Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-chaps

[dependabot]

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

• A lot of dependabot version bumps
• Feature/trivy by @​ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413
• updated README.md and unit test name by @​Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436
• add tfsec exception to fix static-analysis check failure by @​robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460
• Adds the redact of sensitive data items from test workflow output. by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465
• Fixes unredacted data values in workflow log. by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473
• Update main.tf by @​ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474
• issue/7689 by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544
• Bump Go versions by @​ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551
• Updated template to use dynamic resolution of SSM parameter store value by @​dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

• @​Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415
• @​Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436
• @​robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

• 440a828 Merge pull request #563 from ministryofjustice/feature/1385-resolve-parameter...
• 9b1804b terraform-docs: automated action
• 7acb479 updated template to use dynamic resolution of SSM parameter store value
• 72b6469 Merge pull request #562 from ministryofjustice/dependabot/github_actions/mini...
• 2cab62f Bump ministryofjustice/github-actions from 18.2.0 to 18.2.1
• de00773 Merge pull request #561 from ministryofjustice/dependabot/github_actions/acti...
• 226a136 Bump actions/upload-artifact from 4.4.2 to 4.4.3
• 69ed718 Merge pull request #560 from ministryofjustice/dependabot/github_actions/aqua...
• 32650dd Merge pull request #558 from ministryofjustice/dependabot/github_actions/acti...
• 55feca3 Merge pull request #559 from ministryofjustice/dependabot/github_actions/acti...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/cdpt-chaps

---

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T01:05:05Z INFO [vulndb] Need to update DB
2024-10-14T01:05:05Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T01:05:05Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:05:07Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:05:07Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T01:05:07Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T01:05:07Z INFO [misconfig] Need to update the built-in checks
2024-10-14T01:05:07Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-14T01:05:08Z INFO [secret] Secret scanning is enabled
2024-10-14T01:05:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T01:05:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T01:05:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T01:05:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-14T01:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:13Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:15Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T01:05:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T01:05:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T01:05:15Z INFO Number of language-specific files num=0
2024-10-14T01:05:15Z INFO Detected config files num=9

