Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/cdpt-ifs #8403

dependabot · 2024-10-23T01:05:33Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.4.1

What's Fixed

The original behaviour of the bastion_security_group output has been reinstated. It will once again output the id of the "aws_security_group" "bastion_linux" { ... } resource.

The updated output is still available through the bastion_security_group_map output.

What's Changed

Bump bridgecrewio/checkov-action from 12.2879.0 to 12.2882.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#575

Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#574

Bump ministryofjustice/github-actions from 18.2.4 to 18.3.1 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#576

Bump bridgecrewio/checkov-action from 12.2882.0 to 12.2883.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#577

Reinstated original behaviour of security group output by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#579

Bump bridgecrewio/checkov-action from 12.2883.0 to 12.2884.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#578

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.4.0...v4.4.1

v4.4.0

What's Changed

All module resources use name_prefix instead of name to ensure uniqueness where possible.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Bump bridgecrewio/checkov-action from 12.2877.0 to 12.2879.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#573

Ensure uniqueness in naming by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#572

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.1...v4.4.0

v4.3.1

What's Fixed

The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Add alias for MP S3 KMS key by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566

Refactor unit tests by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

... (truncated)

Commits

dfed655 Merge pull request #578 from ministryofjustice/dependabot/github_actions/brid...
0f9f6a7 Bump bridgecrewio/checkov-action from 12.2883.0 to 12.2884.0
629382d Merge pull request #579 from ministryofjustice/fix/reinstate-old-output
d24e7f7 terraform-docs: automated action
498e46b reinstated original behaviour of security group output, and moved new functio...
c95588b Merge pull request #577 from ministryofjustice/dependabot/github_actions/brid...
5d37e86 Bump bridgecrewio/checkov-action from 12.2882.0 to 12.2883.0
948bb8a Merge pull request #576 from ministryofjustice/dependabot/github_actions/mini...
86f2b4b Bump ministryofjustice/github-actions from 18.2.4 to 18.3.1
2137b50 Merge pull request #574 from ministryofjustice/dependabot/github_actions/aqua...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.4.1. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.4.1) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-10-23T01:07:50Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-10-23T01:07:38Z INFO [vulndb] Need to update DB
2024-10-23T01:07:38Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T01:07:38Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T01:07:41Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T01:07:41Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T01:07:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T01:07:41Z INFO [misconfig] Need to update the built-in checks
2024-10-23T01:07:41Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-23T01:07:41Z INFO [secret] Secret scanning is enabled
2024-10-23T01:07:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T01:07:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T01:07:42Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T01:07:42Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-23T01:07:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-23T01:07:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-23T01:07:45Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-23T01:07:45Z INFO Number of language-specific files num=0
2024-10-23T01:07:45Z INFO Detected config files num=10

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 01:07:48,319 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-23 01:07:48,319 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1:None (for external modules, the --download-external-modules flag is required)
2024-10-23 01:07:48,319 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 109, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		58 |   name              = "/aws/events/deploymentLogs"
		59 |   retention_in_days = "7"
		60 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:87-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:469-487
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		469 | resource "aws_security_group" "ecs_service" {
		470 |   name_prefix = "ecs-service-sg-"
		471 |   vpc_id      = data.aws_vpc.shared.id
		472 | 
		473 |   ingress {
		474 |     from_port       = 80
		475 |     to_port         = 80
		476 |     protocol        = "tcp"
		477 |     description     = "Allow traffic on port 80 from load balancer"
		478 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		479 |   }
		480 | 
		481 |   egress {
		482 |     from_port   = 0
		483 |     to_port     = 0
		484 |     protocol    = "-1"
		485 |     cidr_blocks = ["0.0.0.0/0"]
		486 |   }
		487 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:532-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		532 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		533 |   name              = "${local.application_name}-ecs"
		534 |   retention_in_days = 30
		535 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:532-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		532 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		533 |   name              = "${local.application_name}-ecs"
		534 |   retention_in_days = 30
		535 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.ifs_target_group
	File: /loadbalancer.tf:102-132

		102 | resource "aws_lb_target_group" "ifs_target_group" {
		103 |   name                 = "ifs-target-group"
		104 |   port                 = 80
		105 |   protocol             = "HTTP"
		106 |   vpc_id               = data.aws_vpc.shared.id
		107 |   target_type          = "ip"
		108 |   deregistration_delay = 30
		109 | 
		110 |   stickiness {
		111 |     type = "lb_cookie"
		112 |   }
		113 | 
		114 |   health_check {
		115 |     healthy_threshold   = "5"
		116 |     interval            = "60"
		117 |     protocol            = "HTTP"
		118 |     unhealthy_threshold = "2"
		119 |     matcher             = "200-499"
		120 |     timeout             = "15"
		121 |     path                = "/health"
		122 |   }
		123 | 
		124 |   lifecycle {
		125 |     create_before_destroy = true
		126 |     ignore_changes        = [name]
		127 |   }
		128 | 
		129 |   tags = {
		130 |     Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
		131 |   }
		132 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:48-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		48 | module "pagerduty_core_alerts" {
		49 |   depends_on = [
		50 |     aws_sns_topic.lb_5xx_alarm_topic
		51 |   ]
		52 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		53 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		54 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		55 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 117:
 117:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 402:
 402:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-10-23T01:07:38Z	INFO	[vulndb] Need to update DB
2024-10-23T01:07:38Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T01:07:38Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T01:07:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T01:07:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T01:07:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T01:07:41Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T01:07:41Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-23T01:07:41Z	INFO	[secret] Secret scanning is enabled
2024-10-23T01:07:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T01:07:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T01:07:42Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T01:07:42Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-23T01:07:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-23T01:07:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-23T01:07:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-23T01:07:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-23T01:07:45Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-23T01:07:45Z	INFO	Number of language-specific files	num=0
2024-10-23T01:07:45Z	INFO	Detected config files	num=10

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=1

dependabot bot requested a review from a team as a code owner October 23, 2024 01:05

dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Oct 23, 2024

dependabot bot requested a review from a team as a code owner October 23, 2024 01:05

dependabot bot mentioned this pull request Oct 23, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.0 in /terraform/environments/cdpt-ifs #8267

Closed

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/cdpt-ifs #8403

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/cdpt-ifs #8403

dependabot bot commented on behalf of github Oct 23, 2024

github-actions bot commented Oct 23, 2024

(terraform)

database.tf (terraform)

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/cdpt-ifs #8403

Are you sure you want to change the base?

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/cdpt-ifs #8403

Conversation

dependabot bot commented on behalf of github Oct 23, 2024

v4.4.1

What's Fixed

What's Changed

v4.4.0

What's Changed

What's Changed

v4.3.1

What's Fixed

What's Changed

v4.3.0

What's New

What's Changed

github-actions bot commented Oct 23, 2024

Trivy Scan Failed

(terraform)

database.tf (terraform)

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed