Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/cdpt-chaps #8250

dependabot · 2024-10-15T01:07:19Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.1

What's Fixed

The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Add alias for MP S3 KMS key by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566

Refactor unit tests by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

Update main.tf by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474

issue/7689 by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544

Bump Go versions by @ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551

Updated template to use dynamic resolution of SSM parameter store value by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

@Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415

@Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

@robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

ab924e5 Merge pull request #571 from ministryofjustice/dependabot/github_actions/gith...
0aeff36 Bump github/codeql-action from 3.26.12 to 3.26.13
9a92439 Merge pull request #569 from ministryofjustice/feature/7569-unit-tests
4d638cb Merge pull request #570 from ministryofjustice/dependabot/github_actions/mini...
0f844c3 Update versions.tf
f820ed1 Update terraform-static-analysis.yml
b8abd5c Update format-code.yml
714055c Bump ministryofjustice/github-actions from 18.2.2 to 18.2.4
89aaf2c added checkov skip as policy is defined as a separate resource and not inline
7d94ff1 terraform-docs: automated action
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.3.1. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.1) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-10-15T01:08:46Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/cdpt-chaps

Running Trivy in terraform/environments/cdpt-chaps
2024-10-15T01:08:33Z INFO [vulndb] Need to update DB
2024-10-15T01:08:33Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T01:08:33Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T01:08:35Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T01:08:35Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T01:08:35Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T01:08:35Z INFO [misconfig] Need to update the built-in checks
2024-10-15T01:08:35Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T01:08:35Z INFO [secret] Secret scanning is enabled
2024-10-15T01:08:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T01:08:35Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T01:08:36Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T01:08:36Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T01:08:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T01:08:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T01:08:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:40Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T01:08:40Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T01:08:40Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-15T01:08:40Z INFO Number of language-specific files num=0
2024-10-15T01:08:40Z INFO Detected config files num=9

