| Repository | SUSE / ha-sap-terraform-deployments |
|---|---|
| Description | Automated SAP/HA Deployments in Public/Private Clouds |
| Stars | 112 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository, so Terraform changes are merged without an automated misconfiguration check.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository, so that new findings fail the pipeline instead of accumulating
Checkov Output
terraform scan results:
Passed checks: 233, Failed checks: 134, Skipped checks: 0
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.dynamodb-terraform-state-lock
File: /aws/create_remote_state/dynamodb.tf:2-16
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
2 | resource "aws_dynamodb_table" "dynamodb-terraform-state-lock" {
3 | name = var.dynamodb_name
4 | hash_key = "LockID"
5 | read_capacity = 20
6 | write_capacity = 20
7 |
8 | attribute {
9 | name = "LockID"
10 | type = "S"
11 | }
12 |
13 | tags {
14 | Name = "DynamoDB Terraform State Lock Table"
15 | }
16 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.dynamodb-terraform-state-lock
File: /aws/create_remote_state/dynamodb.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
2 | resource "aws_dynamodb_table" "dynamodb-terraform-state-lock" {
3 | name = var.dynamodb_name
4 | hash_key = "LockID"
5 | read_capacity = 20
6 | write_capacity = 20
7 |
8 | attribute {
9 | name = "LockID"
10 | type = "S"
11 | }
12 |
13 | tags {
14 | Name = "DynamoDB Terraform State Lock Table"
15 | }
16 | }
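The two DynamoDB findings above (CKV_AWS_119 and CKV_AWS_28) are both fixed on the same resource. The following is an added example of the remediated lock table, not code from the SUSE repository: it keeps `var.dynamodb_name` from the scan output, introduces a hypothetical `aws_kms_key.terraform_state` customer-managed key, and writes `tags` in the attribute form (`tags = {}`) that Terraform 0.12 and later expect, rather than the block form shown in the scanned file.

```hcl
# Added example (not the repository's code): remote-state lock table with a
# customer-managed KMS key and point-in-time recovery enabled.
# Assumes var.dynamodb_name from the scanned file; aws_kms_key.terraform_state
# is a hypothetical key introduced for this example.

resource "aws_kms_key" "terraform_state" {
  description             = "CMK for the Terraform remote state lock table"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_dynamodb_table" "dynamodb-terraform-state-lock" {
  name           = var.dynamodb_name
  hash_key       = "LockID"
  read_capacity  = 20
  write_capacity = 20

  attribute {
    name = "LockID"
    type = "S"
  }

  # CKV_AWS_119: encrypt with a customer-managed key instead of the
  # AWS-owned default key, so key usage is auditable and revocable.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.terraform_state.arn
  }

  # CKV_AWS_28: continuous backups allow restoring the table if lock
  # entries are corrupted or the table is deleted by mistake.
  point_in_time_recovery {
    enabled = true
  }

  tags = {
    Name = "DynamoDB Terraform State Lock Table"
  }
}
```

The lock table holds only lock entries and a checksum of the state; the state file itself lives in the S3 backend bucket, whose encryption and versioning deserve at least the same attention. Re-run `checkov -d aws/create_remote_state` after the change to confirm both checks pass.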
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public
File: /aws/infrastructure.tf:133-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
133 | resource "aws_subnet" "public" {
134 | vpc_id = local.vpc_id
135 | cidr_block = local.public_subnet_address_range
136 | availability_zone = element(data.aws_availability_zones.available.names, 0)
137 | map_public_ip_on_launch = true
138 |
139 | tags = {
140 | Name = "${local.deployment_name}-public-subnet"
141 | Workspace = local.deployment_name
142 | }
143 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.secgroup
File: /aws/infrastructure.tf:172-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
172 | resource "aws_security_group" "secgroup" {
173 | count = local.create_security_group
174 | name = "${local.deployment_name}-sg"
175 | vpc_id = local.vpc_id
176 |
177 | tags = {
178 | Name = "${local.deployment_name}-sg"
179 | Workspace = local.deployment_name
180 | }
181 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.outall
File: /aws/infrastructure.tf:183-192
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
183 | resource "aws_security_group_rule" "outall" {
184 | count = local.create_security_group
185 | type = "egress"
186 | from_port = 0
187 | to_port = 0
188 | protocol = "-1"
189 | cidr_blocks = ["0.0.0.0/0"]
190 |
191 | security_group_id = local.security_group_id
192 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.local
File: /aws/infrastructure.tf:194-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
194 | resource "aws_security_group_rule" "local" {
195 | count = local.create_security_group
196 | type = "ingress"
197 | from_port = 0
198 | to_port = 0
199 | protocol = "-1"
200 | cidr_blocks = [local.vpc_address_range]
201 |
202 | security_group_id = local.security_group_id
203 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ssh
File: /aws/infrastructure.tf:216-225
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
216 | resource "aws_security_group_rule" "ssh" {
217 | count = local.create_security_group
218 | type = "ingress"
219 | from_port = 22
220 | to_port = 22
221 | protocol = "tcp"
222 | cidr_blocks = ["0.0.0.0/0"]
223 |
224 | security_group_id = local.security_group_id
225 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group_rule.ssh
File: /aws/infrastructure.tf:216-225
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
216 | resource "aws_security_group_rule" "ssh" {
217 | count = local.create_security_group
218 | type = "ingress"
219 | from_port = 22
220 | to_port = 22
221 | protocol = "tcp"
222 | cidr_blocks = ["0.0.0.0/0"]
223 |
224 | security_group_id = local.security_group_id
225 | }
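The subnet finding (CKV_AWS_130) and the security-group findings (CKV_AWS_23, CKV_AWS_24) above can be addressed together. The block below is an added example, not the repository's code; it assumes the locals and data source visible in the scan output (`local.vpc_id`, `local.public_subnet_address_range`, `local.deployment_name`, `local.create_security_group`, `local.vpc_address_range`, `local.security_group_id`, `data.aws_availability_zones.available`) and introduces a hypothetical `var.admin_cidr_blocks` input for the ranges allowed to reach SSH.

```hcl
# Added example (not the repository's code): public subnet without implicit
# public IPs, described security-group rules, and SSH restricted to known
# administrator ranges. var.admin_cidr_blocks is hypothetical; the locals and
# data source are the ones shown in the checkov output.

variable "admin_cidr_blocks" {
  description = "CIDR ranges allowed to reach port 22 (e.g. corporate VPN egress)"
  type        = list(string)

  # Fails `terraform plan` if someone re-opens SSH to the world (Terraform 0.13+).
  validation {
    condition     = !contains(var.admin_cidr_blocks, "0.0.0.0/0")
    error_message = "admin_cidr_blocks must not contain 0.0.0.0/0."
  }
}

resource "aws_subnet" "public" {
  vpc_id            = local.vpc_id
  cidr_block        = local.public_subnet_address_range
  availability_zone = element(data.aws_availability_zones.available.names, 0)

  # CKV_AWS_130: do not hand every instance in this subnet a public IP by
  # default; the bastion requests one explicitly with associate_public_ip_address.
  map_public_ip_on_launch = false

  tags = {
    Name      = "${local.deployment_name}-public-subnet"
    Workspace = local.deployment_name
  }
}

resource "aws_security_group" "secgroup" {
  count       = local.create_security_group
  name        = "${local.deployment_name}-sg"
  description = "Shared security group for the ${local.deployment_name} SAP deployment" # CKV_AWS_23
  vpc_id      = local.vpc_id

  tags = {
    Name      = "${local.deployment_name}-sg"
    Workspace = local.deployment_name
  }
}

resource "aws_security_group_rule" "outall" {
  count             = local.create_security_group
  description       = "All egress: package repositories and AWS APIs"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = local.security_group_id
}

resource "aws_security_group_rule" "local" {
  count             = local.create_security_group
  description       = "Intra-VPC traffic: cluster, DRBD, iSCSI and SAP ports"
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [local.vpc_address_range]
  security_group_id = local.security_group_id
}

resource "aws_security_group_rule" "ssh" {
  count             = local.create_security_group
  description       = "SSH from administrator ranges only"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.admin_cidr_blocks # CKV_AWS_24: never 0.0.0.0/0
  security_group_id = local.security_group_id
}
```

The SSH rule matters more than its single-finding weight suggests: it is attached to `local.security_group_id`, and every instance in the scan output (bastion, DRBD, HANA, iSCSI, majority maker) uses that one group via `vpc_security_group_ids = [var.security_group_id]`. When the bastion is disabled the cluster nodes set `associate_public_ip_address = true`, so the 0.0.0.0/0 rule exposes port 22 on the SAP nodes themselves, not only on a jump host. A separate security group for the bastion, with the node group accepting SSH only from the bastion's group, is the cleaner design.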
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Calling File: /aws/infrastructure.tf:319-340
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Calling File: /aws/infrastructure.tf:319-340
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Calling File: /aws/infrastructure.tf:319-340
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Calling File: /aws/infrastructure.tf:319-340
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Calling File: /aws/infrastructure.tf:319-340
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
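The five bastion findings above (CKV_AWS_126, CKV_AWS_8, CKV_AWS_79, CKV_AWS_88, CKV_AWS_135) are all attributes of one `aws_instance`. The following is an added example of the hardened bastion, not code from the repository: it keeps the module inputs shown in the scan output (`var.bastion_count`, `var.instance_type`, `var.subnet_ids`, `var.host_ips`, `var.security_group_id`, `var.availability_zones`, `var.common_variables`, `var.name`, `module.get_os_image`, `aws_key_pair.key-pair`) and introduces a hypothetical `var.ebs_kms_key_arn`. CKV_AWS_88 is suppressed inline rather than fixed, because a bastion is by definition the host that is reachable from outside the VPC.

```hcl
# Added example (not the repository's code): bastion with IMDSv2 enforced,
# encrypted root volume, detailed monitoring and EBS optimisation.
# Module inputs are the ones visible in the checkov output;
# var.ebs_kms_key_arn is hypothetical.

variable "ebs_kms_key_arn" {
  description = "Customer-managed KMS key for EBS volumes (null = AWS-managed aws/ebs key)"
  type        = string
  default     = null
}

resource "aws_instance" "bastion" {
  count         = var.bastion_count
  ami           = module.get_os_image.image_id
  instance_type = var.instance_type
  key_name      = aws_key_pair.key-pair.0.key_name
  #checkov:skip=CKV_AWS_88:The bastion is the single intended entry point from outside the VPC
  associate_public_ip_address = true
  subnet_id                   = element(var.subnet_ids, count.index)
  private_ip                  = element(var.host_ips, count.index)
  vpc_security_group_ids      = [var.security_group_id]
  availability_zone           = element(var.availability_zones, count.index)

  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics
  ebs_optimized = true # CKV_AWS_135: the chosen instance type must support it

  # CKV_AWS_79: require session tokens (IMDSv2). With IMDSv1 any SSRF or
  # unprivileged process on the host can read credentials with a single GET
  # to 169.254.169.254; with a hop limit of 1 containers on the host cannot
  # reach the endpoint through the instance's network namespace either.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = "20"
    encrypted   = true                # CKV_AWS_8
    kms_key_id  = var.ebs_kms_key_arn # null falls back to the account's default EBS key
  }

  volume_tags = {
    Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
  }

  tags = {
    Name      = "${var.common_variables["deployment_name"]}-${var.name}"
    Workspace = var.common_variables["deployment_name"]
  }
}
```

Two practical checks before applying: `ebs_optimized = true` is rejected by the EC2 API for instance types that do not support it, and when a customer-managed key is passed in `kms_key_id` the key policy must allow the principal running `terraform apply` to create grants on it, or the instance will fail to launch with an encrypted volume.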
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.drbd_node.aws_instance.drbd
File: /aws/modules/drbd_node/main.tf:50-83
Calling File: /aws/main.tf:168-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
50 | resource "aws_instance" "drbd" {
51 | count = var.drbd_count
52 | ami = module.get_os_image.image_id
53 | instance_type = var.instance_type
54 | key_name = var.key_name
55 | associate_public_ip_address = local.bastion_enabled ? false : true
56 | subnet_id = element(aws_subnet.drbd-subnet.*.id, count.index)
57 | private_ip = element(var.host_ips, count.index)
58 | vpc_security_group_ids = [var.security_group_id]
59 | availability_zone = element(var.availability_zones, count.index)
60 | source_dest_check = false
61 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
62 |
63 | root_block_device {
64 | volume_type = "gp2"
65 | volume_size = "10"
66 | }
67 |
68 | ebs_block_device {
69 | volume_type = var.drbd_data_disk_type
70 | volume_size = var.drbd_data_disk_size
71 | device_name = "/dev/sdb"
72 | }
73 |
74 | volume_tags = {
75 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
76 | }
77 |
78 | tags = {
79 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
80 | Workspace = var.common_variables["deployment_name"]
81 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
82 | }
83 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.drbd_node.aws_instance.drbd
File: /aws/modules/drbd_node/main.tf:50-83
Calling File: /aws/main.tf:168-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
50 | resource "aws_instance" "drbd" {
51 | count = var.drbd_count
52 | ami = module.get_os_image.image_id
53 | instance_type = var.instance_type
54 | key_name = var.key_name
55 | associate_public_ip_address = local.bastion_enabled ? false : true
56 | subnet_id = element(aws_subnet.drbd-subnet.*.id, count.index)
57 | private_ip = element(var.host_ips, count.index)
58 | vpc_security_group_ids = [var.security_group_id]
59 | availability_zone = element(var.availability_zones, count.index)
60 | source_dest_check = false
61 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
62 |
63 | root_block_device {
64 | volume_type = "gp2"
65 | volume_size = "10"
66 | }
67 |
68 | ebs_block_device {
69 | volume_type = var.drbd_data_disk_type
70 | volume_size = var.drbd_data_disk_size
71 | device_name = "/dev/sdb"
72 | }
73 |
74 | volume_tags = {
75 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
76 | }
77 |
78 | tags = {
79 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
80 | Workspace = var.common_variables["deployment_name"]
81 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
82 | }
83 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.drbd_node.aws_instance.drbd
File: /aws/modules/drbd_node/main.tf:50-83
Calling File: /aws/main.tf:168-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
50 | resource "aws_instance" "drbd" {
51 | count = var.drbd_count
52 | ami = module.get_os_image.image_id
53 | instance_type = var.instance_type
54 | key_name = var.key_name
55 | associate_public_ip_address = local.bastion_enabled ? false : true
56 | subnet_id = element(aws_subnet.drbd-subnet.*.id, count.index)
57 | private_ip = element(var.host_ips, count.index)
58 | vpc_security_group_ids = [var.security_group_id]
59 | availability_zone = element(var.availability_zones, count.index)
60 | source_dest_check = false
61 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
62 |
63 | root_block_device {
64 | volume_type = "gp2"
65 | volume_size = "10"
66 | }
67 |
68 | ebs_block_device {
69 | volume_type = var.drbd_data_disk_type
70 | volume_size = var.drbd_data_disk_size
71 | device_name = "/dev/sdb"
72 | }
73 |
74 | volume_tags = {
75 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
76 | }
77 |
78 | tags = {
79 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
80 | Workspace = var.common_variables["deployment_name"]
81 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
82 | }
83 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.drbd_node.aws_instance.drbd
File: /aws/modules/drbd_node/main.tf:50-83
Calling File: /aws/main.tf:168-201
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
50 | resource "aws_instance" "drbd" {
51 | count = var.drbd_count
52 | ami = module.get_os_image.image_id
53 | instance_type = var.instance_type
54 | key_name = var.key_name
55 | associate_public_ip_address = local.bastion_enabled ? false : true
56 | subnet_id = element(aws_subnet.drbd-subnet.*.id, count.index)
57 | private_ip = element(var.host_ips, count.index)
58 | vpc_security_group_ids = [var.security_group_id]
59 | availability_zone = element(var.availability_zones, count.index)
60 | source_dest_check = false
61 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
62 |
63 | root_block_device {
64 | volume_type = "gp2"
65 | volume_size = "10"
66 | }
67 |
68 | ebs_block_device {
69 | volume_type = var.drbd_data_disk_type
70 | volume_size = var.drbd_data_disk_size
71 | device_name = "/dev/sdb"
72 | }
73 |
74 | volume_tags = {
75 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
76 | }
77 |
78 | tags = {
79 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
80 | Workspace = var.common_variables["deployment_name"]
81 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
82 | }
83 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.hana_node.aws_instance.hana
File: /aws/modules/hana_node/main.tf:97-133
Calling File: /aws/main.tf:263-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
97 | resource "aws_instance" "hana" {
98 | count = var.hana_count
99 | ami = module.get_os_image.image_id
100 | instance_type = var.instance_type
101 | key_name = var.key_name
102 | associate_public_ip_address = local.bastion_enabled ? false : true
103 | subnet_id = element(aws_subnet.hana.*.id, count.index % 2)
104 | private_ip = element(var.host_ips, count.index)
105 | vpc_security_group_ids = [var.security_group_id]
106 | availability_zone = element(var.availability_zones, count.index % 2)
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
108 | source_dest_check = false
109 |
110 | root_block_device {
111 | volume_type = "gp2"
112 | volume_size = "60"
113 | }
114 |
115 | dynamic "ebs_block_device" {
116 | for_each = { for disk in local.disks : "${disk.disk_name}" => disk if disk.node_num == count.index }
117 | content {
118 | volume_type = ebs_block_device.value.disk_type
119 | volume_size = ebs_block_device.value.disk_size
120 | device_name = ebs_block_device.value.disk_name
121 | }
122 | }
123 |
124 | volume_tags = {
125 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
126 | }
127 |
128 | tags = {
129 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
130 | Workspace = var.common_variables["deployment_name"]
131 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
132 | }
133 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.hana_node.aws_instance.hana
File: /aws/modules/hana_node/main.tf:97-133
Calling File: /aws/main.tf:263-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
97 | resource "aws_instance" "hana" {
98 | count = var.hana_count
99 | ami = module.get_os_image.image_id
100 | instance_type = var.instance_type
101 | key_name = var.key_name
102 | associate_public_ip_address = local.bastion_enabled ? false : true
103 | subnet_id = element(aws_subnet.hana.*.id, count.index % 2)
104 | private_ip = element(var.host_ips, count.index)
105 | vpc_security_group_ids = [var.security_group_id]
106 | availability_zone = element(var.availability_zones, count.index % 2)
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
108 | source_dest_check = false
109 |
110 | root_block_device {
111 | volume_type = "gp2"
112 | volume_size = "60"
113 | }
114 |
115 | dynamic "ebs_block_device" {
116 | for_each = { for disk in local.disks : "${disk.disk_name}" => disk if disk.node_num == count.index }
117 | content {
118 | volume_type = ebs_block_device.value.disk_type
119 | volume_size = ebs_block_device.value.disk_size
120 | device_name = ebs_block_device.value.disk_name
121 | }
122 | }
123 |
124 | volume_tags = {
125 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
126 | }
127 |
128 | tags = {
129 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
130 | Workspace = var.common_variables["deployment_name"]
131 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
132 | }
133 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.hana_node.aws_instance.hana
File: /aws/modules/hana_node/main.tf:97-133
Calling File: /aws/main.tf:263-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
97 | resource "aws_instance" "hana" {
98 | count = var.hana_count
99 | ami = module.get_os_image.image_id
100 | instance_type = var.instance_type
101 | key_name = var.key_name
102 | associate_public_ip_address = local.bastion_enabled ? false : true
103 | subnet_id = element(aws_subnet.hana.*.id, count.index % 2)
104 | private_ip = element(var.host_ips, count.index)
105 | vpc_security_group_ids = [var.security_group_id]
106 | availability_zone = element(var.availability_zones, count.index % 2)
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
108 | source_dest_check = false
109 |
110 | root_block_device {
111 | volume_type = "gp2"
112 | volume_size = "60"
113 | }
114 |
115 | dynamic "ebs_block_device" {
116 | for_each = { for disk in local.disks : "${disk.disk_name}" => disk if disk.node_num == count.index }
117 | content {
118 | volume_type = ebs_block_device.value.disk_type
119 | volume_size = ebs_block_device.value.disk_size
120 | device_name = ebs_block_device.value.disk_name
121 | }
122 | }
123 |
124 | volume_tags = {
125 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
126 | }
127 |
128 | tags = {
129 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
130 | Workspace = var.common_variables["deployment_name"]
131 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
132 | }
133 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.hana_node.aws_instance.hana
File: /aws/modules/hana_node/main.tf:97-133
Calling File: /aws/main.tf:263-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
97 | resource "aws_instance" "hana" {
98 | count = var.hana_count
99 | ami = module.get_os_image.image_id
100 | instance_type = var.instance_type
101 | key_name = var.key_name
102 | associate_public_ip_address = local.bastion_enabled ? false : true
103 | subnet_id = element(aws_subnet.hana.*.id, count.index % 2)
104 | private_ip = element(var.host_ips, count.index)
105 | vpc_security_group_ids = [var.security_group_id]
106 | availability_zone = element(var.availability_zones, count.index % 2)
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0]
108 | source_dest_check = false
109 |
110 | root_block_device {
111 | volume_type = "gp2"
112 | volume_size = "60"
113 | }
114 |
115 | dynamic "ebs_block_device" {
116 | for_each = { for disk in local.disks : "${disk.disk_name}" => disk if disk.node_num == count.index }
117 | content {
118 | volume_type = ebs_block_device.value.disk_type
119 | volume_size = ebs_block_device.value.disk_size
120 | device_name = ebs_block_device.value.disk_name
121 | }
122 | }
123 |
124 | volume_tags = {
125 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
126 | }
127 |
128 | tags = {
129 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
130 | Workspace = var.common_variables["deployment_name"]
131 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
132 | }
133 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.iscsi_server.aws_instance.iscsisrv
File: /aws/modules/iscsi_server/main.tf:15-45
Calling File: /aws/main.tf:203-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
15 | resource "aws_instance" "iscsisrv" {
16 | count = var.iscsi_count
17 | ami = module.get_os_image.image_id
18 | instance_type = var.instance_type
19 | key_name = var.key_name
20 | associate_public_ip_address = local.bastion_enabled ? false : true
21 | subnet_id = element(var.subnet_ids, count.index)
22 | private_ip = element(var.host_ips, count.index)
23 | vpc_security_group_ids = [var.security_group_id]
24 | availability_zone = element(var.availability_zones, count.index)
25 |
26 | root_block_device {
27 | volume_type = "gp2"
28 | volume_size = "20"
29 | }
30 |
31 | ebs_block_device {
32 | volume_type = "gp2"
33 | volume_size = var.iscsi_disk_size
34 | device_name = "/dev/sdb"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.iscsi_server.aws_instance.iscsisrv
File: /aws/modules/iscsi_server/main.tf:15-45
Calling File: /aws/main.tf:203-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
15 | resource "aws_instance" "iscsisrv" {
16 | count = var.iscsi_count
17 | ami = module.get_os_image.image_id
18 | instance_type = var.instance_type
19 | key_name = var.key_name
20 | associate_public_ip_address = local.bastion_enabled ? false : true
21 | subnet_id = element(var.subnet_ids, count.index)
22 | private_ip = element(var.host_ips, count.index)
23 | vpc_security_group_ids = [var.security_group_id]
24 | availability_zone = element(var.availability_zones, count.index)
25 |
26 | root_block_device {
27 | volume_type = "gp2"
28 | volume_size = "20"
29 | }
30 |
31 | ebs_block_device {
32 | volume_type = "gp2"
33 | volume_size = var.iscsi_disk_size
34 | device_name = "/dev/sdb"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.iscsi_server.aws_instance.iscsisrv
File: /aws/modules/iscsi_server/main.tf:15-45
Calling File: /aws/main.tf:203-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
15 | resource "aws_instance" "iscsisrv" {
16 | count = var.iscsi_count
17 | ami = module.get_os_image.image_id
18 | instance_type = var.instance_type
19 | key_name = var.key_name
20 | associate_public_ip_address = local.bastion_enabled ? false : true
21 | subnet_id = element(var.subnet_ids, count.index)
22 | private_ip = element(var.host_ips, count.index)
23 | vpc_security_group_ids = [var.security_group_id]
24 | availability_zone = element(var.availability_zones, count.index)
25 |
26 | root_block_device {
27 | volume_type = "gp2"
28 | volume_size = "20"
29 | }
30 |
31 | ebs_block_device {
32 | volume_type = "gp2"
33 | volume_size = var.iscsi_disk_size
34 | device_name = "/dev/sdb"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.iscsi_server.aws_instance.iscsisrv
File: /aws/modules/iscsi_server/main.tf:15-45
Calling File: /aws/main.tf:203-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
15 | resource "aws_instance" "iscsisrv" {
16 | count = var.iscsi_count
17 | ami = module.get_os_image.image_id
18 | instance_type = var.instance_type
19 | key_name = var.key_name
20 | associate_public_ip_address = local.bastion_enabled ? false : true
21 | subnet_id = element(var.subnet_ids, count.index)
22 | private_ip = element(var.host_ips, count.index)
23 | vpc_security_group_ids = [var.security_group_id]
24 | availability_zone = element(var.availability_zones, count.index)
25 |
26 | root_block_device {
27 | volume_type = "gp2"
28 | volume_size = "20"
29 | }
30 |
31 | ebs_block_device {
32 | volume_type = "gp2"
33 | volume_size = var.iscsi_disk_size
34 | device_name = "/dev/sdb"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.hana_node.module.hana_majority_maker.aws_instance.majority_maker
File: /aws/modules/majority_maker_node/main.tf:34-61
Calling File: /aws/modules/hana_node/main.tf:135-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
34 | resource "aws_instance" "majority_maker" {
35 | count = var.node_count
36 | ami = module.get_os_image.image_id
37 | instance_type = var.instance_type
38 | key_name = var.key_name
39 | associate_public_ip_address = local.bastion_enabled ? false : true
40 | subnet_id = element(aws_subnet.majority_maker-subnet.*.id, count.index)
41 | private_ip = var.majority_maker_ip
42 | vpc_security_group_ids = [var.security_group_id]
43 | availability_zone = element(var.availability_zones, 2) # hardcode 3rd az
44 | iam_instance_profile = "${var.common_variables["deployment_name"]}-${var.name}-role-profile"
45 | source_dest_check = false
46 |
47 | root_block_device {
48 | volume_type = "gp2"
49 | volume_size = "60"
50 | }
51 |
52 | volume_tags = {
53 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
54 | }
55 |
56 | tags = {
57 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
58 | Workspace = var.common_variables["deployment_name"]
59 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}mm"
60 | }
61 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.hana_node.module.hana_majority_maker.aws_instance.majority_maker
File: /aws/modules/majority_maker_node/main.tf:34-61
Calling File: /aws/modules/hana_node/main.tf:135-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
34 | resource "aws_instance" "majority_maker" {
35 | count = var.node_count
36 | ami = module.get_os_image.image_id
37 | instance_type = var.instance_type
38 | key_name = var.key_name
39 | associate_public_ip_address = local.bastion_enabled ? false : true
40 | subnet_id = element(aws_subnet.majority_maker-subnet.*.id, count.index)
41 | private_ip = var.majority_maker_ip
42 | vpc_security_group_ids = [var.security_group_id]
43 | availability_zone = element(var.availability_zones, 2) # hardcode 3rd az
44 | iam_instance_profile = "${var.common_variables["deployment_name"]}-${var.name}-role-profile"
45 | source_dest_check = false
46 |
47 | root_block_device {
48 | volume_type = "gp2"
49 | volume_size = "60"
50 | }
51 |
52 | volume_tags = {
53 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
54 | }
55 |
56 | tags = {
57 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
58 | Workspace = var.common_variables["deployment_name"]
59 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}mm"
60 | }
61 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.hana_node.module.hana_majority_maker.aws_instance.majority_maker
File: /aws/modules/majority_maker_node/main.tf:34-61
Calling File: /aws/modules/hana_node/main.tf:135-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
34 | resource "aws_instance" "majority_maker" {
35 | count = var.node_count
36 | ami = module.get_os_image.image_id
37 | instance_type = var.instance_type
38 | key_name = var.key_name
39 | associate_public_ip_address = local.bastion_enabled ? false : true
40 | subnet_id = element(aws_subnet.majority_maker-subnet.*.id, count.index)
41 | private_ip = var.majority_maker_ip
42 | vpc_security_group_ids = [var.security_group_id]
43 | availability_zone = element(var.availability_zones, 2) # hardcode 3rd az
44 | iam_instance_profile = "${var.common_variables["deployment_name"]}-${var.name}-role-profile"
45 | source_dest_check = false
46 |
47 | root_block_device {
48 | volume_type = "gp2"
49 | volume_size = "60"
50 | }
51 |
52 | volume_tags = {
53 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
54 | }
55 |
56 | tags = {
57 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
58 | Workspace = var.common_variables["deployment_name"]
59 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}mm"
60 | }
61 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.hana_node.module.hana_majority_maker.aws_instance.majority_maker
File: /aws/modules/majority_maker_node/main.tf:34-61
Calling File: /aws/modules/hana_node/main.tf:135-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
34 | resource "aws_instance" "majority_maker" {
35 | count = var.node_count
36 | ami = module.get_os_image.image_id
37 | instance_type = var.instance_type
38 | key_name = var.key_name
39 | associate_public_ip_address = local.bastion_enabled ? false : true
40 | subnet_id = element(aws_subnet.majority_maker-subnet.*.id, count.index)
41 | private_ip = var.majority_maker_ip
42 | vpc_security_group_ids = [var.security_group_id]
43 | availability_zone = element(var.availability_zones, 2) # hardcode 3rd az
44 | iam_instance_profile = "${var.common_variables["deployment_name"]}-${var.name}-role-profile"
45 | source_dest_check = false
46 |
47 | root_block_device {
48 | volume_type = "gp2"
49 | volume_size = "60"
50 | }
51 |
52 | volume_tags = {
53 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
54 | }
55 |
56 | tags = {
57 | Name = "${var.common_variables["deployment_name"]}-${var.name}mm"
58 | Workspace = var.common_variables["deployment_name"]
59 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}mm"
60 | }
61 | }
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: module.netweaver_node.aws_efs_file_system.netweaver-efs
File: /aws/modules/netweaver_node/main.tf:63-71
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
63 | resource "aws_efs_file_system" "netweaver-efs" {
64 | count = local.vm_count > 0 ? local.shared_storage_efs : 0
65 | creation_token = "${var.common_variables["deployment_name"]}-netweaver-efs"
66 | performance_mode = var.efs_performance_mode
67 |
68 | tags = {
69 | Name = "${var.common_variables["deployment_name"]}-efs"
70 | }
71 | }
Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
FAILED for resource: module.netweaver_node.aws_efs_file_system.netweaver-efs
File: /aws/modules/netweaver_node/main.tf:63-71
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
63 | resource "aws_efs_file_system" "netweaver-efs" {
64 | count = local.vm_count > 0 ? local.shared_storage_efs : 0
65 | creation_token = "${var.common_variables["deployment_name"]}-netweaver-efs"
66 | performance_mode = var.efs_performance_mode
67 |
68 | tags = {
69 | Name = "${var.common_variables["deployment_name"]}-efs"
70 | }
71 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.netweaver_node.aws_instance.netweaver
File: /aws/modules/netweaver_node/main.tf:96-130
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
96 | resource "aws_instance" "netweaver" {
97 | count = local.vm_count
98 | ami = module.get_os_image.image_id
99 | instance_type = var.instance_type
100 | key_name = var.key_name
101 | associate_public_ip_address = local.bastion_enabled ? false : true
102 | subnet_id = element(aws_subnet.netweaver.*.id, count.index % 2) # %2 is used because there are not more than 2 subnets
103 | private_ip = element(var.host_ips, count.index)
104 | vpc_security_group_ids = [var.security_group_id]
105 | availability_zone = element(var.availability_zones, count.index % 2)
106 | source_dest_check = false
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0] # We apply to all nodes to have the SAP data provider, even though some policies are only for the clustered nodes
108 |
109 | root_block_device {
110 | volume_type = "gp2"
111 | volume_size = "60"
112 | }
113 |
114 | # Disk to store Netweaver software installation files
115 | ebs_block_device {
116 | volume_type = "gp2"
117 | volume_size = "60"
118 | device_name = "/dev/sdb"
119 | }
120 |
121 | volume_tags = {
122 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
123 | }
124 |
125 | tags = {
126 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
127 | Workspace = var.common_variables["deployment_name"]
128 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
129 | }
130 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.netweaver_node.aws_instance.netweaver
File: /aws/modules/netweaver_node/main.tf:96-130
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
96 | resource "aws_instance" "netweaver" {
97 | count = local.vm_count
98 | ami = module.get_os_image.image_id
99 | instance_type = var.instance_type
100 | key_name = var.key_name
101 | associate_public_ip_address = local.bastion_enabled ? false : true
102 | subnet_id = element(aws_subnet.netweaver.*.id, count.index % 2) # %2 is used because there are not more than 2 subnets
103 | private_ip = element(var.host_ips, count.index)
104 | vpc_security_group_ids = [var.security_group_id]
105 | availability_zone = element(var.availability_zones, count.index % 2)
106 | source_dest_check = false
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0] # We apply to all nodes to have the SAP data provider, even though some policies are only for the clustered nodes
108 |
109 | root_block_device {
110 | volume_type = "gp2"
111 | volume_size = "60"
112 | }
113 |
114 | # Disk to store Netweaver software installation files
115 | ebs_block_device {
116 | volume_type = "gp2"
117 | volume_size = "60"
118 | device_name = "/dev/sdb"
119 | }
120 |
121 | volume_tags = {
122 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
123 | }
124 |
125 | tags = {
126 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
127 | Workspace = var.common_variables["deployment_name"]
128 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
129 | }
130 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.netweaver_node.aws_instance.netweaver
File: /aws/modules/netweaver_node/main.tf:96-130
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
96 | resource "aws_instance" "netweaver" {
97 | count = local.vm_count
98 | ami = module.get_os_image.image_id
99 | instance_type = var.instance_type
100 | key_name = var.key_name
101 | associate_public_ip_address = local.bastion_enabled ? false : true
102 | subnet_id = element(aws_subnet.netweaver.*.id, count.index % 2) # %2 is used because there are not more than 2 subnets
103 | private_ip = element(var.host_ips, count.index)
104 | vpc_security_group_ids = [var.security_group_id]
105 | availability_zone = element(var.availability_zones, count.index % 2)
106 | source_dest_check = false
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0] # We apply to all nodes to have the SAP data provider, even though some policies are only for the clustered nodes
108 |
109 | root_block_device {
110 | volume_type = "gp2"
111 | volume_size = "60"
112 | }
113 |
114 | # Disk to store Netweaver software installation files
115 | ebs_block_device {
116 | volume_type = "gp2"
117 | volume_size = "60"
118 | device_name = "/dev/sdb"
119 | }
120 |
121 | volume_tags = {
122 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
123 | }
124 |
125 | tags = {
126 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
127 | Workspace = var.common_variables["deployment_name"]
128 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
129 | }
130 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.netweaver_node.aws_instance.netweaver
File: /aws/modules/netweaver_node/main.tf:96-130
Calling File: /aws/main.tf:228-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
96 | resource "aws_instance" "netweaver" {
97 | count = local.vm_count
98 | ami = module.get_os_image.image_id
99 | instance_type = var.instance_type
100 | key_name = var.key_name
101 | associate_public_ip_address = local.bastion_enabled ? false : true
102 | subnet_id = element(aws_subnet.netweaver.*.id, count.index % 2) # %2 is used because there are not more than 2 subnets
103 | private_ip = element(var.host_ips, count.index)
104 | vpc_security_group_ids = [var.security_group_id]
105 | availability_zone = element(var.availability_zones, count.index % 2)
106 | source_dest_check = false
107 | iam_instance_profile = module.sap_cluster_policies.cluster_profile_name[0] # We apply to all nodes to have the SAP data provider, even though some policies are only for the clustered nodes
108 |
109 | root_block_device {
110 | volume_type = "gp2"
111 | volume_size = "60"
112 | }
113 |
114 | # Disk to store Netweaver software installation files
115 | ebs_block_device {
116 | volume_type = "gp2"
117 | volume_size = "60"
118 | device_name = "/dev/sdb"
119 | }
120 |
121 | volume_tags = {
122 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
123 | }
124 |
125 | tags = {
126 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
127 | Workspace = var.common_variables["deployment_name"]
128 | "${var.common_variables["deployment_name"]}-cluster" = "${var.name}${format("%02d", count.index + 1)}"
129 | }
130 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled.html
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_group.mysecgroup
File: /azure/infrastructure.tf:150-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_160: "Ensure that HTTP (port 80) access is restricted from the internet"
FAILED for resource: azurerm_network_security_group.mysecgroup
File: /azure/infrastructure.tf:150-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-http-port-80-access-from-the-internet-is-restricted.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: module.bastion.azurerm_network_security_group.bastion
File: /azure/modules/bastion/main.tf:16-45
Calling File: /azure/infrastructure.tf:302-314
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
16 | resource "azurerm_network_security_group" "bastion" {
17 | count = local.bastion_count
18 | name = "nsg-bastion"
19 | location = var.az_region
20 | resource_group_name = var.resource_group_name
21 |
22 | security_rule {
23 | name = "SSH"
24 | priority = 100
25 | direction = "Inbound"
26 | access = "Allow"
27 | protocol = "Tcp"
28 | source_port_range = "*"
29 | destination_port_range = "22"
30 | source_address_prefix = "*"
31 | destination_address_prefix = local.private_ip_address
32 | }
33 |
34 | security_rule {
35 | name = "OUTALL"
36 | priority = 101
37 | direction = "Outbound"
38 | access = "Allow"
39 | protocol = "*"
40 | source_port_range = "*"
41 | destination_port_range = "*"
42 | source_address_prefix = "*"
43 | destination_address_prefix = "*"
44 | }
45 | }
Check: CKV_AZURE_93: "Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption"
FAILED for resource: module.netweaver_node.azurerm_managed_disk.app_server_disk
File: /azure/modules/netweaver_node/main.tf:321-329
Calling File: /azure/main.tf:186-228
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption.html
321 | resource "azurerm_managed_disk" "app_server_disk" {
322 | count = var.app_server_count
323 | name = "disk-netweaver${format("%02d", count.index + 1)}-App"
324 | location = var.az_region
325 | resource_group_name = var.resource_group_name
326 | storage_account_type = var.data_disk_type
327 | create_option = "Empty"
328 | disk_size_gb = var.data_disk_size
329 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.terraform-state
File: /gcp/create_remote_state/bucket.tf:1-12
1 | resource "google_storage_bucket" "terraform-state" {
2 | # NOTE: The bucket name must be globally unique and conform to certain requirements described in:
3 | # https://cloud.google.com/storage/docs/naming#requirements
4 | name = "terraform-state"
5 |
6 | location = "eu"
7 | project = "my-project"
8 |
9 | versioning {
10 | enabled = true
11 | }
12 | }
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
FAILED for resource: google_storage_bucket.terraform-state
File: /gcp/create_remote_state/bucket.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2.html
1 | resource "google_storage_bucket" "terraform-state" {
2 | # NOTE: The bucket name must be globally unique and conform to certain requirements described in:
3 | # https://cloud.google.com/storage/docs/naming#requirements
4 | name = "terraform-state"
5 |
6 | location = "eu"
7 | project = "my-project"
8 |
9 | versioning {
10 | enabled = true
11 | }
12 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.terraform-state
File: /gcp/create_remote_state/bucket.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
1 | resource "google_storage_bucket" "terraform-state" {
2 | # NOTE: The bucket name must be globally unique and conform to certain requirements described in:
3 | # https://cloud.google.com/storage/docs/naming#requirements
4 | name = "terraform-state"
5 |
6 | location = "eu"
7 | project = "my-project"
8 |
9 | versioning {
10 | enabled = true
11 | }
12 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.ha_subnet
File: /gcp/infrastructure.tf:33-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
33 | resource "google_compute_subnetwork" "ha_subnet" {
34 | count = var.subnet_name == "" ? 1 : 0
35 | name = "${local.deployment_name}-subnet"
36 | network = local.network_link
37 | region = var.region
38 | ip_cidr_range = local.subnet_address_range
39 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.ha_subnet
File: /gcp/infrastructure.tf:33-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
33 | resource "google_compute_subnetwork" "ha_subnet" {
34 | count = var.subnet_name == "" ? 1 : 0
35 | name = "${local.deployment_name}-subnet"
36 | network = local.network_link
37 | region = var.region
38 | ip_cidr_range = local.subnet_address_range
39 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.ha_subnet
File: /gcp/infrastructure.tf:33-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
33 | resource "google_compute_subnetwork" "ha_subnet" {
34 | count = var.subnet_name == "" ? 1 : 0
35 | name = "${local.deployment_name}-subnet"
36 | network = local.network_link
37 | region = var.region
38 | ip_cidr_range = local.subnet_address_range
39 | }
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.ha_firewall_allow_tcp[0]
File: /gcp/infrastructure.tf:73-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
73 | resource "google_compute_firewall" "ha_firewall_allow_tcp" {
74 | count = local.create_firewall
75 | name = "${local.deployment_name}-fw-tcp"
76 | network = local.vpc_name
77 | source_ranges = ["0.0.0.0/0"]
78 |
79 | allow {
80 | protocol = "tcp"
81 | ports = ["22", "80", "443", "3000", "7630", "9668", "9100", "9664", "9090", "9680"]
82 | }
83 | }
Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
FAILED for resource: google_compute_firewall.ha_firewall_allow_tcp[0]
File: /gcp/infrastructure.tf:73-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
73 | resource "google_compute_firewall" "ha_firewall_allow_tcp" {
74 | count = local.create_firewall
75 | name = "${local.deployment_name}-fw-tcp"
76 | network = local.vpc_name
77 | source_ranges = ["0.0.0.0/0"]
78 |
79 | allow {
80 | protocol = "tcp"
81 | ports = ["22", "80", "443", "3000", "7630", "9668", "9100", "9664", "9090", "9680"]
82 | }
83 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: module.bastion.google_compute_subnetwork.bastion_subnet
File: /gcp/modules/bastion/main.tf:10-16
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
10 | resource "google_compute_subnetwork" "bastion_subnet" {
11 | count = local.bastion_count
12 | name = "${local.deployment_name}-bastion-subnet"
13 | network = var.network_link
14 | region = var.region
15 | ip_cidr_range = var.snet_address_range
16 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: module.bastion.google_compute_subnetwork.bastion_subnet
File: /gcp/modules/bastion/main.tf:10-16
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
10 | resource "google_compute_subnetwork" "bastion_subnet" {
11 | count = local.bastion_count
12 | name = "${local.deployment_name}-bastion-subnet"
13 | network = var.network_link
14 | region = var.region
15 | ip_cidr_range = var.snet_address_range
16 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: module.bastion.google_compute_subnetwork.bastion_subnet
File: /gcp/modules/bastion/main.tf:10-16
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
10 | resource "google_compute_subnetwork" "bastion_subnet" {
11 | count = local.bastion_count
12 | name = "${local.deployment_name}-bastion-subnet"
13 | network = var.network_link
14 | region = var.region
15 | ip_cidr_range = var.snet_address_range
16 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.bastion.google_compute_instance.bastion
File: /gcp/modules/bastion/main.tf:45-80
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
45 | resource "google_compute_instance" "bastion" {
46 | count = local.bastion_count
47 | name = "${local.deployment_name}-${var.name}"
48 | description = "Bastion server"
49 | machine_type = var.vm_size
50 | zone = element(var.compute_zones, 0)
51 |
52 | network_interface {
53 | subnetwork = google_compute_subnetwork.bastion_subnet.*.name[0]
54 | network_ip = local.private_ip_address
55 |
56 | access_config {
57 | nat_ip = ""
58 | }
59 | }
60 |
61 | scheduling {
62 | automatic_restart = true
63 | on_host_maintenance = "MIGRATE"
64 | preemptible = false
65 | }
66 |
67 | boot_disk {
68 | initialize_params {
69 | image = var.os_image
70 | }
71 |
72 | auto_delete = true
73 | }
74 |
75 | metadata = {
76 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["bastion_public_key"]}"
77 | }
78 |
79 | tags = ["bastion"]
80 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.bastion.google_compute_instance.bastion
File: /gcp/modules/bastion/main.tf:45-80
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
45 | resource "google_compute_instance" "bastion" {
46 | count = local.bastion_count
47 | name = "${local.deployment_name}-${var.name}"
48 | description = "Bastion server"
49 | machine_type = var.vm_size
50 | zone = element(var.compute_zones, 0)
51 |
52 | network_interface {
53 | subnetwork = google_compute_subnetwork.bastion_subnet.*.name[0]
54 | network_ip = local.private_ip_address
55 |
56 | access_config {
57 | nat_ip = ""
58 | }
59 | }
60 |
61 | scheduling {
62 | automatic_restart = true
63 | on_host_maintenance = "MIGRATE"
64 | preemptible = false
65 | }
66 |
67 | boot_disk {
68 | initialize_params {
69 | image = var.os_image
70 | }
71 |
72 | auto_delete = true
73 | }
74 |
75 | metadata = {
76 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["bastion_public_key"]}"
77 | }
78 |
79 | tags = ["bastion"]
80 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.bastion.google_compute_instance.bastion
File: /gcp/modules/bastion/main.tf:45-80
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
45 | resource "google_compute_instance" "bastion" {
46 | count = local.bastion_count
47 | name = "${local.deployment_name}-${var.name}"
48 | description = "Bastion server"
49 | machine_type = var.vm_size
50 | zone = element(var.compute_zones, 0)
51 |
52 | network_interface {
53 | subnetwork = google_compute_subnetwork.bastion_subnet.*.name[0]
54 | network_ip = local.private_ip_address
55 |
56 | access_config {
57 | nat_ip = ""
58 | }
59 | }
60 |
61 | scheduling {
62 | automatic_restart = true
63 | on_host_maintenance = "MIGRATE"
64 | preemptible = false
65 | }
66 |
67 | boot_disk {
68 | initialize_params {
69 | image = var.os_image
70 | }
71 |
72 | auto_delete = true
73 | }
74 |
75 | metadata = {
76 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["bastion_public_key"]}"
77 | }
78 |
79 | tags = ["bastion"]
80 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.bastion.google_compute_instance.bastion
File: /gcp/modules/bastion/main.tf:45-80
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
45 | resource "google_compute_instance" "bastion" {
46 | count = local.bastion_count
47 | name = "${local.deployment_name}-${var.name}"
48 | description = "Bastion server"
49 | machine_type = var.vm_size
50 | zone = element(var.compute_zones, 0)
51 |
52 | network_interface {
53 | subnetwork = google_compute_subnetwork.bastion_subnet.*.name[0]
54 | network_ip = local.private_ip_address
55 |
56 | access_config {
57 | nat_ip = ""
58 | }
59 | }
60 |
61 | scheduling {
62 | automatic_restart = true
63 | on_host_maintenance = "MIGRATE"
64 | preemptible = false
65 | }
66 |
67 | boot_disk {
68 | initialize_params {
69 | image = var.os_image
70 | }
71 |
72 | auto_delete = true
73 | }
74 |
75 | metadata = {
76 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["bastion_public_key"]}"
77 | }
78 |
79 | tags = ["bastion"]
80 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.bastion.google_compute_instance.bastion
File: /gcp/modules/bastion/main.tf:45-80
Calling File: /gcp/infrastructure.tf:87-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
45 | resource "google_compute_instance" "bastion" {
46 | count = local.bastion_count
47 | name = "${local.deployment_name}-${var.name}"
48 | description = "Bastion server"
49 | machine_type = var.vm_size
50 | zone = element(var.compute_zones, 0)
51 |
52 | network_interface {
53 | subnetwork = google_compute_subnetwork.bastion_subnet.*.name[0]
54 | network_ip = local.private_ip_address
55 |
56 | access_config {
57 | nat_ip = ""
58 | }
59 | }
60 |
61 | scheduling {
62 | automatic_restart = true
63 | on_host_maintenance = "MIGRATE"
64 | preemptible = false
65 | }
66 |
67 | boot_disk {
68 | initialize_params {
69 | image = var.os_image
70 | }
71 |
72 | auto_delete = true
73 | }
74 |
75 | metadata = {
76 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["bastion_public_key"]}"
77 | }
78 |
79 | tags = ["bastion"]
80 | }
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.drbd_node.google_compute_disk.data
File: /gcp/modules/drbd_node/main.tf:10-16
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
10 | resource "google_compute_disk" "data" {
11 | count = var.drbd_count
12 | name = "${var.common_variables["deployment_name"]}-disk-drbd-${count.index}"
13 | type = var.drbd_data_disk_type
14 | size = var.drbd_data_disk_size
15 | zone = element(var.compute_zones, count.index)
16 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.drbd_node.google_compute_instance.drbd
File: /gcp/modules/drbd_node/main.tf:59-109
Calling File: /gcp/main.tf:177-202
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.hana_node.google_compute_disk.disk
File: /gcp/modules/hana_node/main.tf:32-39
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
32 | resource "google_compute_disk" "disk" {
33 | for_each = { for disk in local.disks : "${disk.disk_name}" => disk }
34 |
35 | name = each.value.disk_name
36 | type = each.value.disk_type
37 | size = each.value.disk_size
38 | zone = element(local.compute_zones_hana, each.value.node_num)
39 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.hana_node.google_compute_instance.clusternodes
File: /gcp/modules/hana_node/main.tf:231-285
Calling File: /gcp/main.tf:233-264
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.iscsi_server.google_compute_disk.iscsi_data
File: /gcp/modules/iscsi_server/main.tf:7-13
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
7 | resource "google_compute_disk" "iscsi_data" {
8 | count = var.iscsi_count
9 | name = "${var.common_variables["deployment_name"]}-iscsi-data-${count.index + 1}"
10 | type = "pd-standard"
11 | size = var.iscsi_disk_size
12 | zone = element(var.compute_zones, 0)
13 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.iscsi_server.google_compute_instance.iscsisrv
File: /gcp/modules/iscsi_server/main.tf:15-64
Calling File: /gcp/main.tf:284-302
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.hana_node.module.hana_majority_maker.google_compute_instance.majority_maker
File: /gcp/modules/majority_maker_node/main.tf:9-54
Calling File: /gcp/modules/hana_node/main.tf:287-306
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
9 | resource "google_compute_instance" "majority_maker" {
10 | count = var.node_count
11 | machine_type = var.machine_type
12 | name = "${var.common_variables["deployment_name"]}-${var.name}mm"
13 | zone = element(var.compute_zones, 2)
14 |
15 | can_ip_forward = true
16 |
17 | network_interface {
18 | subnetwork = var.network_subnet_name
19 | network_ip = var.majority_maker_ip
20 |
21 | # Set public IP address. Only if the bastion is not used
22 | dynamic "access_config" {
23 | for_each = local.bastion_enabled ? [] : [1]
24 | content {
25 | nat_ip = ""
26 | }
27 | }
28 | }
29 |
30 | scheduling {
31 | automatic_restart = true
32 | on_host_maintenance = "MIGRATE"
33 | preemptible = false
34 | }
35 |
36 | boot_disk {
37 | initialize_params {
38 | image = var.os_image
39 | size = 60
40 | }
41 |
42 | auto_delete = true
43 | }
44 |
45 | metadata = {
46 | sshKeys = "${var.common_variables["authorized_user"]}:${var.common_variables["public_key"]}"
47 | }
48 |
49 | service_account {
50 | scopes = ["compute-rw", "storage-rw", "logging-write", "monitoring-write", "service-control", "service-management"]
51 | }
52 |
53 | tags = ["hana-group"]
54 | }
Check: CKV_GCP_37: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.netweaver_node.google_compute_disk.netweaver-software
File: /gcp/modules/netweaver_node/main.tf:14-20
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-x.html
14 | resource "google_compute_disk" "netweaver-software" {
15 | count = local.vm_count
16 | name = "${var.common_variables["deployment_name"]}-nw-installation-sw-${count.index}"
17 | type = "pd-standard"
18 | size = 60
19 | zone = element(var.compute_zones, count.index)
20 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_36: "Ensure that IP forwarding is not enabled on Instances"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: module.netweaver_node.google_compute_instance.netweaver
File: /gcp/modules/netweaver_node/main.tf:141-191
Calling File: /gcp/main.tf:204-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
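The six instance checks (CKV_GCP_39, 40, 36, 32, 38, 30), the disk check (CKV_GCP_37) and the subnet check (CKV_GCP_74) recur for every GCP module above because the modules share one pattern: an external address via `access_config`, no `shielded_instance_config`, no encryption key on any disk, no `block-project-ssh-keys` metadata, and either no `service_account` block or one that sets scopes without an `email`, so the node still runs as the project's default Compute Engine service account. The following is an added example, not code from the ha-sap-terraform-deployments project: one node, its data disk and its subnet written so that all eight checks pass. The names prefixed `example`, the variables, region, zone, CIDR and machine type are assumptions made for illustration.

```hcl
# Added example, not code from the ha-sap-terraform-deployments project:
# one node, its data disk and its subnet written so that the GCP checks
# failing above (CKV_GCP_74, 39, 40, 36, 32, 37, 38, 30) pass. Everything
# named "example*" and the variables below are assumptions for illustration.

variable "project_id" { type = string }
variable "network_self_link" { type = string }
variable "os_image" { type = string } # must be a Shielded-VM capable image
variable "admin_public_key" { type = string } # "user:ssh-ed25519 AAAA... comment"
variable "kms_key_self_link" { type = string } # Cloud KMS key (CMEK)

# CKV_GCP_74: nodes without an external address still reach Google APIs
resource "google_compute_subnetwork" "example_subnet" {
  name                     = "example-subnet"
  network                  = var.network_self_link
  region                   = "europe-west1"
  ip_cidr_range            = "10.0.1.0/24"
  private_ip_google_access = true
}

# CKV_GCP_30: a dedicated identity instead of the default Compute Engine
# service account; roles are granted explicitly, so scopes stop mattering
resource "google_service_account" "example_node" {
  account_id = "example-hana-node"
}

resource "google_project_iam_member" "example_node_roles" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.example_node.email}"
}

# CKV_GCP_37: data disk encrypted with a customer-managed key
resource "google_compute_disk" "example_data" {
  name = "example-hana-data-0"
  type = "pd-ssd"
  size = 100
  zone = "europe-west1-b"

  disk_encryption_key {
    kms_key_self_link = var.kms_key_self_link
  }
}

resource "google_compute_instance" "example_node" {
  name         = "example-hana-node-0"
  machine_type = "n2-highmem-32"
  zone         = "europe-west1-b"

  # CKV_GCP_36: off unless the cluster's virtual IP is delivered by a route
  can_ip_forward = false

  # CKV_GCP_40: no access_config block, so no external IP is allocated
  network_interface {
    subnetwork = google_compute_subnetwork.example_subnet.name
  }

  # CKV_GCP_39: all three settings must be true for the check to pass
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # CKV_GCP_38: boot disk under the same customer-managed key
  boot_disk {
    auto_delete       = true
    kms_key_self_link = var.kms_key_self_link
    initialize_params {
      image = var.os_image
    }
  }

  attached_disk {
    source = google_compute_disk.example_data.self_link
  }

  # CKV_GCP_32: project-wide metadata keys are ignored on this instance
  metadata = {
    block-project-ssh-keys = "true"
    ssh-keys               = var.admin_public_key
  }

  service_account {
    email  = google_service_account.example_node.email
    scopes = ["cloud-platform"]
  }

  tags = ["hana-group"]
}
```

Three caveats apply when carrying this over to the repository. First, the Compute Engine service agent (`service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com`) needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the KMS key, or disk creation fails; CMEK is used here instead of a raw CSEK because a raw key passed through Terraform ends up in state next to the resources it protects, and recent checkov versions accept `kms_key_self_link` for both disk checks. Second, the bastion's `access_config { nat_ip = "" }` (lines 56-58 of its resource above) allocates an ephemeral external address on purpose, and the majority maker only adds `access_config` when no bastion is deployed (lines 21-27 of its resource), so CKV_GCP_40 on the bastion is a design decision rather than an oversight; the alternative that removes the public address entirely is IAP TCP forwarding, which needs a firewall rule admitting 35.235.240.0/20 on tcp/22 and `gcloud compute ssh --tunnel-through-iap`. Third, if the cluster's virtual IP is implemented with a route that targets the nodes, `can_ip_forward = true` is required and CKV_GCP_36 should be suppressed with a justification (`#checkov:skip=CKV_GCP_36:<reason>` on the line after the resource header) rather than silently left red.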
Check: CKV_OPENSTACK_2: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)"
FAILED for resource: openstack_networking_secgroup_rule_v2.ha_firewall_allow_ssh
File: /openstack/infrastructure.tf:73-81
Guide: https://docs.bridgecrew.io/docs/bc_openstack_networking_1
73 | resource "openstack_networking_secgroup_rule_v2" "ha_firewall_allow_ssh" {
74 | direction = "ingress"
75 | ethertype = "IPv4"
76 | protocol = "tcp"
77 | port_range_min = 22
78 | port_range_max = 22
79 | remote_ip_prefix = "0.0.0.0/0"
80 | security_group_id = openstack_networking_secgroup_v2.ha_firewall_external.id
81 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.bastion.azurerm_network_interface.bastion
File: /azure/modules/bastion/main.tf:68-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
68 | resource "azurerm_network_interface" "bastion" {
69 | count = local.bastion_count
70 | name = "nic-bastion"
71 | location = var.az_region
72 | resource_group_name = var.resource_group_name
73 |
74 | ip_configuration {
75 | name = "ipconf-primary"
76 | subnet_id = azurerm_subnet.bastion[0].id
77 | private_ip_address_allocation = "static"
78 | private_ip_address = local.private_ip_address
79 | public_ip_address_id = azurerm_public_ip.bastion[0].id
80 | }
81 |
82 | tags = {
83 | workspace = var.common_variables["deployment_name"]
84 | }
85 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.drbd_node.azurerm_network_interface.drbd
File: /azure/modules/drbd_node/main.tf:129-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
129 | resource "azurerm_network_interface" "drbd" {
130 | count = var.drbd_count
131 | name = "nic-drbd${format("%02d", count.index + 1)}"
132 | location = var.az_region
133 | resource_group_name = var.resource_group_name
134 |
135 | ip_configuration {
136 | name = "ipconf-primary"
137 | subnet_id = var.network_subnet_id
138 | private_ip_address_allocation = "static"
139 | private_ip_address = element(var.host_ips, count.index)
140 | public_ip_address_id = local.bastion_enabled ? null : element(azurerm_public_ip.drbd.*.id, count.index)
141 | }
142 |
143 | tags = {
144 | workspace = var.common_variables["deployment_name"]
145 | }
146 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.hana_node.azurerm_network_interface.hana
File: /azure/modules/hana_node/main.tf:176-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
176 | resource "azurerm_network_interface" "hana" {
177 | count = var.hana_count
178 | name = "nic-${var.name}${format("%02d", count.index + 1)}"
179 | location = var.az_region
180 | resource_group_name = var.resource_group_name
181 | enable_accelerated_networking = var.enable_accelerated_networking
182 |
183 | ip_configuration {
184 | name = "ipconf-primary"
185 | subnet_id = var.network_subnet_id
186 | private_ip_address_allocation = "static"
187 | private_ip_address = element(var.host_ips, count.index)
188 | public_ip_address_id = local.bastion_enabled ? null : element(azurerm_public_ip.hana.*.id, count.index)
189 | }
190 |
191 | tags = {
192 | workspace = var.common_variables["deployment_name"]
193 | }
194 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.iscsi_server.azurerm_network_interface.iscsisrv
File: /azure/modules/iscsi_server/main.tf:9-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
9 | resource "azurerm_network_interface" "iscsisrv" {
10 | count = var.iscsi_count
11 | name = "nic-iscsisrv${format("%02d", count.index + 1)}"
12 | location = var.az_region
13 | resource_group_name = var.resource_group_name
14 |
15 | ip_configuration {
16 | name = "ipconf-primary"
17 | subnet_id = var.network_subnet_id
18 | private_ip_address_allocation = "static"
19 | private_ip_address = element(var.host_ips, count.index)
20 | public_ip_address_id = local.bastion_enabled ? null : element(azurerm_public_ip.iscsisrv.*.id, count.index)
21 | }
22 |
23 | tags = {
24 | workspace = var.common_variables["deployment_name"]
25 | }
26 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.hana_node.module.hana_majority_maker.azurerm_network_interface.majority_maker
File: /azure/modules/majority_maker_node/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
10 | resource "azurerm_network_interface" "majority_maker" {
11 | count = var.node_count
12 | name = "nic-${var.name}majority_maker"
13 | location = var.az_region
14 | resource_group_name = var.resource_group_name
15 | enable_accelerated_networking = var.enable_accelerated_networking
16 |
17 | ip_configuration {
18 | name = "ipconf-primary"
19 | subnet_id = var.network_subnet_id
20 | private_ip_address_allocation = "static"
21 | private_ip_address = var.majority_maker_ip
22 | public_ip_address_id = local.bastion_enabled ? null : element(azurerm_public_ip.majority_maker.*.id, count.index)
23 | }
24 |
25 | tags = {
26 | workspace = var.common_variables["deployment_name"]
27 | }
28 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.monitoring.azurerm_network_interface.monitoring
File: /azure/modules/monitoring/main.tf:9-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
9 | resource "azurerm_network_interface" "monitoring" {
10 | name = "nic-monitoring"
11 | count = var.monitoring_enabled == true ? 1 : 0
12 | location = var.az_region
13 | resource_group_name = var.resource_group_name
14 |
15 | ip_configuration {
16 | name = "ipconf-primary"
17 | subnet_id = var.network_subnet_id
18 | private_ip_address_allocation = "static"
19 | private_ip_address = var.monitoring_srv_ip
20 | public_ip_address_id = local.bastion_enabled ? null : azurerm_public_ip.monitoring.0.id
21 | }
22 |
23 | tags = {
24 | workspace = var.common_variables["deployment_name"]
25 | }
26 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.bastion.azurerm_virtual_machine.bastion
File: /azure/modules/bastion/main.tf:105-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
105 | resource "azurerm_virtual_machine" "bastion" {
106 | count = local.bastion_count
107 | name = var.name
108 | location = var.az_region
109 | resource_group_name = var.resource_group_name
110 | network_interface_ids = [azurerm_network_interface.bastion[0].id]
111 | vm_size = var.vm_size
112 | delete_os_disk_on_termination = true
113 | delete_data_disks_on_termination = true
114 |
115 | storage_os_disk {
116 | name = "disk-bastion-Os"
117 | caching = "ReadWrite"
118 | create_option = "FromImage"
119 | managed_disk_type = "Standard_LRS"
120 | }
121 |
122 | storage_image_reference {
123 | publisher = module.os_image_reference.publisher
124 | offer = module.os_image_reference.offer
125 | sku = module.os_image_reference.sku
126 | version = module.os_image_reference.version
127 | }
128 |
129 | os_profile {
130 | computer_name = local.hostname
131 | admin_username = var.common_variables["authorized_user"]
132 | }
133 |
134 | os_profile_linux_config {
135 | disable_password_authentication = true
136 |
137 | ssh_keys {
138 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
139 | key_data = var.common_variables["bastion_public_key"]
140 | }
141 | }
142 |
143 | boot_diagnostics {
144 | enabled = "true"
145 | storage_uri = var.storage_account
146 | }
147 |
148 | tags = {
149 | workspace = var.common_variables["deployment_name"]
150 | }
151 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.drbd_node.azurerm_virtual_machine.drbd
File: /azure/modules/drbd_node/main.tf:175-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.hana_node.azurerm_virtual_machine.hana
File: /azure/modules/hana_node/main.tf:384-445
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.iscsi_server.azurerm_virtual_machine.iscsisrv
File: /azure/modules/iscsi_server/main.tf:68-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.hana_node.module.hana_majority_maker.azurerm_virtual_machine.majority_maker
File: /azure/modules/majority_maker_node/main.tf:68-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
68 | resource "azurerm_virtual_machine" "majority_maker" {
69 | count = var.node_count
70 | name = "vm${var.name}mm"
71 | location = var.az_region
72 | resource_group_name = var.resource_group_name
73 | network_interface_ids = [element(azurerm_network_interface.majority_maker.*.id, count.index)]
74 | # availability_set_id = var.common_variables["hana"]["ha_enabled"] ? azurerm_availability_set.hana-availability-set[0].id : null
75 | vm_size = var.vm_size
76 | delete_os_disk_on_termination = true
77 |
78 | storage_os_disk {
79 | name = "disk-${var.name}majority_maker-Os"
80 | caching = "ReadWrite"
81 | create_option = "FromImage"
82 | managed_disk_type = "Premium_LRS"
83 | }
84 |
85 | storage_image_reference {
86 | id = var.sles4sap_uri != "" ? join(",", azurerm_image.sles4sap.*.id) : ""
87 | publisher = var.sles4sap_uri != "" ? "" : module.os_image_reference.publisher
88 | offer = var.sles4sap_uri != "" ? "" : module.os_image_reference.offer
89 | sku = var.sles4sap_uri != "" ? "" : module.os_image_reference.sku
90 | version = var.sles4sap_uri != "" ? "" : module.os_image_reference.version
91 | }
92 |
93 | os_profile {
94 | computer_name = "vm${var.name}mm"
95 | admin_username = var.common_variables["authorized_user"]
96 | }
97 |
98 | os_profile_linux_config {
99 | disable_password_authentication = true
100 |
101 | ssh_keys {
102 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
103 | key_data = var.common_variables["public_key"]
104 | }
105 | }
106 |
107 | boot_diagnostics {
108 | enabled = "true"
109 | storage_uri = var.storage_account
110 | }
111 |
112 | tags = {
113 | workspace = var.common_variables["deployment_name"]
114 | }
115 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.monitoring.azurerm_virtual_machine.monitoring
File: /azure/modules/monitoring/main.tf:68-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.netweaver_node.azurerm_virtual_machine.netweaver
File: /azure/modules/netweaver_node/main.tf:346-394
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
346 | resource "azurerm_virtual_machine" "netweaver" {
347 | count = local.vm_count
348 | name = "${var.name}${format("%02d", count.index + 1)}"
349 | location = var.az_region
350 | resource_group_name = var.resource_group_name
351 | network_interface_ids = [element(azurerm_network_interface.netweaver.*.id, count.index)]
352 | availability_set_id = count.index < var.xscs_server_count ? (local.create_ha_infra > 0 ? azurerm_availability_set.netweaver-xscs-availability-set[0].id : null) : azurerm_availability_set.netweaver-app-availability-set[0].id
353 | vm_size = count.index < var.xscs_server_count ? var.xscs_vm_size : var.app_vm_size
354 | delete_os_disk_on_termination = true
355 | delete_data_disks_on_termination = true
356 |
357 | storage_os_disk {
358 | name = "disk-netweaver${format("%02d", count.index + 1)}-Os"
359 | caching = "ReadWrite"
360 | create_option = "FromImage"
361 | managed_disk_type = "Premium_LRS"
362 | }
363 |
364 | storage_image_reference {
365 | id = var.netweaver_image_uri != "" ? join(",", azurerm_image.netweaver-image.*.id) : ""
366 | publisher = var.netweaver_image_uri != "" ? "" : module.os_image_reference.publisher
367 | offer = var.netweaver_image_uri != "" ? "" : module.os_image_reference.offer
368 | sku = var.netweaver_image_uri != "" ? "" : module.os_image_reference.sku
369 | version = var.netweaver_image_uri != "" ? "" : module.os_image_reference.version
370 | }
371 |
372 | os_profile {
373 | computer_name = "${local.hostname}${format("%02d", count.index + 1)}"
374 | admin_username = var.common_variables["authorized_user"]
375 | }
376 |
377 | os_profile_linux_config {
378 | disable_password_authentication = true
379 |
380 | ssh_keys {
381 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
382 | key_data = var.common_variables["public_key"]
383 | }
384 | }
385 |
386 | boot_diagnostics {
387 | enabled = "true"
388 | storage_uri = var.storage_account
389 | }
390 |
391 | tags = {
392 | workspace = var.common_variables["deployment_name"]
393 | }
394 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.bastion.azurerm_virtual_machine.bastion
File: /azure/modules/bastion/main.tf:105-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
105 | resource "azurerm_virtual_machine" "bastion" {
106 | count = local.bastion_count
107 | name = var.name
108 | location = var.az_region
109 | resource_group_name = var.resource_group_name
110 | network_interface_ids = [azurerm_network_interface.bastion[0].id]
111 | vm_size = var.vm_size
112 | delete_os_disk_on_termination = true
113 | delete_data_disks_on_termination = true
114 |
115 | storage_os_disk {
116 | name = "disk-bastion-Os"
117 | caching = "ReadWrite"
118 | create_option = "FromImage"
119 | managed_disk_type = "Standard_LRS"
120 | }
121 |
122 | storage_image_reference {
123 | publisher = module.os_image_reference.publisher
124 | offer = module.os_image_reference.offer
125 | sku = module.os_image_reference.sku
126 | version = module.os_image_reference.version
127 | }
128 |
129 | os_profile {
130 | computer_name = local.hostname
131 | admin_username = var.common_variables["authorized_user"]
132 | }
133 |
134 | os_profile_linux_config {
135 | disable_password_authentication = true
136 |
137 | ssh_keys {
138 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
139 | key_data = var.common_variables["bastion_public_key"]
140 | }
141 | }
142 |
143 | boot_diagnostics {
144 | enabled = "true"
145 | storage_uri = var.storage_account
146 | }
147 |
148 | tags = {
149 | workspace = var.common_variables["deployment_name"]
150 | }
151 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.drbd_node.azurerm_virtual_machine.drbd
File: /azure/modules/drbd_node/main.tf:175-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.hana_node.azurerm_virtual_machine.hana
File: /azure/modules/hana_node/main.tf:384-445
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.iscsi_server.azurerm_virtual_machine.iscsisrv
File: /azure/modules/iscsi_server/main.tf:68-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.hana_node.module.hana_majority_maker.azurerm_virtual_machine.majority_maker
File: /azure/modules/majority_maker_node/main.tf:68-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
68 | resource "azurerm_virtual_machine" "majority_maker" {
69 | count = var.node_count
70 | name = "vm${var.name}mm"
71 | location = var.az_region
72 | resource_group_name = var.resource_group_name
73 | network_interface_ids = [element(azurerm_network_interface.majority_maker.*.id, count.index)]
74 | # availability_set_id = var.common_variables["hana"]["ha_enabled"] ? azurerm_availability_set.hana-availability-set[0].id : null
75 | vm_size = var.vm_size
76 | delete_os_disk_on_termination = true
77 |
78 | storage_os_disk {
79 | name = "disk-${var.name}majority_maker-Os"
80 | caching = "ReadWrite"
81 | create_option = "FromImage"
82 | managed_disk_type = "Premium_LRS"
83 | }
84 |
85 | storage_image_reference {
86 | id = var.sles4sap_uri != "" ? join(",", azurerm_image.sles4sap.*.id) : ""
87 | publisher = var.sles4sap_uri != "" ? "" : module.os_image_reference.publisher
88 | offer = var.sles4sap_uri != "" ? "" : module.os_image_reference.offer
89 | sku = var.sles4sap_uri != "" ? "" : module.os_image_reference.sku
90 | version = var.sles4sap_uri != "" ? "" : module.os_image_reference.version
91 | }
92 |
93 | os_profile {
94 | computer_name = "vm${var.name}mm"
95 | admin_username = var.common_variables["authorized_user"]
96 | }
97 |
98 | os_profile_linux_config {
99 | disable_password_authentication = true
100 |
101 | ssh_keys {
102 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
103 | key_data = var.common_variables["public_key"]
104 | }
105 | }
106 |
107 | boot_diagnostics {
108 | enabled = "true"
109 | storage_uri = var.storage_account
110 | }
111 |
112 | tags = {
113 | workspace = var.common_variables["deployment_name"]
114 | }
115 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.monitoring.azurerm_virtual_machine.monitoring
File: /azure/modules/monitoring/main.tf:68-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.netweaver_node.azurerm_virtual_machine.netweaver
File: /azure/modules/netweaver_node/main.tf:346-394
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
346 | resource "azurerm_virtual_machine" "netweaver" {
347 | count = local.vm_count
348 | name = "${var.name}${format("%02d", count.index + 1)}"
349 | location = var.az_region
350 | resource_group_name = var.resource_group_name
351 | network_interface_ids = [element(azurerm_network_interface.netweaver.*.id, count.index)]
352 | availability_set_id = count.index < var.xscs_server_count ? (local.create_ha_infra > 0 ? azurerm_availability_set.netweaver-xscs-availability-set[0].id : null) : azurerm_availability_set.netweaver-app-availability-set[0].id
353 | vm_size = count.index < var.xscs_server_count ? var.xscs_vm_size : var.app_vm_size
354 | delete_os_disk_on_termination = true
355 | delete_data_disks_on_termination = true
356 |
357 | storage_os_disk {
358 | name = "disk-netweaver${format("%02d", count.index + 1)}-Os"
359 | caching = "ReadWrite"
360 | create_option = "FromImage"
361 | managed_disk_type = "Premium_LRS"
362 | }
363 |
364 | storage_image_reference {
365 | id = var.netweaver_image_uri != "" ? join(",", azurerm_image.netweaver-image.*.id) : ""
366 | publisher = var.netweaver_image_uri != "" ? "" : module.os_image_reference.publisher
367 | offer = var.netweaver_image_uri != "" ? "" : module.os_image_reference.offer
368 | sku = var.netweaver_image_uri != "" ? "" : module.os_image_reference.sku
369 | version = var.netweaver_image_uri != "" ? "" : module.os_image_reference.version
370 | }
371 |
372 | os_profile {
373 | computer_name = "${local.hostname}${format("%02d", count.index + 1)}"
374 | admin_username = var.common_variables["authorized_user"]
375 | }
376 |
377 | os_profile_linux_config {
378 | disable_password_authentication = true
379 |
380 | ssh_keys {
381 | path = "/home/${var.common_variables["authorized_user"]}/.ssh/authorized_keys"
382 | key_data = var.common_variables["public_key"]
383 | }
384 | }
385 |
386 | boot_diagnostics {
387 | enabled = "true"
388 | storage_uri = var.storage_account
389 | }
390 |
391 | tags = {
392 | workspace = var.common_variables["deployment_name"]
393 | }
394 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.mytfstorageacc
File: /azure/infrastructure.tf:44-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
44 | resource "azurerm_storage_account" "mytfstorageacc" {
45 | name = "stdiag${lower(local.deployment_name)}"
46 | resource_group_name = local.resource_group_name
47 | location = var.az_region
48 | account_replication_type = "LRS"
49 | account_tier = "Standard"
50 |
51 | tags = {
52 | workspace = local.deployment_name
53 | }
54 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.mysubnet-netapp
File: /azure/infrastructure.tf:113-129
113 | resource "azurerm_subnet" "mysubnet-netapp" {
114 |
115 | count = var.subnet_netapp_name == "" ? local.shared_storage_anf : 0
116 | name = "snet-netapp-${lower(local.deployment_name)}"
117 | resource_group_name = local.resource_group_name
118 | virtual_network_name = local.vnet_name
119 | address_prefixes = [local.subnet_netapp_address_range]
120 |
121 | delegation {
122 | name = "netapp"
123 |
124 | service_delegation {
125 | name = "Microsoft.Netapp/volumes"
126 | actions = ["Microsoft.Network/networkinterfaces/*", "Microsoft.Network/virtualNetworks/subnets/join/action"]
127 | }
128 | }
129 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ngw[0]
File: /aws/infrastructure.tf:109-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
109 | resource "aws_eip" "ngw" {
110 | count = var.bastion_enabled ? 1 : 0
111 | vpc = true
112 |
113 | tags = {
114 | Name = "${local.deployment_name}-eip-ngw"
115 | Workspace = local.deployment_name
116 | }
117 |
118 | depends_on = [local.internet_gateway]
119 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc
File: /aws/infrastructure.tf:51-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
51 | resource "aws_vpc" "vpc" {
52 | count = var.vpc_id == "" ? 1 : 0
53 | cidr_block = local.vpc_address_range
54 | enable_dns_hostnames = true
55 | enable_dns_support = true
56 |
57 | tags = {
58 | Name = "${local.deployment_name}-vpc"
59 | Workspace = local.deployment_name
60 | }
61 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.dynamodb-terraform-state-lock
File: /aws/create_remote_state/dynamodb.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
2 | resource "aws_dynamodb_table" "dynamodb-terraform-state-lock" {
3 | name = var.dynamodb_name
4 | hash_key = "LockID"
5 | read_capacity = 20
6 | write_capacity = 20
7 |
8 | attribute {
9 | name = "LockID"
10 | type = "S"
11 | }
12 |
13 | tags {
14 | Name = "DynamoDB Terraform State Lock Table"
15 | }
16 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.secgroup
File: /aws/infrastructure.tf:172-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
172 | resource "aws_security_group" "secgroup" {
173 | count = local.create_security_group
174 | name = "${local.deployment_name}-sg"
175 | vpc_id = local.vpc_id
176 |
177 | tags = {
178 | Name = "${local.deployment_name}-sg"
179 | Workspace = local.deployment_name
180 | }
181 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc
File: /aws/infrastructure.tf:51-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
51 | resource "aws_vpc" "vpc" {
52 | count = var.vpc_id == "" ? 1 : 0
53 | cidr_block = local.vpc_address_range
54 | enable_dns_hostnames = true
55 | enable_dns_support = true
56 |
57 | tags = {
58 | Name = "${local.deployment_name}-vpc"
59 | Workspace = local.deployment_name
60 | }
61 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /aws/create_remote_state/main.tf:5-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = var.bucket_name
7 |
8 | versioning {
9 | enabled = true
10 | }
11 |
12 | lifecycle {
13 | prevent_destroy = true
14 | }
15 | }
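The three findings above (CKV_AWS_18, CKV2_AWS_6, CKV_AWS_145) all concern the same remote-state bucket, so one hardened definition covers them. This is an added example, not the project's own `aws/create_remote_state/main.tf`. It is written for AWS provider v4 or later, where versioning, encryption and logging are separate resources rather than inline blocks (the page's snippet uses the older inline `versioning` block). `var.bucket_name` is taken from the page; `var.log_bucket_name`, the KMS key and the `state-access/` prefix are assumptions.

```hcl
# Added example, not part of the project: remote-state bucket with KMS
# default encryption, public access block and server access logging.

resource "aws_kms_key" "terraform_state" {
  description             = "Terraform remote state"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = var.bucket_name

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_145: every object is encrypted with the customer managed key unless
# a request says otherwise; bucket keys cut the KMS request volume.
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.terraform_state.arn
    }
    bucket_key_enabled = true
  }
}

# CKV2_AWS_6: all four switches on, so neither an ACL nor a bucket policy can
# ever expose the state file (which carries secrets in plaintext).
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_18: access logs go to a separate bucket, never to the bucket itself.
resource "aws_s3_bucket" "terraform_state_logs" {
  bucket = var.log_bucket_name # assumed variable
}

resource "aws_s3_bucket_public_access_block" "terraform_state_logs" {
  bucket                  = aws_s3_bucket.terraform_state_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# With bucket-owner-enforced object ownership (the current S3 default) the log
# delivery service is authorised through a bucket policy, not an ACL.
data "aws_iam_policy_document" "terraform_state_logs" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.terraform_state_logs.arn}/state-access/*"]
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.terraform_state.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "terraform_state_logs" {
  bucket = aws_s3_bucket.terraform_state_logs.id
  policy = data.aws_iam_policy_document.terraform_state_logs.json
}

resource "aws_s3_bucket_logging" "terraform_state" {
  bucket        = aws_s3_bucket.terraform_state.id
  target_bucket = aws_s3_bucket.terraform_state_logs.id
  target_prefix = "state-access/"
}
```

Once the bucket defaults to KMS, every identity that runs `terraform plan` or `apply` against this backend needs `kms:GenerateDataKey` and `kms:Decrypt` on the key in addition to the S3 permissions; a missing KMS grant surfaces as an access-denied error on state read, which is easy to misread as an S3 policy problem.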
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.bastion.aws_instance.bastion
File: /aws/modules/bastion/main.tf:21-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
21 | resource "aws_instance" "bastion" {
22 | count = var.bastion_count
23 | ami = module.get_os_image.image_id
24 | instance_type = var.instance_type
25 | key_name = aws_key_pair.key-pair.0.key_name
26 | associate_public_ip_address = true
27 | subnet_id = element(var.subnet_ids, count.index)
28 | private_ip = element(var.host_ips, count.index)
29 | vpc_security_group_ids = [var.security_group_id]
30 | availability_zone = element(var.availability_zones, count.index)
31 |
32 | root_block_device {
33 | volume_type = "gp2"
34 | volume_size = "20"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.iscsi_server.aws_instance.iscsisrv
File: /aws/modules/iscsi_server/main.tf:15-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
15 | resource "aws_instance" "iscsisrv" {
16 | count = var.iscsi_count
17 | ami = module.get_os_image.image_id
18 | instance_type = var.instance_type
19 | key_name = var.key_name
20 | associate_public_ip_address = local.bastion_enabled ? false : true
21 | subnet_id = element(var.subnet_ids, count.index)
22 | private_ip = element(var.host_ips, count.index)
23 | vpc_security_group_ids = [var.security_group_id]
24 | availability_zone = element(var.availability_zones, count.index)
25 |
26 | root_block_device {
27 | volume_type = "gp2"
28 | volume_size = "20"
29 | }
30 |
31 | ebs_block_device {
32 | volume_type = "gp2"
33 | volume_size = var.iscsi_disk_size
34 | device_name = "/dev/sdb"
35 | }
36 |
37 | volume_tags = {
38 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
39 | }
40 |
41 | tags = {
42 | Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
43 | Workspace = var.common_variables["deployment_name"]
44 | }
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.monitoring.aws_instance.monitoring
File: /aws/modules/monitoring/main.tf:13-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
13 | resource "aws_instance" "monitoring" {
14 | count = var.monitoring_enabled == true ? 1 : 0
15 | ami = module.get_os_image.image_id
16 | instance_type = var.instance_type
17 | key_name = var.key_name
18 | associate_public_ip_address = local.bastion_enabled ? false : true
19 | subnet_id = element(var.subnet_ids, 0)
20 | private_ip = var.monitoring_srv_ip
21 | vpc_security_group_ids = [var.security_group_id]
22 | availability_zone = element(var.availability_zones, 0)
23 |
24 | root_block_device {
25 | volume_type = "gp2"
26 | volume_size = "20"
27 | }
28 |
29 | ebs_block_device {
30 | volume_type = "gp2"
31 | volume_size = "10"
32 | device_name = "/dev/sdb"
33 | }
34 |
35 | volume_tags = {
36 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
37 | }
38 |
39 | tags = {
40 | Name = "${var.common_variables["deployment_name"]}-${var.name}"
41 | Workspace = var.common_variables["deployment_name"]
42 | }
43 | }
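The three CKV2_AWS_41 findings above (bastion, iSCSI server, monitoring) share one remediation pattern: create an EC2-trusted role, wrap it in an instance profile, and set `iam_instance_profile` on the instance. The example below applies it to the bastion module as an added example, not code from the project's `aws/modules/bastion/main.tf`; the instance attributes are copied from the page, while the role, the instance profile and the `metadata_options` block are additions. The same three resources, renamed, serve the other two modules.

```hcl
# Added example, not part of the project: IAM role attached to the bastion
# instance. Attribute values below the role come from the page's snippet.

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# The role deliberately starts with no permissions attached. Add a policy only
# for what the host actually needs (e.g. SSM Session Manager), so the check
# passes without handing the instance a broad set of API rights.
resource "aws_iam_role" "bastion" {
  name               = "${var.common_variables["deployment_name"]}-${var.name}"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_instance_profile" "bastion" {
  name = "${var.common_variables["deployment_name"]}-${var.name}"
  role = aws_iam_role.bastion.name
}

resource "aws_instance" "bastion" {
  count                       = var.bastion_count
  ami                         = module.get_os_image.image_id
  instance_type               = var.instance_type
  key_name                    = aws_key_pair.key-pair.0.key_name
  associate_public_ip_address = true
  subnet_id                   = element(var.subnet_ids, count.index)
  private_ip                  = element(var.host_ips, count.index)
  vpc_security_group_ids      = [var.security_group_id]
  availability_zone           = element(var.availability_zones, count.index)
  iam_instance_profile        = aws_iam_instance_profile.bastion.name

  # The role's temporary credentials are served by the instance metadata
  # service. Requiring IMDSv2 (session token via PUT first) means an SSRF or
  # open proxy on the host cannot fetch them with a plain GET, and a hop limit
  # of 1 keeps containers on the host from reaching the endpoint.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = "20"
  }

  volume_tags = {
    Name = "${var.common_variables["deployment_name"]}-${var.name}${format("%02d", count.index + 1)}"
  }

  tags = {
    Name      = "${var.common_variables["deployment_name"]}-${var.name}"
    Workspace = var.common_variables["deployment_name"]
  }
}
```

Attaching a role is only a gain if the role is narrow: an instance profile with `AdministratorAccess` satisfies the checkov rule while turning every host compromise into an account compromise. Review what the bootstrap and monitoring tooling on each node actually calls and grant exactly that.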
github_actions scan results:
Passed checks: 131, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(CI tests)
File: /.github/workflows/ci.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools