Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removed import block from cdpt #8856

Closed
wants to merge 1 commit into from
Closed

Removed import block from cdpt #8856

wants to merge 1 commit into from

Conversation

sukeshreddyg
Copy link
Contributor

Import block is only required once - removing as this seems to be causing some issues in terraform 1.10 and is not longer required.

@sukeshreddyg sukeshreddyg requested review from a team as code owners November 28, 2024 10:26
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 28, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-chaps
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-chaps
2024-11-28T10:28:12Z INFO [vulndb] Need to update DB
2024-11-28T10:28:12Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T10:28:12Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T10:28:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T10:28:14Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T10:28:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T10:28:14Z INFO [misconfig] Need to update the built-in checks
2024-11-28T10:28:14Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-28T10:28:14Z INFO [secret] Secret scanning is enabled
2024-11-28T10:28:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T10:28:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T10:28:15Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T10:28:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:19Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:19Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:19Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-11-28T10:28:19Z INFO Number of language-specific files num=0
2024-11-28T10:28:19Z INFO Detected config files num=9

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0080 (HIGH): Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-24
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/environments/cdpt-ifs
2024-11-28T10:28:19Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T10:28:19Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T10:28:19Z INFO [secret] Secret scanning is enabled
2024-11-28T10:28:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T10:28:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T10:28:20Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T10:28:20Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:23Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:23Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:23Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-11-28T10:28:23Z INFO Number of language-specific files num=0
2024-11-28T10:28:23Z INFO Detected config files num=10

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0080 (HIGH): Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 10:28:25,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 10:28:25,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-11-28 10:28:25,701 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 122, Failed checks: 49, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 |   # public keys
		16 |   public_key_data = local.public_key_data.keys[local.environment]
		17 |   # logs
		18 |   log_auto_clean       = "Enabled"
		19 |   log_standard_ia_days = 30  # days before moving to IA storage
		20 |   log_glacier_days     = 60  # days before moving to Glacier
		21 |   log_expiry_days      = 180 # days before log expiration
		22 |   # bastion
		23 |   allow_ssh_commands = false
		24 | 
		25 |   app_name      = var.networking[0].application
		26 |   business_unit = local.vpc_name
		27 |   subnet_set    = local.subnet_set
		28 |   environment   = local.environment
		29 |   region        = "eu-west-2"
		30 | 
		31 |   extra_user_data_content = "yum install -y openldap-clients"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:74-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		74 | data "aws_iam_policy_document" "rds-kms" {
		75 |   statement {
		76 |     effect    = "Allow"
		77 |     actions   = ["kms:*"]
		78 |     resources = ["*"]
		79 |     principals {
		80 |       type        = "AWS"
		81 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		82 |     }
		83 |   }
		84 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:74-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		74 | data "aws_iam_policy_document" "rds-kms" {
		75 |   statement {
		76 |     effect    = "Allow"
		77 |     actions   = ["kms:*"]
		78 |     resources = ["*"]
		79 |     principals {
		80 |       type        = "AWS"
		81 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		82 |     }
		83 |   }
		84 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:74-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		74 | data "aws_iam_policy_document" "rds-kms" {
		75 |   statement {
		76 |     effect    = "Allow"
		77 |     actions   = ["kms:*"]
		78 |     resources = ["*"]
		79 |     principals {
		80 |       type        = "AWS"
		81 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		82 |     }
		83 |   }
		84 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-57

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 | 
		42 |   ingress {
		43 |     from_port = 1433
		44 |     to_port   = 1433
		45 |     protocol  = "tcp"
		46 |     security_groups = [
		47 |       aws_security_group.ecs_service.id,
		48 |       aws_security_group.chapsdotnet_service.id
		49 |     ]
		50 |   }
		51 |   egress {
		52 |     from_port   = 0
		53 |     to_port     = 0
		54 |     protocol    = "-1"
		55 |     cidr_blocks = ["0.0.0.0/0"]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 | 
		42 |   ingress {
		43 |     from_port = 1433
		44 |     to_port   = 1433
		45 |     protocol  = "tcp"
		46 |     security_groups = [
		47 |       aws_security_group.ecs_service.id,
		48 |       aws_security_group.chapsdotnet_service.id
		49 |     ]
		50 |   }
		51 |   egress {
		52 |     from_port   = 0
		53 |     to_port     = 0
		54 |     protocol    = "-1"
		55 |     cidr_blocks = ["0.0.0.0/0"]
		56 |   }
		57 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:69-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		69 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		70 |   name              = "/aws/events/deploymentLogs"
		71 |   retention_in_days = "7"
		72 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:74-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chapsdotnet_task
	File: /ecs.tf:133-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:364-399