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-24
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 01:08:43,478 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1:None (for external modules, the --download-external-modules flag is required)
2024-10-15 01:08:43,479 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 01:08:43,479 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 110, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 |   # public keys
		16 |   public_key_data = local.public_key_data.keys[local.environment]
		17 |   # logs
		18 |   log_auto_clean       = "Enabled"
		19 |   log_standard_ia_days = 30  # days before moving to IA storage
		20 |   log_glacier_days     = 60  # days before moving to Glacier
		21 |   log_expiry_days      = 180 # days before log expiration
		22 |   # bastion
		23 |   allow_ssh_commands = false
		24 | 
		25 |   app_name      = var.networking[0].application
		26 |   business_unit = local.vpc_name
		27 |   subnet_set    = local.subnet_set
		28 |   environment   = local.environment
		29 |   region        = "eu-west-2"
		30 | 
		31 |   extra_user_data_content = "yum install -y openldap-clients"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:70-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		70 | data "aws_iam_policy_document" "rds-kms" {
		71 |   statement {
		72 |     effect    = "Allow"
		73 |     actions   = ["kms:*"]
		74 |     resources = ["*"]
		75 |     principals {
		76 |       type        = "AWS"
		77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		78 |     }
		79 |   }
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		37 | resource "aws_security_group" "db" {
		38 |   name        = "${local.application_name}-db-sg"
		39 |   description = "Allow DB inbound traffic"
		40 |   vpc_id      = data.aws_vpc.shared.id
		41 |   ingress {
		42 |     from_port   = 1433
		43 |     to_port     = 1433
		44 |     protocol    = "tcp"
		45 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		46 |   }
		47 |   egress {
		48 |     from_port   = 0
		49 |     to_port     = 0
		50 |     protocol    = "-1"
		51 |     cidr_blocks = ["0.0.0.0/0"]
		52 |   }
		53 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:10-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		10 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		11 |   name = "${local.application_name}-ec2-instance-policy"
		12 | 
		13 |   policy = <<EOF
		14 | {
		15 |     "Version": "2012-10-17",
		16 |     "Statement": [
		17 |         {
		18 |             "Effect": "Allow",
		19 |             "Action": [
		20 |                 "ec2:DescribeTags",
		21 |                 "ecs:CreateCluster",
		22 |                 "ecs:DeregisterContainerInstance",
		23 |                 "ecs:DiscoverPollEndpoint",
		24 |                 "ecs:Poll",
		25 |                 "ecs:RegisterContainerInstance",
		26 |                 "ecs:StartTelemetrySession",
		27 |                 "ecs:UpdateContainerInstancesState",
		28 |                 "ecs:Submit*",
		29 |                 "ecr:GetAuthorizationToken",
		30 |                 "ecr:BatchCheckLayerAvailability",
		31 |                 "ecr:GetDownloadUrlForLayer",
		32 |                 "ecr:BatchGetImage",
		33 |                 "logs:CreateLogStream",
		34 |                 "logs:PutLogEvents",
		35 |                 "logs:DescribeLogGroups",
		36 |                 "logs:CreateLogGroup",
		37 |                 "s3:ListBucket",
		38 |                 "s3:*Object*",
		39 |                 "kms:Decrypt",
		40 |                 "kms:Encrypt",
		41 |                 "kms:GenerateDataKey",
		42 |                 "kms:ReEncrypt",
		43 |                 "kms:GenerateDataKey",
		44 |                 "kms:DescribeKey",
		45 |                 "rds:Connect",
		46 |                 "rds:DescribeDBInstances"
		47 |             ],
		48 |             "Resource": "*"
		49 |         }
		50 |     ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:69-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		69 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		70 |   name              = "/aws/events/deploymentLogs"
		71 |   retention_in_days = "7"
		72 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:74-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:391-414
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		391 | resource "aws_iam_role_policy" "app_execution" {
		392 |   name = "execution-${var.networking[0].application}"
		393 |   role = aws_iam_role.app_execution.id
		394 | 
		395 |   policy = <<-EOF
		396 |   {
		397 |     "Version": "2012-10-17",
		398 |     "Statement": [
		399 |       {
		400 |            "Action": [
		401 |               "ecr:*",
		402 |               "logs:CreateLogGroup",
		403 |               "logs:CreateLogStream",
		404 |               "logs:PutLogEvents",
		405 |               "logs:DescribeLogStreams",
		406 |               "secretsmanager:GetSecretValue"
		407 |            ],
		408 |            "Resource": "*",
		409 |            "Effect": "Allow"
		410 |       }
		411 |     ]
		412 |   }
		413 |   EOF
		414 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:467-485
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		467 | resource "aws_security_group" "ecs_service" {
		468 |   name_prefix = "ecs-service-sg-"
		469 |   vpc_id      = data.aws_vpc.shared.id
		470 | 
		471 |   ingress {
		472 |     from_port       = 80
		473 |     to_port         = 80
		474 |     protocol        = "tcp"
		475 |     description     = "Allow traffic on port 80 from load balancer"
		476 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		477 |   }
		478 | 
		479 |   egress {
		480 |     from_port   = 0
		481 |     to_port     = 0
		482 |     protocol    = "-1"
		483 |     cidr_blocks = ["0.0.0.0/0"]
		484 |   }
		485 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:530-533
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		530 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		531 |   name              = "${local.application_name}-ecs"
		532 |   retention_in_days = 30
		533 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:101-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		101 | resource "aws_lb_target_group" "chaps_target_group" {
		102 |   name                 = "chaps-target-group"
		103 |   port                 = 80
		104 |   protocol             = "HTTP"
		105 |   vpc_id               = data.aws_vpc.shared.id
		106 |   target_type          = "ip"
		107 |   deregistration_delay = 30
