Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/performance-hub #8235

dependabot · 2024-10-15T00:14:25Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.1

What's Fixed

The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Add alias for MP S3 KMS key by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566

Refactor unit tests by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

Update main.tf by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474

issue/7689 by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544

Bump Go versions by @ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551

Updated template to use dynamic resolution of SSM parameter store value by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

@Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415

@Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

@robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

ab924e5 Merge pull request #571 from ministryofjustice/dependabot/github_actions/gith...
0aeff36 Bump github/codeql-action from 3.26.12 to 3.26.13
9a92439 Merge pull request #569 from ministryofjustice/feature/7569-unit-tests
4d638cb Merge pull request #570 from ministryofjustice/dependabot/github_actions/mini...
0f844c3 Update versions.tf
f820ed1 Update terraform-static-analysis.yml
b8abd5c Update format-code.yml
714055c Bump ministryofjustice/github-actions from 18.2.2 to 18.2.4
89aaf2c added checkov skip as policy is defined as a separate resource and not inline
7d94ff1 terraform-docs: automated action
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.3.1. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.1) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-10-15T00:15:59Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/performance-hub

Running Trivy in terraform/environments/performance-hub
2024-10-15T00:15:43Z INFO [vulndb] Need to update DB
2024-10-15T00:15:43Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T00:15:43Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:15:46Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:15:46Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T00:15:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T00:15:46Z INFO [misconfig] Need to update the built-in checks
2024-10-15T00:15:46Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [--------------------------------------------------------->] 100.00% ? p/s ?156.02 KiB / 156.02 KiB [-----------------------------------------------] 100.00% 8.58 MiB p/s 200ms2024-10-15T00:15:46Z INFO [secret] Secret scanning is enabled
2024-10-15T00:15:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:15:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:15:47Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T00:15:47Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:15:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:15:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T00:15:52Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:15:52Z INFO Number of language-specific files num=0
2024-10-15T00:15:52Z INFO Detected config files num=10

database.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
database.tf:171-187
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket" "database_backup_files" {
172 │ #checkov:skip=CKV_AWS_18
173 │ #checkov:skip=CKV_AWS_144
174 │ #checkov:skip=CKV2_AWS_6
175 │ bucket = "${local.application_name}-db-backups-${local.environment}"
176 │
177 │ lifecycle {
178 │ prevent_destroy = true
179 └ }
...
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
database.tf:171-187
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket" "database_backup_files" {
172 │ #checkov:skip=CKV_AWS_18
173 │ #checkov:skip=CKV_AWS_144
174 │ #checkov:skip=CKV2_AWS_6
175 │ bucket = "${local.application_name}-db-backups-${local.environment}"
176 │
177 │ lifecycle {
178 │ prevent_destroy = true
179 └ }
...
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
database.tf:171-187
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket" "database_backup_files" {
172 │ #checkov:skip=CKV_AWS_18
173 │ #checkov:skip=CKV_AWS_144
174 │ #checkov:skip=CKV2_AWS_6
175 │ bucket = "${local.application_name}-db-backups-${local.environment}"
176 │
177 │ lifecycle {
178 │ prevent_destroy = true
179 └ }
...
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
database.tf:171-187
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket" "database_backup_files" {
172 │ #checkov:skip=CKV_AWS_18
173 │ #checkov:skip=CKV_AWS_144
174 │ #checkov:skip=CKV2_AWS_6
175 │ bucket = "${local.application_name}-db-backups-${local.environment}"
176 │
177 │ lifecycle {
178 │ prevent_destroy = true
179 └ }
...
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 1)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
loadbalancer.tf:5-25
────────────────────────────────────────
5 ┌ resource "aws_lb" "external" {
6 │ #checkov:skip=CKV_AWS_91
7 │ #checkov:skip=CKV_AWS_131
8 │ #checkov:skip=CKV2_AWS_20
9 │ #checkov:skip=CKV2_AWS_28
10 │ name = "${local.application_name}-loadbalancer"
11 │ load_balancer_type = "application"
12 │ subnets = data.aws_subnets.shared-public.ids
13 └ enable_deletion_protection = true
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
loadbalancer.tf:5-25
────────────────────────────────────────
5 ┌ resource "aws_lb" "external" {
6 │ #checkov:skip=CKV_AWS_91
7 │ #checkov:skip=CKV_AWS_131
8 │ #checkov:skip=CKV2_AWS_20
9 │ #checkov:skip=CKV2_AWS_28
10 │ name = "${local.application_name}-loadbalancer"
11 │ load_balancer_type = "application"
12 │ subnets = data.aws_subnets.shared-public.ids
13 └ enable_deletion_protection = true
..
────────────────────────────────────────

CRITICAL: Listener for application load balancer does not use HTTPS.
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

See https://avd.aquasec.com/misconfig/avd-aws-0054
────────────────────────────────────────
loadbalancer.tf:58-69
────────────────────────────────────────
58 ┌ resource "aws_lb_listener" "listener" {
59 │ #checkov:skip=CKV_AWS_2
60 │ #checkov:skip=CKV_AWS_103
61 │ load_balancer_arn = aws_lb.external.id
62 │ port = local.app_data.accounts[local.environment].server_port
63 │ protocol = "HTTP"
64 │
65 │ default_action {
66 └ target_group_arn = aws_lb_target_group.target_group.id
..
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:21-23
────────────────────────────────────────
21 ┌ resource "aws_sns_topic" "ddos_alarm" {
22 │ name = "ddos_alarm"
23 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/performance-hub

*****************************

Running Checkov in terraform/environments/performance-hub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 00:15:55,712 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:15:55,712 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:15:55,712 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 252, Failed checks: 42, Skipped checks: 32

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # Tags
		33 |   tags_common = local.tags
		34 |   tags_prefix = terraform.workspace
		35 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:311-324
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		311 | data "aws_iam_policy_document" "rds-kms" {
		312 |   #checkov:skip=CKV_AWS_111
		313 |   #checkov:skip=CKV_AWS_109
		314 |   statement {
		315 |     effect    = "Allow"
		316 |     actions   = ["kms:*"]
		317 |     resources = ["*"]
		318 | 
		319 |     principals {
		320 |       type        = "AWS"
		321 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		322 |     }
		323 |   }
		324 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.database_backup_files
	File: /database.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		194 | resource "aws_s3_bucket_lifecycle_configuration" "database_backup_files" {
		195 |   bucket = aws_s3_bucket.database_backup_files.id
		196 |   rule {
		197 |     id     = "tf-s3-lifecycle"
		198 |     status = "Enabled"
		199 |     noncurrent_version_transition {
		200 |       noncurrent_days = 30
		201 |       storage_class   = "STANDARD_IA"
		202 |     }
		203 | 
		204 |     transition {
		205 |       days          = 60
		206 |       storage_class = "STANDARD_IA"
		207 |     }
		208 |   }
		209 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:182-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		182 | data "aws_iam_policy_document" "ebs-kms" {
		183 |   #checkov:skip=CKV_AWS_111
		184 |   #checkov:skip=CKV_AWS_109
		185 |   statement {
		186 |     effect    = "Allow"
		187 |     actions   = ["kms:*"]
		188 |     resources = ["*"]
		189 | 
		190 |     principals {
		191 |       type        = "Service"
		192 |       identifiers = ["ec2.amazonaws.com"]
		193 |     }
		194 |   }
		195 |   statement {
		196 |     effect    = "Allow"
		197 |     actions   = ["kms:*"]
		198 |     resources = ["*"]
		199 | 
		200 |     principals {
		201 |       type        = "AWS"
		202 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		203 |     }
		204 |   }
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group
	File: /loadbalancer.tf:27-55

		27 | resource "aws_lb_target_group" "target_group" {
		28 |   name                 = "${local.application_name}-tg-${local.environment}"
		29 |   port                 = local.app_data.accounts[local.environment].server_port
		30 |   protocol             = "HTTP"
		31 |   vpc_id               = data.aws_vpc.shared.id
		32 |   target_type          = "instance"
		33 |   deregistration_delay = 30
		34 | 
		35 |   stickiness {
		36 |     type = "lb_cookie"
		37 |   }
		38 | 
		39 |   health_check {
		40 |     # path                = "/"
		41 |     healthy_threshold   = "5"
		42 |     interval            = "120"
		43 |     protocol            = "HTTP"
		44 |     unhealthy_threshold = "2"
		45 |     matcher             = "200-499"
		46 |     timeout             = "5"
		47 |   }
		48 | 
		49 |   tags = merge(
		50 |     local.tags,
		51 |     {
		52 |       Name = "${local.application_name}-tg-${local.environment}"
		53 |     }
		54 |   )
		55 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.target_group
	File: /loadbalancer.tf:27-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		27 | resource "aws_lb_target_group" "target_group" {
		28 |   name                 = "${local.application_name}-tg-${local.environment}"
		29 |   port                 = local.app_data.accounts[local.environment].server_port
		30 |   protocol             = "HTTP"
		31 |   vpc_id               = data.aws_vpc.shared.id
		32 |   target_type          = "instance"
		33 |   deregistration_delay = 30
		34 | 
		35 |   stickiness {
		36 |     type = "lb_cookie"
		37 |   }
		38 | 
		39 |   health_check {
		40 |     # path                = "/"
		41 |     healthy_threshold   = "5"
		42 |     interval            = "120"
		43 |     protocol            = "HTTP"
		44 |     unhealthy_threshold = "2"
		45 |     matcher             = "200-499"
		46 |     timeout             = "5"
		47 |   }
		48 | 
		49 |   tags = merge(
		50 |     local.tags,
		51 |     {
		52 |       Name = "${local.application_name}-tg-${local.environment}"
		53 |     }
		54 |   )
		55 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:190-229
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		190 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		191 |   name = "${var.app_name}-ec2-instance-policy"
		192 | 
		193 |   policy = <<EOF
		194 | {
		195 |     "Version": "2012-10-17",
		196 |     "Statement": [
		197 |         {
		198 |             "Effect": "Allow",
		199 |             "Action": [
		200 |                 "ec2:DescribeTags",
		201 |                 "ecs:CreateCluster",
		202 |                 "ecs:DeregisterContainerInstance",
		203 |                 "ecs:DiscoverPollEndpoint",
		204 |                 "ecs:Poll",
		205 |                 "ecs:RegisterContainerInstance",
		206 |                 "ecs:StartTelemetrySession",
		207 |                 "ecs:UpdateContainerInstancesState",
		208 |                 "ecs:Submit*",
		209 |                 "ecr:GetAuthorizationToken",
		210 |                 "ecr:BatchCheckLayerAvailability",
		211 |                 "ecr:GetDownloadUrlForLayer",
		212 |                 "ecr:BatchGetImage",
		213 |                 "logs:CreateLogStream",
		214 |                 "logs:PutLogEvents",
		215 |                 "s3:ListBucket",
		216 |                 "s3:*Object*",
		217 |                 "kms:Decrypt",
		218 |                 "kms:Encrypt",
		219 |                 "kms:GenerateDataKey",
		220 |                 "kms:ReEncrypt",
		221 |                 "kms:GenerateDataKey",
		222 |                 "kms:DescribeKey"
		223 |             ],
		224 |             "Resource": "*"
		225 |         }
		226 |     ]
		227 | }
		228 | EOF
		229 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:190-229
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		190 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		191 |   name = "${var.app_name}-ec2-instance-policy"
		192 | 
		193 |   policy = <<EOF
		194 | {
		195 |     "Version": "2012-10-17",
		196 |     "Statement": [
		197 |         {
		198 |             "Effect": "Allow",
		199 |             "Action": [
		200 |                 "ec2:DescribeTags",
		201 |                 "ecs:CreateCluster",
		202 |                 "ecs:DeregisterContainerInstance",
		203 |                 "ecs:DiscoverPollEndpoint",
		204 |                 "ecs:Poll",
		205 |                 "ecs:RegisterContainerInstance",
		206 |                 "ecs:StartTelemetrySession",
		207 |                 "ecs:UpdateContainerInstancesState",
		208 |                 "ecs:Submit*",
		209 |                 "ecr:GetAuthorizationToken",
		210 |                 "ecr:BatchCheckLayerAvailability",
		211 |                 "ecr:GetDownloadUrlForLayer",
		212 |                 "ecr:BatchGetImage",
		213 |                 "logs:CreateLogStream",
		214 |                 "logs:PutLogEvents",
		215 |                 "s3:ListBucket",
		216 |                 "s3:*Object*",
		217 |                 "kms:Decrypt",
		218 |                 "kms:Encrypt",
		219 |                 "kms:GenerateDataKey",
		220 |                 "kms:ReEncrypt",
		221 |                 "kms:GenerateDataKey",
		222 |                 "kms:DescribeKey"
		223 |             ],
		224 |             "Resource": "*"
		225 |         }
		226 |     ]
		227 | }
		228 | EOF
		229 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:190-229
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		190 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		191 |   name = "${var.app_name}-ec2-instance-policy"
		192 | 
		193 |   policy = <<EOF
		194 | {
		195 |     "Version": "2012-10-17",
		196 |     "Statement": [
		197 |         {
		198 |             "Effect": "Allow",
		199 |             "Action": [
		200 |                 "ec2:DescribeTags",
		201 |                 "ecs:CreateCluster",
		202 |                 "ecs:DeregisterContainerInstance",
		203 |                 "ecs:DiscoverPollEndpoint",
		204 |                 "ecs:Poll",
		205 |                 "ecs:RegisterContainerInstance",
		206 |                 "ecs:StartTelemetrySession",
		207 |                 "ecs:UpdateContainerInstancesState",
		208 |                 "ecs:Submit*",
		209 |                 "ecr:GetAuthorizationToken",
		210 |                 "ecr:BatchCheckLayerAvailability",
		211 |                 "ecr:GetDownloadUrlForLayer",
		212 |                 "ecr:BatchGetImage",
		213 |                 "logs:CreateLogStream",
		214 |                 "logs:PutLogEvents",
		215 |                 "s3:ListBucket",
		216 |                 "s3:*Object*",
		217 |                 "kms:Decrypt",
		218 |                 "kms:Encrypt",
		219 |                 "kms:GenerateDataKey",
		220 |                 "kms:ReEncrypt",
		221 |                 "kms:GenerateDataKey",
		222 |                 "kms:DescribeKey"
		223 |             ],
		224 |             "Resource": "*"
		225 |         }
		226 |     ]
		227 | }
		228 | EOF
		229 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:190-229
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		190 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		191 |   name = "${var.app_name}-ec2-instance-policy"
		192 | 
		193 |   policy = <<EOF
		194 | {
		195 |     "Version": "2012-10-17",
		196 |     "Statement": [
		197 |         {
		198 |             "Effect": "Allow",
		199 |             "Action": [
		200 |                 "ec2:DescribeTags",
		201 |                 "ecs:CreateCluster",
		202 |                 "ecs:DeregisterContainerInstance",
		203 |                 "ecs:DiscoverPollEndpoint",
		204 |                 "ecs:Poll",
		205 |                 "ecs:RegisterContainerInstance",
		206 |                 "ecs:StartTelemetrySession",
		207 |                 "ecs:UpdateContainerInstancesState",
		208 |                 "ecs:Submit*",
		209 |                 "ecr:GetAuthorizationToken",
		210 |                 "ecr:BatchCheckLayerAvailability",
		211 |                 "ecr:GetDownloadUrlForLayer",
		212 |                 "ecr:BatchGetImage",
		213 |                 "logs:CreateLogStream",
		214 |                 "logs:PutLogEvents",
		215 |                 "s3:ListBucket",
		216 |                 "s3:*Object*",
		217 |                 "kms:Decrypt",
		218 |                 "kms:Encrypt",
		219 |                 "kms:GenerateDataKey",
		220 |                 "kms:ReEncrypt",
		221 |                 "kms:GenerateDataKey",
		222 |                 "kms:DescribeKey"
		223 |             ],
		224 |             "Resource": "*"
		225 |         }
		226 |     ]
		227 | }
		228 | EOF
		229 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:370-393
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		370 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		371 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		372 |   policy = <<EOF
		373 | {
		374 |   "Version": "2012-10-17",
		375 |   "Statement": [
		376 |     {
		377 |       "Effect": "Allow",
		378 |       "Action": [
		379 |         "s3:ListBucket",
		380 |         "s3:*Object*",
		381 |         "kms:Decrypt",
		382 |         "kms:Encrypt",
		383 |         "kms:GenerateDataKey",
		384 |         "kms:ReEncrypt",
		385 |         "kms:GenerateDataKey",
		386 |         "kms:DescribeKey"
		387 |       ],
		388 |       "Resource": ["*"]
		389 |     }
		390 |   ]
		391 | }
		392 | EOF
		393 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:370-393
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		370 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		371 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		372 |   policy = <<EOF
		373 | {
		374 |   "Version": "2012-10-17",
		375 |   "Statement": [
		376 |     {
		377 |       "Effect": "Allow",
		378 |       "Action": [
		379 |         "s3:ListBucket",
		380 |         "s3:*Object*",
		381 |         "kms:Decrypt",
		382 |         "kms:Encrypt",
		383 |         "kms:GenerateDataKey",
		384 |         "kms:ReEncrypt",
		385 |         "kms:GenerateDataKey",
		386 |         "kms:DescribeKey"
		387 |       ],
		388 |       "Resource": ["*"]
		389 |     }
		390 |   ]
		391 | }
		392 | EOF
		393 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:370-393
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		370 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		371 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		372 |   policy = <<EOF
		373 | {
		374 |   "Version": "2012-10-17",
		375 |   "Statement": [
		376 |     {
		377 |       "Effect": "Allow",
		378 |       "Action": [
		379 |         "s3:ListBucket",
		380 |         "s3:*Object*",
		381 |         "kms:Decrypt",
		382 |         "kms:Encrypt",
		383 |         "kms:GenerateDataKey",
		384 |         "kms:ReEncrypt",
		385 |         "kms:GenerateDataKey",
		386 |         "kms:DescribeKey"
		387 |       ],
		388 |       "Resource": ["*"]
		389 |     }
		390 |   ]
		391 | }
		392 | EOF
		393 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:370-393
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		370 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		371 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		372 |   policy = <<EOF
		373 | {
		374 |   "Version": "2012-10-17",
		375 |   "Statement": [
		376 |     {
		377 |       "Effect": "Allow",
		378 |       "Action": [
		379 |         "s3:ListBucket",
		380 |         "s3:*Object*",
		381 |         "kms:Decrypt",
		382 |         "kms:Encrypt",
		383 |         "kms:GenerateDataKey",
		384 |         "kms:ReEncrypt",
		385 |         "kms:GenerateDataKey",
		386 |         "kms:DescribeKey"
		387 |       ],
		388 |       "Resource": ["*"]
		389 |     }
		390 |   ]
		391 | }
		392 | EOF
		393 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.windows-new-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /module/ecs/main.tf:479-489
	Calling File: /ecs.tf:5-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		479 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		480 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		481 |   name              = "${var.app_name}-ecs"
		482 |   retention_in_days = 30
		483 |   tags = merge(
		484 |     var.tags_common,
		485 |     {
		486 |       Name = "${var.app_name}-ecs-cloudwatch-group"
		487 |     }
		488 |   )
		489 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /monitoring.tf:21-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		21 | resource "aws_sns_topic" "ddos_alarm" {
		22 |   name = "ddos_alarm"
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_ddos_alarm
	File: /monitoring.tf:43-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		43 | module "pagerduty_ddos_alarm" {
		44 |   depends_on = [
		45 |     aws_sns_topic.ddos_alarm
		46 |   ]
		47 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		48 |   sns_topics                = [aws_sns_topic.ddos_alarm.name]
		49 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		50 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /s3.tf:264-277
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		264 | data "aws_iam_policy_document" "s3-kms" {
		265 |   #checkov:skip=CKV_AWS_111
		266 |   #checkov:skip=CKV_AWS_109
		267 |   statement {
		268 |     effect    = "Allow"
		269 |     actions   = ["kms:*"]
		270 |     resources = ["*"]
		271 | 
		272 |     principals {
		273 |       type        = "AWS"
		274 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		275 |     }
		276 |   }
		277 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.upload_files
	File: /s3.tf:30-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		30 | resource "aws_s3_bucket_lifecycle_configuration" "upload_files" {
		31 |   bucket = aws_s3_bucket.upload_files.id
		32 |   rule {
		33 |     id     = "tf-s3-lifecycle"
		34 |     status = "Enabled"
		35 |     noncurrent_version_transition {
		36 |       noncurrent_days = 30
		37 |       storage_class   = "STANDARD_IA"
		38 |     }
		39 | 
		40 |     transition {
		41 |       days          = 60
		42 |       storage_class = "STANDARD_IA"
		43 |     }
		44 |   }
		45 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.s3-uploads-policy
	File: /s3.tf:112-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		112 | resource "aws_iam_policy" "s3-uploads-policy" {
		113 |   name   = "${local.application_name}-s3-uploads-policy"
		114 |   policy = <<EOF
		115 | {
		116 |   "Version": "2012-10-17",
		117 |   "Statement": [
		118 |     {
		119 |       "Effect": "Allow",
		120 |       "Action": [
		121 |           "s3:*"
		122 |       ],
		123 |       "Resource": [
		124 |           "${aws_s3_bucket.upload_files.arn}"
		125 |       ]
		126 |     },
		127 |     {
		128 |       "Effect": "Allow",
		129 |       "Action": [
		130 |           "s3:*"
		131 |       ],
		132 |       "Resource": [
		133 |         "${aws_s3_bucket.upload_files.arn}/*"
		134 |       ]
		135 |     },
		136 |     {
		137 |       "Effect": "Allow",
		138 |       "Action": [
		139 |         "s3:GetEncryptionConfiguration"
		140 |       ],
		141 |       "Resource": "*"
		142 |     },
		143 |     {
		144 |       "Effect": "Allow",
		145 |       "Action": [
		146 |       "kms:Decrypt"
		147 |       ],
		148 |       "Resource": "*"
		149 |     }
		150 |   ]
		151 | }
		152 | EOF
		153 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.s3-uploads-policy
	File: /s3.tf:112-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		112 | resource "aws_iam_policy" "s3-uploads-policy" {
		113 |   name   = "${local.application_name}-s3-uploads-policy"
		114 |   policy = <<EOF
		115 | {
		116 |   "Version": "2012-10-17",
		117 |   "Statement": [
		118 |     {
		119 |       "Effect": "Allow",
		120 |       "Action": [
		121 |           "s3:*"
		122 |       ],
		123 |       "Resource": [
		124 |           "${aws_s3_bucket.upload_files.arn}"
		125 |       ]
		126 |     },
		127 |     {
		128 |       "Effect": "Allow",
		129 |       "Action": [
		130 |           "s3:*"
		131 |       ],
		132 |       "Resource": [
		133 |         "${aws_s3_bucket.upload_files.arn}/*"
		134 |       ]
		135 |     },
		136 |     {
		137 |       "Effect": "Allow",
		138 |       "Action": [
		139 |         "s3:GetEncryptionConfiguration"
		140 |       ],
		141 |       "Resource": "*"
		142 |     },
		143 |     {
		144 |       "Effect": "Allow",
		145 |       "Action": [
		146 |       "kms:Decrypt"
		147 |       ],
		148 |       "Resource": "*"
		149 |     }
		150 |   ]
		151 | }
		152 | EOF
		153 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ap_landing_bucket
	File: /s3.tf:166-201
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		166 | module "ap_landing_bucket" {
		167 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		168 | 
		169 |   bucket_name        = "${local.application_name}-land-${local.environment}"
		170 |   ownership_controls = "BucketOwnerEnforced"
		171 | 
		172 |   versioning_enabled  = false
		173 |   replication_enabled = false
		174 | 
		175 |   bucket_policy = [data.aws_iam_policy_document.allow_ap_write_to_landing.json]
		176 | 
		177 |   providers = {
		178 |     # Leave this provider block in even if you are not using replication
		179 |     aws.bucket-replication = aws
		180 |   }
		181 | 
		182 |   custom_kms_key = aws_kms_key.s3.arn
		183 | 
		184 |   lifecycle_rule = [
		185 |     {
		186 |       id      = "tf-s3-lifecycle-landing"
		187 |       enabled = "Enabled"
		188 | 
		189 |       expiration = {
		190 |         days = 30
		191 |       }
		192 |     }
		193 |   ]
		194 | 
		195 |   tags = merge(
		196 |     local.tags,
		197 |     {
		198 |       Name = "${local.application_name}-ap-landing-bucket"
		199 |     }
		200 |   )
		201 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /database.tf:171-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		171 | resource "aws_s3_bucket" "database_backup_files" {
		172 |   #checkov:skip=CKV_AWS_18
		173 |   #checkov:skip=CKV_AWS_144
		174 |   #checkov:skip=CKV2_AWS_6
		175 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		176 | 
		177 |   lifecycle {
		178 |     prevent_destroy = true
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     local.tags,
		183 |     {
		184 |       Name = "${local.application_name}-db-backups-s3"
		185 |     }
		186 |   )
		187 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /s3.tf:7-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		7  | resource "aws_s3_bucket" "upload_files" {
		8  |   #checkov:skip=CKV_AWS_18
		9  |   #checkov:skip=CKV_AWS_144
		10 |   #checkov:skip=CKV2_AWS_6
		11 |   bucket = "${local.application_name}-uploads-${local.environment}"
		12 | 
		13 |   lifecycle {
		14 |     prevent_destroy = true
		15 |   }
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-uploads"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.mojhub_cnnstr
	File: /secrets.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "mojhub_cnnstr" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name = "mojhub_cnnstr"
		15 |   tags = merge(
		16 |     local.tags,
		17 |     {
		18 |       Name = "mojhub_cnnstr"
		19 |     },
		20 |   )
		21 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.mojhub_membership
	File: /secrets.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		28 | resource "aws_secretsmanager_secret" "mojhub_membership" {
		29 |   #checkov:skip=CKV_AWS_149
		30 |   name = "mojhub_membership"
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "mojhub_membership"
		35 |     },
		36 |   )
		37 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:44-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		44 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		45 |   #checkov:skip=CKV_AWS_149
		46 |   name = "govuk_notify_api_key"
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "govuk_notify_api_key"
		51 |     },
		52 |   )
		53 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.os_vts_api_key
	File: /secrets.tf:60-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		60 | resource "aws_secretsmanager_secret" "os_vts_api_key" {
		61 |   #checkov:skip=CKV_AWS_149
		62 |   name = "os_vts_api_key"
		63 |   tags = merge(
		64 |     local.tags,
		65 |     {
		66 |       Name = "os_vts_api_key"
		67 |     },
		68 |   )
		69 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_import_access_key_id
	File: /secrets.tf:76-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "ap_import_access_key_id" {
		77 |   #checkov:skip=CKV_AWS_149
		78 |   name                    = "ap_import_access_key_id"
		79 |   recovery_window_in_days = 0
		80 |   tags = merge(
		81 |     local.tags,
		82 |     {
		83 |       Name = "ap_import_access_key_id"
		84 |     },
		85 |   )
		86 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_import_secret_access_key
	File: /secrets.tf:93-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		93  | resource "aws_secretsmanager_secret" "ap_import_secret_access_key" {
		94  |   #checkov:skip=CKV_AWS_149
		95  |   name                    = "ap_import_secret_access_key"
		96  |   recovery_window_in_days = 0
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "ap_import_secret_access_key"
		101 |     },
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_export_access_key_id
	File: /secrets.tf:110-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		110 | resource "aws_secretsmanager_secret" "ap_export_access_key_id" {
		111 |   #checkov:skip=CKV_AWS_149
		112 |   name                    = "ap_export_access_key_id"
		113 |   recovery_window_in_days = 0
		114 |   tags = merge(
		115 |     local.tags,
		116 |     {
		117 |       Name = "ap_export_access_key_id"
		118 |     },
		119 |   )
		120 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_export_secret_access_key
	File: /secrets.tf:127-137
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		127 | resource "aws_secretsmanager_secret" "ap_export_secret_access_key" {
		128 |   #checkov:skip=CKV_AWS_149
		129 |   name                    = "ap_export_secret_access_key"
		130 |   recovery_window_in_days = 0
		131 |   tags = merge(
		132 |     local.tags,
		133 |     {
		134 |       Name = "ap_export_secret_access_key"
		135 |     },
		136 |   )
		137 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:144-155
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		144 | resource "aws_secretsmanager_secret" "db_password" {
		145 |   #checkov:skip=CKV_AWS_149
		146 | 
		147 |   name = "${var.networking[0].application}-database-password"
		148 | 
		149 |   tags = merge(
		150 |     local.tags,
		151 |     {
		152 |       Name = "${var.networking[0].application}-db-password"
		153 |     },
		154 |   )
		155 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/performance-hub

*****************************

Running tflint in terraform/environments/performance-hub
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/performance-hub/data.tf line 9:
   9: data "template_file" "task_definition" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/performance-hub/data.tf line 26:
  26:     storage_bucket              = "${aws_s3_bucket.upload_files.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/performance-hub/secrets.tf line 5:
   5: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/performance-hub

*****************************

Running Trivy in terraform/environments/performance-hub
2024-10-15T00:15:43Z	INFO	[vulndb] Need to update DB
2024-10-15T00:15:43Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T00:15:43Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:15:46Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:15:46Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T00:15:46Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T00:15:46Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T00:15:46Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [--------------------------------------------------------->] 100.00% ? p/s ?156.02 KiB / 156.02 KiB [-----------------------------------------------] 100.00% 8.58 MiB p/s 200ms2024-10-15T00:15:46Z	INFO	[secret] Secret scanning is enabled
2024-10-15T00:15:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:15:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:15:47Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T00:15:47Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:15:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:15:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T00:15:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T00:15:52Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:15:52Z	INFO	Number of language-specific files	num=0
2024-10-15T00:15:52Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 database.tf:171-187
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket" "database_backup_files" {
 172 │   #checkov:skip=CKV_AWS_18
 173 │   #checkov:skip=CKV_AWS_144
 174 │   #checkov:skip=CKV2_AWS_6
 175 │   bucket = "${local.application_name}-db-backups-${local.environment}"
 176 │ 
 177 │   lifecycle {
 178 │     prevent_destroy = true
 179 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 database.tf:171-187
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket" "database_backup_files" {
 172 │   #checkov:skip=CKV_AWS_18
 173 │   #checkov:skip=CKV_AWS_144
 174 │   #checkov:skip=CKV2_AWS_6
 175 │   bucket = "${local.application_name}-db-backups-${local.environment}"
 176 │ 
 177 │   lifecycle {
 178 │     prevent_destroy = true
 179 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 database.tf:171-187
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket" "database_backup_files" {
 172 │   #checkov:skip=CKV_AWS_18
 173 │   #checkov:skip=CKV_AWS_144
 174 │   #checkov:skip=CKV2_AWS_6
 175 │   bucket = "${local.application_name}-db-backups-${local.environment}"
 176 │ 
 177 │   lifecycle {
 178 │     prevent_destroy = true
 179 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 database.tf:171-187
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket" "database_backup_files" {
 172 │   #checkov:skip=CKV_AWS_18
 173 │   #checkov:skip=CKV_AWS_144
 174 │   #checkov:skip=CKV2_AWS_6
 175 │   bucket = "${local.application_name}-db-backups-${local.environment}"
 176 │ 
 177 │   lifecycle {
 178 │     prevent_destroy = true
 179 └   }
 ...   
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 4 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 1)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 loadbalancer.tf:5-25
────────────────────────────────────────
   5 ┌ resource "aws_lb" "external" {
   6 │   #checkov:skip=CKV_AWS_91
   7 │   #checkov:skip=CKV_AWS_131
   8 │   #checkov:skip=CKV2_AWS_20
   9 │   #checkov:skip=CKV2_AWS_28
  10 │   name                       = "${local.application_name}-loadbalancer"
  11 │   load_balancer_type         = "application"
  12 │   subnets                    = data.aws_subnets.shared-public.ids
  13 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 loadbalancer.tf:5-25
────────────────────────────────────────
   5 ┌ resource "aws_lb" "external" {
   6 │   #checkov:skip=CKV_AWS_91
   7 │   #checkov:skip=CKV_AWS_131
   8 │   #checkov:skip=CKV2_AWS_20
   9 │   #checkov:skip=CKV2_AWS_28
  10 │   name                       = "${local.application_name}-loadbalancer"
  11 │   load_balancer_type         = "application"
  12 │   subnets                    = data.aws_subnets.shared-public.ids
  13 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


CRITICAL: Listener for application load balancer does not use HTTPS.
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.


See https://avd.aquasec.com/misconfig/avd-aws-0054
────────────────────────────────────────
 loadbalancer.tf:58-69
────────────────────────────────────────
  58 ┌ resource "aws_lb_listener" "listener" {
  59 │   #checkov:skip=CKV_AWS_2
  60 │   #checkov:skip=CKV_AWS_103
  61 │   load_balancer_arn = aws_lb.external.id
  62 │   port              = local.app_data.accounts[local.environment].server_port
  63 │   protocol          = "HTTP"
  64 │ 
  65 │   default_action {
  66 └     target_group_arn = aws_lb_target_group.target_group.id
  ..   
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:21-23
────────────────────────────────────────
  21 ┌ resource "aws_sns_topic" "ddos_alarm" {
  22 │   name = "ddos_alarm"
  23 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8 │   #checkov:skip=CKV_AWS_18
   9 │   #checkov:skip=CKV_AWS_144
  10 │   #checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  12 │ 
  13 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8 │   #checkov:skip=CKV_AWS_18
   9 │   #checkov:skip=CKV_AWS_144
  10 │   #checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  12 │ 
  13 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8 │   #checkov:skip=CKV_AWS_18
   9 │   #checkov:skip=CKV_AWS_144
  10 │   #checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  12 │ 
  13 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8 │   #checkov:skip=CKV_AWS_18
   9 │   #checkov:skip=CKV_AWS_144
  10 │   #checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  12 │ 
  13 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


trivy_exitcode=1

dependabot · 2024-10-15T11:14:14Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

github-actions · 2024-10-15T11:15:42Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/performance-hub

Running Trivy in terraform/environments/performance-hub
2024-10-15T11:15:30Z INFO [vulndb] Need to update DB
2024-10-15T11:15:30Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T11:15:30Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T11:15:32Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T11:15:32Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T11:15:32Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T11:15:32Z INFO [misconfig] Need to update the built-in checks
2024-10-15T11:15:32Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T11:15:32Z INFO [secret] Secret scanning is enabled
2024-10-15T11:15:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T11:15:32Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T11:15:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T11:15:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ap_landing_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.tag" value="cty.NilVal"
2024-10-15T11:15:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.windows-new-ecs.dynamic.ingress" value="cty.NilVal"
2024-10-15T11:15:36Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T11:15:37Z INFO Number of language-specific files num=0
2024-10-15T11:15:37Z INFO Detected config files num=10