
database.tf test #4547

Merged
merged 3 commits into from
Jan 16, 2024

Conversation

roncitrus
Contributor

No description provided.

@roncitrus roncitrus requested review from a team as code owners January 15, 2024 14:53
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 15, 2024
@roncitrus roncitrus had a problem deploying to cdpt-chaps-development January 15, 2024 14:55 — with GitHub Actions Failure
Contributor

#### `TFSEC Scan` Failed
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:
terraform/environments/cdpt-chaps


Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Instance is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_db_instance" "database" {
.
19 [ publicly_accessible = true (true)
20 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-no-public-db-access
Impact The database instance is publicly accessible
Resolution Set the database to not be publicly accessible

More Information

Result #2 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
database.tf:51
────────────────────────────────────────────────────────────────────────────────
43 resource "aws_security_group" "db" {
..
51 [ cidr_blocks = ["0.0.0.0/0"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
database.tf:57
────────────────────────────────────────────────────────────────────────────────
43 resource "aws_security_group" "db" {
..
57 [ cidr_blocks = ["0.0.0.0/0"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #4 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:213
────────────────────────────────────────────────────────────────────────────────
203 resource "aws_security_group" "cluster_ec2" {
...
213 [ cidr_blocks = ["0.0.0.0/0"]
...
248 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:238
────────────────────────────────────────────────────────────────────────────────
203 resource "aws_security_group" "cluster_ec2" {
...
238 [ cidr_blocks = ["0.0.0.0/0"]
...
248 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #6 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:455
────────────────────────────────────────────────────────────────────────────────
439 resource "aws_security_group" "ecs_service" {
...
455 [ cidr_blocks = ["0.0.0.0/0"]
...
457 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #7 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
11 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #9 HIGH Instance has Public Access enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
19 publicly_accessible = true
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0180
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #10 HIGH Instance does not have storage encryption enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = data.aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-encrypt-instance-storage-data
Impact Data can be read from RDS instances if compromised
Resolution Enable encryption for RDS instances

More Information

Result #11 HIGH Launch template does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
ecs.tf:267
────────────────────────────────────────────────────────────────────────────────
254 resource "aws_launch_template" "ec2-launch-template" {
...
267 [ http_tokens = "optional" ("optional")
...
309 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-launch-config-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

Result #12 HIGH IAM policy document uses wildcarded action 'ecr:*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:372-379
────────────────────────────────────────────────────────────────────────────────
363 resource "aws_iam_role_policy" "app_execution" {
...
372 ┌ "Action": [
373 │ "ecr:*",
374 │ "logs:CreateLogGroup",
375 │ "logs:CreateLogStream",
376 │ "logs:PutLogEvents",
377 │ "logs:DescribeLogStreams",
378 └ "secretsmanager:GetSecretValue"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #13 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:380
────────────────────────────────────────────────────────────────────────────────
363 resource "aws_iam_role_policy" "app_execution" {
...
380 [ "Resource": "*",
...
386 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #14-16 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
ecs.tf:425-431
────────────────────────────────────────────────────────────────────────────────
415 resource "aws_iam_role_policy" "app_task" {
...
425 ┌ "Action": [
426 │ "logs:CreateLogStream",
427 │ "logs:PutLogEvents",
428 │ "ecr:*",
429 │ "iam:*",
430 │ "ec2:*"
431 └ ],
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ecs.tf:415-437 (aws_iam_role_policy.app_task) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #17 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:432
────────────────────────────────────────────────────────────────────────────────
415 resource "aws_iam_role_policy" "app_task" {
...
432 [ "Resource": "*"
...
437 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #18 HIGH Application load balancer is not set to drop invalid headers.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-drop-invalid-headers
Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution Set drop_invalid_header_fields to true

More Information

Result #19 HIGH Load balancer is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-alb-not-public
Impact The load balancer is exposed on the internet
Resolution Switch to an internal load balancer or add a tfsec ignore

More Information

Result #20 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #21 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #22 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #23 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #24 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #25 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #26 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = data.aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default

More Information

Result #27 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = data.aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #28 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #29 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #30 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:47-52
────────────────────────────────────────────────────────────────────────────────
43 resource "aws_security_group" "db" {
..
47 ┌ ingress {
48 │ from_port = 1433
49 │ to_port = 1433
50 │ protocol = "tcp"
51 │ cidr_blocks = ["0.0.0.0/0"]
52 └ }
..
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #31 LOW Instance does not have performance insights enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = data.aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-enable-performance-insights
Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
Resolution Enable performance insights

More Information

Result #32 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:53-58
────────────────────────────────────────────────────────────────────────────────
43 resource "aws_security_group" "db" {
..
53 ┌ egress {
54 │ from_port = 0
55 │ to_port = 0
56 │ protocol = "-1"
57 │ cidr_blocks = ["0.0.0.0/0"]
58 └ }
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #33 LOW Security group explicitly uses the default description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:439-457
────────────────────────────────────────────────────────────────────────────────
439 ┌ resource "aws_security_group" "ecs_service" {
440 │ name_prefix = "ecs-service-sg-"
441 │ vpc_id = data.aws_vpc.shared.id
442 │
443 │ ingress {
444 │ from_port = 80
445 │ to_port = 80
446 │ protocol = "tcp"
447 └ description = "Allow traffic on port 80 from load balancer"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups

More Information

Result #34 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:451-456
────────────────────────────────────────────────────────────────────────────────
439 resource "aws_security_group" "ecs_service" {
...
451 ┌ egress {
452 │ from_port = 0
453 │ to_port = 0
454 │ protocol = "-1"
455 │ cidr_blocks = ["0.0.0.0/0"]
456 └ }
457 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #35 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:502-505
────────────────────────────────────────────────────────────────────────────────
502 resource "aws_cloudwatch_log_group" "cloudwatch_group" {
503 name = "${local.application_name}-ecs"
504 retention_in_days = 30
505 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #36 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:63-66
────────────────────────────────────────────────────────────────────────────────
63 resource "aws_cloudwatch_log_group" "deployment_logs" {
64 name = "/aws/events/deploymentLogs"
65 retention_in_days = "7"
66 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

timings
──────────────────────────────────────────
disk i/o 499.876µs
parsing 2.519484991s
adaptation 1.563535ms
checks 25.475217ms
total 2.547023619s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 3
blocks processed 191
files read 25

results
──────────────────────────────────────────
passed 55
ignored 81
critical 8
high 17
medium 4
low 8

55 passed, 81 ignored, 37 potential problem(s) detected.

tfsec_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2024-01-15 14:55:46,744 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 115, Failed checks: 50, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:43-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		43 | resource "aws_security_group" "db" {
		44 |   name        = "${local.application_name}-db-sg"
		45 |   description = "Allow DB inbound traffic"
		46 |   vpc_id      = data.aws_vpc.shared.id
		47 |   ingress {
		48 |     from_port   = 1433
		49 |     to_port     = 1433
		50 |     protocol    = "tcp"
		51 |     cidr_blocks = ["0.0.0.0/0"]
		52 |   }
		53 |   egress {
		54 |     from_port   = 0
		55 |     to_port     = 0
		56 |     protocol    = "-1"
		57 |     cidr_blocks = ["0.0.0.0/0"]
		58 |   }
		59 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:93-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		93  | data "aws_iam_policy_document" "rds-kms" {
		94  |   statement {
		95  |     effect    = "Allow"
		96  |     actions   = ["kms:*"]
		97  |     resources = ["*"]
		98  |     principals {
		99  |       type        = "AWS"
		100 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		101 |     }
		102 |   }
		103 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:93-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		93  | data "aws_iam_policy_document" "rds-kms" {
		94  |   statement {
		95  |     effect    = "Allow"
		96  |     actions   = ["kms:*"]
		97  |     resources = ["*"]
		98  |     principals {
		99  |       type        = "AWS"
		100 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		101 |     }
		102 |   }
		103 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:93-103

		93  | data "aws_iam_policy_document" "rds-kms" {
		94  |   statement {
		95  |     effect    = "Allow"
		96  |     actions   = ["kms:*"]
		97  |     resources = ["*"]
		98  |     principals {
		99  |       type        = "AWS"
		100 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		101 |     }
		102 |   }
		103 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:63-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		63 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		64 |   name              = "/aws/events/deploymentLogs"
		65 |   retention_in_days = "7"
		66 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:68-99

		68 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		69 |   family                   = "chapsFamily"
		70 |   requires_compatibilities = ["EC2"]
		71 |   network_mode             = "awsvpc"
		72 |   execution_role_arn       = aws_iam_role.app_execution.arn
		73 |   task_role_arn            = aws_iam_role.app_task.arn
		74 |   container_definitions = jsonencode([
		75 |     {
		76 |       name      = "${local.application_name}-container"
		77 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		78 |       cpu       = 1024
		79 |       memory    = 1024
		80 |       essential = true
		81 |       portMappings = [
		82 |         {
		83 |           containerPort = local.application_data.accounts[local.environment].container_port
		84 |           protocol      = "tcp"
		85 |         }
		86 |       ]
		87 |       logConfiguration = {
		88 |         logDriver = "awslogs",
		89 |         options = {
		90 |           awslogs-group         = "${local.application_name}-ecs",
		91 |           awslogs-region        = "eu-west-2",
		92 |           awslogs-stream-prefix = local.application_name
		93 |         }
		94 |       }
		95 |       environment = [
		96 |       ]
		97 |     }
		98 |   ])
		99 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:203-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		203 | resource "aws_security_group" "cluster_ec2" {
		204 |   name        = "${local.application_name}-cluster-ec2-security-group"
		205 |   description = "controls access to the cluster ec2 instance"
		206 |   vpc_id      = data.aws_vpc.shared.id
		207 | 
		208 |   ingress {
		209 |     description     = "allow access on HTTP from load balancer"
		210 |     from_port       = 80
		211 |     to_port         = 80
		212 |     protocol        = "tcp"
		213 |     cidr_blocks     = ["0.0.0.0/0"]
		214 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		215 |   }
		216 | 
		217 |   ingress {
		218 |     description     = "Allow RDP ingress"
		219 |     from_port       = 3389
		220 |     to_port         = 3389
		221 |     protocol        = "tcp"
		222 |     security_groups = [module.bastion_linux.bastion_security_group]
		223 |   }
		224 | 
		225 |   ingress {
		226 |     description     = "Allow RDS access"
		227 |     from_port       = 1433
		228 |     to_port         = 1433
		229 |     protocol        = "tcp"
		230 |     security_groups = [aws_security_group.db.id]   
		231 |   }
		232 | 
		233 |   egress {
		234 |     description     = "Cluster EC2 loadbalancer egress rule"
		235 |     from_port       = 0
		236 |     to_port         = 0
		237 |     protocol        = "-1"
		238 |     cidr_blocks     = ["0.0.0.0/0"]
		239 |     security_groups = []
		240 |   }
		241 | 
		242 |   tags = merge(
		243 |     local.tags,
		244 |     {
		245 |       Name = "${local.application_name}-cluster-ec2-security-group"
		246 |     }
		247 |   )
		248 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_launch_template.ec2-launch-template
	File: /ecs.tf:254-309
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:363-386

		363 | resource "aws_iam_role_policy" "app_execution" {
		364 |   name = "execution-${var.networking[0].application}"
		365 |   role = aws_iam_role.app_execution.id
		366 | 
		367 |   policy = <<-EOF
		368 |   {
		369 |     "Version": "2012-10-17",
		370 |     "Statement": [
		371 |       {
		372 |            "Action": [
		373 |               "ecr:*",
		374 |               "logs:CreateLogGroup",
		375 |               "logs:CreateLogStream",
		376 |               "logs:PutLogEvents",
		377 |               "logs:DescribeLogStreams",
		378 |               "secretsmanager:GetSecretValue"
		379 |            ],
		380 |            "Resource": "*",
		381 |            "Effect": "Allow"
		382 |       }
		383 |     ]
		384 |   }
		385 |   EOF
		386 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:363-386

		363 | resource "aws_iam_role_policy" "app_execution" {
		364 |   name = "execution-${var.networking[0].application}"
		365 |   role = aws_iam_role.app_execution.id
		366 | 
		367 |   policy = <<-EOF
		368 |   {
		369 |     "Version": "2012-10-17",
		370 |     "Statement": [
		371 |       {
		372 |            "Action": [
		373 |               "ecr:*",
		374 |               "logs:CreateLogGroup",
		375 |               "logs:CreateLogStream",
		376 |               "logs:PutLogEvents",
		377 |               "logs:DescribeLogStreams",
		378 |               "secretsmanager:GetSecretValue"
		379 |            ],
		380 |            "Resource": "*",
		381 |            "Effect": "Allow"
		382 |       }
		383 |     ]
		384 |   }
		385 |   EOF
		386 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:363-386

		363 | resource "aws_iam_role_policy" "app_execution" {
		364 |   name = "execution-${var.networking[0].application}"
		365 |   role = aws_iam_role.app_execution.id
		366 | 
		367 |   policy = <<-EOF
		368 |   {
		369 |     "Version": "2012-10-17",
		370 |     "Statement": [
		371 |       {
		372 |            "Action": [
		373 |               "ecr:*",
		374 |               "logs:CreateLogGroup",
		375 |               "logs:CreateLogStream",
		376 |               "logs:PutLogEvents",
		377 |               "logs:DescribeLogStreams",
		378 |               "secretsmanager:GetSecretValue"
		379 |            ],
		380 |            "Resource": "*",
		381 |            "Effect": "Allow"
		382 |       }
		383 |     ]
		384 |   }
		385 |   EOF
		386 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:363-386

		363 | resource "aws_iam_role_policy" "app_execution" {
		364 |   name = "execution-${var.networking[0].application}"
		365 |   role = aws_iam_role.app_execution.id
		366 | 
		367 |   policy = <<-EOF
		368 |   {
		369 |     "Version": "2012-10-17",
		370 |     "Statement": [
		371 |       {
		372 |            "Action": [
		373 |               "ecr:*",
		374 |               "logs:CreateLogGroup",
		375 |               "logs:CreateLogStream",
		376 |               "logs:PutLogEvents",
		377 |               "logs:DescribeLogStreams",
		378 |               "secretsmanager:GetSecretValue"
		379 |            ],
		380 |            "Resource": "*",
		381 |            "Effect": "Allow"
		382 |       }
		383 |     ]
		384 |   }
		385 |   EOF
		386 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:439-457
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		439 | resource "aws_security_group" "ecs_service" {
		440 |   name_prefix = "ecs-service-sg-"
		441 |   vpc_id      = data.aws_vpc.shared.id
		442 | 
		443 |   ingress {
		444 |     from_port       = 80
		445 |     to_port         = 80
		446 |     protocol        = "tcp"
		447 |     description     = "Allow traffic on port 80 from load balancer"
		448 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		449 |   }
		450 | 
		451 |   egress {
		452 |     from_port   = 0
		453 |     to_port     = 0
		454 |     protocol    = "-1"
		455 |     cidr_blocks = ["0.0.0.0/0"]
		456 |   }
		457 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:502-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		502 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		503 |   name              = "${local.application_name}-ecs"
		504 |   retention_in_days = 30
		505 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:502-505

		502 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		503 |   name              = "${local.application_name}-ecs"
		504 |   retention_in_days = 30
		505 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:30-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		30 | resource "aws_lb_target_group" "chaps_target_group" {
		31 |   name                 = "chaps-target-group"
		32 |   port                 = 80
		33 |   protocol             = "HTTP"
		34 |   vpc_id               = data.aws_vpc.shared.id
		35 |   target_type          = "ip"
		36 |   deregistration_delay = 30
		37 | 
		38 |   stickiness {
		39 |     type = "lb_cookie"
		40 |   }
		41 | 
		42 |   health_check {
		43 |     healthy_threshold   = "2"
		44 |     interval            = "30"
		45 |     unhealthy_threshold = "5"
		46 |     matcher             = "200-499"
		47 |     timeout             = "10"
		48 |   }
		49 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.chaps_secret
	File: /secrets.tf:3-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "chaps_secret" {
		4 |   name        = "chaps_secret1"
		5 |   description = "Simple secret created through Terraform"
		6 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.chaps_secret
	File: /secrets.tf:3-6

		3 | resource "aws_secretsmanager_secret" "chaps_secret" {
		4 |   name        = "chaps_secret1"
		5 |   description = "Simple secret created through Terraform"
		6 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type           = "gp2"
		8  |   engine                 = "sqlserver-web"
		9  |   engine_version         = "14.00.3381.3.v1"
		10 |   instance_class         = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username               = local.application_data.accounts[local.environment].db_user
		13 |   password               = data.aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids = [aws_security_group.db.id]
		15 |   depends_on             = [aws_security_group.db]
		16 |   snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
		17 |   skip_final_snapshot    = true
		18 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		19 |   publicly_accessible    = true
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:415-437

		415 | resource "aws_iam_role_policy" "app_task" {
		416 |   name = "task-${var.networking[0].application}"
		417 |   role = aws_iam_role.app_task.id
		418 | 
		419 |   policy = <<-EOF
		420 |   {
		421 |    "Version": "2012-10-17",
		422 |    "Statement": [
		423 |      {
		424 |        "Effect": "Allow",
		425 |         "Action": [
		426 |           "logs:CreateLogStream",
		427 |           "logs:PutLogEvents",
		428 |           "ecr:*",
		429 |           "iam:*",
		430 |           "ec2:*"
		431 |         ],
		432 |        "Resource": "*"
		433 |      }
		434 |    ]
		435 |   }
		436 |   EOF
		437 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 142:
 142:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 8:
   8: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

@roncitrus roncitrus had a problem deploying to cdpt-chaps-development January 15, 2024 15:03 — with GitHub Actions Failure
@roncitrus roncitrus temporarily deployed to cdpt-chaps-development January 16, 2024 10:29 — with GitHub Actions Inactive
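The scanner output above names the failing resources but the page does not show what was changed before the later run passed, so nothing below should be read as the merged fix. As an added example, not the project's code, the following HCL shows one way to bring the flagged resources in `ecs.tf`, `database.tf` and `s3.tf` into line with the tfsec and checkov rules quoted above. The KMS key `aws_kms_key.chaps` is assumed and does not appear on this page; every other identifier is taken from the scan output.

```hcl
# Added example (not the project's code): hardened forms of the resources the
# scans above flag. aws_kms_key.chaps is assumed and is not on this page.

# CKV2_AWS_40: drop iam:*, ec2:* and ecr:* on "*" from the task role. A task
# normally needs only to write its own log stream; image pulls belong to the
# execution role, so the policy is scoped to the log group defined on this page.
resource "aws_iam_role_policy" "app_task" {
  name = "task-${var.networking[0].application}"
  role = aws_iam_role.app_task.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "${aws_cloudwatch_log_group.cloudwatch_group.arn}:*"
      }
    ]
  })
}

# CKV_AWS_23: every rule, egress included, carries a description.
resource "aws_security_group" "ecs_service" {
  name_prefix = "ecs-service-sg-"
  vpc_id      = data.aws_vpc.shared.id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    description     = "Allow traffic on port 80 from load balancer"
    security_groups = [aws_security_group.chaps_lb_sc.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "Allow all outbound traffic from the ECS service"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# CKV_AWS_158 / CKV_AWS_338: encrypt the log group with a customer-managed
# key (assumed) and keep a year of logs.
resource "aws_cloudwatch_log_group" "cloudwatch_group" {
  name              = "${local.application_name}-ecs"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.chaps.arn
}

# aws-rds-no-public-db-access / CKV2_AWS_60: the database stays private and
# tags propagate to snapshots; all other attributes are as in database.tf.
resource "aws_db_instance" "database" {
  allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
  storage_type           = "gp2"
  engine                 = "sqlserver-web"
  engine_version         = "14.00.3381.3.v1"
  instance_class         = local.application_data.accounts[local.environment].db_instance_class
  identifier             = local.application_data.accounts[local.environment].db_instance_identifier
  username               = local.application_data.accounts[local.environment].db_user
  password               = data.aws_secretsmanager_secret_version.db_password.secret_string
  vpc_security_group_ids = [aws_security_group.db.id]
  depends_on             = [aws_security_group.db]
  snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
  skip_final_snapshot    = true
  db_subnet_group_name   = aws_db_subnet_group.db.id
  publicly_accessible    = false
  copy_tags_to_snapshot  = true
}

# CKV2_AWS_6 / CKV_AWS_21 / CKV_AWS_145: the backup bucket (unchanged from
# s3.tf) blocks public access, keeps object versions and encrypts with the
# same assumed KMS key.
resource "aws_s3_bucket_public_access_block" "chaps-db-backup-bucket" {
  bucket                  = aws_s3_bucket.chaps-db-backup-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "chaps-db-backup-bucket" {
  bucket = aws_s3_bucket.chaps-db-backup-bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "chaps-db-backup-bucket" {
  bucket = aws_s3_bucket.chaps-db-backup-bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.chaps.arn
    }
  }
}
```

The remaining findings follow the same pattern: `drop_invalid_header_fields = true`, `enable_deletion_protection = true` and an `access_logs` block on `aws_lb.chaps_lb` (CKV_AWS_131, CKV_AWS_150, CKV_AWS_91), an `aws_wafv2_web_acl_association` for the public ALB (CKV2_AWS_28), a `path` in the target group's `health_check` (CKV_AWS_261), `kms_key_id` plus a rotation resource on `aws_secretsmanager_secret.chaps_secret` (CKV_AWS_149, CKV2_AWS_57), and logging, lifecycle, replication and notification resources for the bucket. The two tflint warnings are mechanical: write `Name = local.application_name` instead of the interpolation-only string, and add `random` to `required_providers`. Of the whole list, the two that matter most for exposure are the `publicly_accessible = true` on an RDS instance restored from a snapshot in a public-subnet VPC and the `iam:*` on `*` in the task role, which lets any code running in the container mint itself further privileges; a practitioner would want those two changed rather than suppressed when the scan is made to pass.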

TFSEC Scan Success

Show Output

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

Show Output


@vertism vertism left a comment


LGTM

@roncitrus roncitrus merged commit abb64d2 into main Jan 16, 2024
14 checks passed
@roncitrus roncitrus deleted the chaps-db-test branch January 16, 2024 11:23