Add atlantis config file in the repo #21

Open
hemanthgk10 wants to merge 34 commits into main from example

Conversation

@hemanthgk10
Contributor

Signed-off-by: Hemanth Gokavarapu hemanth@soluble.ai

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

atlantis --help

@hemanthgk10
Contributor Author

atlantis
Terraform Pull Request Automation

Usage:
  atlantis <command> [options] -- [terraform options]

Examples:
  # run plan in the root directory passing the -target flag to terraform
  atlantis plan -d . -- -target=resource

  # apply all unapplied plans from this pull request
  atlantis apply

  # apply the plan for the root directory and staging workspace
  atlantis apply -d . -w staging

Commands:
  plan     Runs 'terraform plan' for the changes in this pull request.
           To plan a specific project, use the -d, -w and -p flags.
  apply    Runs 'terraform apply' on all unapplied plans from this pull request.
           To only apply a specific plan, use the -d, -w and -p flags.
  unlock   Removes all atlantis locks and discards all plans for this PR.
           To unlock a specific plan you can use the Atlantis UI.
  approve_policies
           Approves all current policy checking failures for the PR.
  version  Print the output of 'terraform version'
  help     View help.

Flags:
  -h, --help   help for atlantis

Use "atlantis [command] --help" for more information about a command.

@hemanthgk10
Contributor Author

atlantis unlock

@hemanthgk10
Contributor Author

All Atlantis locks for this PR have been unlocked and plans discarded

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Plan Error

parsing atlantis.yaml: repo config not allowed to set 'workflow' key: server-side config needs 'allowed_overrides: [workflow]'
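
A server-side and repo-side Atlantis configuration pair that resolves the `allowed_overrides` error above and runs checkov against the plan JSON as a workflow step. This is an added example, not the atlantis.yaml this PR adds or Atlantis's own documentation; the repo id host, the workflow name and the `terraform show -json` step are assumptions, while the checkov flags are the ones visible in the tool log later in this thread.

```yaml
# Server-side repo config (the file Atlantis loads via --repo-config).
# Without "workflow" in allowed_overrides, Atlantis rejects any repo-level
# atlantis.yaml that sets a "workflow" key, which is the
# "repo config not allowed to set 'workflow' key" error above.
repos:
  - id: github.com/InsecureCorp/terraform-gcp   # host assumed; repo name is from this PR
    # Keys a repo's atlantis.yaml may override; keep this list as short as possible.
    allowed_overrides: [workflow, apply_requirements]
    # Needed in addition to allowed_overrides before a repo may define its own workflows.
    allow_custom_workflows: true
    # Server default: nobody can apply until the PR is approved and mergeable.
    apply_requirements: [approved, mergeable]
---
# Repo-side atlantis.yaml (assumed layout for the file this PR adds).
version: 3
projects:
  - name: default
    dir: .
    workspace: default
    workflow: plan-with-checkov
    apply_requirements: [approved, mergeable]
workflows:
  plan-with-checkov:
    plan:
      steps:
        - init
        - plan
        # Render the binary plan to JSON so checkov's terraform_plan framework can read it.
        - run: terraform show -json $PLANFILE > default.json
        # Same flags as the checkov run later in this thread. -s (soft-fail) keeps the
        # plan comment visible even when policies fail; drop it to block on findings.
        - run: checkov -o json -s -f default.json --framework terraform_plan
    apply:
      steps:
        - apply
```

The two YAML documents belong in separate files; they are shown in one block only so the server-side key and the repo-side key it permits sit side by side.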

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "/usr/local/bin/terraform init -input=false" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
╷
│ Error: Missing newline after argument
│ 
│ On kubernetes.tf line 27: An argument definition must end with a newline.
╵


Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "/usr/local/bin/terraform init -input=false" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
╷
│ Error: Missing newline after argument
│ 
│ On kubernetes.tf line 26: An argument definition must end with a newline.
╵


Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: Reference to undeclared resource
│ 
│   on kubernetes.tf line 4, in resource "google_container_cluster" "primary":
│    4:   location 	     = data.google_compute_zones.available.names[0]
│ 
│ A data resource "google_compute_zones" "available" has not been declared in
│ the root module.
╵
╷
│ Error: Reference to undeclared resource
│ 
│   on kubernetes.tf line 11, in resource "google_container_cluster" "primary":
│   11:     data.google_compute_zones.available.names[1],
│ 
│ A data resource "google_compute_zones" "available" has not been declared in
│ the root module.
╵


Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: Insufficient client_certificate_config blocks
│ 
│   on kubernetes.tf line 18, in resource "google_container_cluster" "primary":
│   18:   master_auth {
│ 
│ At least 1 "client_certificate_config" blocks are required.
╵
╷
│ Error: Unsupported argument
│ 
│   on kubernetes.tf line 19, in resource "google_container_cluster" "primary":
│   19:     username = var.username
│ 
│ An argument named "username" is not expected here.
╵
╷
│ Error: Unsupported argument
│ 
│   on kubernetes.tf line 20, in resource "google_container_cluster" "primary":
│   20:     password = var.password
│ 
│ An argument named "password" is not expected here.
╵

print getting started

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: Insufficient client_certificate_config blocks
│ 
│   on kubernetes.tf line 18, in resource "google_container_cluster" "primary":
│   18:   master_auth {
│ 
│ At least 1 "client_certificate_config" blocks are required.
╵
╷
│ Error: Unsupported argument
│ 
│   on kubernetes.tf line 19, in resource "google_container_cluster" "primary":
│   19:     username = var.username
│ 
│ An argument named "username" is not expected here.
╵
╷
│ Error: Unsupported argument
│ 
│   on kubernetes.tf line 20, in resource "google_container_cluster" "primary":
│   20:     password = var.password
│ 
│ An argument named "password" is not expected here.
╵

print getting started

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: Unsupported attribute
│ 
│   on kubernetes.tf line 41, in output "primary_zone":
│   41:   value = google_container_cluster.primary.zone
│ 
│ This object has no argument, nested block, or exported attribute named
│ "zone".
╵
╷
│ Error: Unsupported attribute
│ 
│   on kubernetes.tf line 45, in output "additional_zones":
│   45:   value = google_container_cluster.primary.additional_zones
│ 
│ This object has no argument, nested block, or exported attribute named
│ "additional_zones".
╵

print getting started

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: project: required field is not set
│ 
│   with data.google_compute_zones.available,
│   on kubernetes.tf line 1, in data "google_compute_zones" "available":
│    1: data "google_compute_zones" "available" {
│ 
╵

print getting started

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default": 
╷
│ Error: Invalid index
│ 
│   on kubernetes.tf line 7, in resource "google_container_cluster" "primary":
│    7:   location 	     = data.google_compute_zones.available.names[0]
│     ├────────────────
│     │ data.google_compute_zones.available.names is empty list of string
│ 
│ The given key does not identify an element in this collection value: the
│ collection has no elements.
╵
╷
│ Error: Invalid index
│ 
│   on kubernetes.tf line 14, in resource "google_container_cluster" "primary":
│   14:     data.google_compute_zones.available.names[1],
│     ├────────────────
│     │ data.google_compute_zones.available.names is empty list of string
│ 
│ The given key does not identify an element in this collection value.
╵

print getting started

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

print getting started


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

2022-07-11 17:02:28,365 [MainThread  ] [ERROR]  Cannot read file contents: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.937 
Update available 2.0.937 -> 2.1.44
Run pip3 install -U checkov to update 




print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

print getting started:

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 0s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 3.566s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20549?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-20 High     FAIL Ensure master authorized networks is set to enabled in GKE clusters    default.json 
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

print getting started: $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 3.935s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20556?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-20 High     FAIL Ensure master authorized networks is set to enabled in GKE clusters    default.json 
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 4.035s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20563?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-20 High     FAIL Ensure master authorized networks is set to enabled in GKE clusters    default.json 
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: . workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 5.216s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20568?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-20 High     FAIL Ensure master authorized networks is set to enabled in GKE clusters    default.json 
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10

hemanthgk10 commented Jul 12, 2022

Ran Plan for dir: . workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 0s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] checkov-terraform-plan has no custom policies
[ Info] Assessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20577?orgId=516676385582 for more information

Results:
Passed: 7 | Failed: 15 | Skipped: 0
Critical: X  | High: X | Medium: X | Low: X | Info : X

Violations:
❌  Ensure master authorized networks is set to enabled in GKE cluster
    Severity: High
    Resource: google_container_cluster.primary

❌  Ensure master authorized networks is set to enabled in GKE cluster
    Severity: High
    Resource: google_container_cluster.primary

❌  Ensure master authorized networks is set to enabled in GKE cluster
    Severity: High
    Resource: google_container_cluster.primary
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10

Ran Plan for dir: . workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 3.674s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20584?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-20 High     FAIL Ensure master authorized networks is set to enabled in GKE clusters    default.json 
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10

Ran Plan for dir: . workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 0s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + gcp_filestore_csi_driver_config {
              + enabled = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + image_type      = (known after apply)
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + spot              = false
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + boot_disk_kms_key = (known after apply)
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + node_group        = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + spot              = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + gvnic {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + vertical_pod_autoscaling {
          + enabled = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

  # null_resource.example will be created
  + resource "null_resource" "example" {
      + id = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/. gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 4.474s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20591?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d .
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d .
Plan: 2 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

Plan Error

running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp": exit status 1: running "terraform plan -input=false -refresh -out $PLANFILE" in "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp": 
data.google_compute_zones.available: Reading...
╷
│ Error: project: required field is not set
│ 
│   with data.google_compute_zones.available,
│   on kubernetes.tf line 1, in data "google_compute_zones" "available":
│    1: data "google_compute_zones" "available" {
│ 
╵

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + network_policy {
          + enabled  = (known after apply)
          + provider = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/terraform-gcp gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 4.015s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20604?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d terraform-gcp
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d terraform-gcp
Plan: 1 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + network_policy {
          + enabled  = (known after apply)
          + provider = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/terraform-gcp gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 5.29s
[ Info] Assessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20611?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d terraform-gcp
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d terraform-gcp
Plan: 1 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock
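
The findings table in the comment above (repeated unchanged in the later plan runs) comes from checkov reading the plan as JSON (`-f default.json --framework terraform_plan`). The following is an added example, not code from the PR or from checkov: a small Python checker over a constructed plan-JSON fragment that mirrors the `google_container_cluster.primary` resource printed above. The check IDs are borrowed from the table, but which attribute each one inspects is my assumption about the corresponding rule. The point worth seeing is that every attribute the plan prints as `(known after apply)` is missing from `after` and only flagged in `after_unknown`, so a plan-time scanner cannot tell whether GKE's default would be secure; this example fails such checks closed, and the constructed remediation makes them pass by setting the values explicitly so the plan carries something a reviewer can actually read.

```python
"""Policy checks over a Terraform plan exported as JSON (`terraform show -json default.tfplan
> default.json`), in the spirit of checkov's terraform_plan framework. Added example, not checkov's code."""
import json

# Constructed sample mirroring google_container_cluster.primary in the plan above. Concrete values
# live in `after`; anything printed "(known after apply)" is absent there and flagged in `after_unknown`.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [{
        "address": "google_container_cluster.primary", "type": "google_container_cluster",
        "change": {
            "actions": ["create"], "before": None,
            "after": {
                "name": "soluble-gcp-example-cluster", "network": "default",
                "enable_shielded_nodes": True, "enable_legacy_abac": False,
                "enable_binary_authorization": False,
                "master_auth": [{"client_certificate_config": [{"issue_client_certificate": False}]}],
                "private_cluster_config": [], "release_channel": [{}], "network_policy": [{}],
                "node_config": [{"preemptible": False, "shielded_instance_config": [{}]}],
            },
            "after_unknown": {
                "endpoint": True, "release_channel": [{"channel": True}],
                "network_policy": [{"enabled": True, "provider": True}],
                "master_auth": [{"client_certificate": True, "cluster_ca_certificate": True}],
                "node_config": [{"service_account": True, "shielded_instance_config":
                                 [{"enable_secure_boot": True, "enable_integrity_monitoring": True}]}],
            },
        },
    }],
})

UNSET = object()  # sentinel: the attribute must be absent or empty to pass
# IDs are taken from the findings table; the attribute each one inspects is this
# example's assumption about the corresponding checkov rule, not its definition.
CHECKS = [
    ("CKV_GCP_71", "Shielded GKE Nodes enabled", "enable_shielded_nodes", True),
    ("CKV_GCP_19", "Basic auth disabled", "master_auth.username", UNSET),
    ("CKV_GCP_13", "Client cert auth disabled",
     "master_auth.client_certificate_config.issue_client_certificate", False),
    ("CKV_GCP_66", "Binary Authorization enabled", "enable_binary_authorization", True),
    ("CKV_GCP_70", "Release channel set", "release_channel.channel", ("RAPID", "REGULAR", "STABLE")),
    ("CKV_GCP_64", "Private nodes", "private_cluster_config.enable_private_nodes", True),
    ("CKV_GCP_12", "Network policy enabled", "network_policy.enabled", True),
    ("CKV_GCP_68", "Secure Boot on nodes", "node_config.shielded_instance_config.enable_secure_boot", True),
]

def lookup(after, unknown, path):
    """Walk a dotted path through `after` and `after_unknown` in parallel, unwrapping single-instance
    blocks (one-element lists). State is "known", "unknown" (decided at apply time) or "absent"."""
    cur, unk = after, unknown
    for key in path.split("."):
        cur = cur[0] if isinstance(cur, list) and cur else cur
        unk = unk[0] if isinstance(unk, list) and unk else unk
        if unk is True:  # the whole enclosing block is computed
            return None, "unknown"
        if not isinstance(cur, dict) or key not in cur:
            if isinstance(unk, dict) and unk.get(key) is True:
                return None, "unknown"
            return None, "absent"  # includes an empty block list such as private_cluster_config = []
        cur, unk = cur[key], (unk.get(key, {}) if isinstance(unk, dict) else {})
    return cur, "known"

def run_checks(plan_json, resource_type="google_container_cluster"):
    """Run CHECKS on every planned (non-deleted) resource of the type. Unknown values fail
    closed: a value GKE picks at apply time is not one the PR reviewer has seen."""
    results = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if rc.get("type") != resource_type or change["actions"] == ["delete"]:
            continue
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        for check_id, title, path, wanted in CHECKS:
            value, state = lookup(after, unknown, path)
            if wanted is UNSET:
                passed = state == "absent" or value in (None, "")
            else:
                passed = state == "known" and value in (wanted if isinstance(wanted, tuple) else (wanted,))
            results.append({"id": check_id, "title": title, "passed": passed, "state": state})
    return results

def failing_ids(results):
    return sorted(r["id"] for r in results if not r["passed"])

def hardened_plan_json():
    """Constructed remediation: explicit, known values in place of apply-time defaults."""
    plan = json.loads(SAMPLE_PLAN_JSON)
    change = plan["resource_changes"][0]["change"]
    after, unknown = change["after"], change["after_unknown"]
    after.update(enable_binary_authorization=True, release_channel=[{"channel": "REGULAR"}],
                 private_cluster_config=[{"enable_private_nodes": True, "enable_private_endpoint": False}],
                 network_policy=[{"enabled": True, "provider": "CALICO"}])
    after["node_config"][0]["shielded_instance_config"] = [
        {"enable_secure_boot": True, "enable_integrity_monitoring": True}]
    del unknown["release_channel"], unknown["network_policy"], unknown["node_config"][0]["shielded_instance_config"]
    return json.dumps(plan)

if __name__ == "__main__":
    print("as planned, failing:", failing_ids(run_checks(SAMPLE_PLAN_JSON)))
    print("hardened, failing:  ", failing_ids(run_checks(hardened_plan_json())))
```

To run it against a real Atlantis plan, export the plan file with `terraform show -json default.tfplan > default.json` and pass the file contents to `run_checks`. The distinction between `absent` and `unknown` in the output is the useful part: several FAIL rows in the table are attributes the plan simply cannot prove, which is the correct thing for a PR gate to reject, and the fix is to state the value in the Terraform source rather than to accept whatever the API defaults to.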

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Plan Error

parsing atlantis.yaml: yaml: line 10: did not find expected key

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp, default, afa04f7c23f9a7573ca58bd4b91b672b054af389, 21, , example

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + network_policy {
          + enabled  = (known after apply)
          + provider = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/terraform-gcp gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 4.186s
[ Info] Assessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20624?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d terraform-gcp
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d terraform-gcp
Plan: 1 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp, default, 913e5b4552fecbbd9ff009ab810c9255e167388e, 21, , example, terraform-gcp, terraform-gcp

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + network_policy {
          + enabled  = (known after apply)
          + provider = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/terraform-gcp gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 4.298s
[ Info] Assessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20631?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d terraform-gcp
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d terraform-gcp
Plan: 1 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

Signed-off-by: Hemanth Gokavarapu <hemanth@soluble.ai>
@hemanthgk10
Contributor Author

Ran Plan for dir: terraform-gcp workspace: default

print getting started: $PLANFILE $WORKSPACE $DIR  $HEAD_COMMIT $HEAD_BRANCH_NAME $PULL_NUM $PROJECT_NAME $HEAD_REPO_OWNER $HEAD_BRANCH_NAME $ATLANTIS_TERRAFORM_VERSION

/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp, default, cfea50b61820d2f954037ec5e8c7a9edd465f606, 21, , example, terraform-gcp, terraform-gcp, InsecureCorp

data.google_compute_zones.available: Reading...
data.google_compute_zones.available: Read complete after 1s [id=projects/soluble-ci/regions/us-west-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_container_cluster.primary will be created
  + resource "google_container_cluster" "primary" {
      + cluster_ipv4_cidr           = (known after apply)
      + datapath_provider           = (known after apply)
      + default_max_pods_per_node   = (known after apply)
      + enable_binary_authorization = false
      + enable_intranode_visibility = (known after apply)
      + enable_kubernetes_alpha     = false
      + enable_legacy_abac          = false
      + enable_shielded_nodes       = true
      + endpoint                    = (known after apply)
      + id                          = (known after apply)
      + initial_node_count          = 1
      + label_fingerprint           = (known after apply)
      + location                    = "us-central1"
      + logging_service             = (known after apply)
      + master_version              = (known after apply)
      + min_master_version          = "1.16.8"
      + monitoring_service          = "monitoring.googleapis.com/kubernetes"
      + name                        = "soluble-gcp-example-cluster"
      + network                     = "default"
      + networking_mode             = (known after apply)
      + node_locations              = (known after apply)
      + node_version                = "1.16.8"
      + operation                   = (known after apply)
      + private_ipv6_google_access  = (known after apply)
      + project                     = (known after apply)
      + self_link                   = (known after apply)
      + services_ipv4_cidr          = (known after apply)
      + subnetwork                  = (known after apply)
      + tpu_ipv4_cidr_block         = (known after apply)

      + addons_config {
          + cloudrun_config {
              + disabled           = (known after apply)
              + load_balancer_type = (known after apply)
            }

          + horizontal_pod_autoscaling {
              + disabled = (known after apply)
            }

          + http_load_balancing {
              + disabled = (known after apply)
            }

          + network_policy_config {
              + disabled = (known after apply)
            }
        }

      + authenticator_groups_config {
          + security_group = (known after apply)
        }

      + cluster_autoscaling {
          + enabled = (known after apply)

          + auto_provisioning_defaults {
              + oauth_scopes    = (known after apply)
              + service_account = (known after apply)
            }

          + resource_limits {
              + maximum       = (known after apply)
              + minimum       = (known after apply)
              + resource_type = (known after apply)
            }
        }

      + confidential_nodes {
          + enabled = (known after apply)
        }

      + database_encryption {
          + key_name = (known after apply)
          + state    = (known after apply)
        }

      + default_snat_status {
          + disabled = (known after apply)
        }

      + ip_allocation_policy {
          + cluster_ipv4_cidr_block       = (known after apply)
          + cluster_secondary_range_name  = (known after apply)
          + services_ipv4_cidr_block      = (known after apply)
          + services_secondary_range_name = (known after apply)
        }

      + logging_config {
          + enable_components = (known after apply)
        }

      + master_auth {
          + client_certificate     = (known after apply)
          + client_key             = (sensitive value)
          + cluster_ca_certificate = (known after apply)

          + client_certificate_config {
              + issue_client_certificate = false
            }
        }

      + monitoring_config {
          + enable_components = (known after apply)
        }

      + network_policy {
          + enabled  = (known after apply)
          + provider = (known after apply)
        }

      + node_config {
          + disk_size_gb      = (known after apply)
          + disk_type         = (known after apply)
          + guest_accelerator = (known after apply)
          + image_type        = (known after apply)
          + labels            = (known after apply)
          + local_ssd_count   = (known after apply)
          + machine_type      = (known after apply)
          + metadata          = (known after apply)
          + oauth_scopes      = [
              + "https://www.googleapis.com/auth/compute",
              + "https://www.googleapis.com/auth/devstorage.read_only",
              + "https://www.googleapis.com/auth/logging.write",
            ]
          + preemptible       = false
          + service_account   = (known after apply)
          + taint             = (known after apply)

          + shielded_instance_config {
              + enable_integrity_monitoring = (known after apply)
              + enable_secure_boot          = (known after apply)
            }

          + workload_metadata_config {
              + mode = (known after apply)
            }
        }

      + node_pool {
          + initial_node_count          = (known after apply)
          + instance_group_urls         = (known after apply)
          + managed_instance_group_urls = (known after apply)
          + max_pods_per_node           = (known after apply)
          + name                        = (known after apply)
          + name_prefix                 = (known after apply)
          + node_count                  = (known after apply)
          + node_locations              = (known after apply)
          + version                     = (known after apply)

          + autoscaling {
              + max_node_count = (known after apply)
              + min_node_count = (known after apply)
            }

          + management {
              + auto_repair  = (known after apply)
              + auto_upgrade = (known after apply)
            }

          + node_config {
              + disk_size_gb      = (known after apply)
              + disk_type         = (known after apply)
              + guest_accelerator = (known after apply)
              + image_type        = (known after apply)
              + labels            = (known after apply)
              + local_ssd_count   = (known after apply)
              + machine_type      = (known after apply)
              + metadata          = (known after apply)
              + min_cpu_platform  = (known after apply)
              + oauth_scopes      = (known after apply)
              + preemptible       = (known after apply)
              + service_account   = (known after apply)
              + tags              = (known after apply)
              + taint             = (known after apply)

              + gcfs_config {
                  + enabled = (known after apply)
                }

              + shielded_instance_config {
                  + enable_integrity_monitoring = (known after apply)
                  + enable_secure_boot          = (known after apply)
                }

              + workload_metadata_config {
                  + mode = (known after apply)
                }
            }

          + upgrade_settings {
              + max_surge       = (known after apply)
              + max_unavailable = (known after apply)
            }
        }

      + release_channel {
          + channel = (known after apply)
        }

      + workload_identity_config {
          + workload_pool = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cluster_name = "soluble-gcp-example-cluster"
  + endpoint     = (known after apply)
  + node_version = "1.16.8"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default/terraform-gcp/default.tfplan"

[ Info] Getting https://api.demo.soluble.cloud/api/v1/org/516676385582/rules/checkov-terraform-plan/rules.tgz
[ Info] Installing rules.tgz
[ Info] Latest release of checkov-terraform-plan-policies is latest
[ Info] checkov-terraform-plan has no custom policies
[ Info] Running docker run --rm -v /Users/hemanthgokavarapu/.atlantis/repos/InsecureCorp/terraform-gcp/21/default:/src -w /src/terraform-gcp gcr.io/soluble-repo/checkov:2 -o json -s --skip-download -f default.json --framework terraform_plan
[ Info] Uploading results of checkov-terraform-plan
[ Info] ...including git-status-z.txt
[ Info] ...including results.json
[ Info] ...including config.yaml
[ Info] ...including tool.log
[ Info] ...including findings.json
[ Info] ...including fingerprints.json
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 3.76s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20638?orgId=516676385582 for more information
SID        SEVERITY PASS TITLE                                                                  FILE-PATH    LINE
ckv-gcp-68 High     FAIL Ensure Secure Boot for Shielded GKE Nodes is Enabled                   default.json 
ckv-gcp-64 Medium   FAIL Ensure clusters are created with Private Nodes                         default.json 
ckv-gcp-61 Medium   FAIL Enable VPC Flow Logs and Intranode Visibility                          default.json 
ckv-gcp-67 Medium   FAIL Ensure legacy Compute Engine instance metadata APIs are Disabled       default.json 
ckv-gcp-12 Medium   FAIL Ensure Network Policy is enabled on Kubernetes Engine Clusters         default.json 
ckv-gcp-25 Medium   FAIL Ensure Kubernetes Cluster is created with Private cluster enabled      default.json 
ckv-gcp-23 Medium   FAIL Ensure Kubernetes Cluster is created with Alias IP ranges enabled      default.json 
ckv-gcp-65 Medium   FAIL Manage Kubernetes RBAC users with Google Groups for GKE                default.json 
ckv-gcp-24 Medium   FAIL GKE is enabled with PodSecurityPolicy check                            default.json 
ckv-gcp-21 Low      FAIL Ensure Kubernetes Clusters are configured with Labels                  default.json 
ckv-gcp-70 Low      FAIL Ensure the GKE Release Channel is set                                  default.json 
ckv-gcp-66 Low      FAIL Ensure use of Binary Authorization                                     default.json 
ckv-gcp-69 Low      FAIL Ensure the GKE Metadata Server is Enabled                              default.json 
ckv-gcp-18 Critical PASS Ensure GKE Control Plane is not public                                 default.json 
ckv-gcp-8  High     PASS Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engin... default.json 
ckv-gcp-71 Medium   PASS Ensure Shielded GKE Nodes are Enabled                                  default.json 
ckv-gcp-7  Medium   PASS Legacy authorization is disabled check                                 default.json 
ckv-gcp-72 Medium   PASS Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled          default.json 
ckv-gcp-19 Medium   PASS Ensure GKE basic auth is disabled                                      default.json 
ckv-gcp-13 Medium   PASS Ensure client certificate authentication to Kubernetes Engine Clust... default.json 
ckv-gcp-1  Low      PASS GKE with stackdriver logging enabled check                             default.json 

print meeee
  • ▶️ To apply this plan, comment:
    • atlantis apply -d terraform-gcp
  • 🚮 To delete this plan click here
  • 🔁 To plan this project again, comment:
    • atlantis plan -d terraform-gcp
Plan: 1 to add, 0 to change, 0 to destroy.
  • ⏩ To apply all unapplied plans from this pull request, comment:
    • atlantis apply
  • 🚮 To delete all plans and locks for the PR, comment:
    • atlantis unlock

@hemanthgk10
Contributor Author

hemanthgk10 commented Jul 15, 2022

Results:

❌ Ensure that AWS Lambda function is configured inside a VPC
    Severity: Medium
    Resource: aws_lambda_function.lambda

❌ Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
    Severity: Low
    Resource: aws_lambda_function.lambda

❌ X-ray tracing is enabled for Lambda
    Severity: Low
    Resource: aws_lambda_function.lambda

❌ No hard coded access keys and secret in lambdas
    Severity: Critical
    Resource: aws_lambda_function.lambda

❌ Check encryption settings for Lambda environmental variable
    Severity: High
    Resource: aws_lambda_function.lambda

❌ Ensure IAM role allows only specific principals
    Severity: Medium
    Resource: aws_iam_role.iam_for_lambda

❌ Ensure IAM role allows only specific services or principals
    Severity: Medium
    Resource: aws_iam_role.iam_for_lambda

❌ Ensure that AWS Lambda function is configured for function-level concurrent execution limit
    Severity: Medium
    Resource: aws_lambda_function.lambda

@hemanthgk10
Contributor Author

[ Info] checkov-terraform-plan has no custom policies
[ Warn] Could not get git status - exit status 128
[ Info] POST https://api.demo.soluble.cloud/api/v1/xcp/checkov/data returned 200 in 3.671s
[ Info] Asessment uploaded, see https://app.demo.soluble.cloud/assessments/details/20720?orgId=516676385582 for more information
Results:

Passed: 5 | Failed: 3

Violations:
Medium: 1 | Low: 2 |

❌ Ensure that AWS Lambda function is configured inside a VPC
   Severity: Medium
   Resource: aws_lambda_function.lambda

❌ Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
   Severity: Low
   Resource: aws_lambda_function.lambda

❌ X-ray tracing is enabled for Lambda
   Severity: Low
   Resource: aws_lambda_function.lambda