		364 | resource "aws_security_group" "cluster_ec2" {
		365 |   name        = "${local.application_name}-cluster-ec2-security-group"
		366 |   description = "controls access to the cluster ec2 instance"
		367 |   vpc_id      = data.aws_vpc.shared.id
		368 | 
		369 |   ingress {
		370 |     description     = "allow access on HTTP from load balancer"
		371 |     from_port       = 80
		372 |     to_port         = 80
		373 |     protocol        = "tcp"
		374 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		375 |   }
		376 | 
		377 |   ingress {
		378 |     description     = "Allow RDP ingress"
		379 |     from_port       = 3389
		380 |     to_port         = 3389
		381 |     protocol        = "tcp"
		382 |     security_groups = [module.bastion_linux.bastion_security_group]
		383 |   }
		384 | 
		385 |   egress {
		386 |     description = "Cluster EC2 loadbalancer egress rule"
		387 |     from_port   = 0
		388 |     to_port     = 0
		389 |     protocol    = "-1"
		390 |     cidr_blocks = ["0.0.0.0/0"]
		391 |   }
		392 | 
		393 |   tags = merge(
		394 |     local.tags,
		395 |     {
		396 |       Name = "${local.application_name}-cluster-ec2-security-group"
		397 |     }
		398 |   )
		399 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:519-542
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		519 | resource "aws_iam_role_policy" "app_execution" {
		520 |   name = "execution-${var.networking[0].application}"
		521 |   role = aws_iam_role.app_execution.id
		522 | 
		523 |   policy = <<-EOF
		524 |   {
		525 |     "Version": "2012-10-17",
		526 |     "Statement": [
		527 |       {
		528 |            "Action": [
		529 |               "ecr:*",
		530 |               "logs:CreateLogGroup",
		531 |               "logs:CreateLogStream",
		532 |               "logs:PutLogEvents",
		533 |               "logs:DescribeLogStreams",
		534 |               "secretsmanager:GetSecretValue"
		535 |            ],
		536 |            "Resource": "*",
		537 |            "Effect": "Allow"
		538 |       }
		539 |     ]
		540 |   }
		541 |   EOF
		542 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:519-542
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		519 | resource "aws_iam_role_policy" "app_execution" {
		520 |   name = "execution-${var.networking[0].application}"
		521 |   role = aws_iam_role.app_execution.id
		522 | 
		523 |   policy = <<-EOF
		524 |   {
		525 |     "Version": "2012-10-17",
		526 |     "Statement": [
		527 |       {
		528 |            "Action": [
		529 |               "ecr:*",
		530 |               "logs:CreateLogGroup",
		531 |               "logs:CreateLogStream",
		532 |               "logs:PutLogEvents",
		533 |               "logs:DescribeLogStreams",
		534 |               "secretsmanager:GetSecretValue"
		535 |            ],
		536 |            "Resource": "*",
		537 |            "Effect": "Allow"
		538 |       }
		539 |     ]
		540 |   }
		541 |   EOF
		542 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:519-542
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		519 | resource "aws_iam_role_policy" "app_execution" {
		520 |   name = "execution-${var.networking[0].application}"
		521 |   role = aws_iam_role.app_execution.id
		522 | 
		523 |   policy = <<-EOF
		524 |   {
		525 |     "Version": "2012-10-17",
		526 |     "Statement": [
		527 |       {
		528 |            "Action": [
		529 |               "ecr:*",
		530 |               "logs:CreateLogGroup",
		531 |               "logs:CreateLogStream",
		532 |               "logs:PutLogEvents",
		533 |               "logs:DescribeLogStreams",
		534 |               "secretsmanager:GetSecretValue"
		535 |            ],
		536 |            "Resource": "*",
		537 |            "Effect": "Allow"
		538 |       }
		539 |     ]
		540 |   }
		541 |   EOF
		542 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:519-542
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		519 | resource "aws_iam_role_policy" "app_execution" {
		520 |   name = "execution-${var.networking[0].application}"
		521 |   role = aws_iam_role.app_execution.id
		522 | 
		523 |   policy = <<-EOF
		524 |   {
		525 |     "Version": "2012-10-17",
		526 |     "Statement": [
		527 |       {
		528 |            "Action": [
		529 |               "ecr:*",
		530 |               "logs:CreateLogGroup",
		531 |               "logs:CreateLogStream",
		532 |               "logs:PutLogEvents",
		533 |               "logs:DescribeLogStreams",
		534 |               "secretsmanager:GetSecretValue"
		535 |            ],
		536 |            "Resource": "*",
		537 |            "Effect": "Allow"
		538 |       }
		539 |     ]
		540 |   }
		541 |   EOF
		542 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:595-621

		595 | resource "aws_security_group" "ecs_service" {
		596 |   name_prefix = "ecs-service-sg-"
		597 |   vpc_id      = data.aws_vpc.shared.id
		598 | 
		599 |   ingress {
		600 |     from_port       = 80
		601 |     to_port         = 80
		602 |     protocol        = "tcp"
		603 |     description     = "Allow traffic on port 80 from load balancer"
		604 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		605 |   }
		606 | 
		607 |   ingress {
		608 |     description = "Allow HTTP traffic from chapsdotnet container"
		609 |     from_port   = 80
		610 |     to_port     = 80
		611 |     protocol    = "tcp"
		612 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		613 |   }
		614 | 
		615 |   egress {
		616 |     from_port   = 0
		617 |     to_port     = 0
		618 |     protocol    = "-1"
		619 |     cidr_blocks = ["0.0.0.0/0"]
		620 |   }
		621 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:595-621
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		595 | resource "aws_security_group" "ecs_service" {
		596 |   name_prefix = "ecs-service-sg-"
		597 |   vpc_id      = data.aws_vpc.shared.id
		598 | 
		599 |   ingress {
		600 |     from_port       = 80
		601 |     to_port         = 80
		602 |     protocol        = "tcp"
		603 |     description     = "Allow traffic on port 80 from load balancer"
		604 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		605 |   }
		606 | 
		607 |   ingress {
		608 |     description = "Allow HTTP traffic from chapsdotnet container"
		609 |     from_port   = 80
		610 |     to_port     = 80
		611 |     protocol    = "tcp"
		612 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		613 |   }
		614 | 
		615 |   egress {
		616 |     from_port   = 0
		617 |     to_port     = 0
		618 |     protocol    = "-1"
		619 |     cidr_blocks = ["0.0.0.0/0"]
		620 |   }
		621 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.chapsdotnet_service
	File: /ecs.tf:624-649

