| Repository | sethvargo / vault-on-gke |
|---|---|
| Description | Run @HashiCorp Vault on Google Kubernetes Engine (GKE) with Terraform |
| Stars | 496 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 45, Failed checks: 21, Skipped checks: 0
Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
FAILED for resource: google_project.vault
File: /terraform/gcp.tf:20-26
Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
20 | resource "google_project" "vault" {
21 | count = var.project != "" ? 0 : 1
22 | name = random_id.project_random.hex
23 | project_id = random_id.project_random.hex
24 | org_id = var.org_id
25 | billing_account = var.billing_account
26 | }
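CKV_GCP_27 fires because nothing in this resource opts out of the auto-created "default" VPC, which comes with default-allow-ssh/rdp/icmp/internal firewall rules that a Vault project never needs. The block below is an added example, not the repository's code: it is the same resource with `auto_create_network = false`, which is the attribute the check looks for. Note the resource only exists when `var.project` is empty; for a pre-existing project the default network has to be removed out of band (`gcloud compute networks delete default`), and at organisation level the `constraints/compute.skipDefaultNetworkCreation` policy is the more robust control.

```hcl
# Added example (not from the repository): decline the "default" network at
# project creation. Resource and variable names match the module; the
# auto_create_network attribute is the only addition.
resource "google_project" "vault" {
  count           = var.project != "" ? 0 : 1
  name            = random_id.project_random.hex
  project_id      = random_id.project_random.hex
  org_id          = var.org_id
  billing_account = var.billing_account

  # The provider creates the default network and deletes it again during
  # apply, so one network quota slot must still be free. The org policy
  # constraint compute.skipDefaultNetworkCreation avoids that round trip.
  auto_create_network = false
}
```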
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.vault
File: /terraform/gcp.tf:69-92
69 | resource "google_storage_bucket" "vault" {
70 | name = "${data.google_project.vault.project_id}-vault-storage"
71 | project = data.google_project.vault.project_id
72 | force_destroy = true
73 | storage_class = "MULTI_REGIONAL"
74 |
75 | uniform_bucket_level_access = true
76 |
77 | versioning {
78 | enabled = true
79 | }
80 |
81 | lifecycle_rule {
82 | action {
83 | type = "Delete"
84 | }
85 |
86 | condition {
87 | num_newer_versions = 1
88 | }
89 | }
90 |
91 | depends_on = [google_project_service.service]
92 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.vault
File: /terraform/gcp.tf:69-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
69 | resource "google_storage_bucket" "vault" {
70 | name = "${data.google_project.vault.project_id}-vault-storage"
71 | project = data.google_project.vault.project_id
72 | force_destroy = true
73 | storage_class = "MULTI_REGIONAL"
74 |
75 | uniform_bucket_level_access = true
76 |
77 | versioning {
78 | enabled = true
79 | }
80 |
81 | lifecycle_rule {
82 | action {
83 | type = "Delete"
84 | }
85 |
86 | condition {
87 | num_newer_versions = 1
88 | }
89 | }
90 |
91 | depends_on = [google_project_service.service]
92 | }
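Both bucket findings (CKV_GCP_114 public access prevention and CKV_GCP_62 access logging) concern the same resource, so one hardened copy covers them. This is an added example, not the module's code; the log bucket name, its `location = "US"` (required by google provider 4.x and later) and the `vault-storage` log prefix are assumptions. The bucket holds Vault's storage backend, so a stray `allUsers` binding would expose the encrypted barrier; `public_access_prevention = "enforced"` makes such a binding fail at the API rather than relying on nobody ever adding one.

```hcl
# Added example (not from the repository): a log bucket, the IAM grant Cloud
# Storage needs to write usage logs into it, and the Vault storage bucket
# with public access prevention and logging turned on.
resource "google_storage_bucket" "vault_access_logs" {
  name                        = "${data.google_project.vault.project_id}-vault-access-logs" # assumed name
  project                     = data.google_project.vault.project_id
  location                    = "US"
  storage_class               = "MULTI_REGIONAL"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  depends_on = [google_project_service.service]
}

# Cloud Storage delivers usage/storage logs as the group
# cloud-storage-analytics@google.com, which needs objectCreator on the
# destination bucket.
resource "google_storage_bucket_iam_member" "vault_access_logs_writer" {
  bucket = google_storage_bucket.vault_access_logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

resource "google_storage_bucket" "vault" {
  name                        = "${data.google_project.vault.project_id}-vault-storage"
  project                     = data.google_project.vault.project_id
  location                    = "US"
  force_destroy               = true
  storage_class               = "MULTI_REGIONAL"
  uniform_bucket_level_access = true

  # CKV_GCP_114: reject allUsers / allAuthenticatedUsers bindings outright.
  public_access_prevention = "enforced"

  # CKV_GCP_62: usage and storage logs go to the dedicated bucket above.
  logging {
    log_bucket        = google_storage_bucket.vault_access_logs.name
    log_object_prefix = "vault-storage" # assumed prefix
  }

  versioning {
    enabled = true
  }

  lifecycle_rule {
    action {
      type = "Delete"
    }

    condition {
      num_newer_versions = 1
    }
  }

  depends_on = [google_project_service.service]
}
```

Usage logs are delivered hourly and best effort; for a secrets store the per-request record of who read which object comes from Cloud Audit Logs Data Access entries (the CKV2_GCP_5 finding further down), so treat the usage logs as a supplement rather than the primary audit trail.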
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: google_kms_crypto_key.vault-init
File: /terraform/gcp.tf:127-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
127 | resource "google_kms_crypto_key" "vault-init" {
128 | name = var.kms_crypto_key
129 | key_ring = google_kms_key_ring.vault.id
130 | rotation_period = "604800s"
131 | }
Check: CKV_GCP_82: "Ensure KMS keys are protected from deletion"
FAILED for resource: google_kms_crypto_key.kubernetes-secrets
File: /terraform/gcp.tf:141-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-kms-keys-are-protected-from-deletion.html
141 | resource "google_kms_crypto_key" "kubernetes-secrets" {
142 | name = var.kubernetes_secrets_crypto_key
143 | key_ring = google_kms_key_ring.vault.id
144 | rotation_period = "604800s"
145 | }
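Both CKV_GCP_82 findings are fixed the same way, so one added example (not the module's code) covers both keys: Terraform's `prevent_destroy` lifecycle flag, which is what the check looks for. Going by its name, `vault-init` is the key Vault's initialisation and unseal path depends on, and `kubernetes-secrets` encrypts etcd secrets such as the TLS material in `vault-tls`; with `prevent_destroy` any plan that would delete either resource fails instead of proceeding.

```hcl
# Added example (not from the repository): the module's two crypto keys with
# a prevent_destroy guard. Names and rotation periods are unchanged.
resource "google_kms_crypto_key" "vault-init" {
  name            = var.kms_crypto_key
  key_ring        = google_kms_key_ring.vault.id
  rotation_period = "604800s" # 7 days

  # A plan that removes or replaces this resource aborts. Losing this key
  # turns the Vault storage bucket into unrecoverable ciphertext.
  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "kubernetes-secrets" {
  name            = var.kubernetes_secrets_crypto_key
  key_ring        = google_kms_key_ring.vault.id
  rotation_period = "604800s"

  # Same guard for the etcd application-layer encryption key.
  lifecycle {
    prevent_destroy = true
  }
}
```

Two caveats a practitioner should keep in mind: `prevent_destroy` only protects the Terraform-managed object from `terraform destroy` or a forced replacement, and Cloud KMS never deletes a key outright anyway; the real risk is destruction of key versions, which is governed by who holds `cloudkms.cryptoKeyVersions.destroy` and by the key's scheduled-destruction grace period. The bucket's `force_destroy = true` a few lines up is the other half of that blast radius.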
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.vault-subnetwork
File: /terraform/gcp.tf:174-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
174 | resource "google_compute_subnetwork" "vault-subnetwork" {
175 | name = "vault-subnetwork"
176 | project = data.google_project.vault.project_id
177 | network = google_compute_network.vault-network.self_link
178 | region = var.region
179 | ip_cidr_range = var.kubernetes_network_ipv4_cidr
180 |
181 | private_ip_google_access = true
182 |
183 | secondary_ip_range {
184 | range_name = "vault-pods"
185 | ip_cidr_range = var.kubernetes_pods_ipv4_cidr
186 | }
187 |
188 | secondary_ip_range {
189 | range_name = "vault-svcs"
190 | ip_cidr_range = var.kubernetes_services_ipv4_cidr
191 | }
192 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.vault-subnetwork
File: /terraform/gcp.tf:174-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
174 | resource "google_compute_subnetwork" "vault-subnetwork" {
175 | name = "vault-subnetwork"
176 | project = data.google_project.vault.project_id
177 | network = google_compute_network.vault-network.self_link
178 | region = var.region
179 | ip_cidr_range = var.kubernetes_network_ipv4_cidr
180 |
181 | private_ip_google_access = true
182 |
183 | secondary_ip_range {
184 | range_name = "vault-pods"
185 | ip_cidr_range = var.kubernetes_pods_ipv4_cidr
186 | }
187 |
188 | secondary_ip_range {
189 | range_name = "vault-svcs"
190 | ip_cidr_range = var.kubernetes_services_ipv4_cidr
191 | }
192 | }
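CKV_GCP_26 wants VPC Flow Logs on the subnet, which is where east-west traffic between Vault pods, the control plane and the metadata server becomes observable. CKV_GCP_76 (private Google access for IPv6) applies to dual-stack subnets; this subnet declares only IPv4 ranges and no `stack_type = "IPV4_IPV6"`, so the honest fix is an inline suppression rather than an attribute. The block below is an added example, not the module's code; the sampling and aggregation values are assumptions.

```hcl
# Added example (not from the repository): the module's subnet with flow
# logs enabled and the IPv6 check suppressed with a reason.
resource "google_compute_subnetwork" "vault-subnetwork" {
  #checkov:skip=CKV_GCP_76:IPv4-only subnet, IPv6 Private Google Access does not apply
  name          = "vault-subnetwork"
  project       = data.google_project.vault.project_id
  network       = google_compute_network.vault-network.self_link
  region        = var.region
  ip_cidr_range = var.kubernetes_network_ipv4_cidr

  private_ip_google_access = true

  # CKV_GCP_26. INCLUDE_ALL_METADATA adds src/dest GKE details (cluster,
  # pod, service) to each record; 50% sampling bounds log volume and cost.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }

  secondary_ip_range {
    range_name    = "vault-pods"
    ip_cidr_range = var.kubernetes_pods_ipv4_cidr
  }

  secondary_ip_range {
    range_name    = "vault-svcs"
    ip_cidr_range = var.kubernetes_services_ipv4_cidr
  }
}
```

If the subnet is later made dual-stack, drop the skip and set `private_ipv6_google_access` to one of the `ENABLE_*` values so IPv6 traffic to Google APIs stays off the public path.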
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: google_container_cluster.vault
File: /terraform/gcp.tf:229-353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
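Checkov does not print the cluster resource because it is about 120 lines long, so the six cluster findings (CKV_GCP_66, CKV_GCP_24, CKV_GCP_65, CKV_GCP_68, CKV_GCP_21, CKV_GCP_69 and CKV_GCP_61) are shown here as an added fragment of `google_container_cluster.vault` containing only the attributes that address them; it is not the repository's code, and the Google Group address and label value are assumptions. Turning on the GKE metadata server (CKV_GCP_69) is the change with side effects: once `workload_metadata_config.mode = "GKE_METADATA"` is set, pods no longer receive the node service account's token, so the `vault-server` Kubernetes service account must be bound to a Google service account that holds the KMS and Cloud Storage roles Vault needs, or Vault will fail to unseal.

```hcl
# Added example (not from the repository): hardening attributes for the
# module's GKE cluster. Lines marked "unchanged" stand for the module's
# existing settings, which are not reproduced here.
resource "google_container_cluster" "vault" {
  # ... name, project, location, network, subnetwork: unchanged ...

  # CKV_GCP_21: labels so the cluster is addressable in asset and cost queries.
  resource_labels = {
    app = "vault" # assumed label
  }

  # CKV_GCP_66: only images that satisfy the project's Binary Authorization
  # policy (e.g. attested builds) are admitted. Older provider versions use
  # enable_binary_authorization = true instead of this block.
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # CKV_GCP_65: RBAC subjects can be Google Groups. The group must be named
  # gke-security-groups in the organisation's directory; domain is assumed.
  authenticator_groups_config {
    security_group = "gke-security-groups@example.com"
  }

  # CKV_GCP_61: pod-to-pod traffic on the same node is mirrored into VPC
  # Flow Logs instead of bypassing the VPC entirely.
  enable_intranode_visibility = true

  # CKV_GCP_69 (cluster side): Workload Identity pool for the project.
  workload_identity_config {
    workload_pool = "${data.google_project.vault.project_id}.svc.id.goog"
  }

  node_config {
    # ... machine_type, service_account, oauth_scopes: unchanged ...

    # CKV_GCP_69 (node side): pods reach a per-node metadata proxy that only
    # hands out the identity bound to their Kubernetes service account.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    # CKV_GCP_68: Shielded VM nodes with Secure Boot and integrity monitoring.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }

  # CKV_GCP_24 asks for pod_security_policy_config { enabled = true }.
  # PodSecurityPolicy was removed from Kubernetes in 1.25 and is no longer
  # offered by GKE, so the finding is obsolete; enforce pod hardening with
  # Pod Security Admission namespace labels or Policy Controller instead.
  #checkov:skip=CKV_GCP_24:PodSecurityPolicy removed from Kubernetes, Pod Security Admission used instead
}
```

The Workload Identity binding itself is a `google_service_account_iam_member` granting `roles/iam.workloadIdentityUser` to `serviceAccount:<project>.svc.id.goog[<namespace>/vault-server]`, plus the `iam.gke.io/gcp-service-account` annotation on the Kubernetes service account; test unsealing on a scratch cluster before rolling this onto a cluster that already holds data.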
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_secret.vault-tls
File: /terraform/k8s.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
16 | resource "kubernetes_secret" "vault-tls" {
17 | metadata {
18 | name = "vault-tls"
19 | }
20 |
21 | data = {
22 | "vault.crt" = "${tls_locally_signed_cert.vault.cert_pem}\n${tls_self_signed_cert.vault-ca.cert_pem}"
23 | "vault.key" = tls_private_key.vault.private_key_pem
24 | "ca.crt" = tls_self_signed_cert.vault-ca.cert_pem
25 | }
26 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_service_account.vault-server
File: /terraform/k8s.tf:28-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
28 | resource "kubernetes_service_account" "vault-server" {
29 | metadata {
30 | name = "vault-server"
31 | }
32 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_role_binding.vault-server
File: /terraform/k8s.tf:47-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
47 | resource "kubernetes_role_binding" "vault-server" {
48 | metadata {
49 | name = "vault-server"
50 | }
51 |
52 | role_ref {
53 | api_group = "rbac.authorization.k8s.io"
54 | kind = "Role"
55 | name = kubernetes_role.vault-server.metadata.0.name
56 | }
57 |
58 | subject {
59 | kind = "ServiceAccount"
60 | name = kubernetes_service_account.vault-server.metadata.0.name
61 | namespace = kubernetes_service_account.vault-server.metadata.0.namespace
62 | }
63 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_service.vault-lb
File: /terraform/k8s.tf:65-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
65 | resource "kubernetes_service" "vault-lb" {
66 | metadata {
67 | name = "vault"
68 | labels = {
69 | app = "vault"
70 | }
71 | }
72 |
73 | spec {
74 | type = "LoadBalancer"
75 | load_balancer_ip = google_compute_address.vault.address
76 | load_balancer_source_ranges = var.vault_source_ranges
77 | external_traffic_policy = "Local"
78 |
79 | selector = {
80 | app = "vault"
81 | vault-active = "true"
82 | }
83 |
84 | port {
85 | name = "vault-port"
86 | port = 443
87 | target_port = 8200
88 | protocol = "TCP"
89 | }
90 | }
91 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_stateful_set.vault
File: /terraform/k8s.tf:93-312
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
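All five CKV_K8S_21 findings have one cause: none of the Kubernetes objects sets `metadata.namespace`, so they land in `default`, where they share RBAC scope, network policy scope and secret visibility with anything else deployed there. The added example below (not the module's code) creates a dedicated namespace and shows three of the five resources moved into it; the namespace name and the Pod Security Admission labels are assumptions. The role binding's `subject.namespace` already reads the service account's namespace, so it follows automatically; the role, service and stateful set take the same one-line change.

```hcl
# Added example (not from the repository): a vault namespace and the module's
# secret, service account and role binding with metadata.namespace set.
resource "kubernetes_namespace" "vault" {
  metadata {
    name = "vault" # assumed name

    # Pod Security Admission (Kubernetes >= 1.25) replaces the removed
    # PodSecurityPolicy. Warn/audit only: Vault's mlock needs IPC_LOCK, which
    # the baseline profile disallows, so enforce only after confirming the
    # stateful set's securityContext.
    labels = {
      "pod-security.kubernetes.io/warn"  = "baseline"
      "pod-security.kubernetes.io/audit" = "baseline"
    }
  }
}

resource "kubernetes_secret" "vault-tls" {
  metadata {
    name      = "vault-tls"
    namespace = kubernetes_namespace.vault.metadata[0].name
  }

  data = {
    "vault.crt" = "${tls_locally_signed_cert.vault.cert_pem}\n${tls_self_signed_cert.vault-ca.cert_pem}"
    "vault.key" = tls_private_key.vault.private_key_pem
    "ca.crt"    = tls_self_signed_cert.vault-ca.cert_pem
  }
}

resource "kubernetes_service_account" "vault-server" {
  metadata {
    name      = "vault-server"
    namespace = kubernetes_namespace.vault.metadata[0].name
  }
}

resource "kubernetes_role_binding" "vault-server" {
  metadata {
    name      = "vault-server"
    namespace = kubernetes_namespace.vault.metadata[0].name
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.vault-server.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.vault-server.metadata[0].name
    namespace = kubernetes_service_account.vault-server.metadata[0].namespace
  }
}
```

Moving namespaces is a destructive change in Terraform (the objects are recreated, and the stateful set's persistent volume claims with them), so schedule it as a migration rather than a routine apply on a live cluster.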
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.vault-network
File: /terraform/gcp.tf:165-171
165 | resource "google_compute_network" "vault-network" {
166 | name = "vault-network"
167 | project = data.google_project.vault.project_id
168 | auto_create_subnetworks = false
169 |
170 | depends_on = [google_project_service.service]
171 | }
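CKV2_GCP_18 is a graph check: it passes when at least one `google_compute_firewall` references the network and the network is not named `default`. The module relies on the implied deny-all ingress rule plus the rules GKE creates for the `vault-lb` service (its `load_balancer_source_ranges` become a GKE-managed allow rule), which is functionally fine but leaves dropped traffic invisible. The added example below, not the module's code, attaches an explicit deny-all ingress rule with logging at priority 65534, one step above the implied rule; GKE's allow rules sit at priority 1000 and keep precedence, so reachability is unchanged while rejected connection attempts now show up in Cloud Logging. The rule name is an assumption.

```hcl
# Added example (not from the repository): an explicit, logged deny-all
# ingress rule on vault-network. Reachability is unchanged; the implied
# deny at priority 65535 already dropped this traffic, silently.
resource "google_compute_firewall" "vault-network-deny-ingress" {
  name      = "vault-network-deny-all-ingress" # assumed name
  project   = data.google_project.vault.project_id
  network   = google_compute_network.vault-network.self_link
  direction = "INGRESS"
  priority  = 65534

  source_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  # Dropped flows become log entries with instance and VPC metadata,
  # which is the signal a detection pipeline wants from a bastion-less
  # secrets cluster.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Do not add a separate allow rule for port 8200 from `var.vault_source_ranges`: the `vault-lb` Service already produces one, and a second hand-written copy drifts the moment the variable changes.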
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.vault
File: /terraform/gcp.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
20 | resource "google_project" "vault" {
21 | count = var.project != "" ? 0 : 1
22 | name = random_id.project_random.hex
23 | project_id = random_id.project_random.hex
24 | org_id = var.org_id
25 | billing_account = var.billing_account
26 | }
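CKV2_GCP_5 looks for a `google_project_iam_audit_config` covering `allServices` with all three log types. Admin Activity logs are always on; it is the Data Access logs that record every object read on the Vault storage bucket and every `Decrypt` call against the unseal key, which is exactly the evidence needed to investigate a suspected compromise of a secrets store. The block below is an added example, not the module's code.

```hcl
# Added example (not from the repository): Data Access audit logging for
# every service in the Vault project.
resource "google_project_iam_audit_config" "vault" {
  project = data.google_project.vault.project_id
  service = "allServices"

  # Who listed or inspected resources and metadata.
  audit_log_config {
    log_type = "ADMIN_READ"
  }

  # Who read data: GCS object reads of the Vault backend, KMS Decrypt calls.
  audit_log_config {
    log_type = "DATA_READ"
  }

  # Who wrote data: GCS object writes, KMS Encrypt, key version changes.
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}
```

`DATA_READ` on `allServices` can be voluminous and is billed as log ingestion; if that is a problem, keep `allServices` for the check but add `exempted_members` per `audit_log_config` for known-noisy service accounts, or narrow to per-service configs for `storage.googleapis.com` and `cloudkms.googleapis.com` and accept the finding with a documented skip.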
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools