Fix Checkov errors in document-processing-workflows #748

Open
holtskinner opened this issue Feb 15, 2024 · 0 comments
@holtskinner (Collaborator)
Blocking #747

document-processing-workflows

2024-02-15T12:38:48.9347428Z 2024-02-15 12:38:48 [ERROR]   Errors found in CHECKOV
2024-02-15T12:38:48.9448561Z 2024-02-15 12:38:48 [ERROR]   Command output for CHECKOV:
2024-02-15T12:38:48.9449968Z ------
2024-02-15T12:38:48.9450551Z terraform scan results:
2024-02-15T12:38:48.9450952Z 
2024-02-15T12:38:48.9451458Z Passed checks: 46, Failed checks: 19, Skipped checks: 0
2024-02-15T12:38:48.9452296Z 
2024-02-15T12:38:48.9453100Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9454449Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9455995Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9458344Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9462527Z 
2024-02-15T12:38:48.9462884Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9464258Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9465286Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9466289Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9467100Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9468246Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9470343Z 		144 | }
2024-02-15T12:38:48.9470921Z 
2024-02-15T12:38:48.9471271Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9472520Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9474575Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9476805Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9478159Z 
2024-02-15T12:38:48.9478750Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9479717Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9480650Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9481379Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9482069Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9482990Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9483779Z 		144 | }
2024-02-15T12:38:48.9484037Z 
2024-02-15T12:38:48.9484409Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9485403Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9486370Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9488773Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9490388Z 
2024-02-15T12:38:48.9490765Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9491737Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9492549Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9493313Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9494054Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9494899Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9495872Z 		144 | }
2024-02-15T12:38:48.9496229Z 
2024-02-15T12:38:48.9496779Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9497880Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9498860Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9500708Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9502041Z 
2024-02-15T12:38:48.9502329Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9503403Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9504180Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9504906Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9505721Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9506527Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9507314Z 		152 | }
2024-02-15T12:38:48.9507578Z 
2024-02-15T12:38:48.9507955Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9508700Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9509637Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9511575Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9512941Z 
2024-02-15T12:38:48.9513271Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9514187Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9515095Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9515823Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9516513Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9517434Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9518221Z 		152 | }
2024-02-15T12:38:48.9518695Z 
2024-02-15T12:38:48.9519071Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9520079Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9521041Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9523272Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9525023Z 
2024-02-15T12:38:48.9525314Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9526283Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9527513Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9528316Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9529057Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9529949Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9530805Z 		152 | }
2024-02-15T12:38:48.9531080Z 
2024-02-15T12:38:48.9531628Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9532747Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9533771Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9535592Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9538093Z 
2024-02-15T12:38:48.9538548Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9539550Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9540397Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9541277Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9542023Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9543215Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9598501Z 		160 | }
2024-02-15T12:38:48.9598827Z 
2024-02-15T12:38:48.9599292Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9599990Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9600998Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9602611Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9603600Z 
2024-02-15T12:38:48.9603800Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9604451Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9605078Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9605682Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9606132Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9606751Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9607524Z 		160 | }
2024-02-15T12:38:48.9607705Z 
2024-02-15T12:38:48.9608010Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9608691Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9609337Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9610589Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9611596Z 
2024-02-15T12:38:48.9611800Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9612437Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9613033Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9613483Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9613962Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9614785Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9615256Z 		160 | }
2024-02-15T12:38:48.9615471Z 
2024-02-15T12:38:48.9615869Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9616615Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9617359Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9618468Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9619216Z 
2024-02-15T12:38:48.9619505Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9620063Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9620765Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9621393Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9621892Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9622319Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9622810Z 		168 | 
2024-02-15T12:38:48.9623127Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9623600Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9624157Z 		171 |     content {
2024-02-15T12:38:48.9624581Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9625120Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9625713Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9626132Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9626491Z 		176 |     }
2024-02-15T12:38:48.9626885Z 		177 |   }
2024-02-15T12:38:48.9627195Z 		178 | 
2024-02-15T12:38:48.9627540Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9628085Z 		180 | 
2024-02-15T12:38:48.9628673Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9629268Z 		182 |   autoclass {
2024-02-15T12:38:48.9629701Z 		183 |     enabled = true
2024-02-15T12:38:48.9630060Z 		184 |   }
2024-02-15T12:38:48.9630340Z 		185 | }
2024-02-15T12:38:48.9630529Z 
2024-02-15T12:38:48.9630774Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9631286Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9631873Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9633034Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9633889Z 
