
add GDPR and Merge delius microservices #4683

Merged
merged 13 commits into from
Feb 2, 2024

Conversation

sobostion
Contributor

No description provided.

@sobostion sobostion requested review from a team as code owners January 24, 2024 11:11
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 24, 2024
@sobostion sobostion had a problem deploying to delius-core-development January 24, 2024 11:13 — with GitHub Actions Error
@sobostion sobostion had a problem deploying to delius-core-development January 29, 2024 14:05 — with GitHub Actions Error
@sobostion sobostion force-pushed the NIT-1028_deploy_gdpr_merge branch from bd7390a to 0f58dd5 January 29, 2024 14:06
Contributor

#### `TFSEC Scan` Success
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:

```
</details>

#### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

```
</details>

#### `CTFLint Scan` Success
<details><summary>Show Output</summary>

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

```
</details>

#### `Trivy Scan`
<details><summary>Show Output</summary>

</details>

@modernisation-platform-ci
Contributor

@sobostion Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

@sobostion sobostion had a problem deploying to delius-core-development January 29, 2024 14:29 — with GitHub Actions Error
@sobostion sobostion force-pushed the NIT-1028_deploy_gdpr_merge branch from 0f58dd5 to adf134b January 29, 2024 14:34
@modernisation-platform-ci
Contributor

@sobostion Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

Contributor

#### `TFSEC Scan` Failed
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components


Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-25 CRITICAL Security group rule allows egress to multiple public internet addresses. (25 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/delius_microservice/sg.tf:37
via weblogic.tf:1-62 (module.weblogic)
────────────────────────────────────────────────────────────────────────────────
31 resource "aws_security_group_rule" "ecs_service_tls_egress" {
32 description = "Allow all outbound traffic to any IPv4 address on 443"
33 type = "egress"
34 from_port = 443
35 to_port = 443
36 protocol = "tcp"
37 [ cidr_blocks = ["0.0.0.0/0"]
38 security_group_id = aws_security_group.ecs_service.id
39 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/delius_microservice/sg.tf:1-143 (module.gdpr_api_service) 5 instances
  • ../components/delius_microservice/sg.tf:1-26 (module.merge_ui_service) 5 instances
  • ../components/delius_microservice/sg.tf:1-116 (module.merge_api_service) 5 instances
  • ../components/delius_microservice/sg.tf:1-62 (module.weblogic) 5 instances
  • ../components/delius_microservice/sg.tf:1-26 (module.gdpr_ui_service) 5 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-ec2-no-public-egress-sgr
    Impact Your port is egressing data to the internet
    Resolution Set a more restrictive cidr range

More Information

Result #26 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
../components/ldap/sg.tf:17
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #27 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
../components/ldap/backup.tf:100
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
97 data "aws_iam_policy_document" "efs_backup_policy" {
..
100 [ resources = ["*"]
...
134 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #28 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
../components/ldap/backup.tf:72
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
69 data "aws_iam_policy_document" "delius_core_backup_policy" {
..
72 [ resources = ["*"]
..
89 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #29-31 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/ldap/datasync.tf:52-61
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
49 data "aws_iam_policy_document" "ldap_datasync_role_access" {
..
52 ┌ actions = [
53 │ "backup:*",
54 │ "datasync:*",
55 │ "elasticfilesystem:*",
56 │ "ec2:DescribeInstances",
57 │ "ec2:CreateNetworkInterface",
58 └ "ec2:AttachNetworkInterface",
..
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/ldap/datasync.tf:1-23 (module.ldap) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #32 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
../components/ldap/datasync.tf:62
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
49 data "aws_iam_policy_document" "ldap_datasync_role_access" {
..
62 [ resources = ["*"]
..
88 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #33 HIGH IAM policy document uses wildcarded action 's3:*'
────────────────────────────────────────────────────────────────────────────────
../components/ldap/datasync.tf:82
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
49 data "aws_iam_policy_document" "ldap_datasync_role_access" {
..
82 [ actions = ["s3:*"]
..
88 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #34 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'arn:aws:s3:::*-ldap-data-refresh-incoming'
────────────────────────────────────────────────────────────────────────────────
../components/ldap/datasync.tf:83-86
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
49 data "aws_iam_policy_document" "ldap_datasync_role_access" {
..
83 ┌ resources = [
84 │ "arn:aws:s3:::*-ldap-data-refresh-incoming",
85 │ "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
86 └ ]
..
88 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #35-37 HIGH Instance does not require IMDS access to require a token (3 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_instance/instance.tf:21
via database.tf:129-233 (module.oracle_db_standby[1])
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_instance" "db_ec2" {
.
21 [ http_tokens = var.metadata_options.http_tokens ("optional")
..
48 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/oracle_db_instance/instance.tf:129-233 (module.oracle_db_standby[1])
  • ../components/oracle_db_instance/instance.tf:129-233 (module.oracle_db_standby[0])
  • ../components/oracle_db_instance/instance.tf:24-127 (module.oracle_db_primary[0])
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-ec2-enforce-http-token-imds
    Impact Instance metadata service can be interacted with freely
    Resolution Enable HTTP token requirement for IMDS

More Information

Result #38 HIGH IAM policy document uses sensitive action 'ssm:PutParameter' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/iam.tf:103
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
96 data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
97 statement {
98 sid = "AllowAccessToSsmParameterStore"
99 effect = "Allow"
100 actions = [
101 "ssm:PutParameter"
102 ]
103 [ resources = ["*"]
104 }
105 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #39-43 HIGH IAM policy document uses wildcarded action 'secretsmanager:Describe*' (5 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/iam.tf:157-164
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
154 data "aws_iam_policy_document" "db_access_to_secrets_manager" {
155 statement {
156 sid = "DbAccessToSecretsManager"
157 ┌ actions = [
158 │ "secretsmanager:Describe*",
159 │ "secretsmanager:Get*",
160 │ "secretsmanager:ListSecret*",
161 │ "secretsmanager:Put*",
162 └ "secretsmanager:RestoreSecret",
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/oracle_db_shared/iam.tf:6-22 (module.oracle_db_shared) 5 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #44-47 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/iam.tf:36-45
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
33 data "aws_iam_policy_document" "business_unit_kms_key_access" {
34 statement {
35 effect = "Allow"
36 ┌ actions = [
37 │ "kms:Encrypt",
38 │ "kms:Decrypt",
39 │ "kms:ReEncrypt*",
40 │ "kms:GenerateDataKey*",
41 └ "kms:DescribeKey",
..
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/oracle_db_shared/iam.tf:6-22 (module.oracle_db_shared) 4 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #48 HIGH IAM policy document uses wildcarded action 's3:*'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:44-46
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
44 ┌ actions = [
45 │ "s3:*"
46 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #49 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '40550545-c532-4d2f-9b91-6bae53a31e87'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:47-50
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
47 ┌ resources = [
48 │ "${module.s3_bucket_oracledb_backups.bucket.arn}",
49 │ "${module.s3_bucket_oracledb_backups.bucket.arn}/*"
50 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #50-51 HIGH IAM policy document uses wildcarded action 's3:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:56-59
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
56 ┌ actions = [
57 │ "s3:Get*",
58 │ "s3:List*"
59 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/oracle_db_shared/s3.tf:6-22 (module.oracle_db_shared) 2 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #52 HIGH IAM policy document uses sensitive action 's3:Get*' on wildcarded resource '94a69341-8d9d-4d6f-9f1f-9b594325b534'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:60-63
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
60 ┌ resources = [
61 │ "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}",
62 │ "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}/*"
63 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #53-54 HIGH IAM policy document uses wildcarded action 's3:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:69-72
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
69 ┌ actions = [
70 │ "s3:Get*",
71 │ "s3:List*"
72 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/oracle_db_shared/s3.tf:6-22 (module.oracle_db_shared) 2 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #55 HIGH IAM policy document uses sensitive action 's3:GetBucketLocation' on wildcarded resource 'arn:aws:s3:::*'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:86-88
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
40 data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
..
86 ┌ resources = [
87 │ "arn:aws:s3:::*"
88 └ ]
..
90 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #56 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:99-110
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
99 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
100 │ bucket = "${var.env_name}-oracle-database-backups-inventory"
101 │ tags = merge(
102 │ var.tags,
103 │ {
104 │ "Name" = "${var.env_name}-oracle-database-backups-inventory"
105 │ },
106 │ {
107 └ "Purpose" = "Inventory of Oracle DB Backup Pieces"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #57 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:99-110
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
99 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
100 │ bucket = "${var.env_name}-oracle-database-backups-inventory"
101 │ tags = merge(
102 │ var.tags,
103 │ {
104 │ "Name" = "${var.env_name}-oracle-database-backups-inventory"
105 │ },
106 │ {
107 └ "Purpose" = "Inventory of Oracle DB Backup Pieces"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #58 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'abc5330c-1116-4d1a-af3d-01817d31c98e/logs/*'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/ssh_keys.tf:74
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
66 data "aws_iam_policy_document" "db_ssh_keys_s3_policy_document" {
..
74 [ resources = ["${module.s3_bucket_ssh_keys.bucket.arn}/logs/*"]
...
108 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #59 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'abc5330c-1116-4d1a-af3d-01817d31c98e/public-keys/*'
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/ssh_keys.tf:81
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
66 data "aws_iam_policy_document" "db_ssh_keys_s3_policy_document" {
..
81 [ resources = ["${module.s3_bucket_ssh_keys.bucket.arn}/public-keys/*"]
...
108 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #60-65 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
../ecs_policies/main.tf:107
via gdpr_api_service.tf:1-143 (module.gdpr_api_service)
────────────────────────────────────────────────────────────────────────────────
104 data "aws_iam_policy_document" "task_exec" {
...
107 [ resources = ["*"]
...
121 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../ecs_policies/main.tf:1-143 (module.gdpr_api_service) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #66-71 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
../ecs_policies/main.tf:46
via gdpr_api_service.tf:1-143 (module.gdpr_api_service)
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "service_policy" {
..
46 [ resources = ["*"]
..
58 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../ecs_policies/main.tf:1-143 (module.gdpr_api_service) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #72-83 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (12 similar results)
────────────────────────────────────────────────────────────────────────────────
../ecs_policies/main.tf:48-56
via gdpr_api_service.tf:1-143 (module.gdpr_api_service)
────────────────────────────────────────────────────────────────────────────────
43 data "aws_iam_policy_document" "service_policy" {
44 statement {
45 effect = "Allow"
46 resources = ["*"]
47
48 ┌ actions = concat([
49 │ "elasticloadbalancing:Describe*",
50 │ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
51 └ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
..
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../ecs_policies/main.tf:1-143 (module.gdpr_api_service) 12 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #84-86 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
167 resource "aws_s3_bucket_versioning" "default" {
168 bucket = aws_s3_bucket.default.id
169 versioning_configuration {
170 [ status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
171 }
172 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:6-22 (module.oracle_db_shared) 2 instances
  • github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-23 (module.ldap)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #87 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:116
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
113 resource "aws_s3_bucket_versioning" "s3_bucket_oracledb_backups_inventory" {
114 bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
115 versioning_configuration {
116 [ status = "Suspended"
117 }
118 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #88 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
../components/oracle_db_shared/s3.tf:99-110
via database.tf:6-22 (module.oracle_db_shared)
────────────────────────────────────────────────────────────────────────────────
99 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
100 │ bucket = "${var.env_name}-oracle-database-backups-inventory"
101 │ tags = merge(
102 │ var.tags,
103 │ {
104 │ "Name" = "${var.env_name}-oracle-database-backups-inventory"
105 │ },
106 │ {
107 └ "Purpose" = "Inventory of Oracle DB Backup Pieces"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Results #89-93 LOW Log group is not encrypted. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
../components/delius_microservice/cloudwatch.tf:1-5
via gdpr_api_service.tf:1-143 (module.gdpr_api_service)
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_cloudwatch_log_group" "ecs" {
2 name = "${var.env_name}-${var.name}"
3 retention_in_days = 7
4 tags = var.tags
5 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ../components/delius_microservice/cloudwatch.tf:1-116 (module.merge_api_service)
  • ../components/delius_microservice/cloudwatch.tf:1-26 (module.gdpr_ui_service)
  • ../components/delius_microservice/cloudwatch.tf:1-143 (module.gdpr_api_service)
  • ../components/delius_microservice/cloudwatch.tf:1-62 (module.weblogic)
  • ../components/delius_microservice/cloudwatch.tf:1-26 (module.merge_ui_service)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-cloudwatch-log-group-customer-key
    Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
    Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #94 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
../components/ldap/cloudwatch.tf:1-4
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_cloudwatch_log_group" "ldap_test" {
2 name = "/ecs/ldap_${var.env_name}"
3 retention_in_days = 5
4 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #95 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
../components/ldap/sg.tf:54-61
via ldap.tf:1-23 (module.ldap)
────────────────────────────────────────────────────────────────────────────────
54 resource "aws_security_group_rule" "efs_ingress_ldap" {
55 type = "ingress"
56 from_port = 2049
57 to_port = 2049
58 protocol = "tcp"
59 source_security_group_id = module.efs.sg_id
60 security_group_id = aws_security_group.ldap.id
61 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

timings
──────────────────────────────────────────
disk i/o 5.130321ms
parsing 3.497798993s
adaptation 80.934123ms
checks 13.809466ms
total 3.597672903s

counts
──────────────────────────────────────────
modules downloaded 6
modules processed 52
blocks processed 1862
files read 279

results
──────────────────────────────────────────
passed 426
ignored 50
critical 26
high 57
medium 5
low 7

426 passed, 50 ignored, 95 potential problem(s) detected.

tfsec_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2024-01-29 14:36:44,917 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=cc5958ecde3eeed1df86608cf0df22ccbcbe7ee6:None (for external modules, the --download-external-modules flag is required)
2024-01-29 14:36:44,917 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1065, Failed checks: 118, Skipped checks: 15

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.gdpr_api_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /gdpr_api_service.tf:1-143

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.gdpr_api_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /gdpr_api_service.tf:1-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.gdpr_ui_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /gdpr_ui_service.tf:1-26

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.gdpr_ui_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /gdpr_ui_service.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.merge_api_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /merge_api_service.tf:1-116

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.merge_api_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /merge_api_service.tf:1-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.merge_ui_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /merge_ui_service.tf:1-26

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.merge_ui_service.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /merge_ui_service.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-62

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../components/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.gdpr_api_service.container_definition
	File: /../components/delius_microservice/ecs.tf:1-20
	Calling File: /gdpr_api_service.tf:1-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = var.name
		4  |   container_image          = var.container_image
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		18 |     }
		19 |   }
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.gdpr_ui_service.container_definition
	File: /../components/delius_microservice/ecs.tf:1-20
	Calling File: /gdpr_ui_service.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = var.name
		4  |   container_image          = var.container_image
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		18 |     }
		19 |   }
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.merge_api_service.container_definition
	File: /../components/delius_microservice/ecs.tf:1-20
	Calling File: /merge_api_service.tf:1-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = var.name
		4  |   container_image          = var.container_image
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		18 |     }
		19 |   }
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.merge_ui_service.container_definition
	File: /../components/delius_microservice/ecs.tf:1-20
	Calling File: /merge_ui_service.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = var.name
		4  |   container_image          = var.container_image
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		18 |     }
		19 |   }
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.container_definition
	File: /../components/delius_microservice/ecs.tf:1-20
	Calling File: /weblogic.tf:1-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = var.name
		4  |   container_image          = var.container_image
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		18 |     }
		19 |   }
		20 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.delius_core_backup_policy
	File: /../components/ldap/backup.tf:69-89
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.delius_core_backup_policy
	File: /../components/ldap/backup.tf:69-89
	Calling File: /ldap.tf:1-23

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-23

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.ldap.aws_backup_vault.ldap_backup_vault
	File: /../components/ldap/backup.tf:1-9
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_test
	File: /../components/ldap/cloudwatch.tf:1-4
	Calling File: /ldap.tf:1-23

		1 | resource "aws_cloudwatch_log_group" "ldap_test" {
		2 |   name              = "/ecs/ldap_${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_test
	File: /../components/ldap/cloudwatch.tf:1-4
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_test" {
		2 |   name              = "/ecs/ldap_${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-23

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_ldap_data_refresh
	File: /../components/ldap/datasync.tf:117-131
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_migration
	File: /../components/ldap/s3.tf:1-99
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_app_deployment
	File: /../components/ldap/s3.tf:102-141
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		105 | 
		106 |   bucket_prefix      = "${var.app_name}-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: module.ldap.aws_security_group_rule.efs_ingress_ldap
	File: /../components/ldap/sg.tf:54-61
	Calling File: /ldap.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		54 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		55 |   type                     = "ingress"
		56 |   from_port                = 2049
		57 |   to_port                  = 2049
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = module.efs.sg_id
		60 |   security_group_id        = aws_security_group.ldap.id
		61 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../components/oracle_db_shared/iam.tf:96-105
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		96  | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		97  |   statement {
		98  |     sid    = "AllowAccessToSsmParameterStore"
		99  |     effect = "Allow"
		100 |     actions = [
		101 |       "ssm:PutParameter"
		102 |     ]
		103 |     resources = ["*"]
		104 |   }
		105 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../components/oracle_db_shared/iam.tf:96-105
	Calling File: /database.tf:6-22

		96  | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		97  |   statement {
		98  |     sid    = "AllowAccessToSsmParameterStore"
		99  |     effect = "Allow"
		100 |     actions = [
		101 |       "ssm:PutParameter"
		102 |     ]
		103 |     resources = ["*"]
		104 |   }
		105 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_oracledb_backups
	File: /../components/oracle_db_shared/s3.tf:1-38
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.kms_keys.general_shared
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = var.tags
		38 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.delius_core_dba_passwords
	File: /../components/oracle_db_shared/secrets.tf:1-5
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "delius_core_dba_passwords" {
		2 |   name        = join("-", [lookup(var.tags, "environment-name", null), lookup(var.tags, "delius-environment", null), replace(lookup(var.tags, "application", null), "-core", ""), "dba-passwords"])
		3 |   description = "DBA Users Credentials"
		4 |   tags        = var.tags
		5 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.delius_core_application_passwords
	File: /../components/oracle_db_shared/secrets.tf:17-21
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		17 | resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
		18 |   name        = join("-", [lookup(var.tags, "environment-name", null), lookup(var.tags, "delius-environment", null), replace(lookup(var.tags, "application", null), "-core", ""), "application-passwords"])
		19 |   description = "Application Users Credentials"
		20 |   tags        = var.tags
		21 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../components/oracle_db_shared/sg.tf:73-80
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		73 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		74 |   security_group_id            = aws_security_group.db_ec2.id
		75 |   description                  = "bastion to testing db"
		76 |   from_port                    = 22
		77 |   to_port                      = 22
		78 |   ip_protocol                  = "tcp"
		79 |   referenced_security_group_id = var.bastion_sg_id
		80 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../components/oracle_db_shared/sg.tf:82-88
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		82 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		83 |   ip_protocol       = "tcp"
		84 |   from_port         = 1521
		85 |   to_port           = 1521
		86 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		87 |   security_group_id = aws_security_group.db_ec2.id
		88 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../components/oracle_db_shared/sg.tf:90-96
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		90 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		91 |   ip_protocol       = "tcp"
		92 |   from_port         = 3872
		93 |   to_port           = 3872
		94 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		95 |   security_group_id = aws_security_group.db_ec2.id
		96 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../components/oracle_db_shared/sg.tf:98-104
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		98  | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		99  |   ip_protocol       = "tcp"
		100 |   from_port         = 4903
		101 |   to_port           = 4903
		102 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		103 |   security_group_id = aws_security_group.db_ec2.id
		104 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../components/oracle_db_shared/sg.tf:106-113
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		106 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		107 |   ip_protocol = "tcp"
		108 |   from_port   = 7803
		109 |   to_port     = 7803
		110 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		111 | 
		112 |   security_group_id = aws_security_group.db_ec2.id
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_ssh_keys
	File: /../components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /database.tf:6-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		5  | 
		6  |   bucket_name = "${var.env_name}-oracle-database-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared.aws_ssm_parameter.rman_password
	File: /../components/oracle_db_shared/ssm.tf:1-10
	Calling File: /database.tf:6-22

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/delius-core-${var.env_name}/delius/oracle-db-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.gdpr_api_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.gdpr_api_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.gdpr_ui_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.gdpr_ui_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.merge_api_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.merge_api_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.merge_ui_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.merge_ui_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/delius_microservice/ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap.module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/ldap/ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /../components/ldap/ldap_policies.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.ldap
	File: /../efs/efs.tf:25-36
	Calling File: /../components/ldap/efs.tf:1-16

		25 | resource "aws_efs_access_point" "ldap" {
		26 |   file_system_id = aws_efs_file_system.this.id
		27 |   root_directory {
		28 |     path = "/"
		29 |   }
		30 |   tags = merge(
		31 |     var.tags,
		32 |     {
		33 |       Name = "${var.env_name}-ldap-efs-access-point"
		34 |     }
		35 |   )
		36 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.ldap
	File: /../efs/efs.tf:25-36
	Calling File: /../components/ldap/efs.tf:1-16

		25 | resource "aws_efs_access_point" "ldap" {
		26 |   file_system_id = aws_efs_file_system.this.id
		27 |   root_directory {
		28 |     path = "/"
		29 |   }
		30 |   tags = merge(
		31 |     var.tags,
		32 |     {
		33 |       Name = "${var.env_name}-ldap-efs-access-point"
		34 |     }
		35 |   )
		36 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /delius_frontend_alb.tf:57-69
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		57 | resource "aws_lb" "delius_core_frontend" {
		58 |   # checkov:skip=CKV_AWS_91
		59 |   # checkov:skip=CKV2_AWS_28
		60 | 
		61 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		62 |   internal           = false
		63 |   load_balancer_type = "application"
		64 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		65 |   subnets            = var.account_config.public_subnet_ids
		66 | 
		67 |   enable_deletion_protection = false
		68 |   drop_invalid_header_fields = true
		69 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_seed_uri
	File: /ldap_params.tf:20-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		20 | resource "aws_secretsmanager_secret" "delius_core_ldap_seed_uri" {
		21 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-seed-uri"
		22 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:34-44

		34 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		35 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		36 |   type  = "SecureString"
		37 |   value = "INITIAL_VALUE_OVERRIDDEN"
		38 |   lifecycle {
		39 |     ignore_changes = [
		40 |       value
		41 |     ]
		42 |   }
		43 |   tags = local.tags
		44 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:46-56

		46 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		47 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		48 |   type  = "SecureString"
		49 |   value = "INITIAL_VALUE_OVERRIDDEN"
		50 |   lifecycle {
		51 |     ignore_changes = [
		52 |       value
		53 |     ]
		54 |   }
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_admin_password
	File: /ssm.tf:215-225

		215 | resource "aws_ssm_parameter" "delius_core_gdpr_db_admin_password" {
		216 |   name  = format("/%s-%s/gdpr/api/db_admin_password", var.account_info.application_name, var.env_name)
		217 |   type  = "SecureString"
		218 |   value = "INITIAL_VALUE_OVERRIDDEN"
		219 |   lifecycle {
		220 |     ignore_changes = [
		221 |       value
		222 |     ]
		223 |   }
		224 |   tags = local.tags
		225 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_pool_password
	File: /ssm.tf:227-237

		227 | resource "aws_ssm_parameter" "delius_core_gdpr_db_pool_password" {
		228 |   name  = format("/%s-%s/gdpr/api/db_pool_password", var.account_info.application_name, var.env_name)
		229 |   type  = "SecureString"
		230 |   value = "INITIAL_VALUE_OVERRIDDEN"
		231 |   lifecycle {
		232 |     ignore_changes = [
		233 |       value
		234 |     ]
		235 |   }
		236 |   tags = local.tags
		237 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_admin_password
	File: /ssm.tf:239-249

		239 | resource "aws_ssm_parameter" "delius_core_merge_db_admin_password" {
		240 |   name  = format("/%s-%s/gdpr/api/db_admin_password", var.account_info.application_name, var.env_name)
		241 |   type  = "SecureString"
		242 |   value = "INITIAL_VALUE_OVERRIDDEN"
		243 |   lifecycle {
		244 |     ignore_changes = [
		245 |       value
		246 |     ]
		247 |   }
		248 |   tags = local.tags
		249 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_pool_password
	File: /ssm.tf:251-261

		251 | resource "aws_ssm_parameter" "delius_core_merge_db_pool_password" {
		252 |   name  = format("/%s-%s/gdpr/api/db_pool_password", var.account_info.application_name, var.env_name)
		253 |   type  = "SecureString"
		254 |   value = "INITIAL_VALUE_OVERRIDDEN"
		255 |   lifecycle {
		256 |     ignore_changes = [
		257 |       value
		258 |     ]
		259 |   }
		260 |   tags = local.tags
		261 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../nlb/nlb.tf:1-10
	Calling File: /../components/ldap/nlb.tf:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  |   tags = var.tags
		10 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../nlb/nlb.tf:1-10
	Calling File: /../components/ldap/nlb.tf:1-21
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  |   tags = var.tags
		10 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../nlb/nlb.tf:1-10
	Calling File: /../components/ldap/nlb.tf:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  |   tags = var.tags
		10 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: module.oracle_db_standby[1].aws_instance.db_ec2
	File: /../components/oracle_db_instance/instance.tf:1-48
	Calling File: /database.tf:129-233
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances

		1  | resource "aws_instance" "db_ec2" {
		2  |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		3  |   instance_type               = var.ec2_instance_type
		4  |   ami                         = data.aws_ami.oracle_db.id
		5  |   vpc_security_group_ids      = var.security_group_ids
		6  |   subnet_id                   = var.subnet_id
		7  |   iam_instance_profile        = var.instance_profile.name
		8  |   associate_public_ip_address = false
		9  |   monitoring                  = var.monitoring
		10 |   ebs_optimized               = true
		11 |   key_name                    = var.ec2_key_pair_name
		12 |   user_data_base64 = base64encode(templatefile("${path.module}/templates/concatenated_user_data.sh",
		13 |     {
		14 |       default   = var.user_data
		15 |       ssh_setup = templatefile("${path.module}/templates/ssh_key_setup.sh", { aws_region = "eu-west-2", bucket_name = var.ssh_keys_bucket_name })
		16 |     }
		17 |   ))
		18 | 
		19 |   metadata_options {
		20 |     http_endpoint = var.metadata_options.http_endpoint
		21 |     http_tokens   = var.metadata_options.http_tokens
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     volume_type = var.ebs_volumes.root_volume.volume_type
		26 |     volume_size = var.ebs_volumes.root_volume.volume_size
		27 |     iops        = var.ebs_volumes.iops
		28 |     throughput  = var.ebs_volumes.throughput
		29 |     encrypted   = true
		30 |     kms_key_id  = var.ebs_volumes.kms_key_id
		31 |     tags        = var.tags
		32 |   }
		33 | 
		34 |   dynamic "ephemeral_block_device" {
		35 |     for_each = { for k, v in var.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		36 |     content {
		37 |       device_name = ephemeral_block_device.key
		38 |       no_device   = true
		39 |     }
		40 |   }
		41 |   tags = merge(var.tags,
		42 |     { Name = lower(format("%s-delius-db-%s", var.env_name, local.instance_name_index)) },
		43 |     { server-type = "delius_core_db" },
		44 |     { database = local.database_tag }
		45 |   )
		46 | 
		47 |   user_data_replace_on_change = var.user_data_replace_on_change
		48 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.oracle_db_standby[1].aws_instance.db_ec2
	File: /../components/oracle_db_instance/instance.tf:1-48
	Calling File: /database.tf:129-233
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		1  | resource "aws_instance" "db_ec2" {
		2  |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		3  |   instance_type               = var.ec2_instance_type
		4  |   ami                         = data.aws_ami.oracle_db.id
		5  |   vpc_security_group_ids      = var.security_group_ids
		6  |   subnet_id                   = var.subnet_id
		7  |   iam_instance_profile        = var.instance_profile.name
		8  |   associate_public_ip_address = false
		9  |   monitoring                  = var.monitoring
		10 |   ebs_optimized               = true
		11 |   key_name                    = var.ec2_key_pair_name
		12 |   user_data_base64 = base64encode(templatefile("${path.module}/templates/concatenated_user_data.sh",
		13 |     {
		14 |       default   = var.user_data
		15 |       ssh_setup = templatefile("${path.module}/templates/ssh_key_setup.sh", { aws_region = "eu-west-2", bucket_name = var.ssh_keys_bucket_name })
		16 |     }
		17 |   ))
		18 | 
		19 |   metadata_options {
		20 |     http_endpoint = var.metadata_options.http_endpoint
		21 |     http_tokens   = var.metadata_options.http_tokens
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     volume_type = var.ebs_volumes.root_volume.volume_type
		26 |     volume_size = var.ebs_volumes.root_volume.volume_size
		27 |     iops        = var.ebs_volumes.iops
		28 |     throughput  = var.ebs_volumes.throughput
		29 |     encrypted   = true
		30 |     kms_key_id  = var.ebs_volumes.kms_key_id
		31 |     tags        = var.tags
		32 |   }
		33 | 
		34 |   dynamic "ephemeral_block_device" {
		35 |     for_each = { for k, v in var.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		36 |     content {
		37 |       device_name = ephemeral_block_device.key
		38 |       no_device   = true
		39 |     }
		40 |   }
		41 |   tags = merge(var.tags,
		42 |     { Name = lower(format("%s-delius-db-%s", var.env_name, local.instance_name_index)) },
		43 |     { server-type = "delius_core_db" },
		44 |     { database = local.database_tag }
		45 |   )
		46 | 
		47 |   user_data_replace_on_change = var.user_data_replace_on_change
		48 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.oracle_db_primary[0].module.ebs_volumes.aws_ebs_volume.this
	File: /../components/ebs_volume/main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 |   lifecycle {
		11 |     ignore_changes = [availability_zone]
		12 |   }
		13 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.oracle_db_standby[0].module.ebs_volumes.aws_ebs_volume.this
	File: /../components/ebs_volume/main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 |   lifecycle {
		11 |     ignore_changes = [availability_zone]
		12 |   }
		13 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.oracle_db_standby[1].module.ebs_volumes.aws_ebs_volume.this
	File: /../components/ebs_volume/main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 |   lifecycle {
		11 |     ignore_changes = [availability_zone]
		12 |   }
		13 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.gdpr_api_service.aws_security_group.ecs_service
	File: /../components/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.gdpr_ui_service.aws_security_group.ecs_service
	File: /../components/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.merge_api_service.aws_security_group.ecs_service
	File: /../components/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.merge_ui_service.aws_security_group.ecs_service
	File: /../components/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic.aws_security_group.ecs_service
	File: /../components/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.ldap.aws_security_group.ldap
	File: /../components/ldap/sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared.aws_security_group.db_ec2
	File: /../components/oracle_db_shared/sg.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "db_ec2" {
		2 |   name        = format("%s-sg-delius-db-ec2-instance", var.env_name)
		3 |   description = "Controls access to db ec2 instance"
		4 |   vpc_id      = var.account_config.shared_vpc_id
		5 |   tags = merge(var.tags,
		6 |     { Name = lower(format("%s-sg-delius-db-ec2-instance", var.env_name)) }
		7 |   )
		8 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.gdpr_api_service.aws_db_instance.this
	File: /../components/delius_microservice/rds.tf:33-74

		33 | resource "aws_db_instance" "this" {
		34 |   count          = var.create_rds ? 1 : 0
		35 |   engine         = var.rds_engine
		36 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		37 |   engine_version = var.rds_engine_version
		38 |   instance_class = var.rds_instance_class
		39 |   identifier     = "${var.name}-${var.env_name}-db"
		40 |   username       = var.rds_username
		41 | 
		42 |   manage_master_user_password = true
		43 | 
		44 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		45 | 
		46 |   # tflint-ignore: aws_db_instance_default_parameter_group
		47 |   parameter_group_name                = var.rds_parameter_group_name
		48 |   deletion_protection                 = var.rds_deletion_protection
		49 |   delete_automated_backups            = var.rds_delete_automated_backups
		50 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		51 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		52 |   allocated_storage                   = var.rds_allocated_storage
		53 |   max_allocated_storage               = var.rds_max_allocated_storage
		54 |   storage_type                        = var.rds_storage_type
		55 |   maintenance_window                  = var.maintenance_window
		56 |   auto_minor_version_upgrade          = true
		57 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		58 |   backup_window                       = var.rds_backup_window
		59 |   backup_retention_period             = var.rds_backup_retention_period
		60 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		61 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		62 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		63 |   multi_az                            = var.rds_multi_az
		64 |   monitoring_interval                 = var.rds_monitoring_interval
		65 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		66 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		67 |   storage_encrypted               = true
		68 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		69 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		70 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		71 |   tags = merge(var.tags,
		72 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		73 |   )
		74 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.gdpr_ui_service.aws_db_instance.this
	File: /../components/delius_microservice/rds.tf:33-74

		33 | resource "aws_db_instance" "this" {
		34 |   count          = var.create_rds ? 1 : 0
		35 |   engine         = var.rds_engine
		36 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		37 |   engine_version = var.rds_engine_version
		38 |   instance_class = var.rds_instance_class
		39 |   identifier     = "${var.name}-${var.env_name}-db"
		40 |   username       = var.rds_username
		41 | 
		42 |   manage_master_user_password = true
		43 | 
		44 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		45 | 
		46 |   # tflint-ignore: aws_db_instance_default_parameter_group
		47 |   parameter_group_name                = var.rds_parameter_group_name
		48 |   deletion_protection                 = var.rds_deletion_protection
		49 |   delete_automated_backups            = var.rds_delete_automated_backups
		50 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		51 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		52 |   allocated_storage                   = var.rds_allocated_storage
		53 |   max_allocated_storage               = var.rds_max_allocated_storage
		54 |   storage_type                        = var.rds_storage_type
		55 |   maintenance_window                  = var.maintenance_window
		56 |   auto_minor_version_upgrade          = true
		57 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		58 |   backup_window                       = var.rds_backup_window
		59 |   backup_retention_period             = var.rds_backup_retention_period
		60 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		61 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		62 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		63 |   multi_az                            = var.rds_multi_az
		64 |   monitoring_interval                 = var.rds_monitoring_interval
		65 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		66 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		67 |   storage_encrypted               = true
		68 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		69 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		70 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		71 |   tags = merge(var.tags,
		72 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		73 |   )
		74 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.merge_api_service.aws_db_instance.this
	File: /../components/delius_microservice/rds.tf:33-74

		33 | resource "aws_db_instance" "this" {
		34 |   count          = var.create_rds ? 1 : 0
		35 |   engine         = var.rds_engine
		36 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		37 |   engine_version = var.rds_engine_version
		38 |   instance_class = var.rds_instance_class
		39 |   identifier     = "${var.name}-${var.env_name}-db"
		40 |   username       = var.rds_username
		41 | 
		42 |   manage_master_user_password = true
		43 | 
		44 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		45 | 
		46 |   # tflint-ignore: aws_db_instance_default_parameter_group
		47 |   parameter_group_name                = var.rds_parameter_group_name
		48 |   deletion_protection                 = var.rds_deletion_protection
		49 |   delete_automated_backups            = var.rds_delete_automated_backups
		50 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		51 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		52 |   allocated_storage                   = var.rds_allocated_storage
		53 |   max_allocated_storage               = var.rds_max_allocated_storage
		54 |   storage_type                        = var.rds_storage_type
		55 |   maintenance_window                  = var.maintenance_window
		56 |   auto_minor_version_upgrade          = true
		57 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		58 |   backup_window                       = var.rds_backup_window
		59 |   backup_retention_period             = var.rds_backup_retention_period
		60 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		61 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		62 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		63 |   multi_az                            = var.rds_multi_az
		64 |   monitoring_interval                 = var.rds_monitoring_interval
		65 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		66 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		67 |   storage_encrypted               = true
		68 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		69 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		70 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		71 |   tags = merge(var.tags,
		72 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		73 |   )
		74 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.merge_ui_service.aws_db_instance.this
	File: /../components/delius_microservice/rds.tf:33-74

		33 | resource "aws_db_instance" "this" {
		34 |   count          = var.create_rds ? 1 : 0
		35 |   engine         = var.rds_engine
		36 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		37 |   engine_version = var.rds_engine_version
		38 |   instance_class = var.rds_instance_class
		39 |   identifier     = "${var.name}-${var.env_name}-db"
		40 |   username       = var.rds_username
		41 | 
		42 |   manage_master_user_password = true
		43 | 
		44 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		45 | 
		46 |   # tflint-ignore: aws_db_instance_default_parameter_group
		47 |   parameter_group_name                = var.rds_parameter_group_name
		48 |   deletion_protection                 = var.rds_deletion_protection
		49 |   delete_automated_backups            = var.rds_delete_automated_backups
		50 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		51 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		52 |   allocated_storage                   = var.rds_allocated_storage
		53 |   max_allocated_storage               = var.rds_max_allocated_storage
		54 |   storage_type                        = var.rds_storage_type
		55 |   maintenance_window                  = var.maintenance_window
		56 |   auto_minor_version_upgrade          = true
		57 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		58 |   backup_window                       = var.rds_backup_window
		59 |   backup_retention_period             = var.rds_backup_retention_period
		60 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		61 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		62 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		63 |   multi_az                            = var.rds_multi_az
		64 |   monitoring_interval                 = var.rds_monitoring_interval
		65 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		66 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		67 |   storage_encrypted               = true
		68 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		69 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		70 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		71 |   tags = merge(var.tags,
		72 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		73 |   )
		74 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic.aws_db_instance.this
	File: /../components/delius_microservice/rds.tf:33-74

		33 | resource "aws_db_instance" "this" {
		34 |   count          = var.create_rds ? 1 : 0
		35 |   engine         = var.rds_engine
		36 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		37 |   engine_version = var.rds_engine_version
		38 |   instance_class = var.rds_instance_class
		39 |   identifier     = "${var.name}-${var.env_name}-db"
		40 |   username       = var.rds_username
		41 | 
		42 |   manage_master_user_password = true
		43 | 
		44 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		45 | 
		46 |   # tflint-ignore: aws_db_instance_default_parameter_group
		47 |   parameter_group_name                = var.rds_parameter_group_name
		48 |   deletion_protection                 = var.rds_deletion_protection
		49 |   delete_automated_backups            = var.rds_delete_automated_backups
		50 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		51 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		52 |   allocated_storage                   = var.rds_allocated_storage
		53 |   max_allocated_storage               = var.rds_max_allocated_storage
		54 |   storage_type                        = var.rds_storage_type
		55 |   maintenance_window                  = var.maintenance_window
		56 |   auto_minor_version_upgrade          = true
		57 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		58 |   backup_window                       = var.rds_backup_window
		59 |   backup_retention_period             = var.rds_backup_retention_period
		60 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		61 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		62 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		63 |   multi_az                            = var.rds_multi_az
		64 |   monitoring_interval                 = var.rds_monitoring_interval
		65 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		66 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		67 |   storage_encrypted               = true
		68 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		69 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		70 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		71 |   tags = merge(var.tags,
		72 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		73 |   )
		74 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.delius_core_dba_passwords
	File: /../components/oracle_db_shared/secrets.tf:1-5

		1 | resource "aws_secretsmanager_secret" "delius_core_dba_passwords" {
		2 |   name        = join("-", [lookup(var.tags, "environment-name", null), lookup(var.tags, "delius-environment", null), replace(lookup(var.tags, "application", null), "-core", ""), "dba-passwords"])
		3 |   description = "DBA Users Credentials"
		4 |   tags        = var.tags
		5 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.delius_core_application_passwords
	File: /../components/oracle_db_shared/secrets.tf:17-21

		17 | resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
		18 |   name        = join("-", [lookup(var.tags, "environment-name", null), lookup(var.tags, "delius-environment", null), replace(lookup(var.tags, "application", null), "-core", ""), "application-passwords"])
		19 |   description = "Application Users Credentials"
		20 |   tags        = var.tags
		21 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_seed_uri
	File: /ldap_params.tf:20-22

		20 | resource "aws_secretsmanager_secret" "delius_core_ldap_seed_uri" {
		21 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-seed-uri"
		22 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:99-110

		99  | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		100 |   bucket = "${var.env_name}-oracle-database-backups-inventory"
		101 |   tags = merge(
		102 |     var.tags,
		103 |     {
		104 |       "Name" = "${var.env_name}-oracle-database-backups-inventory"
		105 |     },
		106 |     {
		107 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		108 |     },
		109 |   )
		110 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan

Show Output

ASTRobinson
ASTRobinson previously approved these changes Jan 29, 2024

TFSEC Scan Failed

Show Output ```hcl

TFSEC will check the following folders:
terraform/environments/cdpt-chaps


Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Instance is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_db_instance" "database" {
.
19 [ publicly_accessible = true (true)
20 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-no-public-db-access
Impact The database instance is publicly accessible
Resolution Set the database to not be publicly accessible

More Information

Result #2 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
database.tf:47
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
database.tf:53
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #4 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:239
────────────────────────────────────────────────────────────────────────────────
229 resource "aws_security_group" "cluster_ec2" {
...
239 [ cidr_blocks = ["0.0.0.0/0"]
...
266 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:256
────────────────────────────────────────────────────────────────────────────────
229 resource "aws_security_group" "cluster_ec2" {
...
256 [ cidr_blocks = ["0.0.0.0/0"]
...
266 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #6 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:473
────────────────────────────────────────────────────────────────────────────────
457 resource "aws_security_group" "ecs_service" {
...
473 [ cidr_blocks = ["0.0.0.0/0"]
...
475 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #7 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
11 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #9 HIGH Instance has Public Access enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
19 publicly_accessible = true
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0180
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #10 HIGH Instance does not have storage encryption enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-encrypt-instance-storage-data
Impact Data can be read from RDS instances if compromised
Resolution Enable encryption for RDS instances

More Information

Result #11 HIGH Launch template does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
ecs.tf:285
────────────────────────────────────────────────────────────────────────────────
272 resource "aws_launch_template" "ec2-launch-template" {
...
285 [ http_tokens = "optional" ("optional")
...
327 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-launch-config-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

Result #12 HIGH IAM policy document uses wildcarded action 'ecr:*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:390-397
────────────────────────────────────────────────────────────────────────────────
381 resource "aws_iam_role_policy" "app_execution" {
...
390 ┌ "Action": [
391 │ "ecr:*",
392 │ "logs:CreateLogGroup",
393 │ "logs:CreateLogStream",
394 │ "logs:PutLogEvents",
395 │ "logs:DescribeLogStreams",
396 └ "secretsmanager:GetSecretValue"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #13 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:398
────────────────────────────────────────────────────────────────────────────────
381 resource "aws_iam_role_policy" "app_execution" {
...
398 [ "Resource": "*",
...
404 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #14-16 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
ecs.tf:443-449
────────────────────────────────────────────────────────────────────────────────
433 resource "aws_iam_role_policy" "app_task" {
...
443 ┌ "Action": [
444 │ "logs:CreateLogStream",
445 │ "logs:PutLogEvents",
446 │ "ecr:*",
447 │ "iam:*",
448 │ "ec2:*"
449 └ ],
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ecs.tf:433-455 (aws_iam_role_policy.app_task) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #17 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:450
────────────────────────────────────────────────────────────────────────────────
433 resource "aws_iam_role_policy" "app_task" {
...
450 [ "Resource": "*"
...
455 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #18 HIGH Application load balancer is not set to drop invalid headers.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-drop-invalid-headers
Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution Set drop_invalid_header_fields to true

More Information

Result #19 HIGH Load balancer is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-alb-not-public
Impact The load balancer is exposed on the internet
Resolution Switch to an internal load balancer or add a tfsec ignore

More Information

Result #20 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #21 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #22 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #23 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #24 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #25 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #26 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default

More Information

Result #27 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #28 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #29 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #30 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:43-48
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
43 ┌ ingress {
44 │ from_port = 1433
45 │ to_port = 1433
46 │ protocol = "tcp"
47 │ cidr_blocks = ["0.0.0.0/0"]
48 └ }
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security group rules

More Information

Result #31 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:49-54
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
49 ┌ egress {
50 │ from_port = 0
51 │ to_port = 0
52 │ protocol = "-1"
53 │ cidr_blocks = ["0.0.0.0/0"]
54 └ }
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security group rules

More Information

Result #32 LOW Instance does not have performance insights enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-enable-performance-insights
Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
Resolution Enable performance insights

More Information

Result #33 LOW Security group explicitly uses the default description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:457-475
────────────────────────────────────────────────────────────────────────────────
457 ┌ resource "aws_security_group" "ecs_service" {
458 │ name_prefix = "ecs-service-sg-"
459 │ vpc_id = data.aws_vpc.shared.id
460 │
461 │ ingress {
462 │ from_port = 80
463 │ to_port = 80
464 │ protocol = "tcp"
465 └ description = "Allow traffic on port 80 from load balancer"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups

More Information

Result #34 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:469-474
────────────────────────────────────────────────────────────────────────────────
457 resource "aws_security_group" "ecs_service" {
...
469 ┌ egress {
470 │ from_port = 0
471 │ to_port = 0
472 │ protocol = "-1"
473 │ cidr_blocks = ["0.0.0.0/0"]
474 └ }
475 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security group rules

More Information

Result #35 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:520-523
────────────────────────────────────────────────────────────────────────────────
520 resource "aws_cloudwatch_log_group" "cloudwatch_group" {
521 name = "${local.application_name}-ecs"
522 retention_in_days = 30
523 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who has viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #36 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:63-66
────────────────────────────────────────────────────────────────────────────────
63 resource "aws_cloudwatch_log_group" "deployment_logs" {
64 name = "/aws/events/deploymentLogs"
65 retention_in_days = "7"
66 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who has viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

timings
──────────────────────────────────────────
disk i/o 493.674µs
parsing 2.539103639s
adaptation 1.775522ms
checks 27.882782ms
total 2.569255617s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 3
blocks processed 188
files read 25

results
──────────────────────────────────────────
passed 53
ignored 81
critical 8
high 17
medium 4
low 8

53 passed, 81 ignored, 37 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2024-01-29 16:31:28,707 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 115, Failed checks: 50, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:39-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		39 | resource "aws_security_group" "db" {
		40 |   name        = "${local.application_name}-db-sg"
		41 |   description = "Allow DB inbound traffic"
		42 |   vpc_id      = data.aws_vpc.shared.id
		43 |   ingress {
		44 |     from_port   = 1433
		45 |     to_port     = 1433
		46 |     protocol    = "tcp"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 |   egress {
		50 |     from_port   = 0
		51 |     to_port     = 0
		52 |     protocol    = "-1"
		53 |     cidr_blocks = ["0.0.0.0/0"]
		54 |   }
		55 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:63-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		63 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		64 |   name              = "/aws/events/deploymentLogs"
		65 |   retention_in_days = "7"
		66 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:68-125

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:229-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		229 | resource "aws_security_group" "cluster_ec2" {
		230 |   name        = "${local.application_name}-cluster-ec2-security-group"
		231 |   description = "controls access to the cluster ec2 instance"
		232 |   vpc_id      = data.aws_vpc.shared.id
		233 | 
		234 |   ingress {
		235 |     description     = "allow access on HTTP from load balancer"
		236 |     from_port       = 80
		237 |     to_port         = 80
		238 |     protocol        = "tcp"
		239 |     cidr_blocks     = ["0.0.0.0/0"]
		240 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		241 |   }
		242 | 
		243 |   ingress {
		244 |     description     = "Allow RDP ingress"
		245 |     from_port       = 3389
		246 |     to_port         = 3389
		247 |     protocol        = "tcp"
		248 |     security_groups = [module.bastion_linux.bastion_security_group]
		249 |   }
		250 | 
		251 |   egress {
		252 |     description     = "Cluster EC2 loadbalancer egress rule"
		253 |     from_port       = 0
		254 |     to_port         = 0
		255 |     protocol        = "-1"
		256 |     cidr_blocks     = ["0.0.0.0/0"]
		257 |     security_groups = []
		258 |   }
		259 | 
		260 |   tags = merge(
		261 |     local.tags,
		262 |     {
		263 |       Name = "${local.application_name}-cluster-ec2-security-group"
		264 |     }
		265 |   )
		266 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_launch_template.ec2-launch-template
	File: /ecs.tf:272-327
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:457-475
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		457 | resource "aws_security_group" "ecs_service" {
		458 |   name_prefix = "ecs-service-sg-"
		459 |   vpc_id      = data.aws_vpc.shared.id
		460 | 
		461 |   ingress {
		462 |     from_port       = 80
		463 |     to_port         = 80
		464 |     protocol        = "tcp"
		465 |     description     = "Allow traffic on port 80 from load balancer"
		466 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		467 |   }
		468 | 
		469 |   egress {
		470 |     from_port   = 0
		471 |     to_port     = 0
		472 |     protocol    = "-1"
		473 |     cidr_blocks = ["0.0.0.0/0"]
		474 |   }
		475 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:520-523

		520 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		521 |   name              = "${local.application_name}-ecs"
		522 |   retention_in_days = 30
		523 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:520-523
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		520 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		521 |   name              = "${local.application_name}-ecs"
		522 |   retention_in_days = 30
		523 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:30-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		30 | resource "aws_lb_target_group" "chaps_target_group" {
		31 |   name                 = "chaps-target-group"
		32 |   port                 = 80
		33 |   protocol             = "HTTP"
		34 |   vpc_id               = data.aws_vpc.shared.id
		35 |   target_type          = "ip"
		36 |   deregistration_delay = 30
		37 | 
		38 |   stickiness {
		39 |     type = "lb_cookie"
		40 |   }
		41 | 
		42 |   health_check {
		43 |     healthy_threshold   = "2"
		44 |     interval            = "30"
		45 |     unhealthy_threshold = "5"
		46 |     matcher             = "200-499"
		47 |     timeout             = "10"
		48 |   }
		49 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 98:
  98:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 102:
 102:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 106:
 106:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 110:
 110:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 114:
 114:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 168:
 168:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan (output collapsed)
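
The IAM findings in the Checkov output above (CKV_AWS_286 to CKV_AWS_290 and CKV_AWS_355 against `aws_iam_policy.ec2_instance_policy`, `aws_iam_role_policy.app_execution` and `aws_iam_role_policy.app_task`) all come down to one shape: an `Allow` statement on `Resource: "*"` with no `Condition`, carrying an action that is a write, a wildcard, or in a sensitive class. The script below is an added example, not code from this PR or from Checkov, that reproduces those checks stand-alone over the three policies as transcribed from the scan output. Its action catalogues are short illustrative subsets of the classes Checkov keys on, and the ARNs in the scoped variant of the execution policy (region, account ID, repository, log-group and secret names) are placeholders; all of those are assumptions, not values from the repository.

```python
"""Re-implementation of the IAM checks Checkov raised in this thread.

Added example, not code from the PR or from Checkov. The action catalogues
are illustrative subsets of the classes Checkov keys on (assumption); the
three policies are transcribed from the scan output above.
"""
import fnmatch

# Actions that only accept Resource "*", so exempt from CKV_AWS_355 (subset).
NON_RESTRICTABLE = {"ecr:getauthorizationtoken", "ec2:describetags",
                    "ecs:discoverpollendpoint"}
# Verbs that imply a write; a wildcard verb may expand to one (CKV_AWS_290).
WRITE_VERBS = ("Create", "Put", "Update", "Delete", "Modify", "Set",
               "Attach", "Detach", "Run", "Start", "Stop", "Terminate")
# One sensitive-action catalogue per check (illustrative subsets, assumption).
CATEGORIES = {
    "CKV_AWS_286 privilege escalation": {
        "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
        "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy", "ec2:RunInstances"},
    "CKV_AWS_287 credentials exposure": {
        "iam:CreateAccessKey", "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile", "sts:AssumeRole",
        "sts:GetFederationToken", "rds-db:connect"},
    "CKV_AWS_288 data exfiltration": {
        "s3:GetObject", "ssm:GetParameter", "ssm:GetParameters",
        "ssm:GetParametersByPath", "secretsmanager:GetSecretValue"},
    "CKV_AWS_289 permissions management / resource exposure": {
        "iam:CreatePolicy", "iam:AttachUserPolicy", "iam:PutUserPolicy",
        "s3:PutBucketPolicy", "s3:PutObjectAcl", "ecr:SetRepositoryPolicy",
        "kms:PutKeyPolicy", "secretsmanager:PutResourcePolicy"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive globs, e.g. s3:*Object*."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unconstrained_allows(policy):
    """Allow statements on Resource "*" that carry no Condition block."""
    for stmt in _as_list(policy["Statement"]):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and "*" in _as_list(stmt.get("Resource", []))):
            yield stmt


def lint(policy):
    """Return {check name: sorted offending action patterns}."""
    findings = {}
    for stmt in unconstrained_allows(policy):
        for pattern in _as_list(stmt.get("Action", [])):
            verb = pattern.split(":", 1)[-1]
            hits = []
            if pattern.lower() not in NON_RESTRICTABLE:
                hits.append("CKV_AWS_355 wildcard resource")
            if "*" in verb or verb.startswith(WRITE_VERBS):
                hits.append("CKV_AWS_290 unconstrained write")
            # A glob such as s3:*Object* is expanded against each catalogue.
            hits += [check for check, actions in CATEGORIES.items()
                     if any(_matches(pattern, a) for a in actions)]
            for check in hits:
                findings.setdefault(check, set()).add(pattern)
    return {check: sorted(pats) for check, pats in sorted(findings.items())}


def _allow(actions):
    """Single-statement Allow on Resource "*", the shape of the PR's policies."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]}


EC2_INSTANCE_POLICY = _allow([  # ecs.tf aws_iam_policy.ec2_instance_policy
    "ec2:DescribeTags", "ecs:CreateCluster", "ecs:DeregisterContainerInstance",
    "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance",
    "ecs:StartTelemetrySession", "ecs:UpdateContainerInstancesState",
    "ecs:Submit*", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream",
    "logs:PutLogEvents", "s3:ListBucket", "s3:*Object*", "kms:Decrypt",
    "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt", "kms:GenerateDataKey",
    "kms:DescribeKey", "rds:Connect", "rds:DescribeDBInstances"])
APP_EXECUTION_POLICY = _allow([  # ecs.tf aws_iam_role_policy.app_execution
    "ecr:*", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogStreams", "secretsmanager:GetSecretValue"])
APP_TASK_POLICY = _allow([  # ecs.tf aws_iam_role_policy.app_task
    "logs:CreateLogStream", "logs:PutLogEvents", "ecr:*", "iam:*", "ec2:*"])

# The execution role once scoped. Region, account ID and resource names are
# placeholders (assumption), not values from the PR.
_ARN = "arn:aws:{}:eu-west-2:111111111111:{}"
SCOPED_EXECUTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                                   "ecr:BatchCheckLayerAvailability"],
     "Resource": _ARN.format("ecr", "repository/chaps")},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": _ARN.format("logs", "log-group:chaps-ecs:*")},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": _ARN.format("secretsmanager", "secret:database_password-*")},
]}

if __name__ == "__main__":
    for name, policy in [("ec2_instance_policy", EC2_INSTANCE_POLICY),
                         ("app_execution", APP_EXECUTION_POLICY),
                         ("app_task", APP_TASK_POLICY),
                         ("app_execution (scoped)", SCOPED_EXECUTION_POLICY)]:
        print(name, lint(policy) or "clean")
```

Running it shows `app_task` tripping every check because `iam:*` expands to `iam:CreateAccessKey` and `iam:CreatePolicyVersion` and `ec2:*` to `ec2:RunInstances`; a task role should carry only the actions the application itself calls, and `iam:*` has no place in one. `app_execution` trips CKV_AWS_288 only because `secretsmanager:GetSecretValue` sits on `*`; pinning it to the `database_password` secret ARN and the ECR pulls to the one repository is enough to clear every finding, as the scoped variant shows (`ecr:GetAuthorizationToken` legitimately stays on `*`). Two further points on `ec2_instance_policy` are visible in the quoted lines: `kms:GenerateDataKey` is listed twice, and `rds:Connect` and `kms:ReEncrypt` are not IAM action names (IAM database authentication uses `rds-db:connect`, and KMS has `kms:ReEncryptFrom` and `kms:ReEncryptTo`), so those two entries grant nothing. The `#tfsec:ignore:aws-iam-no-policy-wildcards` comment on that resource silences tfsec only; Checkov still reports it, which is why the wildcard shows up here.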

@sobostion sobostion force-pushed the NIT-1028_deploy_gdpr_merge branch from b156ab5 to 0bf9ef1 Compare January 30, 2024 14:18
@sobostion sobostion had a problem deploying to delius-core-development January 30, 2024 14:20 — with GitHub Actions Error
Contributor comment (scan results):
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

@sobostion sobostion force-pushed the NIT-1028_deploy_gdpr_merge branch from 0bf9ef1 to 6e09b12 Compare January 31, 2024 13:26
@sobostion sobostion had a problem deploying to delius-core-development January 31, 2024 13:28 — with GitHub Actions Failure
Contributor comment (scan results):
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

Contributor comment (scan results, 1 similar comment):
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

Contributor comment (scan results):
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

@sobostion sobostion had a problem deploying to delius-core-development February 1, 2024 13:04 — with GitHub Actions Error
@sobostion sobostion force-pushed the NIT-1028_deploy_gdpr_merge branch from d21a849 to 183b619 Compare February 1, 2024 14:54
@sobostion sobostion had a problem deploying to delius-core-development February 1, 2024 14:56 — with GitHub Actions Failure
github-actions bot commented Feb 1, 2024:
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

github-actions bot commented Feb 1, 2024:
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

@sobostion sobostion had a problem deploying to delius-core-development February 1, 2024 16:15 — with GitHub Actions Failure
github-actions bot commented Feb 1, 2024:
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

@sobostion sobostion had a problem deploying to delius-core-development February 1, 2024 16:26 — with GitHub Actions Error
@georgepstaylor georgepstaylor temporarily deployed to delius-core-development February 1, 2024 18:09 — with GitHub Actions Inactive
github-actions bot commented Feb 1, 2024:
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

github-actions bot commented Feb 1, 2024:
TFSEC Scan Success, Checkov Scan Success, CTFLint Scan Success, Trivy Scan (outputs collapsed)

georgepstaylor previously approved these changes Feb 1, 2024
georgepstaylor previously approved these changes Feb 2, 2024
@georgepstaylor georgepstaylor merged commit 42461c3 into main Feb 2, 2024
8 of 11 checks passed
@georgepstaylor georgepstaylor deleted the NIT-1028_deploy_gdpr_merge branch February 2, 2024 12:41
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update

4 participants