		624 | resource "aws_security_group" "chapsdotnet_service" {
		625 |   name_prefix = "chapsdotnet-service-sg-"
		626 |   description = "Allow traffic for chapsdotnet service"
		627 |   vpc_id      = data.aws_vpc.shared.id
		628 | 
		629 |   ingress {
		630 |     from_port       = 8080
		631 |     to_port         = 8080
		632 |     protocol        = "tcp"
		633 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		634 |   }
		635 | 
		636 |   egress {
		637 |     from_port   = 0
		638 |     to_port     = 0
		639 |     protocol    = "-1"
		640 |     cidr_blocks = ["0.0.0.0/0"]
		641 |   }
		642 | 
		643 |   tags = merge(
		644 |     local.tags,
		645 |     {
		646 |       Name = "chapsdotnet-service-sg"
		647 |     }
		648 |   )
		649 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.chapsdotnet_service
	File: /ecs.tf:624-649
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		624 | resource "aws_security_group" "chapsdotnet_service" {
		625 |   name_prefix = "chapsdotnet-service-sg-"
		626 |   description = "Allow traffic for chapsdotnet service"
		627 |   vpc_id      = data.aws_vpc.shared.id
		628 | 
		629 |   ingress {
		630 |     from_port       = 8080
		631 |     to_port         = 8080
		632 |     protocol        = "tcp"
		633 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		634 |   }
		635 | 
		636 |   egress {
		637 |     from_port   = 0
		638 |     to_port     = 0
		639 |     protocol    = "-1"
		640 |     cidr_blocks = ["0.0.0.0/0"]
		641 |   }
		642 | 
		643 |   tags = merge(
		644 |     local.tags,
		645 |     {
		646 |       Name = "chapsdotnet-service-sg"
		647 |     }
		648 |   )
		649 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.chaps_cloudwatch_group
	File: /ecs.tf:695-698
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		695 | resource "aws_cloudwatch_log_group" "chaps_cloudwatch_group" {
		696 |   name              = "chaps-service-ecs"
		697 |   retention_in_days = 30
		698 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.chaps_cloudwatch_group
	File: /ecs.tf:695-698
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		695 | resource "aws_cloudwatch_log_group" "chaps_cloudwatch_group" {
		696 |   name              = "chaps-service-ecs"
		697 |   retention_in_days = 30
		698 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.chapsdotnet_cloudwatch_group
	File: /ecs.tf:700-703
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		700 | resource "aws_cloudwatch_log_group" "chapsdotnet_cloudwatch_group" {
		701 |   name              = "chapsdotnet-service-ecs"
		702 |   retention_in_days = 30
		703 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.chapsdotnet_cloudwatch_group
	File: /ecs.tf:700-703
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		700 | resource "aws_cloudwatch_log_group" "chapsdotnet_cloudwatch_group" {
		701 |   name              = "chapsdotnet-service-ecs"
		702 |   retention_in_days = 30
		703 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.chapsdotnet_target_group
	File: /loadbalancer.tf:25-56

		25 | resource "aws_lb_target_group" "chapsdotnet_target_group" {
		26 |   name_prefix          = "dotnet"
		27 |   port                 = 8080
		28 |   protocol             = "HTTP"
		29 |   vpc_id               = data.aws_vpc.shared.id
		30 |   target_type          = "ip"
		31 |   deregistration_delay = 30
		32 | 
		33 |   stickiness {
		34 |     type = "lb_cookie"
		35 |   }
		36 | 
		37 |   health_check {
		38 |     path                = "/health"
		39 |     port                = "8080"
		40 |     healthy_threshold   = "5"
		41 |     interval            = "30"
		42 |     protocol            = "HTTP"
		43 |     unhealthy_threshold = "2"
		44 |     matcher             = "200-499"
		45 |     timeout             = "5"
		46 |   }
		47 | 
		48 |   lifecycle {
		49 |     create_before_destroy = true
		50 |     ignore_changes        = [name]
		51 |   }
		52 | 
		53 |   tags = {
		54 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		55 |   }
		56 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:58-86

		58 | resource "aws_security_group" "chaps_lb_sc" {
		59 |   name        = "load balancer security group"
		60 |   description = "control access to the load balancer"
		61 |   vpc_id      = data.aws_vpc.shared.id
		62 | 
		63 |   ingress {
		64 |     description = "allow access on HTTPS"
		65 |     from_port   = 443
		66 |     to_port     = 443
		67 |     protocol    = "tcp"
		68 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		69 |   }
		70 | 
		71 |   ingress {
		72 |     description     = "Allow traffic fromt load balancer to chapsdotnet container"
		73 |     from_port       = 8080
		74 |     to_port         = 8080
		75 |     protocol        = "tcp"
		76 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		77 |   }
		78 | 
		79 |   egress {
		80 |     description = "Open all outbound ports"
		81 |     from_port   = 0
		82 |     to_port     = 0
		83 |     protocol    = "-1"
		84 |     cidr_blocks = ["0.0.0.0/0"]
		85 |   }
		86 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:88-108

		88  | resource "aws_security_group" "chaps_target_sc" {
		89  |   name        = "target security group"
		90  |   description = "allow health check traffic from load balancer"
		91  |   vpc_id      = data.aws_vpc.shared.id
		92  | 
		93  |   ingress {
		94  |     description     = "allow traffic from load balancer"
		95  |     from_port       = 80
		96  |     to_port         = 80
		97  |     protocol        = "tcp"
		98  |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		99  |   }
		100 | 
		101 |   egress {
		102 |     description = "Open all outbound ports"
		103 |     from_port   = 0
		104 |     to_port     = 0
		105 |     protocol    = "-1"
		106 |     cidr_blocks = ["0.0.0.0/0"]
		107 |   }
		108 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:78-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		78 | module "pagerduty_core_alerts" {
		79 |   depends_on = [
		80 |     aws_sns_topic.cdpt_chaps_ddos_alarm
		81 |   ]
		82 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		83 |   sns_topics                = [aws_sns_topic.cdpt_chaps_ddos_alarm.name]
		84 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		85 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:58-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		58 | resource "aws_security_group" "chaps_lb_sc" {
		59 |   name        = "load balancer security group"
		60 |   description = "control access to the load balancer"
		61 |   vpc_id      = data.aws_vpc.shared.id
		62 | 
		63 |   ingress {
		64 |     description = "allow access on HTTPS"
		65 |     from_port   = 443
		66 |     to_port     = 443
		67 |     protocol    = "tcp"
		68 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		69 |   }
		70 | 
		71 |   ingress {
		72 |     description     = "Allow traffic fromt load balancer to chapsdotnet container"
		73 |     from_port       = 8080
		74 |     to_port         = 8080
		75 |     protocol        = "tcp"
		76 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		77 |   }
		78 | 
		79 |   egress {
		80 |     description = "Open all outbound ports"
		81 |     from_port   = 0
		82 |     to_port     = 0
		83 |     protocol    = "-1"
		84 |     cidr_blocks = ["0.0.0.0/0"]
		85 |   }
		86 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:88-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		88  | resource "aws_security_group" "chaps_target_sc" {
		89  |   name        = "target security group"
		90  |   description = "allow health check traffic from load balancer"
		91  |   vpc_id      = data.aws_vpc.shared.id
		92  | 
		93  |   ingress {
		94  |     description     = "allow traffic from load balancer"
		95  |     from_port       = 80
		96  |     to_port         = 80
		97  |     protocol        = "tcp"
		98  |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		99  |   }
		100 | 
		101 |   egress {
		102 |     description = "Open all outbound ports"
		103 |     from_port   = 0
		104 |     to_port     = 0
		105 |     protocol    = "-1"
		106 |     cidr_blocks = ["0.0.0.0/0"]
		107 |   }
		108 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:571-593
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		571 | resource "aws_iam_role_policy" "app_task" {
		572 |   name = "task-${var.networking[0].application}"
		573 |   role = aws_iam_role.app_task.id
		574 | 
		575 |   policy = <<-EOF
		576 |   {
		577 |    "Version": "2012-10-17",
		578 |    "Statement": [
		579 |      {
		580 |        "Effect": "Allow",
		581 |         "Action": [
		582 |           "logs:CreateLogStream",
		583 |           "logs:PutLogEvents",
		584 |           "ecr:*",
		585 |           "iam:*",
		586 |           "ec2:*"
		587 |         ],
		588 |        "Resource": "*"
		589 |      }
		590 |    ]
		591 |   }
		592 |   EOF
		593 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 10:28:28,711 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 10:28:28,711 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-11-28 10:28:28,711 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 109, Failed checks: 45, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:9-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		9  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		10 |   name = "${local.application_name}-ec2-instance-policy"
		11 | 
		12 |   policy = <<EOF
		13 | {
		14 |     "Version": "2012-10-17",
		15 |     "Statement": [
		16 |         {
		17 |             "Effect": "Allow",
		18 |             "Action": [
		19 |                 "ec2:DescribeTags",
		20 |                 "ecs:CreateCluster",
		21 |                 "ecs:DeregisterContainerInstance",
		22 |                 "ecs:DiscoverPollEndpoint",
		23 |                 "ecs:Poll",
		24 |                 "ecs:RegisterContainerInstance",
		25 |                 "ecs:StartTelemetrySession",
		26 |                 "ecs:UpdateContainerInstancesState",
		27 |                 "ecs:Submit*",
		28 |                 "ecr:GetAuthorizationToken",
		29 |                 "ecr:BatchCheckLayerAvailability",
		30 |                 "ecr:GetDownloadUrlForLayer",
		31 |                 "ecr:BatchGetImage",
		32 |                 "logs:CreateLogGroup",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:GetLogEvents",
		35 |                 "logs:PutLogEvents",
		36 |                 "logs:DescribeLogGroups",
		37 |                 "logs:DescribeLogStreams",
		38 |                 "logs:PutRetentionPolicy",
		39 |                 "s3:ListBucket",
		40 |                 "s3:*Object*",
		41 |                 "kms:Decrypt",
		42 |                 "kms:Encrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:ReEncrypt",
		45 |                 "kms:GenerateDataKey",
		46 |                 "kms:DescribeKey",
		47 |                 "rds:Connect",
		48 |                 "rds:DescribeDBInstances"
		49 |             ],
		50 |             "Resource": "*"
		51 |         }
		52 |     ]
		53 | }
		54 | EOF
		55 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		58 |   name              = "/aws/events/deploymentLogs"
		59 |   retention_in_days = "7"
		60 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:87-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:233-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		233 | resource "aws_iam_role_policy" "app_execution" {
		234 |   name = "execution-${var.networking[0].application}"
		235 |   role = aws_iam_role.app_execution.id
		236 | 
		237 |   policy = <<-EOF
		238 |   {
		239 |     "Version": "2012-10-17",
		240 |     "Statement": [
		241 |       {
		242 |            "Action": [
		243 |               "ecr:*",
		244 |               "logs:CreateLogGroup",
		245 |               "logs:CreateLogStream",
		246 |               "logs:PutLogEvents",
		247 |               "logs:DescribeLogStreams",
		248 |               "secretsmanager:GetSecretValue"
		249 |            ],
		250 |            "Resource": "*",
		251 |            "Effect": "Allow"
		252 |       }
		253 |     ]
		254 |   }
		255 |   EOF
		256 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:319-354

		319 | resource "aws_security_group" "cluster_ec2" {
		320 |   name        = "${local.application_name}-cluster-ec2-security-group"
		321 |   description = "controls access to the cluster ec2 instance"
		322 |   vpc_id      = data.aws_vpc.shared.id
		323 | 
		324 |   ingress {
		325 |     description     = "allow access on HTTP from load balancer"
		326 |     from_port       = 80
		327 |     to_port         = 80
		328 |     protocol        = "tcp"
		329 |     security_groups = [aws_security_group.ifs_lb_sc.id]
		330 |   }
		331 | 
		332 |   ingress {
		333 |     description     = "Allow RDP ingress"
		334 |     from_port       = 3389
		335 |     to_port         = 3389
		336 |     protocol        = "tcp"
		337 |     security_groups = [module.bastion_linux.bastion_security_group]
		338 |   }
		339 | 
		340 |   egress {
		341 |     description = "Cluster EC2 loadbalancer egress rule"
		342 |     from_port   = 0
		343 |     to_port     = 0
		344 |     protocol    = "-1"
		345 |     cidr_blocks = ["0.0.0.0/0"]
		346 |   }
		347 | 
		348 |   tags = merge(
		349 |     local.tags,
		350 |     {
		351 |       Name = "${local.application_name}-cluster-ec2-security-group"
		352 |     }
		353 |   )
		354 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:469-487

		469 | resource "aws_security_group" "ecs_service" {
		470 |   name_prefix = "ecs-service-sg-"
		471 |   vpc_id      = data.aws_vpc.shared.id
		472 | 
		473 |   ingress {
		474 |     from_port       = 80
		475 |     to_port         = 80
		476 |     protocol        = "tcp"
		477 |     description     = "Allow traffic on port 80 from load balancer"
		478 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		479 |   }
		480 | 
		481 |   egress {
		482 |     from_port   = 0
		483 |     to_port     = 0
		484 |     protocol    = "-1"
		485 |     cidr_blocks = ["0.0.0.0/0"]
		486 |   }
		487 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:469-487
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		469 | resource "aws_security_group" "ecs_service" {
		470 |   name_prefix = "ecs-service-sg-"
		471 |   vpc_id      = data.aws_vpc.shared.id
		472 | 
		473 |   ingress {
		474 |     from_port       = 80
		475 |     to_port         = 80
		476 |     protocol        = "tcp"
		477 |     description     = "Allow traffic on port 80 from load balancer"
		478 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		479 |   }
		480 | 
		481 |   egress {
		482 |     from_port   = 0
		483 |     to_port     = 0
		484 |     protocol    = "-1"
		485 |     cidr_blocks = ["0.0.0.0/0"]
		486 |   }
		487 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:532-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		532 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		533 |   name              = "${local.application_name}-ecs"
		534 |   retention_in_days = 30
		535 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:532-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		532 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		533 |   name              = "${local.application_name}-ecs"
		534 |   retention_in_days = 30
		535 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.ifs_target_group
	File: /loadbalancer.tf:102-132

		102 | resource "aws_lb_target_group" "ifs_target_group" {
		103 |   name                 = "ifs-target-group"
		104 |   port                 = 80
		105 |   protocol             = "HTTP"
		106 |   vpc_id               = data.aws_vpc.shared.id
		107 |   target_type          = "ip"
		108 |   deregistration_delay = 30
		109 | 
		110 |   stickiness {
		111 |     type = "lb_cookie"
		112 |   }
		113 | 
		114 |   health_check {
		115 |     healthy_threshold   = "5"
		116 |     interval            = "60"
		117 |     protocol            = "HTTP"
		118 |     unhealthy_threshold = "2"
		119 |     matcher             = "200-499"
		120 |     timeout             = "15"
		121 |     path                = "/health"
		122 |   }
		123 | 
		124 |   lifecycle {
		125 |     create_before_destroy = true
		126 |     ignore_changes        = [name]
		127 |   }
		128 | 
		129 |   tags = {
		130 |     Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
		131 |   }
		132 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:48-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		48 | module "pagerduty_core_alerts" {
		49 |   depends_on = [
		50 |     aws_sns_topic.lb_5xx_alarm_topic
		51 |   ]
		52 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		53 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		54 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		55 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:183-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		183 | resource "aws_iam_role_policy" "app_task" {
		184 |   name = "task-${var.networking[0].application}"
		185 |   role = aws_iam_role.app_task.id
		186 | 
		187 |   policy = <<-EOF
		188 |   {
		189 |    "Version": "2012-10-17",
		190 |    "Statement": [
		191 |      {
		192 |        "Effect": "Allow",
		193 |         "Action": [
		194 |           "logs:CreateLogStream",
		195 |           "logs:PutLogEvents",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
12 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 120:
 120:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 170:
 170:           value = "${local.application_data.accounts[local.environment].TenantId}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 178:
 178:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 182:
 182:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 186:
 186:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 190:
 190:           value = "${local.application_data.accounts[local.environment].dotnet_client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 194:
 194:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 117:
 117:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 402:
 402:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-chaps
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-chaps
2024-11-28T10:28:12Z	INFO	[vulndb] Need to update DB
2024-11-28T10:28:12Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T10:28:12Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T10:28:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T10:28:14Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T10:28:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T10:28:14Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T10:28:14Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-28T10:28:14Z	INFO	[secret] Secret scanning is enabled
2024-11-28T10:28:14Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T10:28:14Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T10:28:15Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T10:28:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:19Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:19Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:19Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-11-28T10:28:19Z	INFO	Number of language-specific files	num=0
2024-11-28T10:28:19Z	INFO	Detected config files	num=9

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0080 (HIGH): Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-24
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.db_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-11-28T10:28:19Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T10:28:19Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T10:28:19Z	INFO	[secret] Secret scanning is enabled
2024-11-28T10:28:19Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T10:28:19Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T10:28:20Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T10:28:20Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T10:28:23Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:23Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-28T10:28:23Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-11-28T10:28:23Z	INFO	Number of language-specific files	num=0
2024-11-28T10:28:23Z	INFO	Detected config files	num=10

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0080 (HIGH): Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=2

@roncitrus roncitrus closed this Nov 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sukeshreddyg @roncitrus