    		20 |     iterator = access_log_settings
    		21 |     for_each = var.api_gateway_stage_access_log_settings
    		22 | 
    		23 |     content {
    		24 |       destination_arn = lookup(access_log_settings.value, "destination_arn", null)
    		25 |       format          = lookup(access_log_settings.value, "format", null)
    		26 |     }
    		27 |   }
    		28 | 
    		29 |   tags = merge(
    		30 |     {
    		31 |       Name = var.api_gateway_stage_stage_name != "" ? var.api_gateway_stage_stage_name : "${lower(var.name)}-api-gw-state-${lower(var.environment)}"
    		32 |     },
    		33 |     var.tags
    		34 |   )
    		35 | 
    		36 |   lifecycle {
    		37 |     create_before_destroy = true
    		38 |     ignore_changes        = []
    		39 |   }
    		40 | 
    		41 |   depends_on = [
    		42 |     aws_api_gateway_rest_api.api_gateway_rest_api,
    		43 |     aws_api_gateway_deployment.api_gateway_deployment,
    		44 |     aws_api_gateway_client_certificate.api_gateway_client_certificate,
    		45 |     aws_api_gateway_documentation_version.api_gateway_documentation_version
    		46 |   ]
    		47 | }
    
    Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
    	FAILED for resource: module.efs.aws_efs_file_system.efs_file_system[0]
    	File: /aws/modules/efs/efs_file_system.tf:4-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup.html
    
    		4  | resource "aws_efs_file_system" "efs_file_system" {
    		5  |   count = var.enable_efs_file_system ? 1 : 0
    		6  | 
    		7  |   creation_token   = var.efs_file_system_creation_token
    		8  |   encrypted        = var.efs_file_system_encrypted
    		9  |   kms_key_id       = var.efs_file_system_kms_key_id
    		10 |   performance_mode = var.efs_file_system_performance_mode
    		11 | 
    		12 |   provisioned_throughput_in_mibps = var.efs_file_system_provisioned_throughput_in_mibps
    		13 |   throughput_mode                 = var.efs_file_system_throughput_mode
    		14 | 
    		15 |   dynamic "lifecycle_policy" {
    		16 |     iterator = lifecycle_policy
    		17 |     for_each = var.efs_file_system_lifecycle_policy
    		18 | 
    		19 |     content {
    		20 |       transition_to_ia = lookup(lifecycle_policy.value, "transition_to_ia", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.efs_file_system_name != "" ? var.efs_file_system_name : "${lower(var.name)}-efs-${lower(var.environment)}"
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
    	FAILED for resource: module.efs_policy.aws_efs_file_system.efs_file_system
    	File: /aws/modules/efs/efs_file_system.tf:4-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup.html
    
    		4  | resource "aws_efs_file_system" "efs_file_system" {
    		5  |   count = var.enable_efs_file_system ? 1 : 0
    		6  | 
    		7  |   creation_token   = var.efs_file_system_creation_token
    		8  |   encrypted        = var.efs_file_system_encrypted
    		9  |   kms_key_id       = var.efs_file_system_kms_key_id
    		10 |   performance_mode = var.efs_file_system_performance_mode
    		11 | 
    		12 |   provisioned_throughput_in_mibps = var.efs_file_system_provisioned_throughput_in_mibps
    		13 |   throughput_mode                 = var.efs_file_system_throughput_mode
    		14 | 
    		15 |   dynamic "lifecycle_policy" {
    		16 |     iterator = lifecycle_policy
    		17 |     for_each = var.efs_file_system_lifecycle_policy
    		18 | 
    		19 |     content {
    		20 |       transition_to_ia = lookup(lifecycle_policy.value, "transition_to_ia", null)
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   tags = merge(
    		25 |     {
    		26 |       Name = var.efs_file_system_name != "" ? var.efs_file_system_name : "${lower(var.name)}-efs-${lower(var.environment)}"
    		27 |     },
    		28 |     var.tags
    		29 |   )
    		30 | 
    		31 |   lifecycle {
    		32 |     create_before_destroy = true
    		33 |     ignore_changes        = []
    		34 |   }
    		35 | 
    		36 |   depends_on = []
    		37 | }
    
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: module.cloudfront.aws_cloudfront_distribution.cloudfront_distribution[0]
    	File: /aws/modules/cloudfront/cloudfront_distribution.tf:4-281
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: module.route53.aws_route53_zone.route53_zone[0]
    	File: /aws/modules/route53/route53_zone.tf:4-36
    
    		4  | resource "aws_route53_zone" "route53_zone" {
    		5  |   count = var.enable_route53_zone ? 1 : 0
    		6  | 
    		7  |   name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		8  | 
    		9  |   comment           = var.route53_zone_comment
    		10 |   force_destroy     = var.route53_zone_force_destroy
    		11 |   delegation_set_id = var.route53_zone_delegation_set_id
    		12 | 
    		13 |   dynamic "vpc" {
    		14 |     iterator = vpc
    		15 |     for_each = var.route53_zone_vpc
    		16 | 
    		17 |     content {
    		18 |       vpc_id     = lookup(vpc.value, "vpc_id", null)
    		19 |       vpc_region = lookup(vpc.value, "vpc_region", null)
    		20 |     }
    		21 |   }
    		22 | 
    		23 |   tags = merge(
    		24 |     {
    		25 |       Name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		26 |     },
    		27 |     var.tags
    		28 |   )
    		29 | 
    		30 |   lifecycle {
    		31 |     create_before_destroy = true
    		32 |     ignore_changes        = []
    		33 |   }
    		34 | 
    		35 |   depends_on = []
    		36 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_bucket_public_access_block.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_private_bucket.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_flow_logs.aws_s3_bucket.s3_bucket[0]
    	File: /aws/modules/s3/s3_bucket.tf:4-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		4  | resource "aws_s3_bucket" "s3_bucket" {
    		5  |   count = var.enable_s3_bucket ? 1 : 0
    		6  | 
    		7  |   bucket        = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : null
    		8  |   bucket_prefix = var.s3_bucket_prefix != null && var.s3_bucket_name == null ? lower(var.s3_bucket_prefix) : null
    		9  | 
    		10 |   force_destroy       = var.s3_bucket_force_destroy
    		11 |   object_lock_enabled = var.s3_bucket_object_lock_enabled
    		12 | 
    		13 |   tags = merge(
    		14 |     {
    		15 |       Name = var.s3_bucket_name != null && var.s3_bucket_prefix == null ? lower(var.s3_bucket_name) : lower(var.s3_bucket_prefix)
    		16 |     },
    		17 |     var.tags
    		18 |   )
    		19 | 
    		20 |   lifecycle {
    		21 |     create_before_destroy = true
    		22 |     ignore_changes        = []
    		23 |   }
    		24 | 
    		25 |   depends_on = []
    		26 | }
    
    Check: CKV2_AWS_45: "Ensure AWS Config recorder is enabled to record all supported resources"
    	FAILED for resource: module.config.aws_config_configuration_recorder_status.config_configuration_recorder_status[0]
    	File: /aws/modules/config/config_configuration_recorder_status.tf:4-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-config-recorder-is-enabled-to-record-all-supported-resources.html
    
    		4  | resource "aws_config_configuration_recorder_status" "config_configuration_recorder_status" {
    		5  |   count = var.enable_config_configuration_recorder_status ? 1 : 0
    		6  | 
    		7  |   name       = var.config_configuration_recorder_status_name != "" && !var.enable_config_configuration_recorder ? var.config_configuration_recorder_status_name : element(concat(aws_config_configuration_recorder.config_configuration_recorder.*.name, [""]), 0)
    		8  |   is_enabled = var.config_configuration_recorder_status_is_enabled
    		9  | 
    		10 |   lifecycle {
    		11 |     create_before_destroy = true
    		12 |     ignore_changes        = []
    		13 |   }
    		14 | 
    		15 |   depends_on = [
    		16 |     aws_config_configuration_recorder.config_configuration_recorder
    		17 |   ]
    		18 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.sg.aws_security_group.security_group[0]
    	File: /aws/modules/sg/security_group.tf:4-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.sg_allow_all.aws_security_group.security_group[0]
    	File: /aws/modules/sg/security_group.tf:4-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: module.sg_default.aws_security_group.security_group
    	File: /aws/modules/sg/security_group.tf:4-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_10: "Ensure CloudTrail trails are integrated with CloudWatch Logs"
    	FAILED for resource: module.cloudtrail.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-cloudtrail-trails-are-integrated-with-cloudwatch-logs.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_10: "Ensure CloudTrail trails are integrated with CloudWatch Logs"
    	FAILED for resource: module.cloudtrail_event_selector_lambda.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-cloudtrail-trails-are-integrated-with-cloudwatch-logs.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_10: "Ensure CloudTrail trails are integrated with CloudWatch Logs"
    	FAILED for resource: module.cloudtrail_event_selector_s3.aws_cloudtrail.cloudtrail[0]
    	File: /aws/modules/cloudtrail/cloudtrail.tf:4-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-cloudtrail-trails-are-integrated-with-cloudwatch-logs.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_21: "Ensure that all IAM users are members of at least one IAM group."
    	FAILED for resource: module.iam_group.aws_iam_group_membership.iam_group_membership[0]
    	File: /aws/modules/iam_group/iam_group_membership.tf:4-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-all-iam-users-are-members-of-at-least-one-iam-group.html
    
    		4  | resource "aws_iam_group_membership" "iam_group_membership" {
    		5  |   count = var.enable_iam_group_membership ? 1 : 0
    		6  | 
    		7  |   name = var.iam_group_membership_name != "" ? var.iam_group_membership_name : "${lower(var.name)}-group-membership-${lower(var.environment)}"
    		8  | 
    		9  |   users = var.iam_group_membership_users
    		10 |   group = var.iam_group_membership_group != "" && !var.enable_iam_group ? var.iam_group_membership_group : element(concat(aws_iam_group.iam_group.*.name, [""]), 0)
    		11 | 
    		12 |   lifecycle {
    		13 |     create_before_destroy = true
    		14 |     ignore_changes        = []
    		15 |   }
    		16 | 
    		17 |   depends_on = [
    		18 |     aws_iam_group.iam_group
    		19 |   ]
    		20 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: module.route53.aws_route53_zone.route53_zone[0]
    	File: /aws/modules/route53/route53_zone.tf:4-36
    
    		4  | resource "aws_route53_zone" "route53_zone" {
    		5  |   count = var.enable_route53_zone ? 1 : 0
    		6  | 
    		7  |   name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		8  | 
    		9  |   comment           = var.route53_zone_comment
    		10 |   force_destroy     = var.route53_zone_force_destroy
    		11 |   delegation_set_id = var.route53_zone_delegation_set_id
    		12 | 
    		13 |   dynamic "vpc" {
    		14 |     iterator = vpc
    		15 |     for_each = var.route53_zone_vpc
    		16 | 
    		17 |     content {
    		18 |       vpc_id     = lookup(vpc.value, "vpc_id", null)
    		19 |       vpc_region = lookup(vpc.value, "vpc_region", null)
    		20 |     }
    		21 |   }
    		22 | 
    		23 |   tags = merge(
    		24 |     {
    		25 |       Name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		26 |     },
    		27 |     var.tags
    		28 |   )
    		29 | 
    		30 |   lifecycle {
    		31 |     create_before_destroy = true
    		32 |     ignore_changes        = []
    		33 |   }
    		34 | 
    		35 |   depends_on = []
    		36 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: module.route53_cname.aws_route53_zone.route53_zone
    	File: /aws/modules/route53/route53_zone.tf:4-36
    
    		4  | resource "aws_route53_zone" "route53_zone" {
    		5  |   count = var.enable_route53_zone ? 1 : 0
    		6  | 
    		7  |   name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		8  | 
    		9  |   comment           = var.route53_zone_comment
    		10 |   force_destroy     = var.route53_zone_force_destroy
    		11 |   delegation_set_id = var.route53_zone_delegation_set_id
    		12 | 
    		13 |   dynamic "vpc" {
    		14 |     iterator = vpc
    		15 |     for_each = var.route53_zone_vpc
    		16 | 
    		17 |     content {
    		18 |       vpc_id     = lookup(vpc.value, "vpc_id", null)
    		19 |       vpc_region = lookup(vpc.value, "vpc_region", null)
    		20 |     }
    		21 |   }
    		22 | 
    		23 |   tags = merge(
    		24 |     {
    		25 |       Name = var.route53_zone_name != "" ? lower(var.route53_zone_name) : "${lower(var.name)}-route53-zone-${lower(var.environment)}"
    		26 |     },
    		27 |     var.tags
    		28 |   )
    		29 | 
    		30 |   lifecycle {
    		31 |     create_before_destroy = true
    		32 |     ignore_changes        = []
    		33 |   }
    		34 | 
    		35 |   depends_on = []
    		36 | }
    
    Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
    	FAILED for resource: module.lt.aws_autoscaling_attachment.asg_attachment
    	File: /aws/modules/asg/autoscaling_attachment.tf:4-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
    