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-24
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 01:05:18,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 01:05:18,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 01:05:18,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 110, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 |   # public keys
		16 |   public_key_data = local.public_key_data.keys[local.environment]
		17 |   # logs
		18 |   log_auto_clean       = "Enabled"
		19 |   log_standard_ia_days = 30  # days before moving to IA storage
		20 |   log_glacier_days     = 60  # days before moving to Glacier
		21 |   log_expiry_days      = 180 # days before log expiration
		22 |   # bastion
		23 |   allow_ssh_commands = false
		24 | 
		25 |   app_name      = var.networking[0].application
		26 |   business_unit = local.vpc_name
		27 |   subnet_set    = local.subnet_set
		28 |   environment   = local.environment
		29 |   region        = "eu-west-2"
		30 | 
		31 |   extra_user_data_content = "yum install -y openldap-clients"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 |   ingress {
		42 |     from_port   = 1433
		43 |     to_port     = 1433
		44 |     protocol    = "tcp"
		45 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		46 |   }
		47 |   egress {
		48 |     from_port   = 0
		49 |     to_port     = 0
		50 |     protocol    = "-1"
		51 |     cidr_blocks = ["0.0.0.0/0"]
		52 |   }
		53 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:69-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		69 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		70 |   name              = "/aws/events/deploymentLogs"
		71 |   retention_in_days = "7"
		72 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:74-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:467-485
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		467 | resource "aws_security_group" "ecs_service" {
		468 |   name_prefix = "ecs-service-sg-"
		469 |   vpc_id      = data.aws_vpc.shared.id
		470 | 
		471 |   ingress {
		472 |     from_port       = 80
		473 |     to_port         = 80
		474 |     protocol        = "tcp"
		475 |     description     = "Allow traffic on port 80 from load balancer"
		476 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		477 |   }
		478 | 
		479 |   egress {
		480 |     from_port   = 0
		481 |     to_port     = 0
		482 |     protocol    = "-1"
		483 |     cidr_blocks = ["0.0.0.0/0"]
		484 |   }
		485 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:78-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		78 | module "pagerduty_core_alerts" {
		79 |   depends_on = [
		80 |     aws_sns_topic.cdpt_chaps_ddos_alarm
		81 |   ]
		82 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		83 |   sns_topics                = [aws_sns_topic.cdpt_chaps_ddos_alarm.name]
		84 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		85 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:132-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		132 | resource "aws_security_group" "chaps_lb_sc" {
		133 |   name        = "load balancer security group"
		134 |   description = "control access to the load balancer"
		135 |   vpc_id      = data.aws_vpc.shared.id
		136 | 
		137 |   ingress {
		138 |     description = "allow access on HTTPS"
		139 |     from_port   = 443
		140 |     to_port     = 443
		141 |     protocol    = "tcp"
		142 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		143 |   }
		144 | 
		145 |   egress {
		146 |     description = "Open all outbound ports"
		147 |     from_port   = 0
		148 |     to_port     = 0
		149 |     protocol    = "-1"
		150 |     cidr_blocks = ["0.0.0.0/0"]
		151 |   }
		152 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:154-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		154 | resource "aws_security_group" "chaps_target_sc" {
		155 |   name        = "target security group"
		156 |   description = "allow health check traffic from load balancer"
		157 |   vpc_id      = data.aws_vpc.shared.id
		158 | 
		159 |   ingress {
		160 |     description     = "allow traffic from load balancer"
		161 |     from_port       = 80
		162 |     to_port         = 80
		163 |     protocol        = "tcp"
		164 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		165 |   }
		166 | 
		167 |   egress {
		168 |     description = "Open all outbound ports"
		169 |     from_port   = 0
		170 |     to_port     = 0
		171 |     protocol    = "-1"
		172 |     cidr_blocks = ["0.0.0.0/0"]
		173 |   }
		174 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 120:
 120:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 175:
 175:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T01:05:05Z	INFO	[vulndb] Need to update DB
2024-10-14T01:05:05Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T01:05:05Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:05:07Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:05:07Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T01:05:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-14T01:05:07Z	INFO	[misconfig] Need to update the built-in checks
2024-10-14T01:05:07Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-14T01:05:08Z	INFO	[secret] Secret scanning is enabled
2024-10-14T01:05:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T01:05:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T01:05:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-14T01:05:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-14T01:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T01:05:13Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T01:05:15Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T01:05:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T01:05:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T01:05:15Z	INFO	Number of language-specific files	num=0
2024-10-14T01:05:15Z	INFO	Detected config files	num=9

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-24
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.db_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=1

[ASTRobinson]

