Repository | terraform-aws-modules / terraform-aws-eks |
---|---|
Description | Terraform module to create an Elastic Kubernetes (EKS) cluster and associated resources 🇺🇦 |
Stars | 3813 |
Failed Checks | Security Scanning |
Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:38:24,879 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/kms/aws:1.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,879 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,879 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/key-pair/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,879 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/kms/aws:~>1.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,879 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/ec2-instance/aws:~>4.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,880 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/security-group/aws:~>4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:38:24,880 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~>5.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 467, Failed checks: 35, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.additional
File: /examples/complete/main.tf:424-440
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
424 | resource "aws_security_group" "additional" {
425 | name_prefix = "${local.name}-additional"
426 | vpc_id = module.vpc.vpc_id
427 |
428 | ingress {
429 | from_port = 22
430 | to_port = 22
431 | protocol = "tcp"
432 | cidr_blocks = [
433 | "10.0.0.0/8",
434 | "172.16.0.0/12",
435 | "192.168.0.0/16",
436 | ]
437 | }
438 |
439 | tags = merge(local.tags, { Name = "${local.name}-additional" })
440 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.additional
File: /examples/complete/main.tf:442-457
442 | resource "aws_iam_policy" "additional" {
443 | name = "${local.name}-additional"
444 |
445 | policy = jsonencode({
446 | Version = "2012-10-17"
447 | Statement = [
448 | {
449 | Action = [
450 | "ec2:Describe*",
451 | ]
452 | Effect = "Allow"
453 | Resource = "*"
454 | },
455 | ]
456 | })
457 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.remote_access
File: /examples/eks_managed_node_group/main.tf:388-410
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
388 | resource "aws_security_group" "remote_access" {
389 | name_prefix = "${local.name}-remote-access"
390 | description = "Allow remote SSH access"
391 | vpc_id = module.vpc.vpc_id
392 |
393 | ingress {
394 | description = "SSH access"
395 | from_port = 22
396 | to_port = 22
397 | protocol = "tcp"
398 | cidr_blocks = ["10.0.0.0/8"]
399 | }
400 |
401 | egress {
402 | from_port = 0
403 | to_port = 0
404 | protocol = "-1"
405 | cidr_blocks = ["0.0.0.0/0"]
406 | ipv6_cidr_blocks = ["::/0"]
407 | }
408 |
409 | tags = merge(local.tags, { Name = "${local.name}-remote" })
410 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.node_additional
File: /examples/eks_managed_node_group/main.tf:412-430
412 | resource "aws_iam_policy" "node_additional" {
413 | name = "${local.name}-additional"
414 | description = "Example usage of node additional policy"
415 |
416 | policy = jsonencode({
417 | Version = "2012-10-17"
418 | Statement = [
419 | {
420 | Action = [
421 | "ec2:Describe*",
422 | ]
423 | Effect = "Allow"
424 | Resource = "*"
425 | },
426 | ]
427 | })
428 |
429 | tags = local.tags
430 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.additional
File: /examples/fargate_profile/main.tf:133-148
133 | resource "aws_iam_policy" "additional" {
134 | name = "${local.name}-additional"
135 |
136 | policy = jsonencode({
137 | Version = "2012-10-17"
138 | Statement = [
139 | {
140 | Action = [
141 | "ec2:Describe*",
142 | ]
143 | Effect = "Allow"
144 | Resource = "*"
145 | },
146 | ]
147 | })
148 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.additional
File: /examples/self_managed_node_group/main.tf:337-355
337 | resource "aws_iam_policy" "additional" {
338 | name = "${local.name}-additional"
339 | description = "Example usage of node additional policy"
340 |
341 | policy = jsonencode({
342 | Version = "2012-10-17"
343 | Statement = [
344 | {
345 | Action = [
346 | "ec2:Describe*",
347 | ]
348 | Effect = "Allow"
349 | Resource = "*"
350 | },
351 | ]
352 | })
353 |
354 | tags = local.tags
355 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: module.disabled_eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/complete/main.tf:370-374
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: module.disabled_eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/complete/main.tf:370-374
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.disabled_eks.aws_cloudwatch_log_group.this[0]
File: /main.tf:106-117
Calling File: /examples/complete/main.tf:370-374
106 | resource "aws_cloudwatch_log_group" "this" {
107 | count = local.create && var.create_cloudwatch_log_group ? 1 : 0
108 |
109 | name = "/aws/eks/${var.cluster_name}/cluster"
110 | retention_in_days = var.cloudwatch_log_group_retention_in_days
111 | kms_key_id = var.cloudwatch_log_group_kms_key_id
112 |
113 | tags = merge(
114 | var.tags,
115 | { Name = "/aws/eks/${var.cluster_name}/cluster" }
116 | )
117 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: module.eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/self_managed_node_group/main.tf:39-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: module.eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/self_managed_node_group/main.tf:39-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: module.eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/self_managed_node_group/main.tf:39-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: module.eks.aws_eks_cluster.this[0]
File: /main.tf:25-91
Calling File: /examples/self_managed_node_group/main.tf:39-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.eks.aws_cloudwatch_log_group.this[0]
File: /main.tf:106-117
Calling File: /examples/self_managed_node_group/main.tf:39-251
106 | resource "aws_cloudwatch_log_group" "this" {
107 | count = local.create && var.create_cloudwatch_log_group ? 1 : 0
108 |
109 | name = "/aws/eks/${var.cluster_name}/cluster"
110 | retention_in_days = var.cloudwatch_log_group_retention_in_days
111 | kms_key_id = var.cloudwatch_log_group_kms_key_id
112 |
113 | tags = merge(
114 | var.tags,
115 | { Name = "/aws/eks/${var.cluster_name}/cluster" }
116 | )
117 | }
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.disabled_eks_managed_node_group.aws_launch_template.this[0]
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /examples/complete/main.tf:382-386
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.eks_managed_node_group.aws_launch_template.this[0]
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /examples/complete/main.tf:302-330
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.disabled_eks.module.eks_managed_node_group.aws_launch_template.this
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /node_groups.tf:270-374
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.disabled_eks.module.eks_managed_node_group.aws_launch_template.this
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /node_groups.tf:270-374
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.eks.module.eks_managed_node_group.aws_launch_template.this
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /node_groups.tf:270-374
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.eks.module.eks_managed_node_group.aws_launch_template.this
File: /modules/eks-managed-node-group/main.tf:36-296
Calling File: /node_groups.tf:270-374
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.karpenter.aws_iam_policy_document.irsa
File: /modules/karpenter/main.tf:70-163
Calling File: /examples/karpenter/main.tf:157-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.karpenter.aws_iam_policy_document.irsa
File: /modules/karpenter/main.tf:70-163
Calling File: /examples/karpenter/main.tf:157-168
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.disabled_self_managed_node_group.aws_launch_template.this[0]
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /examples/complete/main.tf:388-392
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.self_managed_node_group.aws_launch_template.this[0]
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /examples/complete/main.tf:332-350
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.disabled_eks.module.self_managed_node_group.aws_launch_template.this
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /node_groups.tf:380-507
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.disabled_eks.module.self_managed_node_group.aws_launch_template.this
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /node_groups.tf:380-507
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.eks.module.self_managed_node_group.aws_launch_template.this
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /node_groups.tf:380-507
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.eks.module.self_managed_node_group.aws_launch_template.this
File: /modules/self-managed-node-group/main.tf:47-400
Calling File: /node_groups.tf:380-507
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.eks.aws_iam_policy_document.cni_ipv6_policy
File: /node_groups.tf:47-67
Calling File: /examples/self_managed_node_group/main.tf:39-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
47 | data "aws_iam_policy_document" "cni_ipv6_policy" {
48 | count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
49 |
50 | statement {
51 | sid = "AssignDescribe"
52 | actions = [
53 | "ec2:AssignIpv6Addresses",
54 | "ec2:DescribeInstances",
55 | "ec2:DescribeTags",
56 | "ec2:DescribeNetworkInterfaces",
57 | "ec2:DescribeInstanceTypes"
58 | ]
59 | resources = ["*"]
60 | }
61 |
62 | statement {
63 | sid = "CreateTags"
64 | actions = ["ec2:CreateTags"]
65 | resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:network-interface/*"]
66 | }
67 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.eks.aws_iam_policy_document.cni_ipv6_policy
File: /node_groups.tf:47-67
Calling File: /examples/self_managed_node_group/main.tf:39-251
47 | data "aws_iam_policy_document" "cni_ipv6_policy" {
48 | count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
49 |
50 | statement {
51 | sid = "AssignDescribe"
52 | actions = [
53 | "ec2:AssignIpv6Addresses",
54 | "ec2:DescribeInstances",
55 | "ec2:DescribeTags",
56 | "ec2:DescribeNetworkInterfaces",
57 | "ec2:DescribeInstanceTypes"
58 | ]
59 | resources = ["*"]
60 | }
61 |
62 | statement {
63 | sid = "CreateTags"
64 | actions = ["ec2:CreateTags"]
65 | resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:network-interface/*"]
66 | }
67 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.remote_access
File: /examples/eks_managed_node_group/main.tf:388-410
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
388 | resource "aws_security_group" "remote_access" {
389 | name_prefix = "${local.name}-remote-access"
390 | description = "Allow remote SSH access"
391 | vpc_id = module.vpc.vpc_id
392 |
393 | ingress {
394 | description = "SSH access"
395 | from_port = 22
396 | to_port = 22
397 | protocol = "tcp"
398 | cidr_blocks = ["10.0.0.0/8"]
399 | }
400 |
401 | egress {
402 | from_port = 0
403 | to_port = 0
404 | protocol = "-1"
405 | cidr_blocks = ["0.0.0.0/0"]
406 | ipv6_cidr_blocks = ["::/0"]
407 | }
408 |
409 | tags = merge(local.tags, { Name = "${local.name}-remote" })
410 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.disabled_eks.aws_security_group.cluster[0]
File: /main.tf:177-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
177 | resource "aws_security_group" "cluster" {
178 | count = local.create_cluster_sg ? 1 : 0
179 |
180 | name = var.cluster_security_group_use_name_prefix ? null : local.cluster_sg_name
181 | name_prefix = var.cluster_security_group_use_name_prefix ? "${local.cluster_sg_name}${var.prefix_separator}" : null
182 | description = var.cluster_security_group_description
183 | vpc_id = var.vpc_id
184 |
185 | tags = merge(
186 | var.tags,
187 | { "Name" = local.cluster_sg_name },
188 | var.cluster_security_group_tags
189 | )
190 |
191 | lifecycle {
192 | create_before_destroy = true
193 | }
194 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.eks.aws_security_group.cluster[0]
File: /main.tf:177-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
177 | resource "aws_security_group" "cluster" {
178 | count = local.create_cluster_sg ? 1 : 0
179 |
180 | name = var.cluster_security_group_use_name_prefix ? null : local.cluster_sg_name
181 | name_prefix = var.cluster_security_group_use_name_prefix ? "${local.cluster_sg_name}${var.prefix_separator}" : null
182 | description = var.cluster_security_group_description
183 | vpc_id = var.vpc_id
184 |
185 | tags = merge(
186 | var.tags,
187 | { "Name" = local.cluster_sg_name },
188 | var.cluster_security_group_tags
189 | )
190 |
191 | lifecycle {
192 | create_before_destroy = true
193 | }
194 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.disabled_eks.aws_security_group.node[0]
File: /node_groups.tf:185-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
185 | resource "aws_security_group" "node" {
186 | count = local.create_node_sg ? 1 : 0
187 |
188 | name = var.node_security_group_use_name_prefix ? null : local.node_sg_name
189 | name_prefix = var.node_security_group_use_name_prefix ? "${local.node_sg_name}${var.prefix_separator}" : null
190 | description = var.node_security_group_description
191 | vpc_id = var.vpc_id
192 |
193 | tags = merge(
194 | var.tags,
195 | {
196 | "Name" = local.node_sg_name
197 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
198 | },
199 | var.node_security_group_tags
200 | )
201 |
202 | lifecycle {
203 | create_before_destroy = true
204 | }
205 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.eks.aws_security_group.node[0]
File: /node_groups.tf:185-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
185 | resource "aws_security_group" "node" {
186 | count = local.create_node_sg ? 1 : 0
187 |
188 | name = var.node_security_group_use_name_prefix ? null : local.node_sg_name
189 | name_prefix = var.node_security_group_use_name_prefix ? "${local.node_sg_name}${var.prefix_separator}" : null
190 | description = var.node_security_group_description
191 | vpc_id = var.vpc_id
192 |
193 | tags = merge(
194 | var.tags,
195 | {
196 | "Name" = local.node_sg_name
197 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
198 | },
199 | var.node_security_group_tags
200 | )
201 |
202 | lifecycle {
203 | create_before_destroy = true
204 | }
205 | }
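The terraform findings above reduce to a handful of module inputs plus two fixes in the example resources. The following is an added example of a consumer configuration that clears them; it is not code from terraform-aws-eks or its examples. It assumes the 19.x input names of the module, a VPC module at `module.vpc`, and `local.name` / `local.tags` locals as in the module's examples.

```hcl
# Added example, not code from terraform-aws-eks or its examples. Assumes
# terraform-aws-eks 19.x input names, a VPC module at module.vpc, and locals
# local.name / local.tags as in the module's examples. Re-check locally with
# the flag the warnings above ask for, so registry modules are scanned too:
#   checkov -d . --framework terraform --download-external-modules true

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  cluster_name = local.name
  vpc_id       = module.vpc.vpc_id
  subnet_ids   = module.vpc.private_subnets

  # CKV_AWS_39 / CKV_AWS_38: keep the API server private. If a public endpoint
  # is unavoidable, enable it and pin cluster_endpoint_public_access_cidrs to
  # known ranges instead of the default 0.0.0.0/0.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # CKV_AWS_37: ship all five control plane log types to CloudWatch.
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # CKV_AWS_338: keep those logs for at least a year (module default is 90 days).
  cloudwatch_log_group_retention_in_days = 365

  # CKV_AWS_58: envelope-encrypt Kubernetes secrets with a module-managed KMS key.
  create_kms_key = true
  cluster_encryption_config = {
    resources = ["secrets"]
  }

  # CKV_AWS_79 / CKV_AWS_341: IMDSv2 only, and a hop limit of 1 so pods on the
  # pod network cannot reach the node's instance-profile credentials.
  # Workloads then need IRSA (or EKS Pod Identity) for AWS access.
  eks_managed_node_group_defaults = {
    metadata_options = {
      http_endpoint               = "enabled"
      http_tokens                 = "required"
      http_put_response_hop_limit = 1
    }
  }

  eks_managed_node_groups = {
    default = {
      instance_types = ["m6i.large"]
      min_size       = 1
      max_size       = 3
      desired_size   = 2

      # CKV2_AWS_5: attach the example security group to the node launch
      # template instead of leaving it dangling.
      vpc_security_group_ids = [aws_security_group.remote_access.id]
    }
  }

  tags = local.tags
}

# CKV_AWS_23: every ingress and egress rule carries a description.
resource "aws_security_group" "remote_access" {
  name_prefix = "${local.name}-remote-access"
  description = "Allow remote SSH access"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH from the private 10/8 range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  egress {
    description      = "All outbound traffic"
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = merge(local.tags, { Name = "${local.name}-remote" })
}

# CKV_AWS_355: EC2 Describe actions do not support resource-level permissions,
# so "*" is the only valid Resource. Record that as an inline, per-resource
# suppression rather than disabling the check repository-wide.
resource "aws_iam_policy" "additional" {
  #checkov:skip=CKV_AWS_355:EC2 Describe actions cannot be resource-scoped
  name = "${local.name}-additional"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action   = ["ec2:Describe*"]
      Effect   = "Allow"
      Resource = "*"
    }]
  })

  tags = local.tags
}
```

The hop limit of 1 is the one change here with an operational cost: anything still reading credentials from the node role through IMDS (pods without IRSA, older SDKs) stops working, which is the point of the control, so migrate those workloads first. The module-owned `cluster` and `node` security groups flagged under CKV2_AWS_5 are attached by the module itself, to the cluster's `vpc_config` and to the node launch templates, and need no change on the consumer side.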
github_actions scan results:
Passed checks: 99, Failed checks: 5, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Release)
File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Lock Threads)
File: /.github/workflows/lock.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Pre-Commit)
File: /.github/workflows/pre-commit.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Validate PR title)
File: /.github/workflows/pr-title.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Mark or close stale issues and PRs)
File: /.github/workflows/stale-actions.yaml:0-1