PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License

chore: Pre-Commit dependencies update #26

Closed github-actions[bot] closed 3 months ago

github-actions[bot] commented 3 months ago

Pre-Commit Dependencies updates required

There are pre-commit dependencies waiting to be updated. Please see the Files changed tab for details.

Please check results of pre-commit test run with these updates in comments below.

Generated automatically with GitHub Actions

github-actions[bot] commented 3 months ago

:+1: :rocket: :smile: The Pre Commit test run succeeded. See results here.

sebastianczech commented 3 months ago

/sca

Testing job ID: 8518424432 Job result: SUCCESS

sebastianczech commented 3 months ago

All Checkov issues connected with autoscaling:

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: module.vm_series_asg.aws_iam_role_policy.lambda_iam_policy_default
    File: /modules/asg/main.tf:198-249
    Calling File: /examples/isolated_design_autoscale/main.tf:214-252
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: module.vm_series_asg.aws_iam_role_policy.lambda_iam_policy_default
    File: /modules/asg/main.tf:198-249
    Calling File: /examples/isolated_design_autoscale/main.tf:214-252
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    FAILED for resource: module.vm_series_asg.aws_iam_role_policy.lambda_iam_policy_default
    File: /modules/asg/main.tf:198-249
    Calling File: /examples/isolated_design_autoscale/main.tf:214-252
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
    FAILED for resource: module.vm_series_asg.aws_lambda_permission.this
    File: /modules/asg/main.tf:328-333
    Calling File: /examples/isolated_design_autoscale/main.tf:214-252
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

Probably can be fixed in #24?

Regarding issues in panorama module:

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    FAILED for resource: module.panorama.aws_instance.this
    File: /modules/panorama/main.tf:31-60
    Calling File: /examples/panorama_standalone/main.tf:150-173
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
    FAILED for resource: module.panorama.aws_ebs_volume.this
    File: /modules/panorama/main.tf:72-81
    Calling File: /examples/panorama_standalone/main.tf:150-173
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume
Check: CKV2_AWS_2: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
    FAILED for resource: module.panorama.aws_ebs_volume.this
    File: /modules/panorama/main.tf:72-81
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances

Currently we have variable ebs_encrypted, which is used while creating resource aws_ebs_volume, but technically it's possible to set false for ebs_encrypted - do we want to always set it to true and remove that variable?

Regarding issues for bootstrap module:

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    FAILED for resource: module.bootstrap.aws_s3_bucket.this[0]
    File: /modules/bootstrap/main.tf:19-25
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    FAILED for resource: module.bootstrap.aws_s3_bucket.this[0]
    File: /modules/bootstrap/main.tf:19-25
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    FAILED for resource: module.bootstrap.aws_s3_bucket.this[0]
    File: /modules/bootstrap/main.tf:19-25
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

We have encryption, versioning and blocked public access always enabled, if we create the bucket. I propose to set all 3 Checkov warnings to list of skipped. Do you agree?
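The four autoscaling findings above (CKV_AWS_289, CKV_AWS_290, CKV_AWS_355 on the Lambda IAM policy, and CKV_AWS_364 on the Lambda permission) are the usual shape of an unconstrained grant: write actions against `Resource = "*"` and an invoke permission with no `source_arn`/`source_account`. The block below is an added example of the scoped form, not code from the swfw-modules repository; the variables, the EventBridge principal, the EC2 action list and the resource names are hypothetical and stand in for whatever the real module's Lambda actually needs.

```hcl
# Added example (not the swfw-modules code). Variable names, the EventBridge
# principal and the EC2 actions are hypothetical placeholders.

variable "function_name" {
  description = "Name of the Lambda function invoked by the scaling event rule (hypothetical)"
  type        = string
}

variable "event_rule_arn" {
  description = "ARN of the single EventBridge rule allowed to invoke the function (hypothetical)"
  type        = string
}

variable "lambda_role_name" {
  description = "Name of the Lambda execution role the policy is attached to (hypothetical)"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# CKV_AWS_364: without source_arn/source_account, any rule in any account that
# acts as events.amazonaws.com may invoke the function. Pinning both restricts
# the grant to one rule in this account.
resource "aws_lambda_permission" "scoped" {
  statement_id   = "AllowInvokeFromScalingRule"
  action         = "lambda:InvokeFunction"
  function_name  = var.function_name
  principal      = "events.amazonaws.com"
  source_arn     = var.event_rule_arn
  source_account = data.aws_caller_identity.current.account_id
}

# CKV_AWS_289/290/355: Describe* calls do not support resource-level
# permissions, so "*" is legitimate there and is kept in its own statement.
# Write actions are pinned to resource ARNs in this account and region.
data "aws_iam_policy_document" "lambda" {
  statement {
    sid       = "DescribeOnly"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"]
    resources = ["*"]
  }

  statement {
    sid = "ManageInterfacesInThisAccount"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:AttachNetworkInterface",
    ]
    resources = [
      for kind in ["network-interface", "instance", "subnet", "security-group"] :
      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${kind}/*"
    ]
  }
}

resource "aws_iam_role_policy" "lambda" {
  name   = "scaling-lambda-scoped"
  role   = var.lambda_role_name
  policy = data.aws_iam_policy_document.lambda.json
}
```

Splitting read-only `Describe*` actions into their own `"*"` statement is what lets Checkov's write/permissions-management checks pass without breaking calls that have no resource-level support; the write statement is the one that must name account- and region-qualified ARNs.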
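For the panorama and bootstrap findings, the two options discussed in the comment are hard-coding EBS encryption (dropping the `ebs_encrypted` variable) and recording inline Checkov skips for a bucket whose versioning, public-access block and encryption are declared in separate resources. The block below is an added example of both, not the panorama or bootstrap module code; resource and variable names are hypothetical, and the skip comments use Checkov's `#checkov:skip=<CHECK_ID>:<reason>` syntax placed inside the resource block.

```hcl
# Added example (not the panorama/bootstrap module code). Names are hypothetical.

variable "availability_zone" { type = string }
variable "ami_id"            { type = string }
variable "bucket_name"       { type = string }
variable "kms_key_arn" {
  description = "Customer-managed KMS key used for the volume, the root device and the bucket (hypothetical)"
  type        = string
}

# CKV_AWS_3 / CKV2_AWS_2: encrypted is a literal true, so there is no variable
# through which a caller could create an unencrypted volume.
resource "aws_ebs_volume" "panorama_data" {
  availability_zone = var.availability_zone
  size              = 2000
  type              = "gp3"
  encrypted         = true
  kms_key_id        = var.kms_key_arn
}

# CKV_AWS_8 inspects the instance's own root device, not the attached volume.
resource "aws_instance" "panorama" {
  ami           = var.ami_id
  instance_type = "m5.2xlarge"

  root_block_device {
    encrypted  = true
    kms_key_id = var.kms_key_arn
  }
}

resource "aws_s3_bucket" "bootstrap" {
  # The hardening lives in the three resources below. Each skip names the
  # resource that satisfies the check so a reviewer can verify the reason.
  #checkov:skip=CKV_AWS_145:SSE-KMS is configured in aws_s3_bucket_server_side_encryption_configuration.bootstrap
  #checkov:skip=CKV2_AWS_6:Public access block is configured in aws_s3_bucket_public_access_block.bootstrap
  #checkov:skip=CKV_AWS_21:Versioning is configured in aws_s3_bucket_versioning.bootstrap
  bucket = var.bucket_name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "bootstrap" {
  bucket = aws_s3_bucket.bootstrap.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms" # CKV_AWS_145 requires KMS; AES256 (SSE-S3) does not satisfy it
      kms_master_key_id = var.kms_key_arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "bootstrap" {
  bucket                  = aws_s3_bucket.bootstrap.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "bootstrap" {
  bucket = aws_s3_bucket.bootstrap.id

  versioning_configuration {
    status = "Enabled"
  }
}
```

One caveat before skipping CKV_AWS_145: that check is specifically about KMS, so a bucket whose default encryption is SSE-S3 (`AES256`) fails it on the merits rather than because of the split-resource layout. A skip is only accurate there if the `aws:kms` rule above is what the module actually deploys; otherwise the skip reason should state that SSE-S3 was a deliberate choice.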