Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/pra-register #8244

dependabot · 2024-10-15T00:56:42Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.1

What's Fixed

The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Add alias for MP S3 KMS key by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566

Refactor unit tests by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

Update main.tf by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474

issue/7689 by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544

Bump Go versions by @ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551

Updated template to use dynamic resolution of SSM parameter store value by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

@Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415

@Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

@robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

ab924e5 Merge pull request #571 from ministryofjustice/dependabot/github_actions/gith...
0aeff36 Bump github/codeql-action from 3.26.12 to 3.26.13
9a92439 Merge pull request #569 from ministryofjustice/feature/7569-unit-tests
4d638cb Merge pull request #570 from ministryofjustice/dependabot/github_actions/mini...
0f844c3 Update versions.tf
f820ed1 Update terraform-static-analysis.yml
b8abd5c Update format-code.yml
714055c Bump ministryofjustice/github-actions from 18.2.2 to 18.2.4
89aaf2c added checkov skip as policy is defined as a separate resource and not inline
7d94ff1 terraform-docs: automated action
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.3.1. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.1) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-10-15T00:58:04Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/pra-register

Running Trivy in terraform/environments/pra-register
2024-10-15T00:57:53Z INFO [vulndb] Need to update DB
2024-10-15T00:57:53Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T00:57:53Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:57:55Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:57:55Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T00:57:55Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T00:57:55Z INFO [misconfig] Need to update the built-in checks
2024-10-15T00:57:55Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T00:57:56Z INFO [secret] Secret scanning is enabled
2024-10-15T00:57:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:57:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:57:58Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T00:57:58Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:58:00Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:58:00Z INFO Number of language-specific files num=0
2024-10-15T00:58:00Z INFO Detected config files num=6

ecs.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 2)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Image scanning is not enabled
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:351-354
────────────────────────────────────────
351 ┌ resource "aws_ecr_repository" "pra_ecr_repo" {
352 │ name = "pra-ecr-repo"
353 │ force_delete = true
354 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:448-451
────────────────────────────────────────
448 ┌ resource "aws_sns_topic" "ddos_alarm" {
449 │ count = local.is-development ? 0 : 1
450 │ name = "pra_ddos_alarm"
451 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:453-456
────────────────────────────────────────
453 ┌ resource "aws_sns_topic" "pra_utilisation_alarm" {
454 │ count = local.is-development ? 0 : 1
455 │ name = "pra_utilisation_alarm"
456 └ }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:234-242
────────────────────────────────────────
234 ┌ resource "aws_lb" "pra_lb" {
235 │ name = "pra-load-balancer"
236 │ load_balancer_type = "application"
237 │ security_groups = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 │ subnets = data.aws_subnets.shared-public.ids
239 │ enable_deletion_protection = false
240 │ internal = false
241 │ depends_on = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:240
via load_balancer.tf:234-242 (aws_lb.pra_lb)
────────────────────────────────────────
234 resource "aws_lb" "pra_lb" {
235 name = "pra-load-balancer"
236 load_balancer_type = "application"
237 security_groups = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 subnets = data.aws_subnets.shared-public.ids
239 enable_deletion_protection = false
240 [ internal = false
241 depends_on = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 }
────────────────────────────────────────

