• Check1

  [GCP003][WARNING] Resource 'module.google_cloud:module.gcp_firewall:google_compute_firewall.allow_web' defines a fully open inbound firewall rule.
  /home/gruber/projects/tf-free/modules/gcp/firewall/main.tf:11

   8 |     ports    = ["80", "443"]
   9 |   }
  10 | 
  11 |   source_ranges = ["0.0.0.0/0"]
  12 |   target_tags   = ["web"]
  13 | }
  14 | 
  

  Impact: The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/google/GCP003/ for more information.

• Check2

  [AWS012][ERROR] Resource 'module.aws:module.ec2:aws_instance.ec2' has a public IP address associated.
  /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:47

  44 | 
  45 |   subnet_id                   = var.public_subnet_id
  46 |   vpc_security_group_ids      = [aws_security_group.security_group.id]
  47 |   associate_public_ip_address = true
  48 |   user_data                   = var.seed_data
  49 |   metadata_options {
  50 |     http_tokens = var.imds-enable
  

  Impact: The instance or configuration is publically accessible
  Resolution: Set the instance to not be publically accessible

  See https://tfsec.dev/docs/aws/AWS012/ for more information.

• Check3

  [GEN001][WARNING] Variable 'module.aws:module.rds:variable.db_password' includes a potentially sensitive default value.
  /home/gruber/projects/tf-free/modules/aws/rds/variables.tf:45

  42 | variable "db_password" {
  43 |   description = "Region for AWS resources"
  44 |   sensitive   = true
  45 |   default     = "forALEKkjkfeajme"
  46 |   type        = string
  47 | }
  48 | 
  

  Impact: Default values could be exposing sensitive data
  Resolution: Don't include sensitive data in variable defaults

  See https://tfsec.dev/docs/general/GEN001/ for more information.

• Check4

  [AZU017][ERROR] Resource 'module.google_cloud:module.gcp_vpc:azurerm_network_security_group.ssh' has a .
  /home/gruber/projects/tf-free/modules/azure/vpc/main.tf:13-29

  10 |   }
  11 | }
  12 | 
  13 | resource "azurerm_network_security_group" "ssh" {
  14 |   name                = "ssh"
  15 |   resource_group_name = var.resource_group_name
  16 |   location            = var.location
  17 |   security_rule {
  18 |     name                       = "test123"
  19 |     priority                   = 100
  20 |     direction                  = "Inbound"
  21 |     access                     = "Allow"
  22 |     protocol                   = "Tcp"
  23 |     source_port_range          = "*"
  24 |     destination_port_range     = "22"
  25 |     source_address_prefix      = "*"
  26 |     destination_address_prefix = "*"
  27 |   }
  28 | 
  29 | }
  30 | 
  31 | resource "azurerm_route_table" "example" {
  32 |   name                = "MyRouteTable"
  

  Impact: Its dangerous to allow SSH access from the internet
  Resolution: Block port 22 access from the internet

  See https://tfsec.dev/docs/azure/AZU017/ for more information.

• Check5

  [GCP003][WARNING] Resource 'module.google_cloud:module.gcp_firewall:google_compute_firewall.allow_ssh' defines a fully open inbound firewall rule.
  /home/gruber/projects/tf-free/modules/gcp/firewall/main.tf:24

  21 |     ports    = ["22"]
  22 |   }
  23 | 
  24 |   source_ranges = ["0.0.0.0/0"]
  25 |   target_tags   = ["ssh"]
  26 | }
  27 | 
  

  Impact: The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/google/GCP003/ for more information.

• Check6

  [AZU017][ERROR] Resource 'module.aws:module.vpc:azurerm_network_security_group.ssh' has a .
  /home/gruber/projects/tf-free/modules/azure/vpc/main.tf:13-29

  10 |   }
  11 | }
  12 | 
  13 | resource "azurerm_network_security_group" "ssh" {
  14 |   name                = "ssh"
  15 |   resource_group_name = var.resource_group_name
  16 |   location            = var.location
  17 |   security_rule {
  18 |     name                       = "test123"
  19 |     priority                   = 100
  20 |     direction                  = "Inbound"
  21 |     access                     = "Allow"
  22 |     protocol                   = "Tcp"
  23 |     source_port_range          = "*"
  24 |     destination_port_range     = "22"
  25 |     source_address_prefix      = "*"
  26 |     destination_address_prefix = "*"
  27 |   }
  28 | 
  29 | }
  30 | 
  31 | resource "azurerm_route_table" "example" {
  32 |   name                = "MyRouteTable"
  

  Impact: Its dangerous to allow SSH access from the internet
  Resolution: Block port 22 access from the internet

  See https://tfsec.dev/docs/azure/AZU017/ for more information.

• Check7

  [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group.
  /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:11

   8 |     from_port   = 22
   9 |     to_port     = 22
  10 |     protocol    = "tcp"
  11 |     cidr_blocks = ["0.0.0.0/0"]
  12 |   }
  13 | 
  14 |   ingress {
  

  Impact: The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/aws/AWS008/ for more information.

• Check8

  [AWS009][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open egress security group.
  /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:32

  29 |     from_port   = 0
  30 |     to_port     = 0
  31 |     protocol    = "-1"
  32 |     cidr_blocks = ["0.0.0.0/0"]
  33 |   }
  34 | 
  35 |   tags = {
  

  Impact: The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/aws/AWS009/ for more information.

• Check9

  [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group.
  /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:18

  15 |     from_port   = 80
  16 |     to_port     = 80
  17 |     protocol    = "tcp"
  18 |     cidr_blocks = ["0.0.0.0/0"]
  19 |   }
  20 | 
  21 |   ingress {
  

  Impact: The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/aws/AWS008/ for more information.

• Check10

  [AWS008][WARNING] Resource 'module.aws:module.ec2:aws_security_group.security_group' defines a fully open ingress security group.
  /home/gruber/projects/tf-free/modules/aws/ec2/main.tf:25

  22 |     from_port   = 443
  23 |     to_port     = 443
  24 |     protocol    = "tcp"
  25 |     cidr_blocks = ["0.0.0.0/0"]
  26 |   }
  27 | 
  28 |   egress {
  

  Impact: The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  See https://tfsec.dev/docs/aws/AWS008/ for more information.

• Check11

  [GEN001][WARNING] Variable 'module.aws:variable.rds_password' includes a potentially sensitive default value.
  /home/gruber/projects/tf-free/modules/aws/variables.tf:49

  46 |   description = "Region for the RDS database"
  47 |   type        = string
  48 |   sensitive   = true
  49 |   default     = "testingdatabase89372934279"
  50 | }
  51 | 
  

  Impact: Default values could be exposing sensitive data
  Resolution: Don't include sensitive data in variable defaults

  See https://tfsec.dev/docs/general/GEN001/ for more information.

  times

  disk i/o 42.8751ms
  parsing HCL 301.9µs
  evaluating values 72.4109ms
  running checks 17.7196ms

  counts

  files loaded 63
  blocks 30
  evaluated blocks 602
  modules 18
  module blocks 572
  ignored checks 0

11 potential problems detected.