2024-02-15T12:38:48.9634115Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9634683Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9635447Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9636080Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9636566Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9637052Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9637486Z 		168 | 
2024-02-15T12:38:48.9637798Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9638272Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9638811Z 		171 |     content {
2024-02-15T12:38:48.9639225Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9639817Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9640349Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9640768Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9641185Z 		176 |     }
2024-02-15T12:38:48.9641572Z 		177 |   }
2024-02-15T12:38:48.9641871Z 		178 | 
2024-02-15T12:38:48.9642272Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9642895Z 		180 | 
2024-02-15T12:38:48.9643438Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9644105Z 		182 |   autoclass {
2024-02-15T12:38:48.9644460Z 		183 |     enabled = true
2024-02-15T12:38:48.9644813Z 		184 |   }
2024-02-15T12:38:48.9645153Z 		185 | }
2024-02-15T12:38:48.9645341Z 
2024-02-15T12:38:48.9645697Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9646304Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9647002Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9648956Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9649868Z 
2024-02-15T12:38:48.9650112Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9650741Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9651459Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9652041Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9652568Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9652994Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9653435Z 		168 | 
2024-02-15T12:38:48.9653811Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9654223Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9654715Z 		171 |     content {
2024-02-15T12:38:48.9655238Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9655783Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9656297Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9656772Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9657147Z 		176 |     }
2024-02-15T12:38:48.9657456Z 		177 |   }
2024-02-15T12:38:48.9657822Z 		178 | 
2024-02-15T12:38:48.9658181Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9658635Z 		180 | 
2024-02-15T12:38:48.9659220Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9659823Z 		182 |   autoclass {
2024-02-15T12:38:48.9660172Z 		183 |     enabled = true
2024-02-15T12:38:48.9660651Z 		184 |   }
2024-02-15T12:38:48.9660918Z 		185 | }
2024-02-15T12:38:48.9661105Z 
2024-02-15T12:38:48.9661444Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9662197Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9662758Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9663930Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9664682Z 
2024-02-15T12:38:48.9664984Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9665552Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9666074Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9666621Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9667044Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9667680Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9668259Z 		193 | 
2024-02-15T12:38:48.9668838Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9669419Z 		195 |   autoclass {
2024-02-15T12:38:48.9669852Z 		196 |     enabled = true
2024-02-15T12:38:48.9670207Z 		197 |   }
2024-02-15T12:38:48.9670489Z 		198 | }
2024-02-15T12:38:48.9670737Z 
2024-02-15T12:38:48.9670906Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9671404Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9671977Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9673342Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9674109Z 
2024-02-15T12:38:48.9674343Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9675154Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9675762Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9676251Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9676676Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9677282Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9677800Z 		193 | 
2024-02-15T12:38:48.9678285Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9678967Z 		195 |   autoclass {
2024-02-15T12:38:48.9679335Z 		196 |     enabled = true
2024-02-15T12:38:48.9679657Z 		197 |   }
2024-02-15T12:38:48.9680029Z 		198 | }
2024-02-15T12:38:48.9680185Z 
2024-02-15T12:38:48.9680520Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9681098Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9681731Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9682971Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9683861Z 
2024-02-15T12:38:48.9684076Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9684707Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9685226Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9685696Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9686210Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9686747Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9687464Z 		193 | 
2024-02-15T12:38:48.9688039Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9688725Z 		195 |   autoclass {
2024-02-15T12:38:48.9689094Z 		196 |     enabled = true
2024-02-15T12:38:48.9689476Z 		197 |   }
2024-02-15T12:38:48.9689779Z 		198 | }
2024-02-15T12:38:48.9689932Z 
2024-02-15T12:38:48.9690323Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9691072Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9691653Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9692753Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9693564Z 
2024-02-15T12:38:48.9693792Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9694364Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9694906Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9695497Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9695919Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9696476Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9697035Z 		206 | }
2024-02-15T12:38:48.9697191Z 
2024-02-15T12:38:48.9697375Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9697923Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9698575Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9699678Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9700432Z 
2024-02-15T12:38:48.9700618Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9701482Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9702005Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9702440Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9703046Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9703961Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9704447Z 		206 | }
2024-02-15T12:38:48.9704720Z 
2024-02-15T12:38:48.9704969Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9705553Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9706112Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9707496Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9708421Z 
2024-02-15T12:38:48.9708617Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9709285Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9709781Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9710256Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9710865Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9711365Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9711879Z 		206 | }
2024-02-15T12:38:48.9712035Z 
2024-02-15T12:38:48.9712524Z Check: CKV2_GCP_22: "Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK)"
2024-02-15T12:38:48.9713260Z 	FAILED for resource: google_document_ai_processor.processor
2024-02-15T12:38:48.9713912Z 	File: /document-processing-workflows/main.tf:210-216
2024-02-15T12:38:48.9714331Z 
2024-02-15T12:38:48.9714554Z 		210 | resource "google_document_ai_processor" "processor" {
2024-02-15T12:38:48.9715074Z 		211 |   for_each     = var.processors
2024-02-15T12:38:48.9715503Z 		212 |   location     = each.value.location
2024-02-15T12:38:48.9716044Z 		213 |   display_name = each.value.display_name
2024-02-15T12:38:48.9716514Z 		214 |   type         = each.value.type
2024-02-15T12:38:48.9716991Z 		215 |   depends_on   = [google_project_service.documentai]
2024-02-15T12:38:48.9717585Z 		216 | }
@holtskinner holtskinner changed the title Fix Checkov errors Fix Checkov errors in document-processing-workflows Feb 15, 2024