rds.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "pra_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 00:58:02,662 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:58:02,663 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 54, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "pra-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:255-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		255 | resource "aws_iam_role_policy" "app_execution" {
		256 |   name = "execution-${var.networking[0].application}"
		257 |   role = aws_iam_role.app_execution.id
		258 | 
		259 |   policy = <<-EOF
		260 |   {
		261 |     "Version": "2012-10-17",
		262 |     "Statement": [
		263 |       {
		264 |            "Action": [
		265 |               "ecr:*",
		266 |               "logs:CreateLogGroup",
		267 |               "logs:CreateLogStream",
		268 |               "logs:PutLogEvents",
		269 |               "logs:DescribeLogStreams",
		270 |               "secretsmanager:GetSecretValue"
		271 |            ],
		272 |            "Resource": "*",
		273 |            "Effect": "Allow"
		274 |       }
		275 |     ]
		276 |   }
		277 |   EOF
		278 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:255-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		255 | resource "aws_iam_role_policy" "app_execution" {
		256 |   name = "execution-${var.networking[0].application}"
		257 |   role = aws_iam_role.app_execution.id
		258 | 
		259 |   policy = <<-EOF
		260 |   {
		261 |     "Version": "2012-10-17",
		262 |     "Statement": [
		263 |       {
		264 |            "Action": [
		265 |               "ecr:*",
		266 |               "logs:CreateLogGroup",
		267 |               "logs:CreateLogStream",
		268 |               "logs:PutLogEvents",
		269 |               "logs:DescribeLogStreams",
		270 |               "secretsmanager:GetSecretValue"
		271 |            ],
		272 |            "Resource": "*",
		273 |            "Effect": "Allow"
		274 |       }
		275 |     ]
		276 |   }
		277 |   EOF
		278 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:255-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		255 | resource "aws_iam_role_policy" "app_execution" {
		256 |   name = "execution-${var.networking[0].application}"
		257 |   role = aws_iam_role.app_execution.id
		258 | 
		259 |   policy = <<-EOF
		260 |   {
		261 |     "Version": "2012-10-17",
		262 |     "Statement": [
		263 |       {
		264 |            "Action": [
		265 |               "ecr:*",
		266 |               "logs:CreateLogGroup",
		267 |               "logs:CreateLogStream",
		268 |               "logs:PutLogEvents",
		269 |               "logs:DescribeLogStreams",
		270 |               "secretsmanager:GetSecretValue"
		271 |            ],
		272 |            "Resource": "*",
		273 |            "Effect": "Allow"
		274 |       }
		275 |     ]
		276 |   }
		277 |   EOF
		278 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:255-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		255 | resource "aws_iam_role_policy" "app_execution" {
		256 |   name = "execution-${var.networking[0].application}"
		257 |   role = aws_iam_role.app_execution.id
		258 | 
		259 |   policy = <<-EOF
		260 |   {
		261 |     "Version": "2012-10-17",
		262 |     "Statement": [
		263 |       {
		264 |            "Action": [
		265 |               "ecr:*",
		266 |               "logs:CreateLogGroup",
		267 |               "logs:CreateLogStream",
		268 |               "logs:PutLogEvents",
		269 |               "logs:DescribeLogStreams",
		270 |               "secretsmanager:GetSecretValue"
		271 |            ],
		272 |            "Resource": "*",
		273 |            "Effect": "Allow"
		274 |       }
		275 |     ]
		276 |   }
		277 |   EOF
		278 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:331-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		331 | resource "aws_security_group" "ecs_service" {
		332 |   name_prefix = "ecs-service-sg-"
		333 |   vpc_id      = data.aws_vpc.shared.id
		334 | 
		335 |   ingress {
		336 |     from_port       = 80
		337 |     to_port         = 80
		338 |     protocol        = "tcp"
		339 |     description     = "Allow traffic on port 80 from load balancer"
		340 |     security_groups = [aws_security_group.pra_lb_sc.id]
		341 |   }
		342 | 
		343 |   egress {
		344 |     from_port   = 0
		345 |     to_port     = 0
		346 |     protocol    = "-1"
		347 |     cidr_blocks = ["0.0.0.0/0"]
		348 |   }
		349 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:351-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		351 | resource "aws_ecr_repository" "pra_ecr_repo" {
		352 |   name         = "pra-ecr-repo"
		353 |   force_delete = true
		354 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:351-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		351 | resource "aws_ecr_repository" "pra_ecr_repo" {
		352 |   name         = "pra-ecr-repo"
		353 |   force_delete = true
		354 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:351-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		351 | resource "aws_ecr_repository" "pra_ecr_repo" {
		352 |   name         = "pra-ecr-repo"
		353 |   force_delete = true
		354 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:448-451
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		448 | resource "aws_sns_topic" "ddos_alarm" {
		449 |   count = local.is-development ? 0 : 1
		450 |   name  = "pra_ddos_alarm"
		451 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.pra_utilisation_alarm
	File: /ecs.tf:453-456
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		453 | resource "aws_sns_topic" "pra_utilisation_alarm" {
		454 |   count = local.is-development ? 0 : 1
		455 |   name  = "pra_utilisation_alarm"
		456 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:476-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		476 | module "pagerduty_core_alerts_non_prod" {
		477 |   count = local.is-preproduction ? 1 : 0
		478 |   depends_on = [
		479 |     aws_sns_topic.pra_utilisation_alarm
		480 |   ]
		481 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		482 |   sns_topics                = [aws_sns_topic.pra_utilisation_alarm[0].name]
		483 |   pagerduty_integration_key = local.pagerduty_integration_keys["pra_non_prod_alarms"]
		484 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:487-495
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		487 | module "pagerduty_core_alerts_prod" {
		488 |   count = local.is-production ? 1 : 0
		489 |   depends_on = [
		490 |     aws_sns_topic.pra_utilisation_alarm
		491 |   ]
		492 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		493 |   sns_topics                = [aws_sns_topic.pra_utilisation_alarm[0].name]
		494 |   pagerduty_integration_key = local.pagerduty_integration_keys["pra_prod_alarms"]
		495 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:88-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:161-232
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "pra_lb" {
		235 |   name                       = "pra-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "pra_lb" {
		235 |   name                       = "pra-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "pra_lb" {
		235 |   name                       = "pra-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:244-266