@dependabot rebase

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/cdpt-chaps

---

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T14:35:05Z INFO [vulndb] Need to update DB
2024-10-14T14:35:05Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T14:35:05Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T14:35:05Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 793.308µs, allowed: 44000/minute\n\n"
2024-10-14T14:35:05Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 14:35:08,360 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 14:35:08,360 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 14:35:08,360 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 110, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 |   # public keys
		16 |   public_key_data = local.public_key_data.keys[local.environment]
		17 |   # logs
		18 |   log_auto_clean       = "Enabled"
		19 |   log_standard_ia_days = 30  # days before moving to IA storage
		20 |   log_glacier_days     = 60  # days before moving to Glacier
		21 |   log_expiry_days      = 180 # days before log expiration
		22 |   # bastion
		23 |   allow_ssh_commands = false
		24 | 
		25 |   app_name      = var.networking[0].application
		26 |   business_unit = local.vpc_name
		27 |   subnet_set    = local.subnet_set
		28 |   environment   = local.environment
		29 |   region        = "eu-west-2"
		30 | 
		31 |   extra_user_data_content = "yum install -y openldap-clients"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 |   ingress {
		42 |     from_port   = 1433
		43 |     to_port     = 1433
		44 |     protocol    = "tcp"
		45 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		46 |   }
		47 |   egress {
		48 |     from_port   = 0
		49 |     to_port     = 0
		50 |     protocol    = "-1"
		51 |     cidr_blocks = ["0.0.0.0/0"]
		52 |   }
		53 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:69-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		69 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		70 |   name              = "/aws/events/deploymentLogs"
		71 |   retention_in_days = "7"
		72 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:74-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:467-485
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		467 | resource "aws_security_group" "ecs_service" {
		468 |   name_prefix = "ecs-service-sg-"
		469 |   vpc_id      = data.aws_vpc.shared.id
		470 | 
		471 |   ingress {
		472 |     from_port       = 80
		473 |     to_port         = 80
		474 |     protocol        = "tcp"
		475 |     description     = "Allow traffic on port 80 from load balancer"
		476 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		477 |   }
		478 | 
		479 |   egress {
		480 |     from_port   = 0
		481 |     to_port     = 0
		482 |     protocol    = "-1"
		483 |     cidr_blocks = ["0.0.0.0/0"]
		484 |   }
		485 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:78-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		78 | module "pagerduty_core_alerts" {
		79 |   depends_on = [
		80 |     aws_sns_topic.cdpt_chaps_ddos_alarm
		81 |   ]
		82 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		83 |   sns_topics                = [aws_sns_topic.cdpt_chaps_ddos_alarm.name]
		84 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		85 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:132-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		132 | resource "aws_security_group" "chaps_lb_sc" {
		133 |   name        = "load balancer security group"
		134 |   description = "control access to the load balancer"
		135 |   vpc_id      = data.aws_vpc.shared.id
		136 | 
		137 |   ingress {
		138 |     description = "allow access on HTTPS"
		139 |     from_port   = 443
		140 |     to_port     = 443
		141 |     protocol    = "tcp"
		142 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		143 |   }
		144 | 
		145 |   egress {
		146 |     description = "Open all outbound ports"
		147 |     from_port   = 0
		148 |     to_port     = 0
		149 |     protocol    = "-1"
		150 |     cidr_blocks = ["0.0.0.0/0"]
		151 |   }
		152 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:154-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		154 | resource "aws_security_group" "chaps_target_sc" {
		155 |   name        = "target security group"
		156 |   description = "allow health check traffic from load balancer"
		157 |   vpc_id      = data.aws_vpc.shared.id
		158 | 
		159 |   ingress {
		160 |     description     = "allow traffic from load balancer"
		161 |     from_port       = 80
		162 |     to_port         = 80
		163 |     protocol        = "tcp"
		164 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		165 |   }
		166 | 
		167 |   egress {
		168 |     description = "Open all outbound ports"
		169 |     from_port   = 0
		170 |     to_port     = 0
		171 |     protocol    = "-1"
		172 |     cidr_blocks = ["0.0.0.0/0"]
		173 |   }
		174 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 120:
 120:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 175:
 175:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T14:35:05Z	INFO	[vulndb] Need to update DB
2024-10-14T14:35:05Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T14:35:05Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T14:35:05Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 793.308µs, allowed: 44000/minute\n\n"
2024-10-14T14:35:05Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/cdpt-chaps

---

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T15:58:11Z INFO [vulndb] Need to update DB
2024-10-14T15:58:11Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T15:58:11Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T15:58:13Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T15:58:13Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T15:58:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T15:58:13Z INFO [misconfig] Need to update the built-in checks
2024-10-14T15:58:13Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-14T15:58:13Z INFO [secret] Secret scanning is enabled
2024-10-14T15:58:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T15:58:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T15:58:14Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T15:58:14Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-14T15:58:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:17Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T15:58:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T15:58:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T15:58:17Z INFO Number of language-specific files num=0
2024-10-14T15:58:17Z INFO Detected config files num=9

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-24
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 15:58:20,394 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 15:58:20,395 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 15:58:20,395 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 110, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 |   # public keys
		16 |   public_key_data = local.public_key_data.keys[local.environment]
		17 |   # logs
		18 |   log_auto_clean       = "Enabled"
		19 |   log_standard_ia_days = 30  # days before moving to IA storage
		20 |   log_glacier_days     = 60  # days before moving to Glacier
		21 |   log_expiry_days      = 180 # days before log expiration
		22 |   # bastion
		23 |   allow_ssh_commands = false
		24 | 
		25 |   app_name      = var.networking[0].application
		26 |   business_unit = local.vpc_name
		27 |   subnet_set    = local.subnet_set
		28 |   environment   = local.environment
		29 |   region        = "eu-west-2"
		30 | 
		31 |   extra_user_data_content = "yum install -y openldap-clients"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 |   ingress {
		42 |     from_port   = 1433
		43 |     to_port     = 1433
		44 |     protocol    = "tcp"
		45 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		46 |   }
		47 |   egress {
		48 |     from_port   = 0
		49 |     to_port     = 0
		50 |     protocol    = "-1"
		51 |     cidr_blocks = ["0.0.0.0/0"]
		52 |   }
		53 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:69-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		69 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		70 |   name              = "/aws/events/deploymentLogs"
		71 |   retention_in_days = "7"
		72 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:74-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:467-485
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		467 | resource "aws_security_group" "ecs_service" {
		468 |   name_prefix = "ecs-service-sg-"
		469 |   vpc_id      = data.aws_vpc.shared.id
		470 | 
		471 |   ingress {
		472 |     from_port       = 80
		473 |     to_port         = 80
		474 |     protocol        = "tcp"
		475 |     description     = "Allow traffic on port 80 from load balancer"
		476 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		477 |   }
		478 | 
		479 |   egress {
		480 |     from_port   = 0
		481 |     to_port     = 0
		482 |     protocol    = "-1"
		483 |     cidr_blocks = ["0.0.0.0/0"]
		484 |   }
		485 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:78-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		78 | module "pagerduty_core_alerts" {
		79 |   depends_on = [
		80 |     aws_sns_topic.cdpt_chaps_ddos_alarm
		81 |   ]
		82 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		83 |   sns_topics                = [aws_sns_topic.cdpt_chaps_ddos_alarm.name]
		84 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		85 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:132-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		132 | resource "aws_security_group" "chaps_lb_sc" {
		133 |   name        = "load balancer security group"
		134 |   description = "control access to the load balancer"
		135 |   vpc_id      = data.aws_vpc.shared.id
		136 | 
		137 |   ingress {
		138 |     description = "allow access on HTTPS"
		139 |     from_port   = 443
		140 |     to_port     = 443
		141 |     protocol    = "tcp"
		142 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		143 |   }
		144 | 
		145 |   egress {
		146 |     description = "Open all outbound ports"
		147 |     from_port   = 0
		148 |     to_port     = 0
		149 |     protocol    = "-1"
		150 |     cidr_blocks = ["0.0.0.0/0"]
		151 |   }
		152 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:154-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		154 | resource "aws_security_group" "chaps_target_sc" {
		155 |   name        = "target security group"
		156 |   description = "allow health check traffic from load balancer"
		157 |   vpc_id      = data.aws_vpc.shared.id
		158 | 
		159 |   ingress {
		160 |     description     = "allow traffic from load balancer"
		161 |     from_port       = 80
		162 |     to_port         = 80
		163 |     protocol        = "tcp"
		164 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		165 |   }
		166 | 
		167 |   egress {
		168 |     description = "Open all outbound ports"
		169 |     from_port   = 0
		170 |     to_port     = 0
		171 |     protocol    = "-1"
		172 |     cidr_blocks = ["0.0.0.0/0"]
		173 |   }
		174 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 120:
 120:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 175:
 175:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Trivy in terraform/environments/cdpt-chaps
2024-10-14T15:58:11Z	INFO	[vulndb] Need to update DB
2024-10-14T15:58:11Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T15:58:11Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T15:58:13Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T15:58:13Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T15:58:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-14T15:58:13Z	INFO	[misconfig] Need to update the built-in checks
2024-10-14T15:58:13Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-14T15:58:13Z	INFO	[secret] Secret scanning is enabled
2024-10-14T15:58:13Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T15:58:13Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T15:58:14Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-14T15:58:14Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-14T15:58:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T15:58:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T15:58:17Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T15:58:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T15:58:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T15:58:17Z	INFO	Number of language-specific files	num=0
2024-10-14T15:58:17Z	INFO	Detected config files	num=9

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-24
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.db_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=1

[dependabot]

Superseded by #8250.