Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TM-616 - Add cloudwatch for CIS #9562

Merged
merged 10 commits into from
Feb 6, 2025
Merged

TM-616 - Add cloudwatch for CIS #9562

merged 10 commits into from
Feb 6, 2025
+447 −24

Conversation

ffteva-moj
Copy link
Contributor

No description provided.

@ffteva-moj ffteva-moj requested review from a team as code owners February 4, 2025 19:57
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Feb 4, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T19:59:51Z INFO [vulndb] Need to update DB
2025-02-04T19:59:51Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T19:59:51Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T19:59:54Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T19:59:54Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T19:59:54Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T19:59:54Z INFO [misconfig] Need to update the built-in checks
2025-02-04T19:59:54Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T19:59:54Z INFO [secret] Secret scanning is enabled
2025-02-04T19:59:54Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T19:59:54Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T19:59:55Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T19:59:55Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T19:59:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T19:59:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T19:59:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T19:59:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T19:59:57Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T19:59:57Z INFO Number of language-specific files num=0
2025-02-04T19:59:57Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 19:59:59,705 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 19:59:59,706 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:00:09,850 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 133, Failed checks: 26, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cis_pagerduty_core_alerts
	File: /cw.tf:397-404
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		397 | module "cis_pagerduty_core_alerts" {
		398 |   depends_on = [
		399 |     aws_sns_topic.cis_alerting_topic
		400 |   ]
		401 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		402 |   sns_topics                = [aws_sns_topic.cis_alerting_topic.name]
		403 |   pagerduty_integration_key = local.cis_pagerduty_integration_keys[local.cis_pagerduty_integration_key_name]
		404 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T19:59:51Z	INFO	[vulndb] Need to update DB
2025-02-04T19:59:51Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T19:59:51Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T19:59:54Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T19:59:54Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T19:59:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T19:59:54Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T19:59:54Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T19:59:54Z	INFO	[secret] Secret scanning is enabled
2025-02-04T19:59:54Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T19:59:54Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T19:59:55Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T19:59:55Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T19:59:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T19:59:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T19:59:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T19:59:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T19:59:57Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T19:59:57Z	INFO	Number of language-specific files	num=0
2025-02-04T19:59:57Z	INFO	Detected config files	num=5
trivy_exitcode=0

Fani Foteva added 2 commits February 4, 2025 20:00
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:02:55Z INFO [vulndb] Need to update DB
2025-02-04T20:02:55Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:02:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:02:57Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:02:57Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:02:57Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:02:57Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:02:57Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-04T20:02:58Z INFO [secret] Secret scanning is enabled
2025-02-04T20:02:58Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:02:58Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:02:59Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:02:59Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:03:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:03:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:03:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:03:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:03:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:03:01Z INFO Number of language-specific files num=0
2025-02-04T20:03:01Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:03:04,482 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:03:14,668 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 132, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:02:55Z	INFO	[vulndb] Need to update DB
2025-02-04T20:02:55Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:02:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:02:57Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:02:57Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:02:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:02:57Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:02:57Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-04T20:02:58Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:02:58Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:02:58Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:02:59Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:02:59Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:03:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:03:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:03:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:03:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:03:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:03:01Z	INFO	Number of language-specific files	num=0
2025-02-04T20:03:01Z	INFO	Detected config files	num=5
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:04:46Z INFO [vulndb] Need to update DB
2025-02-04T20:04:46Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:04:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:04:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:04:50Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:04:50Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:04:50Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:04:50Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:04:50Z INFO [secret] Secret scanning is enabled
2025-02-04T20:04:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:04:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:04:51Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:04:51Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:04:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:04:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:04:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:04:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:04:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:04:53Z INFO Number of language-specific files num=0
2025-02-04T20:04:53Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:04:56,849 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:05:06,988 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 132, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:04:46Z	INFO	[vulndb] Need to update DB
2025-02-04T20:04:46Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:04:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:04:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:04:50Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:04:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:04:50Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:04:50Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:04:50Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:04:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:04:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:04:51Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:04:51Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:04:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:04:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:04:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:04:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:04:53Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:04:53Z	INFO	Number of language-specific files	num=0
2025-02-04T20:04:53Z	INFO	Detected config files	num=5
trivy_exitcode=0

TM-616 - Added missing var
e9002ec 
Signed-off-by: Fani Foteva <[email protected]>
@ffteva-moj ffteva-moj temporarily deployed to corporate-information-system-development February 4, 2025 20:07 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:08:28Z INFO [vulndb] Need to update DB
2025-02-04T20:08:28Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:08:28Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:08:31Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:08:31Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:08:31Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:08:31Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:08:31Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:08:31Z INFO [secret] Secret scanning is enabled
2025-02-04T20:08:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:08:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:08:32Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:08:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:08:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:08:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:08:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:08:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:08:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:08:33Z INFO Number of language-specific files num=0
2025-02-04T20:08:33Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:08:36,089 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:08:46,281 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 132, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:08:28Z	INFO	[vulndb] Need to update DB
2025-02-04T20:08:28Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:08:28Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:08:31Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:08:31Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:08:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:08:31Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:08:31Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:08:31Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:08:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:08:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:08:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:08:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:08:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:08:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:08:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:08:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:08:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:08:33Z	INFO	Number of language-specific files	num=0
2025-02-04T20:08:33Z	INFO	Detected config files	num=5
trivy_exitcode=0

TM-616 - Added EFS alarm
69379f8 
Signed-off-by: Fani Foteva <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:27:36Z INFO [vulndb] Need to update DB
2025-02-04T20:27:36Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:27:36Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:27:38Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:27:38Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:27:38Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:27:38Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:27:38Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:27:39Z INFO [secret] Secret scanning is enabled
2025-02-04T20:27:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:27:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:27:40Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:27:40Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:27:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:27:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:27:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:27:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:27:41Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:27:41Z INFO Number of language-specific files num=0
2025-02-04T20:27:41Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:27:43,906 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:27:54,037 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 133, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:27:36Z	INFO	[vulndb] Need to update DB
2025-02-04T20:27:36Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:27:36Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:27:38Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:27:38Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:27:38Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:27:38Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:27:38Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:27:39Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:27:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:27:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:27:40Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:27:40Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:27:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:27:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:27:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:27:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:27:41Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:27:41Z	INFO	Number of language-specific files	num=0
2025-02-04T20:27:41Z	INFO	Detected config files	num=5
trivy_exitcode=0

Fani Foteva added 2 commits February 4, 2025 20:29
TM-616 - fixed wrong var
a6da404 
Signed-off-by: Fani Foteva <[email protected]>
TM-616 - fixed error again
c1af9ed 
Signed-off-by: Fani Foteva <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:32:09Z INFO [vulndb] Need to update DB
2025-02-04T20:32:09Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:32:09Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:32:12Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:32:12Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:32:12Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:32:12Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:32:12Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:32:12Z INFO [secret] Secret scanning is enabled
2025-02-04T20:32:12Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:32:12Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:32:13Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:32:13Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:32:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:32:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:32:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:32:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:32:14Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:32:14Z INFO Number of language-specific files num=0
2025-02-04T20:32:14Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:32:17,375 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:32:27,522 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 133, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:32:09Z	INFO	[vulndb] Need to update DB
2025-02-04T20:32:09Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:32:09Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:32:12Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:32:12Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:32:12Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:32:12Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:32:12Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:32:12Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:32:12Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:32:12Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:32:13Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:32:13Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:32:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:32:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:32:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:32:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:32:14Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:32:14Z	INFO	Number of language-specific files	num=0
2025-02-04T20:32:14Z	INFO	Detected config files	num=5
trivy_exitcode=0

@ffteva-moj ffteva-moj temporarily deployed to corporate-information-system-development February 4, 2025 20:33 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:34:02Z INFO [vulndb] Need to update DB
2025-02-04T20:34:02Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T20:34:02Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:34:04Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:34:04Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T20:34:04Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T20:34:04Z INFO [misconfig] Need to update the built-in checks
2025-02-04T20:34:04Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:34:04Z INFO [secret] Secret scanning is enabled
2025-02-04T20:34:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:34:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:34:05Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T20:34:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T20:34:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:34:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:34:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:34:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:34:06Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:34:07Z INFO Number of language-specific files num=0
2025-02-04T20:34:07Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 20:34:09,520 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 20:34:19,669 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 133, Failed checks: 25, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-04T20:34:02Z	INFO	[vulndb] Need to update DB
2025-02-04T20:34:02Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T20:34:02Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:34:04Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T20:34:04Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T20:34:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T20:34:04Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T20:34:04Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T20:34:04Z	INFO	[secret] Secret scanning is enabled
2025-02-04T20:34:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T20:34:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T20:34:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T20:34:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T20:34:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T20:34:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T20:34:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:34:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T20:34:06Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T20:34:07Z	INFO	Number of language-specific files	num=0
2025-02-04T20:34:07Z	INFO	Detected config files	num=5
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 6, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:33:44Z INFO [vulndb] Need to update DB
2025-02-06T02:33:44Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T02:33:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:33:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:33:47Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T02:33:47Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T02:33:47Z INFO [misconfig] Need to update the built-in checks
2025-02-06T02:33:47Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-06T02:33:48Z INFO [secret] Secret scanning is enabled
2025-02-06T02:33:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:33:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:33:49Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T02:33:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T02:33:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:33:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:33:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:33:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:33:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:33:53Z INFO Number of language-specific files num=0
2025-02-06T02:33:53Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 02:33:56,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:33:56,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:34:06,240 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 134, Failed checks: 26, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cis_pagerduty_core_alerts
	File: /cw.tf:397-404
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		397 | module "cis_pagerduty_core_alerts" {
		398 |   depends_on = [
		399 |     aws_sns_topic.cis_alerting_topic
		400 |   ]
		401 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		402 |   sns_topics                = [aws_sns_topic.cis_alerting_topic.name]
		403 |   pagerduty_integration_key = local.cis_pagerduty_integration_keys[local.cis_pagerduty_integration_key_name]
		404 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:33:44Z	INFO	[vulndb] Need to update DB
2025-02-06T02:33:44Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T02:33:44Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:33:47Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:33:47Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T02:33:47Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T02:33:47Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T02:33:47Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-06T02:33:48Z	INFO	[secret] Secret scanning is enabled
2025-02-06T02:33:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:33:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:33:49Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T02:33:49Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T02:33:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:33:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:33:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:33:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:33:53Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:33:53Z	INFO	Number of language-specific files	num=0
2025-02-06T02:33:53Z	INFO	Detected config files	num=5
trivy_exitcode=0

@ffteva-moj
Update pd module
dec414e 
Signed-off-by: Fani Foteva <[email protected]>
@ffteva-moj ffteva-moj requested a review from a team as a code owner February 6, 2025 02:36
@ffteva-moj ffteva-moj had a problem deploying to contract-work-administration-development February 6, 2025 02:37 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 6, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:38:52Z INFO [vulndb] Need to update DB
2025-02-06T02:38:52Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T02:38:52Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:38:55Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:38:55Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T02:38:55Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T02:38:55Z INFO [misconfig] Need to update the built-in checks
2025-02-06T02:38:55Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T02:38:55Z INFO [secret] Secret scanning is enabled
2025-02-06T02:38:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:38:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:38:56Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T02:38:56Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T02:38:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:38:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:38:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:38:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:38:59Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:38:59Z INFO Number of language-specific files num=0
2025-02-06T02:38:59Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 02:39:02,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:39:02,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:39:12,875 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 134, Failed checks: 26, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cis_pagerduty_core_alerts
	File: /cw.tf:397-404
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		397 | module "cis_pagerduty_core_alerts" {
		398 |   depends_on = [
		399 |     aws_sns_topic.cis_alerting_topic
		400 |   ]
		401 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		402 |   sns_topics                = [aws_sns_topic.cis_alerting_topic.name]
		403 |   pagerduty_integration_key = local.cis_pagerduty_integration_keys[local.cis_pagerduty_integration_key_name]
		404 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:38:52Z	INFO	[vulndb] Need to update DB
2025-02-06T02:38:52Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T02:38:52Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:38:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:38:55Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T02:38:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T02:38:55Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T02:38:55Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T02:38:55Z	INFO	[secret] Secret scanning is enabled
2025-02-06T02:38:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:38:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:38:56Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T02:38:56Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T02:38:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:38:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:38:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:38:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:38:59Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:38:59Z	INFO	Number of language-specific files	num=0
2025-02-06T02:38:59Z	INFO	Detected config files	num=5
trivy_exitcode=0

@ffteva-moj
fix mistake
343e4e0 
Signed-off-by: Fani Foteva <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 6, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:46:20Z INFO [vulndb] Need to update DB
2025-02-06T02:46:20Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T02:46:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:46:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:46:22Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T02:46:22Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T02:46:22Z INFO [misconfig] Need to update the built-in checks
2025-02-06T02:46:22Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T02:46:22Z INFO [secret] Secret scanning is enabled
2025-02-06T02:46:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:46:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:46:23Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T02:46:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T02:46:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:46:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:46:24Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:46:24Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:46:25Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:46:25Z INFO Number of language-specific files num=0
2025-02-06T02:46:25Z INFO Detected config files num=5
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 02:46:27,978 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:46:27,978 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 02:46:38,121 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 134, Failed checks: 26, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISEC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "CISEC2LogGoup" {
		6 |   name              = "${local.application_name_short}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "CISLogGroupCfnInit" {
		13 |   name              = "${local.application_name_short}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "CISLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name_short}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "CISLogGroupRman" {
		23 |   name              = "${local.application_name_short}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "CISLogGroupRmanArch" {
		29 |   name              = "${local.application_name_short}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "CISLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name_short}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.CISLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "CISLogGroupPMONstatus" {
		39 |   name              = "${local.application_name_short}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cis_alerting_topic
	File: /cw.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		367 | resource "aws_sns_topic" "cis_alerting_topic" {
		368 |   name = "${local.application_name_short}-SNS-topic"
		369 |   tags = merge(
		370 |     local.tags,
		371 |     {
		372 |       Name = "${local.application_name_short}-cis-alerting-topic"
		373 |     }
		374 |   )
		375 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cis_pagerduty_core_alerts
	File: /cw.tf:397-404
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		397 | module "cis_pagerduty_core_alerts" {
		398 |   depends_on = [
		399 |     aws_sns_topic.cis_alerting_topic
		400 |   ]
		401 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		402 |   sns_topics                = [aws_sns_topic.cis_alerting_topic.name]
		403 |   pagerduty_integration_key = local.cis_pagerduty_integration_keys[local.cis_pagerduty_integration_key_name]
		404 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.cis_ec2_policy
	File: /iam.tf:27-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		27 | resource "aws_iam_role_policy" "cis_ec2_policy" {
		28 |   name = "${local.application_name_short}-ec2-policy"
		29 |   role = aws_iam_role.cis_ec2_role.id
		30 | 
		31 |   policy = jsonencode({
		32 |     Version = "2012-10-17"
		33 |     Statement = [
		34 |       {
		35 |         Action   = "s3:*"
		36 |         Effect   = "Allow"
		37 |         Resource = "*"
		38 |       }
		39 |     ]
		40 |   })
		41 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:69-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		69  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		70  |   name = "${local.application_name_short}-s3fs-policy"
		71  |   role = aws_iam_role.cis_s3fs_role.id
		72  | 
		73  |   policy = jsonencode({
		74  |     Version = "2012-10-17"
		75  |     Statement = [
		76  |       {
		77  |         "Action" : [
		78  |           "s3:*"
		79  |         ],
		80  |         "Resource" : [
		81  |           "arn:aws:s3:::laa-software-bucket2",
		82  |           "arn:aws:s3:::laa-software-bucket2/*",
		83  |           "arn:aws:s3:::laa-software-library",
		84  |           "arn:aws:s3:::laa-software-library/*",
		85  |           "arn:aws:s3:::laa-cis-inbound-production",
		86  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		87  |           "arn:aws:s3:::laa-cis-outbound-production",
		88  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		89  |           "arn:aws:s3:::laa-ccms-outbound-production",
		90  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		91  |           "arn:aws:s3:::laa-ccms-inbound-production",
		92  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		93  |         ],
		94  |         "Effect" : "Allow"
		95  |       },
		96  |       {
		97  |         "Action" : [
		98  |           "logs:CreateLogGroup",
		99  |           "logs:CreateLogStream",
		100 |           "logs:DescribeLogStreams",
		101 |           "logs:PutRetentionPolicy",
		102 |           "logs:PutLogEvents",
		103 |           "ec2:DescribeInstances"
		104 |         ],
		105 |         "Resource" : "*",
		106 |         "Effect" : "Allow"
		107 |       },
		108 |       {
		109 |         "Action" : [
		110 |           "ec2:CreateTags"
		111 |         ],
		112 |         "Resource" : "*",
		113 |         "Effect" : "Allow"
		114 |       }
		115 |     ]
		116 |   })
		117 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2025-02-06T02:46:20Z	INFO	[vulndb] Need to update DB
2025-02-06T02:46:20Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T02:46:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:46:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T02:46:22Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T02:46:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T02:46:22Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T02:46:22Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T02:46:22Z	INFO	[secret] Secret scanning is enabled
2025-02-06T02:46:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T02:46:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T02:46:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T02:46:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T02:46:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T02:46:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T02:46:24Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:46:24Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T02:46:25Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T02:46:25Z	INFO	Number of language-specific files	num=0
2025-02-06T02:46:25Z	INFO	Detected config files	num=5
trivy_exitcode=0

@ffteva-moj ffteva-moj deployed to corporate-information-system-development February 6, 2025 10:58 — with GitHub Actions Active
@ffteva-moj ffteva-moj merged commit ab81bb6 into main Feb 6, 2025
12 of 16 checks passed
@ffteva-moj ffteva-moj deleted the TM-616 branch February 6, 2025 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLinden SteveLinden SteveLinden approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ffteva-moj @SteveLinden