		244 | resource "aws_lb_target_group" "pra_target_group" {
		245 |   name                 = "pra-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "pra_target_group" {
		245 |   name                 = "pra-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.pra_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "pra_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external.arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.pra_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.pra_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "pra_web_acl" {
		2  |   name  = "pra-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "pra-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.pra_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "pra_web_acl" {
		2  |   name  = "pra-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "pra-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "pra_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db_dev
	File: /rds.tf:60-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		60 | resource "aws_db_instance" "pra_db_dev" {
		61 |   count                       = local.is-development ? 1 : 0
		62 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		63 |   db_name                     = local.application_data.accounts[local.environment].db_name
		64 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		65 |   engine                      = local.application_data.accounts[local.environment].engine
		66 |   identifier                  = local.application_data.accounts[local.environment].identifier
		67 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		68 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		69 |   username                    = local.application_data.accounts[local.environment].db_username
		70 |   password                    = random_password.password.result
		71 |   skip_final_snapshot         = true
		72 |   publicly_accessible         = true
		73 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		74 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		75 |   allow_major_version_upgrade = true
		76 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.pra_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "pra_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external.arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.pra_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:307-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		307 | resource "aws_iam_role_policy" "app_task" {
		308 |   name = "task-${var.networking[0].application}"
		309 |   role = aws_iam_role.app_task.id
		310 | 
		311 |   policy = <<-EOF
		312 |   {
		313 |    "Version": "2012-10-17",
		314 |    "Statement": [
		315 |      {
		316 |        "Effect": "Allow",
		317 |         "Action": [
		318 |           "logs:CreateLogStream",
		319 |           "logs:PutLogEvents",
		320 |           "ecr:*",
		321 |           "iam:*",
		322 |           "ec2:*"
		323 |         ],
		324 |        "Resource": "*"
		325 |      }
		326 |    ]
		327 |   }
		328 |   EOF
		329 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
20 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 54:
  54:           value = "${aws_db_instance.pra_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 62:
  62:           value = "${aws_db_instance.pra_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 66:
  66:           value = "${aws_db_instance.pra_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 70:
  70:           value = "${aws_db_instance.pra_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 129:
 129:           value = "${aws_db_instance.pra_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 137:
 137:           value = "${aws_db_instance.pra_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 141:
 141:           value = "${aws_db_instance.pra_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 145:
 145:           value = "${aws_db_instance.pra_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 149:
 149:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 122:
 122: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 139:
 139:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/pra-register

*****************************

Running Trivy in terraform/environments/pra-register
2024-10-15T00:57:53Z	INFO	[vulndb] Need to update DB
2024-10-15T00:57:53Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T00:57:53Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:57:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:57:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T00:57:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T00:57:55Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T00:57:55Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T00:57:56Z	INFO	[secret] Secret scanning is enabled
2024-10-15T00:57:56Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:57:56Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:57:58Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T00:57:58Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:58:00Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:58:00Z	INFO	Number of language-specific files	num=0
2024-10-15T00:58:00Z	INFO	Detected config files	num=6

ecs.tf (terraform)
==================
Tests: 5 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 2)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Image scanning is not enabled
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.


See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:351-354
────────────────────────────────────────
 351 ┌ resource "aws_ecr_repository" "pra_ecr_repo" {
 352 │   name         = "pra-ecr-repo"
 353 │   force_delete = true
 354 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:448-451
────────────────────────────────────────
 448 ┌ resource "aws_sns_topic" "ddos_alarm" {
 449 │   count = local.is-development ? 0 : 1
 450 │   name  = "pra_ddos_alarm"
 451 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:453-456
────────────────────────────────────────
 453 ┌ resource "aws_sns_topic" "pra_utilisation_alarm" {
 454 │   count = local.is-development ? 0 : 1
 455 │   name  = "pra_utilisation_alarm"
 456 └ }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:234-242
────────────────────────────────────────
 234 ┌ resource "aws_lb" "pra_lb" {
 235 │   name                       = "pra-load-balancer"
 236 │   load_balancer_type         = "application"
 237 │   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238 │   subnets                    = data.aws_subnets.shared-public.ids
 239 │   enable_deletion_protection = false
 240 │   internal                   = false
 241 │   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:240
   via load_balancer.tf:234-242 (aws_lb.pra_lb)
────────────────────────────────────────
 234   resource "aws_lb" "pra_lb" {
 235     name                       = "pra-load-balancer"
 236     load_balancer_type         = "application"
 237     security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238     subnets                    = data.aws_subnets.shared-public.ids
 239     enable_deletion_protection = false
 240 [   internal                   = false
 241     depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242   }
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "pra_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


trivy_exitcode=1

dependabot bot requested a review from a team as a code owner October 15, 2024 00:56

dependabot bot added the dependencies Pull requests that update a dependency file label Oct 15, 2024

dependabot bot requested a review from a team as a code owner October 15, 2024 00:56

dependabot bot added the terraform Pull requests that update Terraform code label Oct 15, 2024

dependabot bot mentioned this pull request Oct 15, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/pra-register #8212

Closed

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/pra-register #8244

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/pra-register #8244

dependabot bot commented on behalf of github Oct 15, 2024

github-actions bot commented Oct 15, 2024

ecs.tf (terraform)

load_balancer.tf (terraform)

rds.tf (terraform)

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/pra-register #8244

Are you sure you want to change the base?

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/pra-register #8244

Conversation

dependabot bot commented on behalf of github Oct 15, 2024

v4.3.1

What's Fixed

What's Changed

v4.3.0

What's New

What's Changed

New Contributors

github-actions bot commented Oct 15, 2024

Trivy Scan Failed

ecs.tf (terraform)

load_balancer.tf (terraform)

rds.tf (terraform)

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed