
Fix Checkov errors in document-processing-workflows #748

@holtskinner

Description

@holtskinner

Blocking #747

document-processing-workflows — Checkov reports 19 failed checks in this directory: CKV_GCP_114 (public access prevention), CKV_GCP_62 (access logging) and CKV_GCP_78 (versioning) on each of the six `google_storage_bucket` resources (`source`, `uploads`, `processing`, `results`, `failed`, `datasets`), plus CKV2_GCP_22 (customer-managed encryption key) on `google_document_ai_processor.processor`. Full scanner output follows.

2024-02-15T12:38:48.9347428Z 2024-02-15 12:38:48 [ERROR]   Errors found in CHECKOV
2024-02-15T12:38:48.9448561Z 2024-02-15 12:38:48 [ERROR]   Command output for CHECKOV:
2024-02-15T12:38:48.9449968Z ------
2024-02-15T12:38:48.9450551Z terraform scan results:
2024-02-15T12:38:48.9450952Z 
2024-02-15T12:38:48.9451458Z Passed checks: 46, Failed checks: 19, Skipped checks: 0
2024-02-15T12:38:48.9452296Z 
2024-02-15T12:38:48.9453100Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9454449Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9455995Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9458344Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9462527Z 
2024-02-15T12:38:48.9462884Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9464258Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9465286Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9466289Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9467100Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9468246Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9470343Z 		144 | }
2024-02-15T12:38:48.9470921Z 
2024-02-15T12:38:48.9471271Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9472520Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9474575Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9476805Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9478159Z 
2024-02-15T12:38:48.9478750Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9479717Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9480650Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9481379Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9482069Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9482990Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9483779Z 		144 | }
2024-02-15T12:38:48.9484037Z 
2024-02-15T12:38:48.9484409Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9485403Z 	FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9486370Z 	File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9488773Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9490388Z 
2024-02-15T12:38:48.9490765Z 		138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9491737Z 		139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9492549Z 		140 |   location                    = var.region
2024-02-15T12:38:48.9493313Z 		141 |   force_destroy               = true
2024-02-15T12:38:48.9494054Z 		142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9494899Z 		143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9495872Z 		144 | }
2024-02-15T12:38:48.9496229Z 
2024-02-15T12:38:48.9496779Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9497880Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9498860Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9500708Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9502041Z 
2024-02-15T12:38:48.9502329Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9503403Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9504180Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9504906Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9505721Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9506527Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9507314Z 		152 | }
2024-02-15T12:38:48.9507578Z 
2024-02-15T12:38:48.9507955Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9508700Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9509637Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9511575Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9512941Z 
2024-02-15T12:38:48.9513271Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9514187Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9515095Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9515823Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9516513Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9517434Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9518221Z 		152 | }
2024-02-15T12:38:48.9518695Z 
2024-02-15T12:38:48.9519071Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9520079Z 	FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9521041Z 	File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9523272Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9525023Z 
2024-02-15T12:38:48.9525314Z 		146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9526283Z 		147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9527513Z 		148 |   location                    = var.region
2024-02-15T12:38:48.9528316Z 		149 |   force_destroy               = true
2024-02-15T12:38:48.9529057Z 		150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9529949Z 		151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9530805Z 		152 | }
2024-02-15T12:38:48.9531080Z 
2024-02-15T12:38:48.9531628Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9532747Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9533771Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9535592Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9538093Z 
2024-02-15T12:38:48.9538548Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9539550Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9540397Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9541277Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9542023Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9543215Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9598501Z 		160 | }
2024-02-15T12:38:48.9598827Z 