    		4  | resource "aws_autoscaling_attachment" "asg_attachment" {
    		5  |   count = var.enable_autoscaling_attachment ? 1 : 0
    		6  | 
    		7  |   autoscaling_group_name = var.autoscaling_group_name != "" ? var.autoscaling_group_name : (var.enable_asg ? element(concat(aws_autoscaling_group.asg.*.name, [""]), 0) : null)
    		8  | 
    		9  |   elb                 = upper(var.load_balancer_type) == "ELB" ? var.load_balancers : null
    		10 |   lb_target_group_arn = upper(var.load_balancer_type) == "ALB" ? var.lb_target_group_arn : null
    		11 | 
    		12 |   lifecycle {
    		13 |     create_before_destroy = true
    		14 |     ignore_changes        = []
    		15 |   }
    		16 | 
    		17 |   depends_on = [
    		18 |     aws_autoscaling_group.asg
    		19 |   ]
    		20 | }
    
    Check: CKV2_AWS_15: "Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks."
    	FAILED for resource: module.asg.aws_autoscaling_attachment.asg_attachment
    	File: /aws/modules/asg/autoscaling_attachment.tf:4-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-auto-scaling-groups-that-are-associated-with-a-load-balancer-are-using-elastic-load-balancing-health-checks.html
    
    		4  | resource "aws_autoscaling_attachment" "asg_attachment" {
    		5  |   count = var.enable_autoscaling_attachment ? 1 : 0
    		6  | 
    		7  |   autoscaling_group_name = var.autoscaling_group_name != "" ? var.autoscaling_group_name : (var.enable_asg ? element(concat(aws_autoscaling_group.asg.*.name, [""]), 0) : null)
    		8  | 
    		9  |   elb                 = upper(var.load_balancer_type) == "ELB" ? var.load_balancers : null
    		10 |   lb_target_group_arn = upper(var.load_balancer_type) == "ALB" ? var.lb_target_group_arn : null
    		11 | 
    		12 |   lifecycle {
    		13 |     create_before_destroy = true
    		14 |     ignore_changes        = []
    		15 |   }
    		16 | 
    		17 |   depends_on = [
    		18 |     aws_autoscaling_group.asg
    		19 |   ]
    		20 | }
    
    terraform_plan scan results:
    
    Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
    
    secrets scan results:
    
    Passed checks: 0, Failed checks: 10, Skipped checks: 0
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 51ab909f465edf3e75934709d2a079474400158e
    	File: /aws/examples/directory_service/main.tf:19-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		19 |   directory_service_directory_password = "Supe***************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: b34331b28704ce3ef0b0c4fb9737a75d54238198
    	File: /aws/examples/kms/main.tf:76-77
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		76 |   "client_secret": "828957**********************************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: b7515061d61310889975bc0725b5f3f8fcb5c44e
    	File: /aws/examples/mq/main.tf:51-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		51 |       password       = "mq_*********"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 25bf56df1d538fe347ce4926e3b341a49d9e722f
    	File: /aws/examples/rds/main.tf:113-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		113 |   db_instance_db_password = "ImP***********"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 6bb92e6cdc2b24e9e9dc3d2511cf957f5c1ae51d
    	File: /cloudflare/examples/cloudflare_record/main.tf:10-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		10 |   api_key = "api*********"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 4ffcab4dbf3fa2f00801de9eda7304403830d523
    	File: /heroku/examples/heroku_config/main.tf:44-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		44 |     PRIVATE_KEY = "some************"
    
    Check: CKV_SECRET_14: "Slack Token"
    	FAILED for resource: fb2784769fce62c7e34b215825277434456b237c
    	File: /newrelic/examples/newrelic_alert/main.tf:38-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-14.html
    
    		38 |   alert_channel_slack_configuration_url     = "https:**************************************************************************"
    
    Check: CKV_SECRET_14: "Slack Token"
    	FAILED for resource: fb2784769fce62c7e34b215825277434456b237c
    	File: /newrelic/examples/newrelic_infra/main.tf:26-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-14.html
    
    		26 |   #alert_channel_slack_configuration_url               = "https:**************************************************************************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 88d5f0d556ec8a3f863c0d8ea710db73bc0731f3
    	File: /null_resource/examples/null_resource/main.tf:27-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		27 |   # provisioner_file_connection_password       = "pas**********"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 156283b3938f846e25c7f346d54dea21a7ee6d5b
    	File: /vault/examples/vault_token/main.tf:49-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		49 |   token_auth_backend_role_path_suffix            = "pa*********"
    
    github_actions scan results:
    
    Passed checks: 14, Failed checks: 1, Skipped checks: 0
    
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(terraform-lint)
    	File: /.github/workflows/terraform-lint.yaml:0-1

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: