planetfm(pd): adding `pd-cafm-db-a` #4610

keirwilliams · 2024-01-18T14:46:54Z

No description provided.

github-actions · 2024-01-18T14:49:13Z

`TFSEC Scan` Failed

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data

Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #2 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #3 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #5 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #6 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #7 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #8 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #9 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #10 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #11 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #12 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #13 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────

Result #14 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────

Result #15 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita_random_string.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #16 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #17 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:97-99
────────────────────────────────────────────────────────────────────────────────
97 resource "aws_cloudwatch_log_group" "transfer" {
98 name_prefix = "transfer_test_"
99 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 220.204µs
parsing 10.002546ms
adaptation 339.377µs
checks 4.365183ms
total 14.92731ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 73
files read 13

results
──────────────────────────────────────────
passed 14
ignored 0
critical 0
high 12
medium 2
low 3

14 passed, 17 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 125, Failed checks: 23, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_oakdale_ip
	File: /test_permissions.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		7  | resource "aws_vpc_security_group_ingress_rule" "test_oakdale_ip" {
		8  |   security_group_id = aws_security_group.test_security_group.id
		9  | 
		10 |   cidr_ipv4   = "82.16.51.175/32"
		11 |   ip_protocol = "tcp"
		12 |   from_port   = 2222
		13 |   to_port     = 2222
		14 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /test_permissions.tf:15-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		15 | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		16 |   security_group_id = aws_security_group.test_security_group.id
		17 | 
		18 |   cidr_ipv4   = "46.69.144.146/32"
		19 |   ip_protocol = "tcp"
		20 |   from_port   = 2222
		21 |   to_port     = 2222
		22 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_petty_france_ip
	File: /test_permissions.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		23 | resource "aws_vpc_security_group_ingress_rule" "test_petty_france_ip" {
		24 |   security_group_id = aws_security_group.test_security_group.id
		25 | 
		26 |   cidr_ipv4   = "81.134.202.29/32"
		27 |   ip_protocol = "tcp"
		28 |   from_port   = 2222
		29 |   to_port     = 2222
		30 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_global_protect_ip
	File: /test_permissions.tf:31-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		31 | resource "aws_vpc_security_group_ingress_rule" "test_global_protect_ip" {
		32 |   security_group_id = aws_security_group.test_security_group.id
		33 | 
		34 |   cidr_ipv4   = "35.176.93.186/32"
		35 |   ip_protocol = "tcp"
		36 |   from_port   = 2222
		37 |   to_port     = 2222
		38 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_1
	File: /transfer_server_capita.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		23 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_1" {
		24 |   security_group_id = aws_security_group.capita_security_group.id
		25 | 
		26 |   cidr_ipv4   = "82.203.33.112/28"
		27 |   ip_protocol = "tcp"
		28 |   from_port   = 2222
		29 |   to_port     = 2222
		30 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_2
	File: /transfer_server_capita.tf:32-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		32 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_2" {
		33 |   security_group_id = aws_security_group.capita_security_group.id
		34 | 
		35 |   cidr_ipv4   = "82.203.33.128/28"
		36 |   ip_protocol = "tcp"
		37 |   from_port   = 2222
		38 |   to_port     = 2222
		39 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_3
	File: /transfer_server_capita.tf:41-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		41 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_3" {
		42 |   security_group_id = aws_security_group.capita_security_group.id
		43 | 
		44 |   cidr_ipv4   = "85.115.52.0/24"
		45 |   ip_protocol = "tcp"
		46 |   from_port   = 2222
		47 |   to_port     = 2222
		48 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_4
	File: /transfer_server_capita.tf:50-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		50 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_4" {
		51 |   security_group_id = aws_security_group.capita_security_group.id
		52 | 
		53 |   cidr_ipv4   = "85.115.53.0/24"
		54 |   ip_protocol = "tcp"
		55 |   from_port   = 2222
		56 |   to_port     = 2222
		57 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_5
	File: /transfer_server_capita.tf:59-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		59 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
		60 |   security_group_id = aws_security_group.capita_security_group.id
		61 | 
		62 |   cidr_ipv4   = "85.115.54.0/24"
		63 |   ip_protocol = "tcp"
		64 |   from_port   = 2222
		65 |   to_port     = 2222
		66 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.transfer
	File: /transfer_server_capita.tf:97-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		97 | resource "aws_cloudwatch_log_group" "transfer" {
		98 |   name_prefix = "transfer_test_"
		99 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.transfer
	File: /transfer_server_capita.tf:97-99

		97 | resource "aws_cloudwatch_log_group" "transfer" {
		98 |   name_prefix = "transfer_test_"
		99 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.transfer
	File: /transfer_server_capita.tf:97-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		97 | resource "aws_cloudwatch_log_group" "transfer" {
		98 |   name_prefix = "transfer_test_"
		99 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita_random_string.result}"
		32 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita_random_string.result}"
		32 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita_random_string.result}"
		32 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita_random_string.result}"
		32 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita_random_string.result}"
		32 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 22:
  22: resource "random_string" "capita_random_string" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan`

Show Output

planetfm(pd): adding pd-cafm-db-a

083e1f6

keirwilliams requested review from a team as code owners January 18, 2024 14:46

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 18, 2024

keirwilliams had a problem deploying to planetfm-development January 18, 2024 14:48 — with GitHub Actions Failure

haitchison approved these changes Jan 18, 2024

View reviewed changes

keirwilliams merged commit 13726b6 into main Jan 18, 2024
14 of 16 checks passed

keirwilliams deleted the planetfm/add-instance branch January 18, 2024 14:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

planetfm(pd): adding `pd-cafm-db-a` #4610

planetfm(pd): adding `pd-cafm-db-a` #4610

keirwilliams commented Jan 18, 2024

github-actions bot commented Jan 18, 2024

You can read more here:
aquasecurity/tfsec#1994

planetfm(pd): adding pd-cafm-db-a #4610

planetfm(pd): adding pd-cafm-db-a #4610

Conversation

keirwilliams commented Jan 18, 2024

github-actions bot commented Jan 18, 2024

TFSEC Scan Failed

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Failed

Trivy Scan

planetfm(pd): adding `pd-cafm-db-a` #4610

planetfm(pd): adding `pd-cafm-db-a` #4610

`TFSEC Scan` Failed

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Failed

`Trivy Scan`