2024-02-15T12:38:48.9599292Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9599990Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9600998Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9602611Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9603600Z 
2024-02-15T12:38:48.9603800Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9604451Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9605078Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9605682Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9606132Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9606751Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9607524Z 		160 | }
2024-02-15T12:38:48.9607705Z 
2024-02-15T12:38:48.9608010Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9608691Z 	FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9609337Z 	File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9610589Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9611596Z 
2024-02-15T12:38:48.9611800Z 		154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9612437Z 		155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9613033Z 		156 |   location                    = var.region
2024-02-15T12:38:48.9613483Z 		157 |   force_destroy               = true
2024-02-15T12:38:48.9613962Z 		158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9614785Z 		159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9615256Z 		160 | }
2024-02-15T12:38:48.9615471Z 
2024-02-15T12:38:48.9615869Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9616615Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9617359Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9618468Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9619216Z 
2024-02-15T12:38:48.9619505Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9620063Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9620765Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9621393Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9621892Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9622319Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9622810Z 		168 | 
2024-02-15T12:38:48.9623127Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9623600Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9624157Z 		171 |     content {
2024-02-15T12:38:48.9624581Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9625120Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9625713Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9626132Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9626491Z 		176 |     }
2024-02-15T12:38:48.9626885Z 		177 |   }
2024-02-15T12:38:48.9627195Z 		178 | 
2024-02-15T12:38:48.9627540Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9628085Z 		180 | 
2024-02-15T12:38:48.9628673Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9629268Z 		182 |   autoclass {
2024-02-15T12:38:48.9629701Z 		183 |     enabled = true
2024-02-15T12:38:48.9630060Z 		184 |   }
2024-02-15T12:38:48.9630340Z 		185 | }
2024-02-15T12:38:48.9630529Z 
2024-02-15T12:38:48.9630774Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9631286Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9631873Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9633034Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9633889Z 
2024-02-15T12:38:48.9634115Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9634683Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9635447Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9636080Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9636566Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9637052Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9637486Z 		168 | 
2024-02-15T12:38:48.9637798Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9638272Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9638811Z 		171 |     content {
2024-02-15T12:38:48.9639225Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9639817Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9640349Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9640768Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9641185Z 		176 |     }
2024-02-15T12:38:48.9641572Z 		177 |   }
2024-02-15T12:38:48.9641871Z 		178 | 
2024-02-15T12:38:48.9642272Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9642895Z 		180 | 
2024-02-15T12:38:48.9643438Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9644105Z 		182 |   autoclass {
2024-02-15T12:38:48.9644460Z 		183 |     enabled = true
2024-02-15T12:38:48.9644813Z 		184 |   }
2024-02-15T12:38:48.9645153Z 		185 | }
2024-02-15T12:38:48.9645341Z 
2024-02-15T12:38:48.9645697Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9646304Z 	FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9647002Z 	File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9648956Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9649868Z 
2024-02-15T12:38:48.9650112Z 		162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9650741Z 		163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9651459Z 		164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9652041Z 		165 |   location                    = var.region
2024-02-15T12:38:48.9652568Z 		166 |   force_destroy               = true
2024-02-15T12:38:48.9652994Z 		167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9653435Z 		168 | 
2024-02-15T12:38:48.9653811Z 		169 |   dynamic "cors" {
2024-02-15T12:38:48.9654223Z 		170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9654715Z 		171 |     content {
2024-02-15T12:38:48.9655238Z 		172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9655783Z 		173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9656297Z 		174 |       response_header = ["*"]
2024-02-15T12:38:48.9656772Z 		175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9657147Z 		176 |     }
2024-02-15T12:38:48.9657456Z 		177 |   }
2024-02-15T12:38:48.9657822Z 		178 | 
2024-02-15T12:38:48.9658181Z 		179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9658635Z 		180 | 
2024-02-15T12:38:48.9659220Z 		181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9659823Z 		182 |   autoclass {
2024-02-15T12:38:48.9660172Z 		183 |     enabled = true
2024-02-15T12:38:48.9660651Z 		184 |   }
2024-02-15T12:38:48.9660918Z 		185 | }
2024-02-15T12:38:48.9661105Z 
2024-02-15T12:38:48.9661444Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9662197Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9662758Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9663930Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9664682Z 
2024-02-15T12:38:48.9664984Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9665552Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9666074Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9666621Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9667044Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9667680Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9668259Z 		193 | 
2024-02-15T12:38:48.9668838Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9669419Z 		195 |   autoclass {
2024-02-15T12:38:48.9669852Z 		196 |     enabled = true
2024-02-15T12:38:48.9670207Z 		197 |   }
2024-02-15T12:38:48.9670489Z 		198 | }
2024-02-15T12:38:48.9670737Z 
2024-02-15T12:38:48.9670906Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9671404Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9671977Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9673342Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9674109Z 
2024-02-15T12:38:48.9674343Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9675154Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9675762Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9676251Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9676676Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9677282Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9677800Z 		193 | 
2024-02-15T12:38:48.9678285Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9678967Z 		195 |   autoclass {
2024-02-15T12:38:48.9679335Z 		196 |     enabled = true
2024-02-15T12:38:48.9679657Z 		197 |   }
2024-02-15T12:38:48.9680029Z 		198 | }
2024-02-15T12:38:48.9680185Z 
2024-02-15T12:38:48.9680520Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9681098Z 	FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9681731Z 	File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9682971Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9683861Z 
2024-02-15T12:38:48.9684076Z 		187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9684707Z 		188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9685226Z 		189 |   location                    = var.region
2024-02-15T12:38:48.9685696Z 		190 |   force_destroy               = true
2024-02-15T12:38:48.9686210Z 		191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9686747Z 		192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9687464Z 		193 | 
2024-02-15T12:38:48.9688039Z 		194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9688725Z 		195 |   autoclass {
2024-02-15T12:38:48.9689094Z 		196 |     enabled = true
2024-02-15T12:38:48.9689476Z 		197 |   }
2024-02-15T12:38:48.9689779Z 		198 | }
2024-02-15T12:38:48.9689932Z 
2024-02-15T12:38:48.9690323Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9691072Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9691653Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9692753Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9693564Z 
2024-02-15T12:38:48.9693792Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9694364Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9694906Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9695497Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9695919Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9696476Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9697035Z 		206 | }
2024-02-15T12:38:48.9697191Z 
2024-02-15T12:38:48.9697375Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9697923Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9698575Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9699678Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9700432Z 
2024-02-15T12:38:48.9700618Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9701482Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9702005Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9702440Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9703046Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9703961Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9704447Z 		206 | }
2024-02-15T12:38:48.9704720Z 
2024-02-15T12:38:48.9704969Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9705553Z 	FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9706112Z 	File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9707496Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9708421Z 
2024-02-15T12:38:48.9708617Z 		200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9709285Z 		201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9709781Z 		202 |   location                    = var.region
2024-02-15T12:38:48.9710256Z 		203 |   force_destroy               = true
2024-02-15T12:38:48.9710865Z 		204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9711365Z 		205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9711879Z 		206 | }
2024-02-15T12:38:48.9712035Z 
2024-02-15T12:38:48.9712524Z Check: CKV2_GCP_22: "Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK)"
2024-02-15T12:38:48.9713260Z 	FAILED for resource: google_document_ai_processor.processor
2024-02-15T12:38:48.9713912Z 	File: /document-processing-workflows/main.tf:210-216
2024-02-15T12:38:48.9714331Z 
2024-02-15T12:38:48.9714554Z 		210 | resource "google_document_ai_processor" "processor" {
2024-02-15T12:38:48.9715074Z 		211 |   for_each     = var.processors
2024-02-15T12:38:48.9715503Z 		212 |   location     = each.value.location
2024-02-15T12:38:48.9716044Z 		213 |   display_name = each.value.display_name
2024-02-15T12:38:48.9716514Z 		214 |   type         = each.value.type
2024-02-15T12:38:48.9716991Z 		215 |   depends_on   = [google_project_service.documentai]
2024-02-15T12:38:48.9717585Z 		216 | }