		108 | 
		109 |   stickiness {
		110 |     type = "lb_cookie"
		111 |   }
		112 | 
		113 |   health_check {
		114 |     healthy_threshold   = "5"
		115 |     interval            = "30"
		116 |     protocol            = "HTTP"
		117 |     unhealthy_threshold = "2"
		118 |     matcher             = "200-499"
		119 |     timeout             = "5"
		120 |   }
		121 | 
		122 |   lifecycle {
		123 |     create_before_destroy = true
		124 |     ignore_changes        = [name]
		125 |   }
		126 | 
		127 |   tags = {
		128 |     Name = "chaps-target-group-${random_string.chaps_target_group_name.result}"
		129 |   }
		130 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:78-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		78 | module "pagerduty_core_alerts" {
		79 |   depends_on = [
		80 |     aws_sns_topic.cdpt_chaps_ddos_alarm
		81 |   ]
		82 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		83 |   sns_topics                = [aws_sns_topic.cdpt_chaps_ddos_alarm.name]
		84 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		85 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:132-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		132 | resource "aws_security_group" "chaps_lb_sc" {
		133 |   name        = "load balancer security group"
		134 |   description = "control access to the load balancer"
		135 |   vpc_id      = data.aws_vpc.shared.id
		136 | 
		137 |   ingress {
		138 |     description = "allow access on HTTPS"
		139 |     from_port   = 443
		140 |     to_port     = 443
		141 |     protocol    = "tcp"
		142 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
		143 |   }
		144 | 
		145 |   egress {
		146 |     description = "Open all outbound ports"
		147 |     from_port   = 0
		148 |     to_port     = 0
		149 |     protocol    = "-1"
		150 |     cidr_blocks = ["0.0.0.0/0"]
		151 |   }
		152 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.chaps_target_sc
	File: /loadbalancer.tf:154-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		154 | resource "aws_security_group" "chaps_target_sc" {
		155 |   name        = "target security group"
		156 |   description = "allow health check traffic from load balancer"
		157 |   vpc_id      = data.aws_vpc.shared.id
		158 | 
		159 |   ingress {
		160 |     description     = "allow traffic from load balancer"
		161 |     from_port       = 80
		162 |     to_port         = 80
		163 |     protocol        = "tcp"
		164 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		165 |   }
		166 | 
		167 |   egress {
		168 |     description = "Open all outbound ports"
		169 |     from_port   = 0
		170 |     to_port     = 0
		171 |     protocol    = "-1"
		172 |     cidr_blocks = ["0.0.0.0/0"]
		173 |   }
		174 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
		21 |   apply_immediately         = true
		22 | 
		23 | 
		24 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:443-465
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		443 | resource "aws_iam_role_policy" "app_task" {
		444 |   name = "task-${var.networking[0].application}"
		445 |   role = aws_iam_role.app_task.id
		446 | 
		447 |   policy = <<-EOF
		448 |   {
		449 |    "Version": "2012-10-17",
		450 |    "Statement": [
		451 |      {
		452 |        "Effect": "Allow",
		453 |         "Action": [
		454 |           "logs:CreateLogStream",
		455 |           "logs:PutLogEvents",
		456 |           "ecr:*",
		457 |           "iam:*",
		458 |           "ec2:*"
		459 |         ],
		460 |        "Resource": "*"
		461 |      }
		462 |    ]
		463 |   }
		464 |   EOF
		465 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 120:
 120:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 175:
 175:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Trivy in terraform/environments/cdpt-chaps
2024-10-15T01:08:33Z	INFO	[vulndb] Need to update DB
2024-10-15T01:08:33Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T01:08:33Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T01:08:35Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T01:08:35Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T01:08:35Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T01:08:35Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T01:08:35Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T01:08:35Z	INFO	[secret] Secret scanning is enabled
2024-10-15T01:08:35Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T01:08:35Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T01:08:36Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T01:08:36Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-15T01:08:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T01:08:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T01:08:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-15T01:08:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-15T01:08:40Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T01:08:40Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T01:08:40Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-15T01:08:40Z	INFO	Number of language-specific files	num=0
2024-10-15T01:08:40Z	INFO	Detected config files	num=9

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-24
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.db_password.secret_string
  ..   
────────────────────────────────────────


trivy_exitcode=1

dependabot bot requested a review from a team as a code owner October 15, 2024 01:07

dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Oct 15, 2024

dependabot bot requested a review from a team as a code owner October 15, 2024 01:07

dependabot bot mentioned this pull request Oct 15, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-chaps #8215

Closed

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/cdpt-chaps #8250

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/cdpt-chaps #8250

dependabot bot commented on behalf of github Oct 15, 2024

github-actions bot commented Oct 15, 2024

(terraform)

database.tf (terraform)

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/cdpt-chaps #8250

Are you sure you want to change the base?

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/cdpt-chaps #8250

Conversation

dependabot bot commented on behalf of github Oct 15, 2024

v4.3.1

What's Fixed

What's Changed

v4.3.0

What's New

What's Changed

New Contributors

github-actions bot commented Oct 15, 2024

Trivy Scan Failed

(terraform)

database.tf (terraform)

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed